Cisco®
Oracle
CompTIA
Checkpoint
ISC
EC-Council
EXIN
Fortinet
ITIL®
Juniper
Microsoft
VMware
Avaya
SAP
Google
Salesforce
Amazon
Palo Alto Networks
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CRISC

Free ISACA CRISC Exam Questions (page: 93)

Page 47 of 238
PDF with 1895 Questions

Which of the following is the BEST course of action to reduce risk impact?

  1. Create an IT security policy.
  2. Implement corrective measures.
  3. Implement detective controls.
  4. Leverage existing technology

Answer(s): B

Explanation:

To reduce risk impact, the best course of action is to implement corrective measures, which are actions taken to eliminate or minimize the negative effects of a risk event after it has occurred12.
Corrective measures can include restoring normal operations, repairing or replacing damaged assets, recovering lost data, compensating affected stakeholders, and implementing lessons learned12.
Corrective measures can reduce risk impact by minimizing the duration, severity, and scope of the consequences of a risk event, as well as preventing recurrence or escalation of similar risks in the future12.
The other options are not the best course of action to reduce risk impact, but rather different types of risk responses that may have different objectives and effects. For example:
Creating an IT security policy is an example of a preventive measure, which is an action taken to avoid or reduce the likelihood of a risk event before it occurs12. A preventive measure can reduce risk exposure, but not risk impact. Implementing detective controls is an example of a monitoring measure, which is an action taken to identify and measure the occurrence or status of a risk event during or after it occurs12. A monitoring measure can provide timely information and feedback, but not reduce risk impact.
Leveraging existing technology is an example of a mitigation measure, which is an action taken to reduce the likelihood or impact of a risk event before it occurs12. A mitigation measure can reduce risk exposure, but not necessarily risk impact. References =
1: Risk Management Guide for Information Technology Systems, NIST Special Publication 800-30, July 2002
2: Project Risk Management Handbook, California Department of Transportation, June 2011



Which of the following data would be used when performing a business impact analysis (BIA)?

  1. Cost-benefit analysis ofrunning the current business
  2. Cost of regulatory compliance
  3. Projected impact of current business on future business
  4. Expected costs for recovering the business

Answer(s): D

Explanation:

A business impact analysis (BIA) is a process that identifies and assesses the effects that accidents, emergencies, disasters, and other unplanned, negative events could have on a business. The BIA (sometimes also called business impact assessment) predicts how a business will be affected by everything from a hurricane to a labor strike1. One of the data that would be used when performing a BIA is the expected costs for recovering the business. This data can help to estimate the amount of resources and funds that would be needed to restore the normal operations and functions of the business after a disruption. The expected costs for recovering the business can include:
The costs of repairing or replacing damaged or lost assets, such as equipment, inventory, or facilities
The costs of hiring or training additional staff, or outsourcing some tasks or services The costs of implementing alternative or backup systems or processes, such as cloud computing or manual procedures

The costs of communicating and coordinating with customers, suppliers, partners, regulators, and other stakeholders
The costs of complying with legal or contractual obligations, or paying fines or penalties The costs of mitigating or preventing further losses or damages, such as insurance premiums or security measures23
The expected costs for recovering the business can help to determine the priority and urgency of the recovery activities, and to allocate the available resources and funds accordingly. The expected costs for recovering the business can also help to evaluate the cost-effectiveness and feasibility of the recovery strategies and options, and to justify the investment in the business continuity planning and management4.

The other options are not the data that would be used when performing a BIA, but rather the data that would be used for other purposes or processes. A cost-benefit analysis of running the current business is a data that would be used to compare the advantages and disadvantages of different business decisions or alternatives, such as launching a new product or service, or expanding to a new market. A cost-benefit analysis can help to assess the profitability and viability of the current business, but it does not measure the impact of a disruption on the business5. A cost of regulatory compliance is a data that would be used toestimate the amount of resources and funds that would be required to meet the rules and standards set by the authorities or agencies that govern the business, such as laws, regulations, or policies. A cost of regulatory compliance can help to ensure the legality and accountability of the business, but it does not measure the impactof a disruption on the business. A projected impact of current business on future business is a data that would be used to forecast the potential outcomes and consequences of the current business activities or strategies on the future business performance and growth, such as sales, revenue, market share, or customer satisfaction. A projected impact of current business on future business can help to plan and optimize the future business, but it does not measure the impact of a disruption on the current business. References =
Business Impact Analysis | Ready.gov
Business Impact Analysis Toolkit | Smartsheet
Business Impact Analysis (BIA): Prepare for Anything [2023] · Asana How To Conduct Business Impact Analysis in 8 Easy Steps - G2 Cost Benefit Analysis - ISACA
[Regulatory Compliance - ISACA]
[Impact Analysis - ISACA]
[CRISC Review Manual, 7th Edition]



An employee lost a personal mobile device that may contain sensitive corporate information.
What should be the risk practitioner's recommendation?

  1. Conduct a risk analysis.
  2. Initiate a remote data wipe.
  3. Invoke the incident response plan
  4. Disable the user account.

Answer(s): B

Explanation:

The best recommendation for a risk practitioner when an employee lost a personal mobile device that may contain sensitive corporate information is to initiate a remote data wipe. A remote data wipe is a process of erasing the data stored on a device remotely, using a command sent over anetwork or a wireless connection. A remote data wipe can help to prevent the unauthorized access, use, disclosure, or theft of the sensitive corporate information, and to minimize the potential impact of the loss on the enterprise's reputation, operations, and compliance. A remote data wipe can also help to comply with the data breach notification laws and regulations, and to reduce the legal liability and penalties. Conducting a risk analysis, invoking the incident response plan, and disabling the user account are not as immediate and effective as initiating a remote data wipe, as they do not address the primary risk of data exposure and loss. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 217.



Which of the following conditions presents the GREATEST risk to an application?

  1. Application controls are manual.
  2. Application development is outsourced.
  3. Source code is escrowed.
  4. Developers have accessto production environment.

Answer(s): D

Explanation:

The production environment is the environment where the application is deployed and used by the end users. The production environment should be protected from unauthorized or unintended changes that could compromise the availability, integrity, or confidentiality of the application and its data. Developers have access to the production environment presents the greatest risk to an application, as it could allow them tobypass the change management process, introduce errors or vulnerabilities, or manipulate the application or its data for malicious purposes. The other options are not as risky as developers having access to the production environment, as they involve different aspects of the application lifecycle:
Application controls are manual means that the application relies on human intervention to perform some functions or validations, such as data entry, reconciliation, or authorization. This could increase the risk of human error, fraud, or inefficiency, but it does not directly affect the production environment.
Application development is outsourced means that the application is developed by a third party, such as a vendor or a contractor. This could increase the risk of quality issues, contractual disputes, or intellectual property rights, but it does not directly affect the production environment.
Source code is escrowed means that the source code of the application is deposited with a trusted third party, such as a lawyer or a bank. This could provide assurance and continuity in case the original developer is unable or unwilling to maintain or support the application, but it does not directly affect the production environment. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.1.1.1, pp. 144-145.



Read" rights to application files in a controlled server environment should be approved by the:

  1. business process owner.
  2. database administrator.
  3. chiefinformation officer.
  4. systems administrator.

Answer(s): A

Explanation:

Read rights: The permission to view or access the content of a file or a folder1. Application files: The files that contain the code, data, or resources of an application or a program2.
Controlled server environment: A server environment that is managed and secured by a set of policies, procedures, and tools3.
Business process owner: The person who is responsible for the design, execution, and performance of a business process.
Read rights to application files in a controlled server environment should be approved by the business process owner. The business process owner is the person who has the authority and accountability for the business process that uses or depends on the application files. The businessprocess owner should approve the read rights to application files in a controlled server environment to:
Ensure that the read rights are aligned with the business needs and objectives

Prevent unauthorized or unnecessary access to the application files Protect the confidentiality, integrity, and availability of the application files Comply with the relevant laws and regulations that govern the access to the application files The other options are not the best choices for approving the read rights to application files in a controlled server environment, because they do not have the same level of authority, responsibility, or knowledge as the business process owner. The database administrator, who is the person who manages and maintains the database systems and data, may have the technical skills and access to grant the read rights to application files, but they may not have the business insight or approval to do so. The chief information officer, who is the person who oversees the IT strategy and operations of the organization, may have the executive power and oversight to approve the read rights to application files, but they may not have the specific or detailed knowledge of the business process or the application files. The systems administrator, who is the person who configures and maintains the server systems and networks, may have the administrative privileges and tools to grant the read rights to application files, but they may not have the business understanding or authorization to do so. References = Read Permission - an overview | ScienceDirect Topics, What is an Application File? - Definition from Techopedia, What is a Server Environment? - Definition from Techopedia, [Business Process Owner: Definition, Roles, and Responsibilities]



A risk practitioner has received an updated enterprise risk management (ERM) report showing that residual risk is now within the organization's defined appetite and tolerance levels.
Which of the following is the risk practitioner's BEST course of action?

  1. Identify new risk entries to include in ERM.
  2. Remove the risk entries from the ERM register.
  3. Re-perform the risk assessment to confirm results.
  4. Verify the adequacy of risk monitoring plans.

Answer(s): D

Explanation:

The risk practitioner's best course of action when the residual risk is now within the organization's defined appetite and tolerance levels is to verify the adequacy of risk monitoring plans. Risk monitoring is the process of tracking and reviewing the risk status and performance, and ensuring that the risk responses are effective and efficient1. Risk monitoring plans are the documents that specify the objectives, scope, methods, roles, and responsibilities for the riskmonitoring activities2. By verifying the adequacy of risk monitoring plans, the risk practitioner can:
Ensure that the risk monitoring plans are aligned with the organization's risk strategy,

objectives, and policies, and that they comply with the relevant standards and regulations3. Evaluate whether the risk monitoring plans are comprehensive and consistent, and that they cover all the key aspects and indicators of the risks and the risk responses4. Identify and address any gaps, issues, or challenges that may affect the implementation or outcome of the risk monitoring plans, and recommend and implement appropriate improvement actions5.
The other options are not the best course of action, because:
Identifying new risk entries to include in ERM is not a relevant or necessary course of action, as it is not directly related to the residual risk or the risk responses. ERM is the process of identifying, analyzing, evaluating, and managing the risks that may affect the organization's strategic, operational, financial, or reputational objectives6. Identifying new risk entries is a part of the risk identification process, which is the first step in ERM. It should be performedperiodically or when there are significant changes in the internal or external environment, not when the residual risk is within the appetite and tolerance levels7. Removing the risk entries from the ERM register is not a valid or advisable course of action, as it may create a false sense of security or complacency. The ERM register is a tool that records and summarizes the key information and data about the identified risks and the risk responses. Removing the risk entries from the ERM register may imply that the risks no longer exist or matter, which is not true. The risks may still occur or change, and the risk responses may still fail or become obsolete. Therefore, the risk entries should be kept and updated in the ERM register, unless the risks are completely eliminated or transferred. Re-performing the risk assessment to confirm results is not an efficient or effective course of action, as it may be redundant or unnecessary. Risk assessment is the process of estimating the probability and impact of the risks, and prioritizing the risks based on their significance and urgency. Re-performing the risk assessment may not provide any new or useful information or insights, and may waste time and resources. Instead, the risk practitioner should verify and validate the risk assessment results, and ensure that they are accurate and reliable.
References =
Risk Monitoring - CIO Wiki
Risk Monitoring Plan - CIO Wiki
Risk Monitoring and Reporting - ISACA
Risk Monitoring and Control - Project Management Institute Risk Monitoring and Review - The National Academies Press Enterprise Risk Management - CIO Wiki
Risk Identification - CIO Wiki
[Risk Register - CIO Wiki]
[Risk Register: How to Use It in Project Management - ProjectManager.com] [Risk Assessment - CIO Wiki]
[Risk Assessment Process - ISACA]



An organization automatically approves exceptions to security policies on a recurring basis.
This practice is MOST likely the result of:

  1. a lack of mitigating actions for identified risk
  2. decreased threat levels
  3. ineffective service delivery
  4. ineffective IT governance

Answer(s): D

Explanation:

IT governance is the process of ensuring that IT supports the organization's objectives and strategies, and that IT risks are managed appropriately. IT governance involves defining the roles, responsibilities, and accountabilities of the IT stakeholders, establishing the IT policies, standards, and procedures, and monitoring and evaluating the IT performance and outcomes1.
An organization that automatically approves exceptions to security policies on a recurring basis is most likely the result of ineffective IT governance, because it indicates that the organization:
Lacks a clear and consistent IT strategy and direction, and does not align IT with the business goals and needs
Fails to implement and enforce the IT policies, standards, and procedures, and does not ensure the compliance and accountability of the IT users and providers Neglects to identify and assess the IT risks, and does not implement the appropriate risk responses and controls
Does not monitor and measure the IT performance and outcomes, and does not review and improve the IT processes and practices23
The other options are not the most likely results of ineffective IT governance, but rather some of the possible causes or consequences of it. A lack of mitigating actions for identified risk is a possible consequence of ineffective IT governance, as it implies that the organization does not have a systematic and proactiveapproach to IT risk management, and does not address the IT risks in a timely and effective manner. Decreased threat levels is a possible cause of ineffective IT governance, as it may create a false sense of security and complacency, and reduce the motivation and urgency to implement and follow the IT policies, standards, and procedures. Ineffective service delivery is a possible consequence of ineffective IT governance, as it means that the organization does not deliver the IT services that meet the expectations and requirements of the customers and stakeholders, and does not ensure the quality and reliability of the IT services. References =

IT Governance - ISACA
IT Governance: What It Is and Why You Need It
IT Governance: The Benefits of an Effective Enterprise IT Governance Framework [CRISC Review Manual, 7th Edition]



Who is PRIMARILY accountable for identifying risk on a daily basis and ensuring adherence to the organization's policies?

  1. Third line of defense
  2. Line of defense subject matter experts
  3. Second line of defense
  4. First line of defense

Answer(s): D



Viewing page 93 of 238



Post your Comments and Discuss ISACA CRISC exam prep with other Community members:

CRISC Exam Discussions & Posts