Free ISACA CRISC Exam Questions (page: 12)

Which of the following is the BEST indication of the effectiveness of a business continuity program?

  1. Business continuity tests are performed successfully and issues are addressed.
  2. Business impact analyses are reviewed and updated in a timely manner.
  3. Business continuity and disaster recovery plans are regularly updated.
  4. Business units are familiar with the business continuity plans and process.

Answer(s): A

Explanation:

According to Section 4: Quiz 40 - Business Continuity Plan Flashcards, the best indication of the effectiveness of a business continuity program is the successful performance of business continuity tests and the resolution of any issues that arise. Business continuity tests are exercises that simulate various scenarios of disruption or disaster and evaluate the organization's ability to recover and resume its critical functions. Business continuity tests can help to validate the assumptions, objectives, and strategies of the business continuity program, as well as to identify and address any gaps, weaknesses, or errors in the business continuity and disaster recovery plans. By performing business continuity tests regularly and effectively, the organization can ensure that its business continuity program is aligned with its needs and expectations, and that it can cope with any potential crisis. References = Section 4: Quiz 40 - Business Continuity Plan Flashcards



Which of the following is the MAIN purpose of monitoring risk?

  1. Communication
  2. Risk analysis
  3. Decision support
  4. Benchmarking

Answer(s): C

Explanation:

The main purpose of monitoring risk is to provide decision support for the organization. Risk monitoring is the process of tracking and reviewing the risk management activities, the risk profile, and the risk performance of the organization. By monitoring risk, the organization can obtain timely and relevant information and feedback on the risk situation, and use it to make informed and effective decisions on risk management and business objectives. Communication, risk analysis, and benchmarking are other possible purposes of risk monitoring, but they are not as important as decision support. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 12; CRISC Review Manual, 6th Edition, page 215.



Which of the following is the BEST method of creating risk awareness in an organization?

  1. Making the risk register available to project stakeholders
  2. Ensuring senior management commitment to risk training
  3. Providing regular communication to risk managers
  4. Appointing the risk manager from the business units

Answer(s): B

Explanation:

The best method of creating risk awareness in an organization is to ensure senior management commitment to risk training. Senior management plays a vital role in setting the tone and direction of the risk culture and governance in the organization. By demonstrating their support and participation in risk training, they can influence and motivate the employees to follow the risk policies and procedures, and to enhance their risk knowledge and skills. Making the risk register available to project stakeholders, providing regular communication to risk managers, and appointing the risk manager from the business units are other methods of creating risk awareness, but they are not as effective as ensuring senior management commitment to risk training. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 12; CRISC Review Manual, 6th Edition, page 215.



Which of the following proposed benefits is MOST likely to influence senior management approval to reallocate budget for a new security initiative?

  1. Reduction in the number of incidents
  2. Reduction in inherent risk
  3. Reduction in residual risk
  4. Reduction in the number of known vulnerabilities

Answer(s): C

Explanation:

The proposed benefit that is most likely to influence senior management approval to reallocate budget for a new security initiative is the reduction in residual risk, as it indicates the expected value and outcome of the initiative in terms of reducing the risk exposure and impact to the level that is aligned with the risk tolerance and appetite of the organization. The other options are not the most likely benefits, as they may not reflect the actual or optimal risk reduction, or may not be relevant or measurable for the senior management, respectively. References = CRISC Review Manual, 7th Edition, page 111.



Which of the following can be used to assign a monetary value to risk?

  1. Annual loss expectancy (ALE)
  2. Business impact analysis
  3. Cost-benefit analysis
  4. Inherent vulnerabilities

Answer(s): A

Explanation:

Annual loss expectancy (ALE) is a method to assign a monetary value to risk by multiplying the probability of a risk event by the potential loss associated with that event. ALE can be used to compare the costs and benefits of different risk mitigation options and to determine the optimal level of investment in risk management. Business impact analysis (BIA) is a process to identify and evaluate the potential effects of a disruption on the critical functions and processes of an organization. BIA can help to forecast the impacts of a risk event, but it does not assign a monetary value to the risk itself. Cost-benefit analysis (CBA) is a technique to compare the costs and benefits of a project, decision, or action. CBA can help to evaluate the feasibility and profitability of a risk mitigation option, but it does not assign a monetary value to the risk itself. Inherent vulnerabilities are the weaknesses or flaws in a system, process, or asset that expose it to potential threats. Inherent vulnerabilities can increase the likelihood or impact of a risk event, but they do not assign a monetary value to the risk itself. References = Risk and Information Systems Control Study Manual, Chapter 2: IT Risk Assessment, Section 2.2: Risk Analysis, pp. 77-81.



Which of the following scenarios represents a threat?

  1. Connecting a laptop to a free, open, wireless access point (hotspot)
  2. Visitors not signing in as per policy
  3. Storing corporate data in unencrypted form on a laptop
  4. A virus transmitted on a USB thumb drive

Answer(s): D

Explanation:

A virus transmitted on a USB thumb drive is a scenario that represents a threat, as it involves a malicious or harmful event that could compromise the confidentiality, integrity, or availability of an information system. A virus is a type of malware that can infect and damage files, programs, or devices by replicating itself and spreading to other systems or networks. A USB thumb drive is a portable storage device that can be used to transfer data between computers or devices. A virus transmitted on a USB thumb drive can occur when a user inserts an infected USB thumb drive into a computer or device, or when a user downloads or copies an infected file from a USB thumb drive to a computer or device. A virus transmitted on a USB thumb drive can pose a serious risk to the information system, as it can corrupt or delete data, disrupt or degrade performance, steal or leak information, or allow unauthorized access or control.
The other options are not scenarios that represent a threat, but rather vulnerabilities or weaknesses that could increase the likelihood or impact of a threat. Connecting a laptop to a free, open, wireless access point (hotspot) is a vulnerability, as it exposes the laptop to potential eavesdropping, interception, or manipulation by malicious actors on the same network. Visitors not signing in as per policy is a vulnerability, as it creates a gap in the physical security and access control of the premises, and could allow unauthorized or malicious visitors to enter or access sensitive areas or assets. Storing corporate data in unencrypted form on a laptop is a vulnerability, as it reduces the protection and security of the data, and could enable unauthorized or malicious access, disclosure, or modification of the data in case of loss, theft, or compromise of the laptop. References = What is a Computer Virus? | McAfee, What is a USB Flash Drive? | Kingston Technology, Threats, Vulnerabilities, and Exploits - oh my!



A risk practitioner is performing a risk assessment of recent external advancements in quantum computing.
Which of the following would pose the GREATEST concern for the risk practitioner?

  1. The organization has incorporated blockchain technology in its operations.
  2. The organization has not reviewed its encryption standards.
  3. The organization has implemented heuristics on its network firewall.
  4. The organization has not adopted Infrastructure as a Service (IaaS) for its operations.

Answer(s): B



An IT organization is replacing the customer relationship management (CRM) system.
Who should own the risk associated with customer data leakage caused by insufficient IT security controls for the new system?

  1. Chief information security officer
  2. Business process owner
  3. Chief risk officer
  4. IT controls manager

Answer(s): B

Explanation:

The business process owner is the stakeholder who is responsible for the business process that is supported by the IT system, such as the CRM system. The business process owner has the authority and accountability to manage the risk and its response associated with the business process and the IT system. The business process owner should own the risk of customer data leakage caused by insufficient IT security controls for the new system, as it directly affects the performance, functionality, and compliance of the business process. The other options are not the correct answer, as they involve different roles or responsibilities in the risk management process:
The chief information security officer is the senior executive who oversees the enterprise-wide information security program, and provides guidance and direction to the information security managers and practitioners. The chief information security officer may advise or support the business process owner in managing the risk of customer data leakage, but does not own the risk.
The chief risk officer is the senior executive who oversees the enterprise-wide risk management program, and provides guidance and direction to the risk managers and practitioners. The chief risk officer may advise or support the business process owner in managing the risk of customer data leakage, but does not own the risk.
The IT controls manager is the person who designs, implements, and monitors the IT controls that mitigate the IT risks, such as the IT security controls for the new system. The IT controls manager may advise or support the business process owner in managing the risk of customer data leakage, but does not own the risk. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 3, Section 3.1.1.1, pp. 95-96.


