Cisco®
CompTIA
Checkpoint
ISC
EC-Council
EXIN
Fortinet
ITIL®
Juniper
Microsoft
VMware
Avaya
SAP
Google
Salesforce
Amazon
Palo Alto Networks
ISC2
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CRISC

Free ISACA CRISC Exam Questions (page: 14)

Page 14 of 238
PDF with 1895 Questions

Which of the following should be the GREATEST concern for an organization that uses open source software applications?

  1. Lack of organizational policy regarding open source software
  2. Lack of reliability associated with the use of open source software
  3. Lack of monitoring over installation of open source software in the organization
  4. Lack of professional supportfor open source software

Answer(s): A

Explanation:

Lack of organizational policy regarding open source software should be the greatest concern for an organization that uses open source software applications, as it may expose the organization to legal, security, and operational risks. Open source software is software that is freely available and can be modified and distributed by anyone, subject to certain conditions and licenses. An organizational policy regarding open source software should define the criteria and procedures for selecting, acquiring, using, and maintaining open source software, as well as the roles and responsibilities of the stakeholders involved. Lack of reliability, lack of monitoring, and lack of professional support are not the greatest concerns, as they can be addressed by implementing quality assurance, configuration management, and community engagement practices for open source software. References = CRISC by Isaca Actual Free Exam Q&As, question 214; CRISC: Certified in Risk & Information Systems Control Sample Questions, question 214.



Which of the following should be a risk practitioner's PRIMARY focus when tasked with ensuring organization records are being retained for a sufficient period of time to meet legal obligations?

  1. Data duplication processes
  2. Data archival processes
  3. Data anonymization processes
  4. Data protection processes

Answer(s): B

Explanation:

Data archival processes should be the primary focus of a risk practitioner when ensuring that organization records are being retained for a sufficient period of time to meet legal obligations, because data archival processes ensure that records are stored securely, reliably, and accessibly for as long as they are needed. Data archival processes also help to manage the storage capacity, retention policies, and disposal procedures of records. Data duplication processes are not the primary focus, because they are mainly used for backup and recovery purposes, not for long-term retention. Data anonymization processes are not the primary focus, because they are mainly used for privacy and confidentiality purposes, not for legal compliance. Data protection processes are not the primary focus, because they are mainly used for security and integrity purposes, not for retention requirements. References = Free ISACA CRISC Sample Questions and Study Guide



Which of the following would BEST ensure that identified risk scenarios are addressed?

  1. Reviewing the implementation of the risk response
  2. Creating a separate risk register for key business units
  3. Performing real-time monitoring of threats
  4. Performing regular risk control self-assessments

Answer(s): A

Explanation:

The best way to ensure that identified risk scenarios are addressed is to review the implementation of the risk response. The risk response is the action or plan that is taken to reduce, avoid, transfer, or accept the risk, depending on the chosen risk treatment option1. Reviewing the implementation of the risk response means checking whether the risk response actions are executed as planned, whether they are effective and efficient in mitigating the risk, and whether they are aligned with the organization's objectives and risk appetite2. Reviewing the implementation of the risk response helps to monitor and control the risk, identify any gaps or issues, and make any necessary adjustments or improvements. The other options are not the best ways to ensure that identified risk scenarios are addressed, as they are either less comprehensive or less specific than reviewing the implementation of the risk response. Creating a separate risk register for key business units is a way of documenting and tracking the risks that affect different parts of the organization. However, this is not the same as addressing the risk scenarios, as it does not indicate how the risks are treated or resolved. Performing real-time monitoring of threats is a way of detecting and responding to any changes or events that may increase the likelihood or impact of the risks. However, this is not the same as addressing theriskscenarios, as it does not measure the effectiveness or efficiency of the risk response actions. Performing regular risk control self- assessments is a way of evaluating and testing the design and operation of the controls that are implemented to mitigate the risks. However, this is not the same as addressing the risk scenarios, as it does not cover the other aspects of the risk response, such as risk avoidance, transfer, or acceptance. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.7, Page 59.



Which of the following should be the PRIMARY consideration when implementing controls for monitoring user activity logs?

  1. Ensuring availability of resources for log analysis
  2. Implementing log analysis tools to automate controls
  3. Ensuring the control is proportional to the risk
  4. Building correlations between logs collected from different sources

Answer(s): C

Explanation:

The primary consideration when implementing controls for monitoring user activity logs is ensuring that the control is proportional to the risk, because this helps to optimize the balance between the benefits and costs of the control, and to avoid over- or under-controlling the risk. User activity logs are records of the actions or events performed by users on IT systems, networks, or resources, such as accessing, modifying, or transferring data or files. Monitoring user activity logs can help to detect and prevent potential threats, such as unauthorized access, data leakage, or malicious activity, and to support the investigation and remediation of incidents. However, monitoring user activity logs also involves certain costs and challenges, such as collecting, storing, analyzing, and reporting large amounts of log data, ensuring the accuracy, completeness, and timeliness of the log data, protecting the privacy and security of the log data, and complying with the relevant laws and regulations.

Therefore, when implementing controls for monitoring user activity logs, the organization should consider the level and impact of the risk that the control is intended to address, and the value and effectiveness of the control in reducing the risk exposure and impact. The organization should also consider the costs and feasibility of implementing and maintaining the control, and the potential negative consequences or side effects of the control, such as performance degradation, user dissatisfaction, or legal liability. By ensuring that the control is proportional to the risk, the organization can achieve the optimal level of risk management, and avoid wasting resources or creating new risks. References = Risk IT Framework, ISACA, 2022, p. 151



A risk practitioner recently discovered that sensitive data from the production environment is required for testing purposes in non-production environments.
Which of the following i the BEST recommendation to address this situation?

  1. Enable data encryption in the test environment
  2. Implement equivalent security in the test environment.
  3. Prevent the use of production data for test purposes
  4. Mask data before being transferred to the test environment.

Answer(s): D

Explanation:

Masking data before being transferred to the test environment is the best recommendation to address the situation where sensitive data from the production environment is required for testing purposes in non-production environments. Data masking is a technique that replaces sensitive data elements with realistic but fictitious data, preserving the format, structure, and meaning of the original data. Data masking ensures that the test data is sufficiently anonymized and de-identified, while still maintaining its functionality and validity for testing purposes. Data masking also reduces the risk of data leakage, exposure, or breach in the test environment, which may have lower security controls than the production environment. The other options are not the best recommendations, as they do not adequately protect the sensitive data or meet the testingrequirements. Enabling data encryption in the test environment may protect the data from unauthorized access, but it does not prevent the data from being decrypted by authorized users who may misuse or mishandle it. Implementing equivalent security in the test environment may be costly, complex, or impractical, and it may not be feasible to replicate the same level of security controls as in the production environment. Preventing the use of production data for test purposes may not be possible or desirable, as production data may be required to ensure the accuracy, reliability, and quality of the testing results. References = P = NP: Cloud dataprotection in vulnerable non-

production environments ...; Data masking secures sensitive data in non-production environments ...; CRISC EXAM TOPIC 2 LONG Flashcards | Quizlet



Which of the following would BEST help to ensure that identified risk is efficiently managed?

  1. Reviewing the maturity of the control environment
  2. Regularly monitoring the project plan
  3. Maintaining a key risk indicator for eachasset in the risk register
  4. Periodically reviewing controls per the risk treatment plan

Answer(s): D

Explanation:

According to the CRISC Review Manual (Digital Version), periodically reviewing controls per the risk treatment plan would best help to ensure that identified risk is efficiently managed, as it involves verifying the effectiveness and efficiency of the implemented risk response actions and identifying any gaps or changes in the risk profile. Periodically reviewing controls per the risk treatment plan helps to:
Confirm that the controls are operating as intended and producing the desired outcomes Detect any deviations, errors, or weaknesses in the controls and their performance Evaluate the adequacy and appropriateness of the controls in relation to the current risk environment and the organization's risk appetite and risk tolerance Recommend and implement corrective actions or improvement measures to address any issues or deficiencies in the controls
Update the risk register and the risk treatment plan to reflect the current risk status and the residual risk levels
References = CRISC Review Manual (Digital Version), Chapter 4: IT Risk Monitoring and Reporting, Section 4.1: IT Risk Monitoring, pp. 215-2161



A PRIMARY function of the risk register is to provide supporting information for the development of an organization's risk:

  1. strategy.
  2. profile.
  3. process.
  4. map.

Answer(s): B

Explanation:

A primary function of the risk register is to provide supporting information for the development of an organization's risk profile, which is a comprehensive and structured representation of therisks that the organization faces. The risk profile helps the organization to understand its risk exposure, appetite, and tolerance, and to align its risk management strategy with its business objectives and context. The risk register is a document that records and tracks the identified risks, their causes, impacts, likelihood, responses, owners, and status. The risk register is anessential input for creating and updating the risk profile, as it provides the data and analysis of the risks that need to be prioritized and addressed. The other options are not the primary function of the risk register, although they may be related to it. The risk strategy is the plan and approach for managing the risks, and it is based on the risk profile. The risk process is the set of activities and tasks for identifying, assessing, responding, and monitoring the risks, and it is facilitated by the risk register. The risk map is a graphical tool for displaying the risks based on their impact and likelihood, and it is derived from the risk register. References = Risk Register: A Project Manager's Guide with Examples [2023] · Asana; Purpose of a risk register: Here's what a risk register is used for; Risk Register: Definition, Importance, and Elements! - Bit Blog; What is a Risk Register? A Complete Guide | Capterra; Risk Registers: What Are They, When Should You Use Them, and Why?



Which of The following BEST represents the desired risk posture for an organization?

  1. Inherent risk is lower than risk tolerance.
  2. Operational risk is higher than risk tolerance.
  3. Accepted risk is higher thanrisk tolerance.
  4. Residual risk is lower than risk tolerance.

Answer(s): D

Explanation:

The best representation of the desired risk posture for an organization is when the residual risk is lower than the risk tolerance. Residual risk is the remaining risk after the implementation of risk responses or controls. Risk tolerance is the acceptable level of risk that the organization is willing to take or bear. Thedesired risk posture is when the organization has reduced the residual risk to a level that is equal to or lower than the risk tolerance, which means that the organization has achieved its risk objectives and is comfortable with the remaining risk exposure. The other options are not the best representation of the desired risk posture, as they indicate that the organization has not effectively managed its risk. Inherent risk is lower than risk tolerance means that the organization has not identified or assessed its risk properly, as inherent risk is the risk before any controls or responses are applied. Operational risk is higher than risk tolerance means that the organization has not implemented or monitored its risk responses or controls adequately, as operational risk is the risk of loss resulting from inadequate or failed internal processes,people, and systems. Accepted risk is higher than risk tolerance means that the organization has not aligned its risk appetite and risk tolerance, as accepted risk is the risk that the organization chooses to retain or take without any further action. References = Risk and Information Systems Control Study Manual, Chapter 2, Section 2.3.1, page 2-23.



Viewing page 14 of 238
Viewing questions 105 - 112 out of 1895 questions



Post your Comments and Discuss ISACA CRISC exam prep with other Community members:

CRISC Exam Discussions & Posts