Free ISACA CRISC Exam Questions (page: 13)

A recent regulatory requirement has the potential to affect an organization's use of a third party to supply outsourced business services.
Which of the following is the BEST course of action?

  1. Conduct a gap analysis.
  2. Terminate the outsourcing agreement.
  3. Identify compensating controls.
  4. Transfer risk to the third party.

Answer(s): A

Explanation:

The best course of action when a recent regulatory requirement has the potential to affect an organization's use of a third party to supply outsourced business services is to conduct a gap analysis, as it involves comparing the current and desired states of compliance, and identifying any gaps or discrepancies that need to be addressed. Terminating the outsourcing agreement, identifying compensating controls, and transferring risk to the third party are not the best courses of action, as they may not be feasible, effective, or appropriate, respectively, and may require the prior knowledge of the compliance gaps and risks. References = CRISC Review Manual, 7th Edition, page 111.



The PRIMARY advantage of involving end users in continuity planning is that they:

  1. have a better understanding of specific business needs
  2. can balance the overall technical and business concerns
  3. can see the overall impact to the business
  4. are more objective than information security management.

Answer(s): A

Explanation:

Continuity planning is the process of developing strategies and plans to ensure the continuity of critical business functions and processes in the event of a disruption or disaster. Continuity planning involves identifying the risks, impacts, and recovery options for various scenarios, as well as testing and updating the plans regularly. The primary advantage of involving end users in continuity planning is that they have a better understanding of specific business needs, such as the operational requirements, the customer expectations, and the dependencies and interdependencies of the business processes. End users can provide valuable input and feedback on the continuity plans, as well as participate in the testing and validation of the plans. End users can also help to ensure the alignment of the continuity plans with the business objectives and priorities, as well as the compliance with the relevant standards and regulations. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.4.1, p. 204-205



A user has contacted the risk practitioner regarding malware spreading laterally across the organization's corporate network.
Which of the following is the risk practitioner's BEST course of action?

  1. Review all log files generated during the period of malicious activity.
  2. Perform a root cause analysis.
  3. Notify the cybersecurity incident response team.
  4. Update the risk register.

Answer(s): C

Explanation:

Notifying the incident response team ensures immediate action to contain and remediate the malware spread, limiting further impact. This aligns with Incident Response and Containment protocols under risk management.



After the implementation of Internet of Things (IoT) devices, new risk scenarios were identified.
What is the PRIMARY reason to report this information to risk owners?

  1. To reevaluate continued use of IoT devices
  2. To add new controls to mitigate the risk
  3. To recommend changes to the IoT policy
  4. To confirm the impact to the risk profile

Answer(s): D

Explanation:

The primary reason to report the information about the new risk scenarios identified after the implementation of Internet of Things (IoT) devices to risk owners is to confirm the impact to the risk profile. The risk profile is a summary of the level and nature of the risks that the organization faces or may face in the future. The risk profile reflects the risk appetite, tolerance, and capacity of the organization, and guides the risk management decisions and actions. The implementation of IoT devices may introduce new risks or increase the likelihood or impact of existing risks, such as data privacy, security, or interoperability issues. Therefore, the information about the new risk scenarios should be reported to the risk owners, who have the authority and responsibility for managing the risks and their responses, to confirm the impact to the risk profile and to determine the appropriate risk treatment plans. The other options are not as primary as confirming the impact to the risk profile, as they are related to the reevaluation, mitigation, or recommendation of the IoT devices, not the confirmation or assessment of the risk profile. References = Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.2: IT Risk Register, page 19.



The percentage of unpatched systems is a:

  1. threat vector.
  2. critical success factor (CSF).
  3. key performance indicator (KPI).
  4. key risk indicator (KRI).

Answer(s): D

Explanation:

The percentage of unpatched systems is best classified as a Key Risk Indicator (KRI). KRIs are metrics used by organizations to provide an early signal of increasing risk exposures in various areas of the business. Here's a
Understanding KRIs:
Definition: KRIs are specific metrics that provide insights into the risk level of an organization. They help in identifying potential risks that could impact the business negatively if not addressed promptly.
Purpose: KRIs are used to monitor the effectiveness of risk management strategies and to provide an early warning system for emerging risks.
Percentage of Unpatched Systems as a KRI:
Indicator of Vulnerability: The percentage of unpatched systems directly indicates how vulnerable an organization is to cyber threats. Unpatched systems are a common entry point for attackers, making this metric critical for assessing the organization's exposure to cyber risks.
Impact on Security Posture: A high percentage of unpatched systems can significantly increase the likelihood of security incidents, making it a valuable metric for risk management.
Proactive Risk Management: By monitoring this KRI, organizations can take proactive measures to address vulnerabilities before they are exploited.
Comparison with Other Options:
Threat Vector: A threat vector refers to the path or means by which a threat can reach and impact an asset. It is not a metric like the percentage of unpatched systems.
Critical Success Factor (CSF): CSFs are essential elements necessary for an organization to achieve its mission. While important, they are not specific metrics used to measure risk.
Key Performance Indicator (KPI): KPIs measure how effectively an organization is achieving its key business objectives. While related, KPIs focus on performance rather than risk exposure.


Reference:

CRISC Review Manual: Provides detailed insights into KRIs and their role in risk management.
ISACA Risk IT Framework: Discusses the use of KRIs in monitoring and managing IT risks effectively.



Which of the following is the BEST course of action when an organization wants to reduce likelihood in order to reduce a risk level?

  1. Monitor risk controls.
  2. Implement preventive measures.
  3. Implement detective controls.
  4. Transfer the risk.

Answer(s): B

Explanation:

The best course of action when an organization wants to reduce likelihood in order to reduce a risk level is to implement preventive measures. Likelihood is the probability or chance of a risk occurring, and risk level is the combination of likelihood and impact of a risk. Preventive measures are controls that are designed to prevent or deter the occurrence of a risk, such as policies, standards, procedures, guidelines, etc. Implementing preventive measures is the best course of action, because it helps to reduce the likelihood of a risk, and consequently, the risk level. Implementing preventive measures also helps to protect and enhance the organization's objectives, performance, and improvement. The other options are not the best course of action, although they may be related to the risk management process. Monitoring risk controls, implementing detective controls, and transferring the risk are all activities that can help to manage or mitigate the risks, but they do not necessarily reduce the likelihood or the risk level. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.1, page 4-21.



Which of the following is the BEST way to manage the risk associated with malicious activities performed by database administrators (DBAs)?

  1. Activity logging and monitoring
  2. Periodic access review
  3. Two-factor authentication
  4. Awareness training and background checks

Answer(s): A

Explanation:

According to the CRISC Review Manual, activity logging and monitoring is the best way to manage the risk associated with malicious activities performed by database administrators (DBAs), because it enables the detection and prevention of unauthorized or inappropriate actions on the database. Activity logging and monitoring involves capturing and reviewing the activities of the DBAs, such as the commands executed, the data accessed or modified, the privileges used, and the time and duration of the sessions. Activity logging and monitoring can also provide an audit trail for accountability and forensic purposes. The other options are not the best ways to manage the risk, because they do not directly address the malicious activities of the DBAs. Periodic access review is a control that verifies the appropriateness of the access rights granted to the DBAs, but it does not monitor their actual activities. Two-factor authentication is a control that enhances the security of the authentication process, but it does not prevent the DBAs from performing malicious activities once they are authenticated. Awareness training and background checks are controls that aim to reduce the likelihood of the DBAs engaging in malicious activities, but they do not guarantee their compliance or behavior. References = CRISC Review Manual, 7th Edition, Chapter 4, Section 4.1.3, page 166.



To help identify high-risk situations, an organization should:

  1. continuously monitor the environment.
  2. develop key performance indicators (KPIs).
  3. maintain a risk matrix.
  4. maintain a risk register.

Answer(s): A

Explanation:

To help identify high-risk situations, an organization should continuously monitor the environment, as it can help to detect and respond to any changes or emerging risks that may affect the organization's objectives and strategy. Continuous monitoring can also provide timely and relevant feedback and information to the decision-makers and stakeholders, and enable them to adjust the risk strategy and response actions accordingly. Continuous monitoring can also help to ensure that the risk management process is aligned with the organization's risk appetite and tolerance, and supports the achievement of the organization's goals and value creation. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, Question 243. CRISC: Certified in Risk & Information Systems Control Sample Questions, Question 243. CRISC Sample Questions 2024, Question 243.


