Free ISACA CRISC Exam Questions (page: 20)

Which of the following methods is the BEST way to measure the effectiveness of automated information security controls prior to going live?

  1. Testing in a non-production environment
  2. Performing a security control review
  3. Reviewing the security audit report
  4. Conducting a risk assessment

Answer(s): A

Explanation:

Automated information security controls are controls that are implemented or executed by software or hardware, without human intervention, to protect the confidentiality, integrity, and availability of information and systems [1]. Examples of automated information security controls include firewalls, antivirus software, encryption, authentication, and logging [2]. The effectiveness of automated information security controls refers to how well they achieve their intended objectives and outcomes, such as preventing, detecting, or responding to security threats or incidents [3]. The best way to measure the effectiveness of automated information security controls prior to going live is to test them in a non-production environment, which is an environment that simulates the production environment but does not contain real or sensitive data or systems [4]. Testing in a non-production environment allows the organization to verify the proper and consistent configuration, functionality, and performance of the automated information security controls without affecting normal operations or risking exposure of the data or systems [5]. Testing in a non-production environment also enables the organization to identify and resolve any issues or gaps in the automated information security controls, and to evaluate their compatibility and interoperability with other systems or controls [6]. Performing a security control review, reviewing the security audit report, and conducting a risk assessment are not the best ways to measure the effectiveness of automated information security controls prior to going live, as they do not provide direct and timely information on the configuration, functionality, and performance of those controls. Performing a security control review is a process that involves checking and verifying that the organization's security controls are up to date, relevant, and effective [7].
A security control review can help to identify and address any issues or gaps in the security controls, but it does not show the actual behavior and results of the automated information security controls in a realistic environment. Reviewing the security audit report is a process that involves reading and analyzing the findings and recommendations of an independent examination and evaluation of the organization's security controls [8]. A security audit report can help to provide assurance and advice on the adequacy and effectiveness of the security controls, but it does not show the current and dynamic status and performance of the automated information security controls in a changing environment. Conducting a risk assessment is a process that involves identifying, analyzing, and evaluating the risks and their potential impacts on the organization's objectives and performance. A risk assessment can help to anticipate and prepare for the risks that may affect the organization's security, but it does not show the actual impact and outcome of the automated information security controls in a specific scenario.

References =
  1. Automation Support for Security Control Assessments - NIST
  2. Automated Security Control Assessment: When Self-Awareness Matters
  3. Technology Control Automation: Improving Efficiency, Reducing ... - ISACA
  4. What is a Non-Production Environment? | Definition and FAQs
  5. Why You Need a Non-Production Environment - Plutora
  6. Testing Automated Security Controls - SANS Institute
  7. A brief guide to assessing risks and controls | ACCA Global
  8. IT Risk Resources | ISACA
  Risk and Information Systems Control Study Manual, Chapter 2: IT Risk Assessment, Section 2.1: Risk Identification, pp. 57-59.



Which of the following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system?

  1. Perform a post-implementation review.
  2. Conduct user acceptance testing.
  3. Review the key performance indicators (KPIs).
  4. Interview process owners.

Answer(s): A

Explanation:

Performing a post-implementation review is the best way to confirm whether appropriate automated controls are in place within a recently implemented system, as it helps to evaluate the effectiveness and efficiency of the system and its controls after they have been deployed and operationalized. A post-implementation review is a process of assessing and validating the system and its controls against the predefined criteria and objectives, such as functionality, performance, security, compliance, and user satisfaction. A post-implementation review can help to confirm whether appropriate automated controls are in place within a recently implemented system by providing the following benefits:

  1. It verifies that the system and its controls meet the design specifications and standards, and comply with the relevant laws, regulations, and contractual obligations.
  2. It identifies and measures the actual or potential benefits and value of the system and its controls, such as improved efficiency, reliability, or quality.
  3. It detects and analyzes any issues, gaps, or weaknesses in the system and its controls, such as errors, inconsistencies, or vulnerabilities.
  4. It provides recommendations and action plans to address the identified issues, gaps, or weaknesses, and to improve or enhance the system and its controls.
  5. It communicates and reports the results and findings of the review to the relevant stakeholders, and solicits their feedback and suggestions.

The other options are not the best ways to confirm whether appropriate automated controls are in place within a recently implemented system. Conducting user acceptance testing is an important step to ensure that the system and its controls meet the user requirements and expectations, but it is usually performed before the system is implemented and operationalized, and it may not cover all aspects of the system and its controls. Reviewing the key performance indicators (KPIs) is a useful method to measure and monitor the performance of the system and its controls, but it may not provide a comprehensive or objective evaluation of the system and its controls. Interviewing process owners is a possible technique to collect and analyze information on the system and its controls, but it may not provide sufficient or reliable evidence to confirm the appropriateness of the system and its controls.

References = Post-Implementation Review: The Key to a Successful Project; IT Risk Resources | ISACA; Post Implementation Review (PIR) - Project Management Knowledge



An organization learns of a new ransomware attack affecting organizations worldwide.
Which of the following should be done FIRST to reduce the likelihood of infection from the attack?

  1. Identify systems that are vulnerable to being exploited by the attack.
  2. Confirm with the antivirus solution vendor whether the next update will detect the attack.
  3. Verify the data backup process and confirm which backups are the most recent ones available.
  4. Obtain approval for funding to purchase a cyber insurance plan.

Answer(s): A

Explanation:

The first step to reduce the likelihood of infection from the attack is to identify systems that are vulnerable to being exploited by the attack. This would help the organization to assess the scope and severity of the risk, and to prioritize the systems that need immediate protection.

Identifying systems that are vulnerable to being exploited by the attack would also help the organization to apply the appropriate patches, updates, or configurations to prevent or mitigate the attack, and to isolate or disconnect the systems that are already infected or compromised. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.2, page 60123



A business impact analysis (BIA) has documented the duration of maximum allowable outage for each of an organization's applications.
Which of the following MUST be aligned with the maximum allowable outage?

  1. Mean time to restore (MTTR)
  2. Recovery time objective (RTO)
  3. Recovery point objective (RPO)
  4. Mean time to detect (MTTD)

Answer(s): B

Explanation:

The recovery time objective (RTO) is the planned recovery time for a process or system, which should occur before reaching the business process's maximum tolerable downtime (MTD) or maximum allowable outage (MAO). The RTO must be aligned with the MAO to ensure that the continuity of the business process is not compromised by a prolonged outage. The RTO is determined by the business impact analysis (BIA) based on the criticality and urgency of the business process and its dependencies. The RTO also helps to select and implement appropriate recovery methods and procedures for the process or system. References = Risk and Information Systems Control Study Manual, Chapter 6: IT Risk Monitoring and Reporting, Section 6.2: IT Risk Reporting, Page 307; What is the difference between RPO, RTO, and MTD? - Tandem Blog.



When assessing the maturity level of an organization's risk management framework, which of the following should be of GREATEST concern to a risk practitioner?

  1. Reliance on qualitative analysis methods
  2. Lack of a governance, risk, and compliance (GRC) tool
  3. Lack of senior management involvement
  4. Use of multiple risk registers

Answer(s): C

Explanation:

Senior management involvement is foundational to an effective risk management framework. Lack of engagement signals inadequate oversight, strategic alignment, and resource commitment, impairing the program's success. This is supported by CRISC's focus on governance and leadership alignment to ensure enterprise risk management objectives are met.



Which of the following BEST enables a risk practitioner to identify the consequences of losing critical resources due to a disaster?

  1. Risk management action plans
  2. Business impact analysis (BIA)
  3. What-if technique
  4. Tabletop exercise results

Answer(s): B

Explanation:

Business Impact Analysis (BIA):
  Purpose: A BIA is a systematic process to evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident, or emergency.
  Identification of Consequences: It identifies critical resources and the consequences of their loss, allowing an organization to determine the operational and financial impacts of such losses.

Steps Involved in BIA:
  1. Identify Critical Functions: Determine which business functions and processes are essential to the organization's operations.
  2. Assess Impact: Evaluate the impact of losing these functions on the organization's ability to operate.
  3. Estimate Downtime Tolerance: Determine the maximum allowable downtime for critical functions before significant harm occurs.
  4. Identify Dependencies: Document dependencies between systems, processes, and resources to understand how disruptions to one part affect the whole.

Comparison with Other Options:
  Risk Management Action Plans: These are detailed plans developed to address identified risks but do not specifically focus on the impact of losing critical resources.
  What-if Technique: This is a brainstorming technique used to explore potential risks and their impacts but is not as structured as a BIA.
  Tabletop Exercise Results: These exercises simulate disaster scenarios to test response plans but do not provide the comprehensive impact analysis that a BIA does.

Best Practices:
  Regular Updates: Regularly update the BIA to reflect changes in the business environment and operational dependencies.
  Integration with DR/BC Plans: Ensure that findings from the BIA are integrated into disaster recovery (DR) and business continuity (BC) plans to enhance overall preparedness.


Reference:
  CRISC Review Manual: Discusses the importance of BIA in identifying the impacts of losing critical resources and guiding the development of effective risk management strategies.
  ISACA Standards: Highlight the role of BIA in evaluating the consequences of resource loss and informing business continuity planning.



Which of the following provides the BEST assurance of the effectiveness of vendor security controls?

  1. Review vendor control self-assessments (CSA).
  2. Review vendor service level agreement (SLA) metrics.
  3. Require independent control assessments.
  4. Obtain vendor references from existing customers.

Answer(s): C

Explanation:

The best way to provide assurance of the effectiveness of vendor security controls is to require independent control assessments. Independent control assessments are evaluations of the vendor's security controls by a third-party auditor or assessor, such as an external auditor, a certification body, or a testing laboratory. Independent control assessments provide an objective and unbiased opinion on the adequacy and performance of the vendor's security controls, as well as their compliance with relevant standards and regulations. Independent control assessments can also provide evidence and assurance to the customers of the vendor's security posture and capabilities. Reviewing vendor control self-assessments (CSA), vendor service level agreement (SLA) metrics, or vendor references from existing customers is not as reliable or credible as independent control assessments, because they may be biased, incomplete, or outdated.



A failure in an organization's IT system build process has resulted in several computers on the network missing the corporate endpoint detection and response (EDR) software.
Which of the following should be the risk practitioner's IMMEDIATE concern?

  1. Multiple corporate build images exist.
  2. The process documentation was not updated.
  3. The IT build process was not followed.
  4. Threats are not being detected.

Answer(s): D



Viewing page 20 of 238
Viewing questions 153 - 160 out of 1895 questions