Free ISACA CRISC Exam Questions (page: 16)

Which of the following key risk indicators (KRIs) is MOST effective for monitoring risk related to a bring your own device (BYOD) program?

  A. Number of users who have signed a BYOD acceptable use policy
  B. Number of incidents originating from BYOD devices
  C. Budget allocated to the BYOD program security controls
  D. Number of devices enrolled in the BYOD program

Answer(s): B

Explanation:

The most effective key risk indicator (KRI) for monitoring risk related to a bring your own device (BYOD) program is the number of incidents originating from BYOD devices, as it directly measures the impact and frequency of the potential threats and vulnerabilities associated with the use of personal devices for accessing company data and systems. A BYOD program can pose various risks to an organization, such as data loss or breach, malware infection, unauthorized access, compliance violation, or device theft or loss. The number of incidents originating from BYOD devices can help to identify and quantify these risks, and to trigger appropriate risk response actions when the incidents exceed the acceptable thresholds. The other options are not the most effective KRIs, as they do not directly measure the risk level or impact of the BYOD program. The number of users who have signed a BYOD acceptable use policy may indicate the awareness and compliance of the users, but not the actual risk exposure or mitigation. The budget allocated to the BYOD program security controls may indicate the investment and efficiency of the risk management, but not the effectiveness or necessity. The number of devices enrolled in the BYOD program may indicate the scope and scale of the risk, but not the severity or likelihood. References = Key Risk Indicators: A Practical Guide; KRI Framework for Operational Risk Management



Which of the following is the MOST significant indicator of the need to perform a penetration test?

  A. An increase in the number of high-risk audit findings
  B. An increase in the number of security incidents
  C. An increase in the percentage of turnover in IT personnel
  D. An increase in the number of infrastructure changes

Answer(s): B

Explanation:

An increase in the number of security incidents is the most significant indicator of the need to perform a penetration test, because it suggests that the organization's IT systems or networks are vulnerable to attacks and may not have adequate security controls in place. A penetration test is a simulated attack on an IT system or network to identify and exploit its weaknesses and evaluate its security posture. A penetration test can help to discover and remediate the vulnerabilities that may have caused or contributed to the security incidents, and to prevent or reduce the likelihood and impact of future incidents. An increase in the number of high-risk audit findings, an increase in the percentage of turnover in IT personnel, and an increase in the number of infrastructure changes are all possible indicators of the need to perform a penetration test, but they are not the most significant indicator, as they do not directly reflect the actual or potential occurrence of security incidents. References = Risk and Information Systems Control Study Manual, Chapter 5, Section 5.3.2, page 200



It is MOST important that security controls for a new system be documented in:

  A. Testing requirements
  B. The implementation plan
  C. System requirements
  D. The security policy

Answer(s): C

Explanation:

It is most important that security controls for a new system be documented in the system requirements. The system requirements define the functional and non-functional specifications of the system, including the security controls that are needed to protect the system and its data. Documenting the security controls in the system requirements can help ensure that they are designed, developed, tested, and implemented as part of the system development life cycle. Testing requirements, the implementation plan, and the security policy are other documents that may include security controls, but they are not as important as the system requirements. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 5; CRISC Review Manual, 6th Edition, page 212.



A company has located its computer center on a moderate earthquake fault.
Which of the following is the MOST important consideration when establishing a contingency plan and an alternate processing site?

  A. The contingency plan provides for backup media to be taken to the alternative site.
  B. The contingency plan for high priority applications does not involve a shared cold site.
  C. The alternative site is a hot site with equipment ready to resume processing immediately.
  D. The alternative site does not reside on the same fault no matter how far the distance apart.

Answer(s): D

Explanation:

The most important consideration when establishing a contingency plan and an alternate processing site for a company that has located its computer center on a moderate earthquake fault is that the alternative site does not reside on the same fault no matter how far the distance apart, as it ensures that the alternative site is not affected by the same earthquake event that may disrupt the primary site, and that the business continuity and recovery objectives can be met. The other options are not the most important considerations, as they are more related to the backup, priority, or readiness of the alternative site, respectively, rather than the location of the alternative site. References = CRISC Review Manual, 7th Edition, page 111.



What is the PRIMARY reason an organization should include background checks on roles with elevated access to production as part of its hiring process?

  A. Reduce internal threats
  B. Reduce exposure to vulnerabilities
  C. Eliminate risk associated with personnel
  D. Ensure new hires have the required skills

Answer(s): A

Explanation:

The primary reason an organization should include background checks on roles with elevated access to production as part of its hiring process is to reduce internal threats. Internal threats are the risks that originate from within the organization, such as employees, contractors, or partners. Roles with elevated access to production have the privilege and ability to access, modify, or delete sensitive or critical data and systems. If these roles are assigned to individuals who have malicious intent, criminal records, or conflicts of interest, they may pose a significant threat to the organization's security, integrity, and availability. By conducting background checks, the organization can verify the identity, credentials, and history of the candidates, and prevent or minimize the possibility of hiring untrustworthy or unsuitable individuals. The other options are not as important as reducing internal threats, as they are related to the outcomes, impacts, or requirements of the roles with elevated access to production, not the reasons for conducting background checks. References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Response, Section 3.3: IT Risk Response Implementation, page 145.



Which of the following will BEST communicate the importance of risk mitigation initiatives to senior management?

  A. Business case
  B. Balanced scorecard
  C. Industry standards
  D. Heat map

Answer(s): A

Explanation:

A business case will BEST communicate the importance of risk mitigation initiatives to senior management, because it provides a clear and concise justification of the objectives, benefits, costs, and risks of the proposed initiatives. A business case helps to align the risk mitigation initiatives with the enterprise's strategy and goals, and to obtain the necessary approval and support from senior management. The other options are not as effective as a business case, because:
Option B: A balanced scorecard is a tool to measure and monitor the performance of the enterprise across four perspectives: financial, customer, internal process, and learning and growth. It does not communicate the importance of risk mitigation initiatives, but rather the outcomes and impacts of them.
Option C: Industry standards are benchmarks or best practices that define the minimum requirements or expectations for a certain domain or activity. They do not communicate the importance of risk mitigation initiatives, but rather the compliance or alignment of them with the external environment.
Option D: A heat map is a tool to visualize and prioritize the risks based on their likelihood and impact. It does not communicate the importance of risk mitigation initiatives, but rather the severity and distribution of the risks. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 118.



Which of the following is MOST important when developing risk scenarios?

  A. Reviewing business impact analysis (BIA)
  B. Collaborating with IT audit
  C. Conducting vulnerability assessments
  D. Obtaining input from key stakeholders

Answer(s): D

Explanation:

The most important factor when developing risk scenarios is obtaining input from key stakeholders. A risk scenario is a description of a possible event or situation that could affect the enterprise's objectives, processes, or resources. Obtaining input from key stakeholders, such as business owners, process owners, subject matter experts, or external parties, helps to ensure that the risk scenarios are realistic, relevant, and comprehensive. It also helps to identify the sources, drivers, indicators, likelihood, impact, and responses of the risk scenarios, and to align them with the enterprise's risk appetite and tolerance. Obtaining input from key stakeholders also fosters a collaborative and participatory approach to risk management, and enhances the risk awareness and ownership among the stakeholders. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.3, page 621



After migrating a key financial system to a new provider, it was discovered that a developer could gain access to the production environment.
Which of the following is the BEST way to mitigate the risk in this situation?

  A. Escalate the issue to the service provider.
  B. Re-certify the application access controls.
  C. Remove the developer's access.
  D. Review the results of pre-migration testing.

Answer(s): C

Explanation:

After migrating a key financial system to a new provider, it was discovered that a developer could gain access to the production environment. This indicates that there is a risk of unauthorized access, use, disclosure, modification, or destruction of sensitive data, such as financial records, transactions, reports, etc.
A control that could mitigate this risk is to remove the developer's access to the production environment. This means that the developer would not be able to alter the source code or configuration of the financial system without proper authorization or approval. The other options are not the best ways to mitigate the risk in this situation. They are either irrelevant or less effective than removing the developer's access.
The references for this answer are:
Risk IT Framework, page 14
Information Technology & Security, page 8
Risk Scenarios Starter Pack, page 6


