Cisco®
CompTIA
Checkpoint
ISC
EC-Council
EXIN
Fortinet
ITIL®
Juniper
Microsoft
VMware
Avaya
SAP
Google
Salesforce
Amazon
Palo Alto Networks
ISC2
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CRISC

Free ISACA CRISC Exam Questions

Which of the following would MOST likely cause a risk practitioner to change the likelihood rating in the risk register?

  1. Risk appetite
  2. Control cost
  3. Control effectiveness
  4. Risk tolerance

Answer(s): C

Explanation:

The likelihood rating in the risk register is a measure of how probable it is that a risk event will occur, given the current conditions and controls. The risk practitioner should change the likelihood rating if there is a significant change in the effectiveness of the controls that are implemented to prevent or reduce the risk. For example, if a control becomes obsolete, ineffective, or bypassed, the likelihood rating should increase, as the risk event becomes more likely to happen. Conversely, if a control becomes more efficient, reliable, or robust, the likelihood rating should decrease, as the risk event becomes less likely to happen. The other options are not likely to cause a change in the likelihood rating, as they are not directly related to the probability of the risk event. Risk appetite is the amount of risk that an organization is willing to accept in pursuit of its objectives. Control cost is the amount of resources that are required to implement and maintain a control. Risk tolerance is the acceptable level of variation that an organization is willing to allow for a risk to deviate from its desired level or expected outcome. These factors may influence the risk response or the risk acceptance, but not the likelihood rating. References = Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.4: Risk Register, p. 25- 26.



A software developer has administrative access to a production application.
Which of the following should be of GREATEST concern to a risk practitioner?

  1. The administrative access doesnot allow for activity log monitoring.
  2. The administrative access does not follow password management protocols.
  3. The administrative access represents a deviation from corporate policy.
  4. The administrative access represents a segregation of duties conflict.

Answer(s): D

Explanation:

According to the CRISC 351-400 topic3 Flashcards, the administrative access represents a segregation of duties conflict, which should be of greatest concern to a risk practitioner. Segregation of duties is a principle that aims to prevent fraud, errors, or abuse of power by ensuring that no single person can perform incompatible functions, such as development, testing, and production. By having administrative access to a production application, a software developer can potentially modify the code, bypass the testing and approval process, and deploy the changes without proper authorization or documentation. This can compromise the integrity, availability, and security of the application, and expose the organization to operational, financial, legal, or reputational risks. Therefore, the answer is D. The administrative access represents a segregation of duties conflict. *References



A risk practitioner notices that a particular key risk indicator (KRI) has remained below its established trigger point for an extended period of time.
Which of the following should be done FIRST?

  1. Recommend a re-evaluation of the current threshold of the KRI.
  2. Notifymanagement that KRIs are being effectively managed.
  3. Update the risk rating associated with the KRI In the risk register.
  4. Update the risk tolerance and risk appetite to better align to the KRI.

Answer(s): A

Explanation:

The FIRST thing that should be done when a KRI has remained below its established trigger point for an extended period of time is to recommend a re-evaluation of the current threshold of the KRI, because it may indicate that the trigger point is set too high or too low, or that the KRI is not relevant or effective in measuring the risk exposure. A re-evaluation of the current threshold of the KRI may result in adjusting the trigger point, changing the KRI, or removing the KRI. The other options are not the first thing that should be done, because:
Option B: Notifying management that KRIs are being effectively managed is not the first thing that should be done, because it may not reflect the true risk status and performance. A KRI that remains below its trigger point for a long time may not be a valid or reliable indicator of the risk exposure, and it may not capture the changes or trends in the risk environment.
Option C: Updating the risk rating associated with the KRI in the risk register is not the first thing that should be done, because it may not be accurate or consistent. A risk rating is based on the likelihood and impact of the risk, and it should be derived from a comprehensive risk analysis, not just from a single KRI. A KRI that remains below its trigger point for a long time may not reflect the actual likelihood and impact of the risk, and it may not be aligned with the other risk indicators and assessments.
Option D: Updating the risk tolerance and risk appetite to better align to the KRI is not the first thing that should be done, because it may not be appropriate or feasible. Risk tolerance and risk appetite are the acceptable level of risk exposure and variation that the enterprise is willing to accept in pursuit of its objectives, and they are determined by the executive management and the board of directors, based on the enterprise's strategy and goals. A KRI that remains below its trigger point for a long time may not represent the desired or optimal level of risk exposure and variation, and it may not be aligned with the enterprise's strategy and goals. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 121.



An organization is considering outsourcing user administration controls tor a critical system. The potential vendor has offered to perform quarterly sett-audits of its controls instead of having annual independent audits.
Which of the following should be of GREATEST concern to me risk practitioner?

  1. The controls may not be properly tested
  2. The vendor will not ensure against control failure
  3. The vendor will not achieve best practices
  4. Lack of a risk-based approach to access control

Answer(s): D

Explanation:

The greatest concern for the risk practitioner when the potential vendor has offered to perform quarterly self-audits of its controls instead of having annual independent audits is that the controls may not be properly tested. Self-audits are audits that are performed by the vendor itself, without the involvement of an external or independent party. Self-audits may not be reliable, objective, or consistent, as the vendor may have biases, conflicts of interest, or lack of expertise in auditing its own controls. Self-audits may also not follow the same standards, criteria, or methodologies as independent audits, and may not provide sufficient assurance or evidence of the effectiveness of the controls. The other options are not as concerning as the possibility of improper testing of the controls, as they are related to the outcomes, expectations, or approaches of the controls, not the quality or validity of the controls. References = Risk and Information Systems Control Study Manual, Chapter 2: IT Risk Assessment, Section 2.3: IT Control Assessment, page 6



Which of the following BEST helps to mitigate risk associated with excessive access by authorized users?

  1. Monitoring user activity using security logs
  2. Revoking access for users changing roles
  3. Granting access based on least privilege
  4. Conducting periodic reviews of authorizations granted

Answer(s): C

Explanation:

The principle of least privilege is a key concept in information security that aims to provide users with the minimum level of access--or permissions--necessary to perform their job functions. Byensuring that users only have the access they need, organizations can significantly reduce the risk associated with excessive access by authorized users.
Understanding Least Privilege
The principle of least privilege restricts access rights for users to the bare minimum permissions they need to perform their work. This minimizes the potential damage from accidents or malicious activities.
Least privilege should be applied to all user accounts, including administrative and service accounts.
Implementation
Implementing least privilege involves a detailed analysis of job functions and the necessary access required for each role.
Regularly review and update access permissions to ensure they remain aligned with current job responsibilities and organizational needs.
Mitigating Risk
By limiting access to only what is necessary, organizations can prevent users from having permissions that could be exploited, intentionally or unintentionally, to cause harm. This also includes revoking unnecessary privileges when users change roles or no longer need access.
Comparison with Other Options
A . Monitoring user activity using security logs: While monitoring can detect inappropriate activity, it does not preventit.
B . Revoking access for users changing roles: This is a necessary practice but does not address the initial allocation of excessive privileges.
D . Conducting periodic reviews of authorizations granted: Periodic reviews are important but are reactive rather than proactive.
References
Sybex-CISSP-Official-Study-Guide-9-Edition.pdf, p. 641, discussing the principle of least privilege and its implementation .



An incentive program is MOST likely implemented to manage the risk associated with loss of which organizational asset?

  1. Employees
  2. Data
  3. Reputation
  4. Customer lists

Answer(s): A

Explanation:

An incentive program is most likely implemented to manage the risk associated with loss of employees, as it aims to motivate, retain, and reward the employees who have valuable skills, knowledge, and experience, and to reduce the risk of employee turnover, dissatisfaction, or underperformance. Data, reputation, and customer lists are not the organizational assets that are most likely managed by an incentive program, as they are more related to the information, image, or relationship of the organization, respectively, rather than the human capital of the organization. References = CRISC Review Manual, 7th Edition, page 100.



After the announcement of a new IT regulatory requirement, it is MOST important for a risk practitioner to;

  1. prepare an IT risk mitigation strategy.
  2. escalate to senior management.
  3. perform a cost-benefit analysis.
  4. review the impact to the IT environment.

Answer(s): D

Explanation:

Reviewing the impact to the IT environment is the most important task for a risk practitioner to perform after the announcement of a new IT regulatory requirement, because it helps to identify and assess the gaps and risks that the new requirement may introduce or affect. A regulatory requirement is a rule or standard that an organization must comply with to meet the expectations of a regulator, such as a government agency or an industry body. A new regulatory requirement may impose new obligations, restrictions, or expectations on the organization, especially on its IT environment, which supports the business processes and functions. Therefore,reviewing the impact to the IT environment is the first step to understand the implications and implications of the new requirement, and to plan the appropriate actions to achieve compliance. Preparing an IT risk mitigation strategy, escalating to senior management, and performing a cost-benefit analysis are all important tasks to perform after reviewing the impact to the IT environment, but they are not the most important task, as they depend on the results of the impact review. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.1, page 153



Which of the blowing is MOST important when implementing an organization s security policy?

  1. Obtaining management support
  2. Benchmarking against industry standards
  3. Assessing compliance requirements
  4. Identifying threats and vulnerabilities

Answer(s): A

Explanation:

The most important thing when implementing an organization's security policy is to obtain management support. Management support means that the senior management and the board of directors endorse, approve, and fund the security policy and its implementation. Management support also means that the management communicates, promotes, and enforces the security policy across the organization. Management support can help to ensure that the security policy is aligned with the organizational strategy and objectives, and that it is effective, consistent, and sustainable. The other options are not as important as obtaining management support, as they are related to the specific aspects or components of the security policy implementation, not the overall success and acceptance of the security policy implementation. References = Risk and Information Systems Control Study Manual, Chapter
3: IT Risk Response, Section 3.3: IT Risk Response Implementation, page 145.



Viewing page 10 of 238
Viewing questions 73 - 80 out of 1895 questions



Post your Comments and Discuss ISACA CRISC exam prep with other Community members:

CRISC Exam Discussions & Posts