Free ISACA CRISC Exam Questions (page: 22)

Which of the following offers the SIMPLEST overview of changes in an organization's risk profile?

  1. A risk roadmap
  2. A balanced scorecard
  3. A heat map
  4. The risk register

Answer(s): C

Explanation:

A heat map is a graphical representation of the organization's risk profile that shows the relative level of risk for each risk category or event, typically by plotting likelihood against impact. A heat map uses colors, shapes, or symbols to indicate the magnitude and likelihood of each risk, as well as its trend and status. A heat map offers the simplest overview of changes in the organization's risk profile, as it allows the risk decision-makers to quickly identify the most significant risks, the areas of improvement or deterioration, and the gaps or overlaps in risk management. A heat map can also be used to communicate the risk profile to senior management and other stakeholders in a clear and concise manner. References = Risk and Information Systems Control Study Manual, Chapter 2: IT Risk Assessment, Section 2.3: IT Risk Assessment Methods and Techniques, Page 77; Future Risks: How organizations see changes in risk management - Aon.



Which of the following key performance indicators (KPIs) would BEST measure the risk of a service outage when using a Software as a Service (SaaS) vendor?

  1. Frequency of business continuity plan (BCP) testing
  2. Frequency and number of new software releases
  3. Frequency and duration of unplanned downtime
  4. Number of IT support staff available after business hours

Answer(s): C

Explanation:

Software as a Service (SaaS) is a cloud computing model that provides software applications over the internet, without requiring the users to install or maintain them on their own devices. SaaS vendors are responsible for hosting, managing, and updating the software applications, and for providing technical support and security to the users. The key performance indicator (KPI) that would best measure the risk of a service outage when using a SaaS vendor is the frequency and duration of unplanned downtime, which is the number and length of periods during which the software applications are unavailable or inaccessible due to unexpected events, such as network failures, server crashes, power outages, or cyberattacks. The frequency and duration of unplanned downtime indicate the reliability and availability of the SaaS vendor, and the potential impact of a service outage on the users' business operations and productivity. The other options measure preparedness (BCP testing), change activity (release frequency), or support capacity (after-hours staff), none of which directly reflects how often and for how long the service is actually down.
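The following added example (not part of the original question set or of any vendor's tooling) shows how a customer would turn its own log of vendor outages into this KPI: count and total duration of unplanned incidents, mean time to restore, and the resulting availability compared with an SLA target. The incident records, the quarter used as the reporting window, and the 99.9% target are constructed assumptions; it also assumes, as most SaaS SLAs do, that announced maintenance windows are excluded from both the downtime and the available-time figures, which should be checked against the vendor's actual SLA wording.

```python
from datetime import datetime

# Constructed sample: one quarter of outage records for a hypothetical SaaS
# vendor, as the customer would log them from status-page notices and its own
# synthetic monitoring. Times are UTC and every value is made up.
WINDOW_START = datetime(2024, 1, 1)
WINDOW_END = datetime(2024, 4, 1)  # exclusive; Q1 2024 is 91 days

INCIDENTS = [
    # (start, end, planned)
    (datetime(2024, 1, 14, 2, 0), datetime(2024, 1, 14, 4, 0), True),    # maintenance
    (datetime(2024, 1, 22, 9, 15), datetime(2024, 1, 22, 9, 45), False),  # 30 min outage
    (datetime(2024, 2, 3, 13, 0), datetime(2024, 2, 3, 16, 30), False),   # 210 min outage
    (datetime(2024, 2, 18, 1, 0), datetime(2024, 2, 18, 3, 0), True),     # maintenance
    (datetime(2024, 3, 9, 11, 5), datetime(2024, 3, 9, 11, 20), False),   # 15 min outage
]


def _minutes(periods):
    """Total length of a list of (start, end) periods in minutes."""
    return sum((end - start).total_seconds() for start, end in periods) / 60


def downtime_kpis(incidents, window_start, window_end, sla_target=0.999):
    """Frequency and duration of unplanned downtime, MTTR, and availability vs. SLA.

    Assumes each incident starts and ends inside the window and that planned
    maintenance is excluded from 'available time' (an assumption about SLA terms).
    """
    in_window = [(s, e, p) for s, e, p in incidents if window_start <= s < window_end]
    unplanned = [(s, e) for s, e, p in in_window if not p]
    planned = [(s, e) for s, e, p in in_window if p]

    unplanned_min = _minutes(unplanned)
    scheduled_min = (window_end - window_start).total_seconds() / 60 - _minutes(planned)
    availability = 1 - unplanned_min / scheduled_min
    count = len(unplanned)

    return {
        "unplanned_incidents": count,            # frequency
        "unplanned_minutes": unplanned_min,      # duration
        "mttr_minutes": unplanned_min / count if count else 0.0,
        "availability": availability,
        "sla_target": sla_target,
        "sla_breached": availability < sla_target,
        # unplanned minutes the SLA target permits in this window
        "error_budget_minutes": (1 - sla_target) * scheduled_min,
    }


if __name__ == "__main__":
    for key, value in downtime_kpis(INCIDENTS, WINDOW_START, WINDOW_END).items():
        print(f"{key:22s} {value}")
```

With these constructed figures the vendor had three unplanned outages totalling 255 minutes against an error budget of about 131 minutes, so the 99.9% target was missed even though each individual outage was short. That is the point of tracking both frequency and duration: a vendor can breach an availability commitment through many small interruptions as easily as through one long one.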



Which of the following BEST reduces the likelihood of fraudulent activity that occurs through use of a digital wallet?

  1. Require multi-factor authentication (MFA) to access the digital wallet.
  2. Use a digital key to encrypt the contents of the wallet.
  3. Enable audit logging on the digital wallet's device.
  4. Require public key infrastructure (PKI) to authorize transactions.

Answer(s): A

Explanation:

Requiring MFA increases the security of digital wallets by adding an additional layer of authentication, making it harder for unauthorized users to gain access even if a password or device is compromised. This aligns with access control standards and significantly reduces the likelihood of fraud. Encryption, audit logging, and PKI-based transaction authorization are valuable controls, but they protect confidentiality, support detection after the fact, or authorize transactions once access has already been obtained; they do not by themselves stop an attacker who has the wallet owner's credentials from using the wallet.



Which of the following is the BEST approach to mitigate the risk associated with a control deficiency?

  1. Perform a business case analysis
  2. Implement compensating controls.
  3. Conduct a control self-assessment (CSA)
  4. Build a provision for risk

Answer(s): B

Explanation:

The best approach to mitigate the risk associated with a control deficiency is to implement compensating controls. A control deficiency is a situation where a control is missing, ineffective, or inefficient, and cannot provide reasonable assurance that the objectives or requirements are met. A compensating control is a control that provides an alternative or additional measure of protection when the primary or preferred control is not feasible or effective. A compensating control can help to reduce the likelihood and/or impact of the risk associated with the control deficiency, and maintain the compliance or performance level. The other options are not as effective as implementing compensating controls, as they are related to the analysis, assessment, or provision of the risk, not the mitigation of the risk. References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Response, Section 3.3: IT Risk Response Implementation, page 145.



Who is accountable for risk treatment?

  1. Enterprise risk management team
  2. Risk mitigation manager
  3. Business process owner
  4. Risk owner

Answer(s): D

Explanation:

Risk treatment is the process of selecting and implementing the appropriate risk response strategy and actions to address the identified risks. Risk treatment can involve different strategies, such as avoiding, reducing, transferring, or accepting the risk. The risk owner is the person or group who has the authority and accountability to manage the risk and its response. The risk owner is accountable for risk treatment, as they are responsible for deciding, approving, and executing the risk treatment plan, and for monitoring and reporting the results and outcomes of the risk treatment. The other options are not accountable for risk treatment, as they have different roles or responsibilities in the risk management process:
The enterprise risk management team is the group of risk managers and practitioners who support the enterprise-wide risk management program, and provide guidance and direction to the risk owners and stakeholders. The enterprise risk management team may advise or assist the risk owner in risk treatment, but they are not accountable for it. The risk mitigation manager is the person who designs, implements, and monitors the risk mitigation actions or measures that reduce the likelihood or impact of the risk to an acceptable level, such as controls, policies, or procedures. The risk mitigation manager may advise or assist the risk owner in risk treatment, but they are not accountable for it.
The business process owner is the stakeholder who is responsible for the business process that is supported by an IT system or application. The business process owner may be affected by or contribute to the risk, and may be involved in the risk treatment, but they are not accountable for risk treatment unless they are also the risk owner. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 3, Section 3.1.1.1, pp. 95-96.



Which of the following is MOST useful input when developing risk scenarios?

  1. Common attacks in other industries.
  2. Identification of risk events.
  3. Impact on critical assets.
  4. Probability of disruptive risk events.

Answer(s): B

Explanation:

Identifying specific risk events provides the foundational input for creating relevant and actionable risk scenarios. These scenarios form the basis for assessing potential impacts and determining effective controls. Attacks seen in other industries, impact on critical assets, and probability of disruptive events all feed into a scenario, but each of them presupposes that the risk event itself has already been identified. This is a key step in the risk identification and assessment process.



The MOST essential content to include in an IT risk awareness program is how to:

  1. populate risk register entries and build a risk profile for management reporting.
  2. prioritize IT-related actions by considering risk appetite and risk tolerance.
  3. define the IT risk framework for the organization.
  4. comply with the organization's IT risk and information security policies.

Answer(s): D

Explanation:

The most essential content to include in an IT risk awareness program is how to comply with the organization's IT risk and information security policies. This will help to ensure that the staff members are aware of their roles and responsibilities, and that they follow the best practices and standards to protect the organization's information assets and systems. Compliance with the IT risk and information security policies also helps to reduce the likelihood and impact of IT-related incidents and breaches, and to align the IT activities with the organization's objectives and strategies. Populating risk register entries, prioritizing IT-related actions, and defining the IT risk framework are important aspects of IT risk management, but they are tasks for risk practitioners and management, not the most essential content for a general awareness program. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 5, Section 5.1.1.2, page 229; ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide, Answer to Question 646.



Which of the following is the MOST important reason to restrict access to the risk register on a need-to-know basis?

  1. It contains vulnerabilities and threats.
  2. The risk methodology is intellectual property.
  3. Contents may be used as auditable findings.
  4. Risk scenarios may be misinterpreted.

Answer(s): A

Explanation:

Restricting access to the risk register on a need-to-know basis is important because it contains vulnerabilities and threats that could expose the organization to potential harm or loss if they are disclosed or exploited by unauthorized parties. The risk register is a tool that captures and documents the risk identification, analysis, evaluation, and treatment processes. It contains sensitive information such as the sources and causes of risk, the potential impacts and consequences of risk, the likelihood and frequency of risk occurrence, and the risk response actions and plans, which together amount to a map of the organization's known weaknesses and of which ones are not yet mitigated. If this information is accessed by unauthorized parties, such as competitors, hackers, or malicious insiders, they could use it to launch attacks, sabotage operations, or gain an unfair advantage over the organization. Therefore, access to the risk register should be limited to those who have a legitimate need and authorization to view, modify, or use the information, such as the risk owners, managers, or practitioners.


