Free ISACA CRISC Exam Questions (page: 15)

Which of the following is MOST important information to review when developing plans for using emerging technologies?

  A. Existing IT environment
  B. IT strategic plan
  C. Risk register
  D. Organizational strategic plan

Answer(s): D

Explanation:

The most important information to review when developing plans for using emerging technologies is the organizational strategic plan. It defines the vision, mission, goals and objectives of the organization and outlines the strategies, actions and resources needed to achieve them, so it provides the direction, alignment and guidance for any use of emerging technologies and ensures that they support organizational needs and priorities. The other options are subordinate to it: the existing IT environment describes the current state, the IT strategic plan covers one functional area, and the risk register lists potential issues; none of them establishes the overall purpose and value of adopting the technology. References = Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.2: IT Risk Identification Methods, page 19.



An organization has experienced several incidents of extended network outages that have exceeded tolerance.
Which of the following should be the risk practitioner's FIRST step to address this situation?

  A. Recommend additional controls to address the risk.
  B. Update the risk tolerance level to acceptable thresholds.
  C. Update the incident-related risk trend in the risk register.
  D. Recommend a root cause analysis of the incidents.

Answer(s): D

Explanation:

The first step for the risk practitioner to address the situation of extended network outages that have exceeded tolerance is to recommend a root cause analysis of the incidents. A root cause analysis is a process of identifying and resolving the underlying causes of a problem or an event. By performing a root cause analysis, the risk practitioner can determine why the network outages occurred, what factors contributed to them, and how they can be prevented or reduced in the future. Recommending additional controls, updating the risk tolerance level, and updating the incident-related risk trend are possible steps that may follow the root cause analysis, but they are not the first step. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 4; CRISC Review Manual, 6th Edition, page 153.



Which of the following is a risk practitioner's BEST course of action if a risk assessment identifies a risk that is extremely unlikely but would have a severe impact should it occur?

  A. Rate the risk as high priority based on the severe impact.
  B. Obtain management's consent to accept the risk.
  C. Ignore the risk due to the extremely low likelihood.
  D. Address the risk by analyzing treatment options.

Answer(s): D



A risk practitioner has been asked to evaluate a new cloud-based service to enhance an organization's access management capabilities.
When is the BEST time for the risk practitioner to provide opinions on control strength?

  A. After the initial design
  B. Before production rollout
  C. After a few weeks in use
  D. Before end-user testing

Answer(s): A

Explanation:

Providing opinions on control strength after the initial design is the best time for the risk practitioner, because the design stage is when control requirements can still be changed cheaply and when the practitioner's feedback can shape how the controls are built rather than merely comment on what has already been built. A cloud-based service is delivered over the internet, with the provider owning and managing the infrastructure, platforms or applications and the customer paying only for the resources or functions used; an access management capability lets the organization control and monitor access to its systems and networks (authentication, authorization, auditing). Controls are the policies, procedures or mechanisms that reduce or eliminate the risks to the security, reliability, performance or compliance of the service. Reviewing the design specifications and requirements lets the practitioner assess the adequacy and suitability of the proposed controls and recommend changes before implementation effort is spent. Before production rollout, before end-user testing and after a few weeks in use are all legitimate review points, but each is later in the life cycle, when redesigning a control is more costly and disruptive. Design-stage review does not replace later verification: the practitioner should still confirm before rollout that the controls were implemented as designed. References = Risk and Information Systems Control Study Manual, Chapter 5, Section 5.2.1, page 183



A risk practitioner is defining metrics for security threats that were not identified by antivirus software.
Which type of metric is being developed?

  A. Key control indicator (KCI)
  B. Key risk indicator (KRI)
  C. Operational level agreement (OLA)
  D. Service level agreement (SLA)

Answer(s): B

Explanation:

A key risk indicator (KRI) is a metric that signals the level of a particular risk and whether it is moving toward or beyond the organization's tolerance. Threats that were not identified by antivirus software measure the organization's remaining exposure to malware, so a metric tracking them is a KRI [1][2]. OLAs and SLAs are service-level commitments rather than risk measures, and a KCI measures how well a control itself is performing, whereas this metric tracks the risk exposure that remains.
References:
1. Standardized Scoring for Security and Risk Metrics, ISACA
2. Key Performance Indicators for Security Governance, Part 1, ISACA
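As an added illustration that is not part of the original question set, the Python script below shows how such a KRI could be operationalized: malware incidents confirmed by a second source (incident tickets or EDR) are compared with the antivirus product's own detection log, the monthly miss rate is computed, and the indicator is flagged when it crosses a threshold or rises for three consecutive months. The incident records, the 30% threshold and the matching key (month, host, threat family) are constructed assumptions, not data from the page.

```python
from collections import defaultdict

# Constructed sample data (assumed, not from the page or any real environment).
# Ground truth: malware incidents confirmed by incident response / EDR.
CONFIRMED_INCIDENTS = [
    # (month, host, threat family)
    ("2024-01", "ws-101", "Emotet"),
    ("2024-01", "ws-117", "AgentTesla"),
    ("2024-01", "srv-db1", "Mimikatz"),
    ("2024-01", "ws-140", "Qakbot"),
    ("2024-02", "ws-102", "Emotet"),
    ("2024-02", "ws-119", "AgentTesla"),
    ("2024-02", "srv-web2", "Webshell"),
    ("2024-02", "ws-144", "Qakbot"),
    ("2024-03", "ws-103", "Emotet"),
    ("2024-03", "ws-121", "AgentTesla"),
    ("2024-03", "srv-web3", "Webshell"),
    ("2024-03", "ws-150", "Mimikatz"),
]

# What the antivirus product itself logged for the same period (constructed).
AV_DETECTIONS = [
    ("2024-01", "ws-101", "Emotet"),
    ("2024-01", "ws-117", "AgentTesla"),
    ("2024-01", "srv-db1", "Mimikatz"),
    ("2024-02", "ws-102", "Emotet"),
    ("2024-02", "ws-119", "AgentTesla"),
    ("2024-03", "ws-103", "Emotet"),
]

# Assumed KRI threshold: escalate when more than 30% of confirmed incidents
# in a month were not caught by antivirus.
MISS_RATE_THRESHOLD = 0.30


def av_missed_kri(confirmed, av_detections, threshold=MISS_RATE_THRESHOLD):
    """Compute the KRI per month.

    A confirmed incident counts as 'missed' when no AV detection exists for the
    same (month, host, family). A real implementation would match on host and a
    time window around the incident rather than on an exact family name.
    """
    seen_by_av = set(av_detections)
    per_month = defaultdict(lambda: {"confirmed": 0, "missed": 0, "missed_hosts": []})
    for month, host, family in confirmed:
        row = per_month[month]
        row["confirmed"] += 1
        if (month, host, family) not in seen_by_av:
            row["missed"] += 1
            row["missed_hosts"].append(host)

    kri = {}
    for month in sorted(per_month):
        row = per_month[month]
        rate = row["missed"] / row["confirmed"]  # confirmed > 0 by construction
        row["miss_rate"] = round(rate, 3)
        row["status"] = "RED" if rate > threshold else "GREEN"
        kri[month] = row
    return kri


def rising_trend(kri, periods=3):
    """True when the miss rate rose strictly over the last `periods` months.

    A rising trend is worth escalating even while each month is still below
    the threshold; that forward-looking signal is what makes this a KRI rather
    than a pass/fail check.
    """
    rates = [kri[m]["miss_rate"] for m in sorted(kri)][-periods:]
    return len(rates) == periods and all(a < b for a, b in zip(rates, rates[1:]))


if __name__ == "__main__":
    kri = av_missed_kri(CONFIRMED_INCIDENTS, AV_DETECTIONS)
    for month, row in kri.items():
        print(month, row["status"], f"{row['missed']}/{row['confirmed']} missed",
              "hosts:", ", ".join(row["missed_hosts"]) or "-")
    if rising_trend(kri):
        print("KRI rising for 3 consecutive months: escalate to the risk owner")
```

With the constructed data the miss rate goes 25%, 50%, 75%: January is within threshold, February and March breach it, and the three-month rise triggers the trend escalation as well. The important design point is the second data source; antivirus cannot report what it did not see, so the KRI needs incident-response or EDR records as ground truth.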



Which of the following will BEST help to ensure new IT policies address the enterprise's requirements?

  A. Involve IT leadership in the policy development process
  B. Require business users to sign acknowledgment of the policies
  C. Involve business owners in the policy development process
  D. Provide policy owners with greater enforcement authority

Answer(s): C

Explanation:

To ensure that new IT policies address the enterprise's requirements, it is important to involve the business owners who are the primary stakeholders of the IT services and processes. Business owners can provide valuable input on the business objectives, risks, and expectations that the IT policies should align with and support. By involving business owners in the policy development process, the IT policies will be more relevant, realistic, and acceptable to the business units. References = Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.3: IT Risk Scenarios, page 23.



Which of the following can be concluded by analyzing the latest vulnerability report for the IT infrastructure?

  A. Likelihood of a threat
  B. Impact of technology risk
  C. Impact of operational risk
  D. Control weakness

Answer(s): D

Explanation:

A vulnerability report for the IT infrastructure identifies and evaluates the weaknesses or gaps in the IT systems, networks or devices that could be exploited by threats or lead to incidents. By analyzing the latest report, one can conclude the existence and extent of control weaknesses in the IT infrastructure, because an unremediated vulnerability is a deficiency or failure of the controls that were supposed to prevent, detect or correct it. The other options cannot be concluded from the report alone: the likelihood of a threat and the impact of technology or operational risk depend on the threat and the business context as well as on the vulnerability, and the report says nothing about either. References = CRISC: Certified in Risk & Information Systems Control Sample Questions
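As an added example that is not part of the original page, the Python below takes a constructed vulnerability-scanner export and draws the kind of conclusion the answer describes: each finding is aged against an assumed remediation SLA for its severity, and findings past SLA are attributed to the control that should have prevented or corrected them (patch management, configuration baseline, lifecycle management). The CSV rows, the SLA values, the category-to-control mapping and the reporting date are all assumptions made for the example.

```python
import csv
import io
from datetime import date

# Assumed remediation SLA in days per severity (an organization's own policy
# value; the numbers here are assumptions, not from the page).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed mapping from finding category to the control that should have
# prevented or corrected it.
CONTROL_FOR_CATEGORY = {
    "patch": "patch management",
    "config": "secure configuration baseline",
    "eol": "technology lifecycle management",
}

# Constructed scanner export (hosts and findings are made up for the example).
SCAN_CSV = """host,finding,severity,category,first_seen
srv-web1,Missing vendor security updates for web server,high,patch,2024-01-05
srv-web1,Weak TLS cipher suites enabled,medium,config,2023-10-20
srv-db1,Missing OS security updates,critical,patch,2024-02-20
srv-db1,Database listener uses default account,high,config,2024-02-25
ws-101,Missing browser security updates,high,patch,2024-02-15
ws-102,Operating system past end of vendor support,high,eol,2023-09-01
srv-app3,Missing OS security updates,critical,patch,2024-03-01
"""

# Date on which the report is being read (assumed).
AS_OF = date(2024, 3, 5)


def load_findings(csv_text):
    """Parse the export; first_seen becomes a date so findings can be aged."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["first_seen"] = date.fromisoformat(row["first_seen"])
        row["severity"] = row["severity"].lower()
        findings.append(row)
    return findings


def sla_breaches(findings, as_of=AS_OF):
    """Return findings whose age exceeds the SLA for their severity.

    A finding still inside its SLA window is not yet evidence of a control
    weakness: the remediation control may simply not have acted yet.
    """
    breaches = []
    for f in findings:
        age = (as_of - f["first_seen"]).days
        limit = SLA_DAYS[f["severity"]]
        if age > limit:
            breaches.append({**f, "age_days": age, "days_over_sla": age - limit})
    return breaches


def control_weaknesses(findings, as_of=AS_OF):
    """Attribute each SLA-breached finding to the control that failed.

    The result is the conclusion the vulnerability report supports: which
    controls are weak, on how many hosts, and how far behind they are.
    """
    summary = {}
    for b in sla_breaches(findings, as_of):
        control = CONTROL_FOR_CATEGORY[b["category"]]
        entry = summary.setdefault(
            control, {"findings": 0, "hosts": set(), "worst_days_over": 0}
        )
        entry["findings"] += 1
        entry["hosts"].add(b["host"])
        entry["worst_days_over"] = max(entry["worst_days_over"], b["days_over_sla"])
    return summary


if __name__ == "__main__":
    findings = load_findings(SCAN_CSV)
    for control, e in control_weaknesses(findings).items():
        print(f"{control}: {e['findings']} finding(s) past SLA on "
              f"{len(e['hosts'])} host(s), worst {e['worst_days_over']} days over")
```

On the constructed data, three of the seven findings are still inside their SLA and are deliberately not counted; the four that are past SLA point to patch management on two servers, the configuration baseline on one, and lifecycle management on one workstation that is months overdue. The script reports only control weakness; likelihood and impact would need threat intelligence and asset criticality that a scanner export does not contain.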



During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT.
Which of the following is the BEST way for the risk practitioner to address these concerns?

  A. Describe IT risk scenarios in terms of business risk.
  B. Recommend the formation of an executive risk council to oversee IT risk.
  C. Provide an estimate of IT system downtime if IT risk materializes.
  D. Educate business executives on IT risk concepts.

Answer(s): A

Explanation:

IT risk scenarios are hypothetical situations or occurrences that illustrate the potential impact of IT-related threats or opportunities on the organization's objectives, performance, or value creation [1][2]. Business risk scenarios are hypothetical situations or occurrences that illustrate the potential impact of business-related threats or opportunities on the organization's objectives, performance, or value creation [3][4].

The best way for the risk practitioner to address the concerns of business executives who question why they have been assigned ownership of IT-related risk scenarios is to describe the IT risk scenarios in terms of business risk: translating and communicating them in the language and context of business risk scenarios and highlighting the linkages and dependencies between the two [5][6]. This helps the executives understand and appreciate the relevance and importance of the IT risk scenarios and how they affect the achievement of the organization's goals and the delivery of value to stakeholders [5][6]. It also helps them accept and fulfill their roles and responsibilities as owners of the IT risk scenarios and collaborate with the IT team and other stakeholders in the risk management process [5][6].

The other options are not the best ways, but rather possible alternatives or supplements that may support the description of IT risk scenarios in terms of business risk:

Recommending the formation of an executive risk council to oversee IT risk establishes and empowers a group of senior leaders from different business units and functions to provide strategic direction, guidance, and oversight for the IT risk management process [7][8]. It is not the best way because it does not directly address the executives' concern about why they own IT risk scenarios, and it may not be feasible or effective without a clear and common understanding of IT risk scenarios among the council members [7][8].

Providing an estimate of IT system downtime if IT risk materializes quantifies and communicates the potential loss or disruption of the IT systems or services that support the organization's operations [9][10]. It is not the best way because it does not fully capture or convey the impact of IT risk scenarios on the organization's objectives, performance, or value creation, and it may not be relevant or meaningful for IT risk scenarios that are not related to system downtime [9][10].

Educating business executives on IT risk concepts delivers knowledge and skills on the principles, frameworks, and techniques of IT risk management and on the roles and responsibilities of IT risk owners and stakeholders [11][12]. It is not the best way because it does not specifically address the executives' concern about ownership, and it may not be sufficient or effective without a practical and contextual application of IT risk concepts to the organization's situation and goals [11][12].

References =
1. IT Scenario Analysis in Enterprise Risk Management, ISACA
2. New Toolkit and Course From ISACA Help Practitioners Develop Risk Scenarios, ISACA
3. Business Risk, Investopedia
4. Business Risk: Definition, Types, Examples & How to Manage
5. Risk IT Framework, ISACA, 2009
6. IT Risk Management Framework, University of Toronto, 2017
7. Executive Risk Council, ISACA
8. Executive Risk Council: A Guide to Success
9. IT System Downtime, ISACA
10. IT System Downtime: Causes, Costs, and How to Prevent It
11. IT Risk Education, ISACA
12. IT Risk Education: A Guide to Success



Viewing page 15 of 238
Viewing questions 113 - 120 out of 1895 questions


