Cisco®
CompTIA
Checkpoint
ISC
EC-Council
EXIN
Fortinet
ITIL®
Juniper
Microsoft
VMware
Avaya
SAP
Google
Salesforce
Amazon
Palo Alto Networks
ISC2
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CRISC

Free ISACA CRISC Exam Questions (page: 2)

Page 2 of 238
PDF with 1895 Questions

An organization plans to implement a new Software as a Service (SaaS) speech-to-text solution Which of the following is MOST important to mitigate risk associated with data privacy?

  1. Secure encryption protocols are utilized.
  2. Multi-factor authentication is set up for users.
  3. The solution architecture is approved by IT.
  4. A risk transfer clause is included in the contact

Answer(s): B

Explanation:

Utilizing secure encryption protocols is the most important factor to mitigate risk associated with data privacy when implementing a new Software as a Service (SaaS) speech-to-text solution, as it ensures that the data is protected from unauthorized access, interception, or modification during the transmission and storage in the cloud. Setting up multi-factor authentication for users, approving the solution architecture by IT, and including a risk transfer clause in the contract are not the most important factors, as they may not address the data privacy issue, but rather the data access, quality, or liability issue, respectively. References = CRISC Review Manual, 7th Edition, page 153.



The PRIMARY reason for periodically monitoring key risk indicators (KRIs) is to:

  1. rectify errors in results of KRIs.
  2. detect changes in the risk profile.
  3. reduce costs of risk mitigation controls.
  4. continually improve risk assessments.

Answer(s): B

Explanation:

The primary reason for periodically monitoring key risk indicators (KRIs) is to detect changes in the risk profile of the enterprise. KRIs are metrics that provide information on the level of exposure to a specific risk or a group of risks. By monitoring KRIs, the enterprise can identifyany deviations from the expected risk level, and take appropriate actions to adjust the risk response or the risk appetite. Monitoring KRIs also helps to validate the effectiveness of risk mitigation controls and the accuracy of risk assessments. Rectifying errors in results of KRIs, reducing costs of risk mitigation controls, and continually improving risk assessments are possible benefits of monitoring KRIs, but they are not the primary reason. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.1.1.2, page 175.



While reviewing an organization's monthly change management metrics, a risk practitioner notes that the number of emergency changes has increased substantially Which of the following would be the BEST approach for the risk practitioner to take?

  1. Temporarily suspend emergency changes.
  2. Document the control deficiency in the risk register.
  3. Conduct a root cause analysis.
  4. Continue monitoring change management metrics.

Answer(s): C

Explanation:

According to the CRISC Review Manual, a root cause analysis is a technique that identifies the underlying causes of an event or a problem. It helps to determine the most effective actions to prevent or mitigate the recurrence of the event or problem. A root cause analysis is the best approach for the risk practitioner to take in this scenario, because it will help to understand why the number of emergency changes has increased substantially and what can be done to address the issue. The other options are not the best approaches, because they do not address the underlying causes of the problem. Temporarily suspending emergency changes may disrupt the business operations and create more risks. Documenting the control deficiency in the risk register is a passive action that does not resolve the problem. Continuing monitoring change management metrics is an ongoing activity that does not provide any insight into the problem.

References = CRISC Review Manual, 7th Edition, Chapter 3, Section 3.2.4, page 130.



Which of the following is the MOST important consideration for prioritizing risk treatment plans when faced with budget limitations?

  1. Inherent risk and likelihood
  2. Management action plans associated with audit findings
  3. Residual risk relative to appetite and tolerance
  4. Key risk indicator (KRI) trends

Answer(s): C

Explanation:

When prioritizing risk treatment plans under budget constraints, the focus should be onresidual risk relative to appetite and tolerance. This ensures that resources are allocated to risks that exceed the organization's risk appetite, aligning treatment efforts with strategic objectives and minimizing critical exposure.



Which of the following is the MOST important reason to link an effective key control indicator (KCI) to relevant key risk indicators (KRIs)?

  1. To monitor changes in the risk environment
  2. To provide input to management for the adjustment of risk appetite
  3. To monitor the accuracy of threshold levels in metrics
  4. To obtain business buy-in for investment in risk mitigation measures

Answer(s): A

Explanation:

Key control indicators (KCIs) are metrics that measure how well a specific control is performing in reducing the causes, consequences, or likelihood of a risk1. Key risk indicators (KRIs) are metrics that measure changes in the risk exposure or the potential impact of a risk2. By linkingan effective KCI to relevant KRIs, the organization can monitor changes in the risk environment and assess how the control is influencing the risk level3. This can help the organization to:
Identify emerging or escalating risks and take timely and appropriate actions Evaluate the effectiveness and efficiency of the control and make improvements if needed

Align the control with the risk appetite and tolerance of the organization Communicate the risk and control status to stakeholders and regulators References = Risk and Information Systems Control Study Manual, Chapter 6: Risk Response and Mitigation4



The BEST criteria when selecting a risk response is the:

  1. capability to implement the response
  2. importance of IT risk within the enterprise
  3. effectiveness of risk response options
  4. alignment ofresponse to industry standards

Answer(s): C

Explanation:

The effectiveness of risk response options is the best criteria when selecting a risk response, because it reflects the degree to which the response can reduce the impact or likelihood of the risk, or enhance the benefit or opportunity of the risk. The effectiveness of risk response options can be evaluated by considering factors such as cost, feasibility, timeliness, and alignment with the organization's objectives and risk appetite. The other options are not as good as the effectiveness of risk response options, because they do not measure the outcome or value of the response, but rather focus on the input or process of the response, as explained below:
A . Capability to implement the response is a criteria that considers the availability and adequacy of the resources, skills, and knowledge required to execute the response.
While this is an important factor to consider, it does not indicate how well the response can address the risk or achieve the desired result.
B . Importance of IT risk within the enterprise is a criteria that considers the significance and priority of the risk in relation to the organization's strategy, objectives, and operations.

Whilethis is an important factor to consider, itdoes not indicate how well the response can address the risk or achieve the desired result.
D . Alignment of response to industry standards is a criteria that considers the compliance and conformity of the response with the best practices, norms, and expectations of the industry or sector.
While this is an important factor to consider, it does not indicate how well the response can address the risk or achieve the desired result. References = Risk and Information Systems Control Study Manual, Chapter 2, Section 2.2.2, page 40. How to Select Your Risk Responses -Rebel's Guide to Project Management, Risk Response Plan in Project Management: Key Strategies & Tips, Risk Responses - options for managing risk - Stakeholdermap.com



During a risk treatment plan review, a risk practitioner finds the approved risk action plan has not been completed However, there were other risk mitigation actions implemented.
Which of the fallowing is the BEST course of action?

  1. Review the cost-benefit of mitigating controls
  2. Mark the risk status as unresolved within the risk register
  3. Verify the sufficiency of mitigating controls with the risk owner
  4. Update the risk register with implemented mitigating actions

Answer(s): C

Explanation:

The best course of action for a risk practitioner who finds that the approved risk action plan has not been completed but other risk mitigation actions have been implemented is to verify the sufficiency of mitigating controls with the risk owner. This is because the risk owner is the person who is accountable for the risk and the risk response strategy, and therefore should be consulted to ensure that the alternative actions are adequate and effective in reducing the risk to an acceptable level. The other options are not the best course of action, although they may also be performed after verifying the sufficiency of mitigating controls with the risk owner. Reviewing the cost-benefit of mitigating controls, marking the risk status as unresolved within the risk register, and updating the risk register with implemented mitigating actions are secondary actions that depend on the outcome of the verification process. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.3.2, p. 193.



Which of the following is the BEST risk management approach for the strategic IT planning process?

  1. Key performance indicators (KPIs) are established to track IT strategicinitiatives.
  2. The IT strategic plan is reviewed by the chief information security officer (CISO) and enterprise risk management (ERM).
  3. The IT strategic plan is developed from the organization-wide risk management plan.
  4. Risk scenarios associated with IT strategic initiatives are identified and assessed.

Answer(s): D

Explanation:

Identifying and assessing the risk scenarios associated with IT strategic initiatives is the best risk management approach for the strategic IT planning process, because it helps to understand and evaluate the potential or actual threats or opportunities that may affect the achievement or implementation of the IT strategic initiatives, and to determine the appropriate risk responses and controls. A risk scenario is a hypothetical situation or event that describes the source, cause, consequence, and impact of a risk. A risk scenario can be positive or negative, depending on whether it represents an opportunity or a threat. An IT strategic initiative is a project or program that supports or enables the IT strategy, which is a plan that defines how IT supports and aligns with the organization's vision, mission, and strategy. The strategic IT planning process is a process of developing, implementing, and monitoring the IT strategy and its associated IT strategic initiatives. Identifying and assessing the risk scenarios is the best risk management approach, as it helps to anticipate and prepare for the potential or actual outcomes of the IT strategic initiatives, and to optimize the risk- reward balance and the value delivery of IT. Establishing key performance indicators (KPIs) to track IT strategic initiatives, reviewing the IT strategic plan by the chief information security officer (CISO) and enterprise risk management (ERM), and developing the IT strategic plan from the organization-wide risk management plan are all possible risk management approaches for the strategic IT planning process, but they are not the best approach, as they do not directly address the identification and assessment of the risk scenarios associated with IT strategic initiatives. References = Risk and Information Systems Control Study Manual, Chapter 2, Section 2.1.1, page 37



Viewing page 2 of 238
Viewing questions 9 - 16 out of 1895 questions



Post your Comments and Discuss ISACA CRISC exam prep with other Community members:

CRISC Exam Discussions & Posts