Free ISACA CRISC Exam Questions (page: 18)

Warning banners on login screens for laptops provided by an organization to its employees are an example of which type of control?

  1. Corrective
  2. Preventive
  3. Detective
  4. Deterrent

Answer(s): D

Explanation:

Warning banners on login screens serve as deterrent controls. Deterrent controls are designed to discourage individuals from attempting unauthorized actions by warning them of potential consequences.
Purpose of Warning Banners
Warning banners provide clear notice to users, both authorized and unauthorized, that their activities may be monitored and that unauthorized access is prohibited. They serve as a legal disclaimer, which can be crucial in prosecuting unauthorized access attempts.
Effectiveness as a Deterrent Control
The primary function of a warning banner is to deter potential intruders by making them aware of the surveillance and legal implications of unauthorized access. For authorized users, it reinforces awareness of the organization's security policies and acceptable use agreements.

Comparison with Other Control Types
A. Corrective: These controls are used to correct or restore systems after an incident.
B. Preventive: These controls are designed to prevent security incidents from occurring.
C. Detective: These controls are used to detect and alert about security incidents.
D. Deterrent: These controls are intended to discourage individuals from performing unauthorized activities.
References
Sybex-CISSP-Official-Study-Guide-9-Edition.pdf, p. 829, detailing the role of warning banners as deterrent controls.



Which of the following would be considered a vulnerability?

  1. Delayed removal of employee access
  2. Authorized administrative access to HR files
  3. Corruption of files due to malware
  4. Server downtime due to a denial of service (DoS) attack

Answer(s): A

Explanation:

According to the CRISC Review Manual (Digital Version), a vulnerability is a flaw or weakness in an asset's design, implementation, or operation and management that could be exploited by a threat. A delayed removal of employee access is a vulnerability, as it allows former employees to retain access to the organization's IT assets and processes, which could lead to unauthorized disclosure, modification, or destruction of data or resources. A delayed removal of employee access could be caused by poor personnel management, lack of security awareness, or inadequate access control policies and procedures. References = CRISC Review Manual (Digital Version), Chapter 1: IT Risk Identification, Section 1.5: IT Risk Identification Methods and Techniques, pp. 32-331



An organization recently invested in an identity and access management (IAM) solution to manage user activities across corporate mobile devices.
Which of the following is MOST important to update in the risk register?

  1. Inherent risk
  2. Risk appetite
  3. Risk tolerance
  4. Residual risk

Answer(s): D

Explanation:

Residual risk is the remaining risk after implementing risk responses, such as controls or mitigation strategies. With the deployment of an IAM solution, the organization has addressed certain access-related risks. Updating the risk register to reflect the new residual risk levels ensures accurate tracking and informs future risk management decisions.


Reference:

ISACA CRISC Review Manual, 7th Edition, Chapter 3: Risk Response and Reporting, Section: Risk Response.



When a risk practitioner is building a key risk indicator (KRI) from aggregated data, it is CRITICAL that the data is derived from:

  1. business process owners.
  2. representative data sets.
  3. industry benchmark data.
  4. data automation systems.

Answer(s): B

Explanation:

Building Key Risk Indicators (KRIs):
KRIs are metrics used to provide an early signal of increasing risk exposure in various areas of an organization.
Importance of Representative Data Sets:
To ensure KRIs are accurate and meaningful, it is critical that the data used is representative of the entire population or relevant subset of activities being monitored. Representative data ensures that the KRIs reflect the true state of risk and are not biased or incomplete.
Impact on KRIs:
Using representative data sets improves the reliability and validity of KRIs, enabling better risk detection and management.
It ensures that the KRIs provide a realistic view of potential risk trends and patterns.
Comparing Other Data Sources:
Business Process Owners: While they provide valuable insights, data from them alone may not be representative.
Industry Benchmark Data: Useful for comparisons but not specific to the organization's unique context.
Data Automation Systems: Helpful for efficiency but must ensure the data is representative.


Reference:

The CRISC Review Manual emphasizes the importance of using representative data to build effective KRIs (CRISC Review Manual, Chapter 3: Risk Response and Mitigation, Section 3.11 Data Collection Aggregation Analysis and Validation).



Which of the following is MOST important when identifying an organization's risk exposure associated with Internet of Things (IoT) devices?

  1. Defined remediation plans
  2. Management sign-off on the scope
  3. Manual testing of device vulnerabilities
  4. Visibility into all networked devices

Answer(s): A



Which of the following is the GREATEST benefit of a three lines of defense structure?

  1. An effective risk culture that empowers employees to report risk
  2. Effective segregation of duties to prevent internal fraud
  3. Clear accountability for risk management processes
  4. Improved effectiveness and efficiency of business operations

Answer(s): C

Explanation:

A three lines of defense structure is a model that defines the roles and responsibilities of different functions and levels within an organization for risk management and control. The first line of defense is the operational management, which is responsible for owning and managing the risks. The second line of defense is the risk management and compliance functions, which are responsible for overseeing and supporting the risk management processes. The third line of defense is the internal audit function, which is responsible for providing independent assurance on the effectiveness of the risk management and control systems. The greatest benefit of a three lines of defense structure is that it provides clear accountability for risk management processes, as it clarifies who is responsible for what, and how they interact and communicate with each other. This can help to avoid duplication, confusion, or gaps in the risk management activities, and ensure that the risks are properly identified, assessed, treated, monitored, and reported. References = CRISC Review Manual, 7th Edition, page 107.



The PRIMARY reason a risk practitioner would be interested in an internal audit report is to:

  1. plan awareness programs for business managers.
  2. evaluate maturity of the risk management process.
  3. assist in the development of a risk profile.
  4. maintain a risk register based on noncompliance.

Answer(s): B

Explanation:

According to the CRISC Review Manual (Digital Version), the primary reason a risk practitioner would be interested in an internal audit report is to evaluate the maturity of the risk management process, as it provides an independent and objective assessment of the effectiveness and efficiency of the risk management activities and controls. An internal audit report helps to:
Identify and evaluate the strengths and weaknesses of the risk management process and its alignment with the organization's objectives and strategy
Detect and report any gaps, errors, or deficiencies in the risk identification, assessment, response, and monitoring processes and controls
Recommend and implement corrective actions or improvement measures to address the issues or findings in the risk management process
Communicate and coordinate the audit results and recommendations with the relevant stakeholders, such as the risk owners, the senior management, and the board
Enhance the accountability and transparency of the risk management process and its outcomes
References = CRISC Review Manual (Digital Version), Chapter 4: IT Risk Monitoring and Reporting, Section 4.2: IT Risk Reporting, pp. 223-2241



Which of the following is the result of a realized risk scenario?

  1. Technical event
  2. Threat event
  3. Vulnerability event
  4. Loss event

Answer(s): D

Explanation:

The result of a realized risk scenario is a loss event. A loss event is an occurrence that causes harm or damage to the organization's assets, resources, or reputation. A loss event is also known as an incident or a breach. A loss event is the outcome of a risk scenario, which is a description of a possible situation or event that could affect the organization's objectives or operations. A risk scenario consists of three elements: a threat, a vulnerability, and an impact. A threat is a potential source of harm or damage. A vulnerability is a weakness or flaw that could be exploited by a threat. An impact is the consequence or effect of a threat exploiting a vulnerability. A risk scenario is realized when a threat exploits a vulnerability and causes an impact, which results in a loss event. The other options are not the result of a realized risk scenario, although they may be part of a risk scenario. A technical event, a threat event, and a vulnerability event are all types of events that could occur in a risk scenario, but they are not the final outcome or result of a risk scenario. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.2.1, page 4-13.


