Free ISACA CRISC Exam Questions (page: 17)

Which of the following is the GREATEST impact of implementing a risk mitigation strategy?

  1. Improved alignment with business goals.
  2. Reduction of residual risk.
  3. Increased costs due to control implementation.
  4. Decreased overall risk appetite.

Answer(s): B

Explanation:

The primary goal of risk mitigation is to reduce residual risk to an acceptable level. This aligns with the principles of Risk Treatment, ensuring that the implemented strategies effectively address identified risks without exceeding the organization's risk appetite.



Which of the following MUST be assessed before considering risk treatment options for a scenario with significant impact?

  1. Risk magnitude
  2. Incident probability
  3. Risk appetite
  4. Cost-benefit analysis

Answer(s): A

Explanation:

According to the Risk Assessment and Management: A Complete Guide, risk magnitude is the product of the likelihood and impact of a risk scenario. Risk magnitude is an important factor to consider before choosing risk treatment options, as it indicates the level of exposure and potential harm that the organization faces from the risk scenario. Risk treatment options should be selected based on the risk magnitude, as well as the risk appetite and tolerance of the organization. For a scenario with significant impact, the risk magnitude is likely to be high, and therefore the risk treatment options should aim to reduce the likelihood and/or impact of the risk scenario as much as possible, or to transfer or avoid the risk altogether. References = Risk Assessment and Management: A Complete Guide, ISO 27001 Risk Assessment & Risk Treatment: The Complete Guide



Which of the following elements of a risk register is MOST likely to change as a result of change in management's risk appetite?

  1. Key risk indicator (KRI) thresholds
  2. Inherent risk
  3. Risk likelihood and impact
  4. Risk velocity

Answer(s): A

Explanation:

According to the CRISC Review Manual (Digital Version), key risk indicator (KRI) thresholds are the most likely elements of a risk register to change as a result of change in management's risk appetite, as they reflect the acceptable levels of risk exposure for the organization. KRI thresholds are the values or ranges that trigger an alert or a response when the actual KRI values deviate from the expected or desired values. KRI thresholds help to:

  - Monitor and measure the current risk levels and performance of the IT assets and processes
  - Identify and report any risk issues or incidents that may require attention or action
  - Evaluate the effectiveness and efficiency of the risk response actions and controls
  - Align the risk management activities and decisions with the organization's risk appetite and risk tolerance

If the management's risk appetite changes, the KRI thresholds may need to be adjusted accordingly to ensure that the risk register reflects the current risk preferences and expectations of the organization.

References = CRISC Review Manual (Digital Version), Chapter 4: IT Risk Monitoring and Reporting, Section 4.1: IT Risk Monitoring, pp. 217-218



Which of the following controls will BEST detect unauthorized modification of data by a database administrator?

  1. Reviewing database access rights
  2. Reviewing database activity logs
  3. Comparing data to input records
  4. Reviewing changes to edit checks

Answer(s): B

Explanation:

Unauthorized modification of data by a database administrator is a security risk that involves altering, deleting, or inserting data on a database without proper authorization or approval, by a person who has privileged access to the database, such as a database administrator [1][2]. The best control to detect unauthorized modification of data by a database administrator is to review database activity logs, which are records that capture and store the details and history of the transactions or activities that are performed on the database, such as who, what, when, where, and how [3][4].
Reviewing database activity logs is the best control because it provides evidence and visibility of the database operations, and enables the detection and reporting of any deviations, anomalies, or issues that may indicate unauthorized modification of data by a database administrator [3][4].
Reviewing database activity logs is also the best control because it supports the accountability and auditability of the database operations, and facilitates the investigation and resolution of any unauthorized modification of data by a database administrator [3][4]. The other options are not the best controls, but rather possible measures or techniques that may supplement or enhance the review of database activity logs. For example:
Reviewing database access rights is a measure that involves verifying and validating the permissions and privileges that are granted or revoked to the users or roles who can access or modify the data on the database [5][6]. However, this measure is not the best control because it does not directly detect unauthorized modification of data by a database administrator, especially if the database administrator has legitimate access rights to the data [5][6].
Comparing data to input records is a technique that involves matching and reconciling the data on the database with the original or source data that are entered or imported into the database, and identifying and correcting any discrepancies or errors [7][8]. However, this technique is not the best control because it does not directly detect unauthorized modification of data by a database administrator, especially if the input records are also modified or compromised [7][8].
Reviewing changes to edit checks is a technique that involves examining and evaluating the modifications or updates to the edit checks, which are rules or validations that are applied to the data on the database to ensure their accuracy, completeness, and consistency [9][10]. However, this technique is not the best control because it does not directly detect unauthorized modification of data by a database administrator, especially if the edit checks are bypassed or disabled [9][10]. References =
1: Database Security: Attacks and Solutions | SpringerLink
2: Unauthorised Modification of Data With Intent to Cause Impairment
3: Database Activity Monitoring - Wikipedia
4: Database Activity Monitoring (DAM) | Imperva
5: Database Access Control - Wikipedia
6: Database Access Control: Best Practices for Database Security
7: Data Reconciliation - Wikipedia
8: Data Reconciliation and Gross Error Detection
9: Edit Check - Wikipedia
10: Edit Checks: A Data Quality Tool



Who should have the authority to approve an exception to a control?

  1. Information security manager
  2. Control owner
  3. Risk owner
  4. Risk manager

Answer(s): B

Explanation:

The control owner is the person who has the authority to approve an exception to a control. A control is a policy, procedure, or technical measure that is implemented to prevent or mitigate a risk. A control owner is responsible for the design, implementation, operation, and maintenance of the control, as well as for monitoring and reporting its performance and effectiveness. A control owner is also accountable for the approval of any changes or exceptions to the control, based on the risk assessment and business justification. An information security manager, a risk owner, and a risk manager are not the best choices, as they do not have the same level of authority, responsibility, and knowledge as the control owner in relation to the control. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 35.



The PRIMARY benefit of conducting a risk workshop using a top-down approach instead of a bottom-up approach is the ability to:

  1. identify specific project risk.
  2. obtain a holistic view of IT strategy risk.
  3. understand risk associated with complex processes.
  4. incorporate subject matter expertise.

Answer(s): B

Explanation:

Obtaining a holistic view of IT strategy risk is the primary benefit of conducting a risk workshop using a top-down approach instead of a bottom-up approach, because it helps to identify and assess the risks that may affect the alignment and integration of IT with the organization's objectives and strategy. A risk workshop is a collaborative and interactive method of conducting a risk assessment, where the risk practitioner facilitates a group discussion with the relevant stakeholders to identify, analyze, and evaluate the risks and their controls. A top-down approach is a method of conducting a risk workshop that starts from the high-level or strategic perspective, and then drills down to the lower-level or operational details. A bottom-up approach is a method of conducting a risk workshop that starts from the low-level or operational details, and then aggregates them to the higher-level or strategic perspective. A top-down approach can offer a holistic view of IT strategy risk, as it helps to understand the big picture and the interrelationships of the risks and their impacts across the organization. A bottom-up approach can offer a detailed view of specific project or process risk, as it helps to capture the granular and technical aspects of the risks and their controls. Therefore, obtaining a holistic view of IT strategy risk is the primary benefit of using a top-down approach, as it supports the strategic alignment and integration of IT with the organization. Identifying specific project risk, understanding risk associated with complex processes, and incorporating subject matter expertise are all possible benefits of conducting a risk workshop, but they are not the primary benefit of using a top-down approach, as they are more suitable for a bottom-up approach. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.2.2, page 87



The PRIMARY reason for establishing various threshold levels for a set of key risk indicators (KRIs) is to:

  1. highlight trends of developing risk.
  2. ensure accurate and reliable monitoring.
  3. take appropriate actions in a timely manner.
  4. set different triggers for each stakeholder.

Answer(s): C

Explanation:

The primary reason for establishing various threshold levels for a set of key risk indicators (KRIs) is to take appropriate actions in a timely manner. KRIs are metrics that provide information on the level of exposure to a given risk or the effectiveness of the controls in place. Threshold levels are predefined values that indicate when the risk level is acceptable, tolerable, or unacceptable. By establishing various threshold levels for a set of KRIs, the enterprise can monitor the risk situation and trigger the necessary responses before the risk becomes too severe or costly to mitigate. The other options are not the primary reasons for establishing various threshold levels, although they may be secondary benefits or outcomes of doing so. References = Risk and Information Systems Control Study Manual, Chapter 5: Risk and Control Monitoring and Reporting, page 189.



When defining thresholds for control key performance indicators (KPIs), it is MOST helpful to align:

  1. information risk assessments with enterprise risk assessments.
  2. key risk indicators (KRIs) with risk appetite of the business.
  3. the control key performance indicators (KPIs) with audit findings.
  4. control performance with risk tolerance of business owners.

Answer(s): B

Explanation:

The most helpful factor to align when defining thresholds for control key performance indicators (KPIs) is the control performance with the risk tolerance of business owners. Control KPIs are metrics that measure the effectiveness and efficiency of the controls that are implemented to mitigate the risks. By aligning the control performance with the risk tolerance of business owners, the thresholds for control KPIs can reflect the acceptable level of risk and the desired level of control for the business processes and objectives. Information risk assessments with enterprise risk assessments, key risk indicators (KRIs) with risk appetite of the business, and control KPIs with audit findings are other possible factors to align, but they are not as helpful as control performance with risk tolerance of business owners. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 12; CRISC Review Manual, 6th Edition, page 215.


