Free ISACA CRISC Exam Questions (page: 21)

Which of the following is the BEST method for assessing control effectiveness against technical vulnerabilities that could be exploited to compromise an information system?

  A. Vulnerability scanning
  B. Systems log correlation analysis
  C. Penetration testing
  D. Monitoring of intrusion detection system (IDS) alerts

Answer(s): C

Explanation:

Penetration testing is the best method for assessing control effectiveness against technical vulnerabilities that could be exploited to compromise an information system, as it simulates a real-world attack scenario and evaluates the security posture of the system. Penetration testing is a type of security testing that involves performing authorized and ethical hacking activities on a system to identify and exploit its vulnerabilities and weaknesses. Penetration testing can help to measure and improve the effectiveness and efficiency of the controls implemented to protect the system from unauthorized access, modification, or damage. The other options are not the best methods for assessing control effectiveness against technical vulnerabilities that could be exploited to compromise an information system. Vulnerability scanning is an automated process that uncovers potential vulnerabilities in systems and software, but it does not provide information on the impact and severity of a vulnerability or on how it could be exploited using different exploitation techniques. Systems log correlation analysis is a process of examining and analyzing the records of system activities and events, but it does not directly test the controls or simulate attack scenarios. Monitoring of intrusion detection system (IDS) alerts is a process of tracking and auditing the system or network for any signs of malicious or anomalous activities, but it does not evaluate control performance or identify the root causes of the vulnerabilities. References = Vulnerability Assessment Principles | Tenable®; A Complete Guide on Vulnerability Assessment Methodology; Karen Scarfone, Scarfone Cybersecurity - NIST Computer Security Resource ...



An organization has four different projects competing for funding to reduce overall IT risk.
Which project should management defer?

  A. Project Charlie
  B. Project Bravo
  C. Project Alpha
  D. Project Delta

Answer(s): D

Explanation:

Project Delta should be deferred by management, as it has the lowest return on investment (ROI) among the four competing projects. ROI is a measure of the profitability or efficiency of a project, calculated by dividing the net benefits by the total costs. Project Delta has a net benefit of $100,000 and a total cost of $200,000, resulting in an ROI of 0.5. The other projects have higher ROIs: Project Alpha has an ROI of 1.0, Project Bravo has an ROI of 0.8, and Project Charlie has an ROI of 0.6. Therefore, Project Delta is the least attractive option for reducing overall IT risk, and management should prioritize the other projects instead. References = How to Manage Project Risk: A 5-Step Guide; Matching the right projects with the right resources; Risk Types in Project Management



An organization has established workflows in its service desk to support employee reports of security-related concerns.
Which of the following is the MOST efficient approach to analyze these concerns?

  A. Map concerns to organizational assets.
  B. Sort concerns by likelihood.
  C. Align concerns to key vendors.
  D. Prioritize concerns based on frequency of reports.

Answer(s): D

Explanation:

Prioritizing concerns based on frequency of reports is the most efficient approach to analyze the security-related concerns reported by employees, because it helps to identify and focus on the most common or recurring issues that may pose the highest risk or impact to the organization. A security-related concern is a potential or actual problem or threat that may affect the confidentiality, integrity, or availability of the organization's IT systems or data. A service desk is a function that provides a single point of contact for users to report and resolve their IT-related issues or requests. A workflow is a sequence of steps or tasks that are performed to achieve a specific goal or outcome. A workflow for supporting employee reports of security-related concerns may include capturing, categorizing, prioritizing, assigning, and resolving the concerns. Prioritizing concerns based on frequency of reports is the most efficient approach, as it helps to optimize the use of resources and time, and to reduce the likelihood and severity of security incidents or breaches. Mapping concerns to organizational assets, sorting concerns by likelihood, and aligning concerns to key vendors are all possible approaches to analyze the security-related concerns, but they are not the most efficient approach, as they may require more data collection, analysis, or coordination, and may not reflect the urgency or importance of the concerns. References = Risk and Information Systems Control Study Manual, Chapter 5, Section 5.3.2, page 200



The BEST indication that risk management is effective is when risk has been reduced to meet:

  A. risk levels.
  B. risk budgets.
  C. risk appetite.
  D. risk capacity.

Answer(s): C

Explanation:

The best indication that risk management is effective is when risk has been reduced to meet the risk appetite of the enterprise. Risk appetite is the amount and type of risk that an enterprise is willing to accept in pursuit of its objectives. Risk appetite reflects the enterprise's risk culture, strategy, and values, and provides a basis for setting risk tolerance levels and risk response strategies. Risk management is effective when it enables the enterprise to align its risk exposure with its risk appetite, and to optimize the risk-return trade-off. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 1, Section 1.2.1, page 181



Which of the following is a KEY outcome of risk ownership?

  A. Risk responsibilities are addressed.
  B. Risk-related information is communicated.
  C. Risk-oriented tasks are defined.
  D. Business process risk is analyzed.

Answer(s): A

Explanation:

A key outcome of risk ownership is that risk responsibilities are addressed, as this means that the risk owner has the authority and accountability to manage the risk, and that the roles and expectations of the other stakeholders are clearly defined and agreed upon. Risk ownership is the process of assigning a person or entity the responsibility to manage a particular risk. Risk ownership helps to ensure that the risk is properly identified, assessed, and treated, and that the risk status and performance are monitored and reported. The other options are not key outcomes of risk ownership, although they may be related or beneficial aspects of it. "Risk-related information is communicated" is an outcome of risk reporting, which is a part of risk monitoring and control. "Risk-oriented tasks are defined" is an outcome of risk response planning, which is a part of risk treatment. "Business process risk is analyzed" is an outcome of risk assessment, which is a part of risk identification and analysis. References = Risk and Information Systems Control Study Manual, Chapter 2: IT Risk Identification, page 47.



Which of the following is the BEST evidence that risk management is driving business decisions in an organization?

  A. Compliance breaches are addressed in a timely manner.
  B. Risk ownership is identified and assigned.
  C. Risk treatment options receive adequate funding.
  D. Residual risk is within risk tolerance.

Answer(s): C

Explanation:

Risk treatment options are the actions or plans that are implemented to modify or reduce the risk exposure of the organization. Risk treatment options receive adequate funding when the organization allocates sufficient resources and budget to support the risk response actions, and to ensure that the risk controls are effective and efficient. This is the best evidence that risk management is driving business decisions in the organization, as it shows that the organization prioritizes and values the risk management process, and that it aligns its risk strategy and objectives with its business goals and value creation. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, Question 245; CRISC: Certified in Risk & Information Systems Control Sample Questions, Question 245; CRISC Sample Questions 2024, Question 245.



During a risk assessment, a risk practitioner learns that an IT risk factor is adequately mitigated by compensating controls in an associated business process.
Which of the following would enable the MOST effective management of the residual risk?

  A. Schedule periodic reviews of the compensating controls' effectiveness.
  B. Report the use of compensating controls to senior management.
  C. Recommend additional IT controls to further reduce residual risk.
  D. Request that ownership of the compensating controls is reassigned to IT.

Answer(s): A

Explanation:

A compensating control is a control that is implemented to reduce the risk exposure when the primary control is not feasible or cost-effective. A compensating control may not directly address the root cause of the risk, but it can provide an alternative or supplementary way of mitigating the risk. A residual risk is the risk that remains after the risk response has been implemented. A residual risk can be accepted, monitored, or further reduced depending on the risk tolerance and appetite of the organization. During a risk assessment, the risk practitioner is the person responsible for identifying and analyzing the potential sources and consequences of risk events.
When a risk practitioner learns that an IT risk factor is adequately mitigated by compensating controls in an associated business process, the action that would enable the most effective management of the residual risk is to schedule periodic reviews of the compensating controls' effectiveness, which means measuring and evaluating the performance and compliance of the compensating controls on a regular basis. By scheduling periodic reviews of the compensating controls' effectiveness, the risk practitioner can ensure that the compensating controls are still operating as intended, and that they are delivering the expected results. The risk practitioner can also identify any gaps or weaknesses in the compensating controls, and recommend any improvements or adjustments as needed. References = CRISC Review Manual, 7th Edition, page 177.



Which of the following BEST facilitates the development of relevant risk scenarios?

  A. Perform quantitative risk analysis of historical data.
  B. Adopt an industry-recognized risk framework.
  C. Use qualitative risk assessment methodologies.
  D. Conduct brainstorming sessions with key stakeholders.

Answer(s): D

Explanation:

Brainstorming sessions with key stakeholders are the best way to facilitate the development of relevant risk scenarios, as they can generate diverse and creative ideas, perspectives, and insights about the potential risks and their impact on the organization's objectives and operations. Brainstorming sessions can also foster collaboration, communication, and engagement among the stakeholders, and help to identify and prioritize the most significant and realistic risk scenarios. Brainstorming sessions can be guided by an industry-recognized risk framework, such as ISACA's Risk IT, and supported by qualitative or quantitative risk assessment methodologies, but they are not sufficient by themselves to develop relevant risk scenarios.


References = ISACA, How to Write Strong Risk Scenarios and Statements; ISACA, Risk Scenario Development and Analysis


