Free ISACA CRISC Exam Questions (page: 11)

Which of the following would be the result of a significant increase in the motivation of a malicious threat actor?

  A. Increase in mitigating control costs
  B. Increase in risk event impact
  C. Increase in risk event likelihood
  D. Increase in cybersecurity premium

Answer(s): C

Explanation:

The result of a significant increase in the motivation of a malicious threat actor would be an increase in risk event likelihood. The likelihood of a risk event is influenced by the factors of threat, vulnerability, and exposure. The motivation of a threat actor is a key component of the threat factor, as it reflects the intent and capability of the actor to exploit a vulnerability. Therefore, a higher motivation would imply a higher probability of an attack. An increase in mitigating control costs, risk event impact, or cybersecurity premium are possible consequences of a risk event, but they are not directly affected by the motivation of the threat actor.

References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 6; CRISC Review Manual, 6th Edition, page 67.



In the three lines of defense model, a PRIMARY objective of the second line is to:

  A. Review and evaluate the risk management program.
  B. Ensure risks and controls are effectively managed.
  C. Implement risk management policies regarding roles and responsibilities.
  D. Act as the owner for any operational risk identified as part of the risk program.

Answer(s): B

Explanation:

The second line of defense provides oversight to ensure risks and controls are effectively managed. This includes compliance, risk management policies, and performance monitoring, aligning with Risk Governance frameworks and enhancing the organization's risk resilience.



Which of the following should be the PRIMARY focus of a risk owner once a decision is made to mitigate a risk?

  A. Updating the risk register to include the risk mitigation plan
  B. Determining processes for monitoring the effectiveness of the controls
  C. Ensuring that control design reduces risk to an acceptable level
  D. Confirming to management the controls reduce the likelihood of the risk

Answer(s): C

Explanation:

The primary focus of a risk owner once a decision is made to mitigate a risk is to ensure that the control design reduces the risk to an acceptable level. This means that the risk owner should verify that the control objectives, specifications, and implementation are aligned with the risk mitigation plan, and that the control is effective in reducing the risk exposure to within the risk appetite and tolerance of the enterprise. The risk owner should also ensure that the control design is consistent with the enterprise's policies, standards, and procedures, and that it complies with any relevant laws, regulations, or contractual obligations.

References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.2.4, page 185.



An organization is planning to engage a cloud-based service provider for some of its data-intensive business processes.
Which of the following is MOST important to help define the IT risk associated with this outsourcing activity?

  A. Service level agreement
  B. Customer service reviews
  C. Scope of services provided
  D. Right to audit the provider

Answer(s): C

Explanation:

According to the CRISC Review Manual (Digital Version), the right to audit the provider is the most important factor to help define the IT risk associated with outsourcing activity to a cloud-based service provider, as it enables the organization to verify the compliance and performance of the provider with the contractual obligations and service level agreements.
The right to audit the provider helps to:
Assess the security, availability, confidentiality, integrity, and privacy of the data and processes hosted by the provider
Identify and evaluate the risks and controls related to the cloud-based services and the provider's infrastructure
Monitor and measure the quality and effectiveness of the cloud-based services and the provider's governance and management practices
Report and resolve any issues or incidents related to the cloud-based services and the provider's operations
Ensure the alignment of the cloud-based services and the provider's policies and standards with the organization's objectives and requirements

References = CRISC Review Manual (Digital Version), Chapter 3: IT Risk Response, Section 3.3: Risk Response Options, pp. 176-177.



An organization is implementing encryption for data at rest to reduce the risk associated with unauthorized access.
Which of the following MUST be considered to assess the residual risk?

  A. Data retention requirements
  B. Data destruction requirements
  C. Cloud storage architecture
  D. Key management

Answer(s): D

Explanation:

The most important factor to consider when assessing the residual risk of implementing encryption for data at rest is key management. Key management is the process of generating, storing, distributing, using, and destroying the cryptographic keys that are used to encrypt and decrypt the data. Key management is essential for ensuring the security, availability, and integrity of the encrypted data, as well as for complying with the legal and regulatory requirements. Poor key management could result in the loss, theft, compromise, or corruption of the keys, which could lead to unauthorized access, data breach, data loss, or data recovery failure. Therefore, key management must be considered to assess the residual risk, which is the risk that remains after the risk treatment, such as encryption, is applied. Data retention requirements, data destruction requirements, and cloud storage architecture are not as important as key management, as they do not directly affect the encryption and decryption of the data, and they may not introduce significant residual risk.

References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 217.



Which of the following is the MOST important requirement to include in a Software as a Service (SaaS) vendor contract to ensure data is protected?

  A. The vendor must provide periodic independent assurance reports.
  B. The vendor must host data in a specific geographic location.
  C. The vendor must be held liable for regulatory fines for failure to protect data.
  D. The vendor must participate in an annual vendor performance review.

Answer(s): B

Explanation:

The vendor must host data in a specific geographic location to ensure that the data is protected by the applicable data protection laws of the EU or the country where the data originates. This is especially important for SaaS customers who transfer personal data from the EU to third countries, as they need to comply with the GDPR and the new Standard Contractual Clauses (SCCs) that regulate such transfers. The vendor must also provide adequate security measures and guarantees to protect the data from unauthorized access, disclosure, or loss.

References = Risk and Information Systems Control Study Manual, Chapter 5: IT Risk Mitigation, Section 5.3: IT Risk Mitigation Strategies and Approaches, Page 253; Data Protection - New EU Standard Contractual Clauses - Bodle Law.



The risk associated with an asset before controls are applied can be expressed as:

  A. a function of the likelihood and impact
  B. the magnitude of an impact
  C. a function of the cost and effectiveness of control
  D. the likelihood of a given threat

Answer(s): A

Explanation:

The risk associated with an asset before controls are applied is also known as the inherent risk. It is the level of risk that exists in the absence of any mitigating actions or measures. To express the inherent risk, one needs to consider two factors: the likelihood and the impact of a potential threat. The likelihood is the probability or frequency of a threat occurring, while the impact is the magnitude or severity of the consequences if the threat materializes. The inherent risk can be calculated by multiplying the likelihood and the impact, or by using a risk matrix that assigns a risk rating based on the combination of these two factors. The other options are not correct ways of expressing the inherent risk, as they do not account for both the likelihood and the impact of a threat. The magnitude of an impact is only one component of the risk, and it does not reflect how likely the threat is to happen. The function of the cost and effectiveness of control is related to the residual risk, which is the risk that remains after controls are applied. The likelihood of a given threat is also only one component of the risk, and it does not indicate how severe the impact would be if the threat occurs.

References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.1, Page 47.



Which of the following would be MOST beneficial as a key risk indicator (KRI)?

  A. Current capital allocation reserves
  B. Negative security return on investment (ROI)
  C. Project cost variances
  D. Annualized loss projections

Answer(s): B

Explanation:

A key risk indicator (KRI) is a metric used to measure and monitor the level of risk associated with a particular process, activity, or system within an organization [1]. KRIs are typically used in risk management to provide early warning signs of potential risks and to help organizations take proactive steps to mitigate those risks. KRIs are designed to be quantitative and measurable, allowing organizations to track changes in risk levels over time and to identify trends and patterns that may indicate an increased likelihood of risk.

A negative security return on investment (ROI) would be most beneficial as a KRI, as it would indicate that the organization is spending more on security than the value it is generating or protecting. A negative security ROI would suggest that the organization is either over-investing in security, under-utilizing its security assets, or facing significant security threats or incidents that erode its security value. A negative security ROI would alert the organization to review its security strategy, budget, and performance, and to adjust them accordingly to optimize its security ROI and reduce its risk exposure [2].

Current capital allocation reserves are not the most beneficial as a KRI, as they do not directly measure the level of risk associated with a particular process, activity, or system. Capital allocation reserves are the amount of capital that an organization sets aside to cover potential losses or liabilities arising from its activities. Capital allocation reserves may reflect the organization's overall risk appetite and tolerance, but they do not provide specific information on the sources, types, or impacts of risks that the organization faces [3].

Project cost variances are not the most beneficial as a KRI, as they do not directly measure the level of risk associated with a particular process, activity, or system. Project cost variances are the differences between the actual and planned costs of a project. Project cost variances may indicate the performance or efficiency of a project, but they do not provide specific information on the risks that may affect the project's objectives, scope, quality, or schedule [4].

Annualized loss projections are not the most beneficial as a KRI, as they do not directly measure the level of risk associated with a particular process, activity, or system. Annualized loss projections are the estimates of the potential losses that an organization may incur in a year due to various risk events. Annualized loss projections may help the organization to plan and budget for its risk management activities, but they do not provide specific information on the likelihood, frequency, or severity of risk events that may occur [5].

References =
[1] Key risk indicator - Wikipedia
[2] What Is A Key Risk Indicator?
[3] Capital Allocation - Overview, Importance, and Methods
[4] Project Cost Variance: Definition, Formula, and Examples
[5] Annualized Loss Expectancy (ALE) - Definition, Formula, and Example


