Free ISACA CRISC Exam Questions (page: 23)

Which of the following resources is MOST helpful to a risk practitioner when updating the likelihood rating in the risk register?

  A. Risk control assessment
  B. Audit reports with risk ratings
  C. Penetration test results
  D. Business impact analysis (BIA)

Answer(s): C

Explanation:

Penetration test results are the most helpful resource to a risk practitioner when updating the likelihood rating in the risk register. Penetration testing is a method of simulating real-world attacks on an IT system or network to identify and exploit vulnerabilities and measure the potential impact. Penetration test results provide empirical evidence of the existence and severity of vulnerabilities, as well as the ease and probability of exploitation. These results can help the risk practitioner to update the likelihood rating of the risks associated with the vulnerabilities, and to prioritize the risk response actions. Risk control assessment, audit reports with risk ratings, and business impact analysis (BIA) are also useful resources for risk management, but they are not as directly related to the likelihood rating as penetration test results. References = Risk and Information Systems Control Study Manual, Chapter 2, Section 2.3.3, page 2-28.



Which of the following is the PRIMARY reason to use administrative controls in conjunction with technical controls?

  A. To gain stakeholder support for the implementation of controls
  B. To comply with industry best practices by balancing multiple types of controls
  C. To improve the effectiveness of controls that mitigate risk
  D. To address multiple risk scenarios mitigated by technical controls

Answer(s): C

Explanation:

Administrative controls, such as policies, procedures, and training, complement technical controls by addressing the human and organizational aspects of risk management. Using both types of controls together enhances the overall effectiveness of the risk mitigation strategy, ensuring that technical measures are supported by appropriate governance and user behavior.


Reference:

ISACA CRISC Review Manual, 7th Edition, Chapter 4: Information Technology and Security, Section: Control Types and Implementation.



Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?

  A. Risk mitigation budget
  B. Business impact analysis
  C. Cost-benefit analysis
  D. Return on investment

Answer(s): C

Explanation:

A cost-benefit analysis is the best guidance when selecting an appropriate risk treatment plan. A risk treatment plan is a document that describes the actions or measures that are taken or planned to modify the risk, such as reducing, avoiding, transferring, or accepting the risk. Selecting an appropriate risk treatment plan means choosing the most suitable and effective option for addressing the risk, based on the organization's objectives, strategies, and risk criteria. A cost-benefit analysis is a method of comparing the benefits and costs of different alternatives or options, and selecting the one that maximizes the net benefit or value. It is the best guidance when selecting an appropriate risk treatment plan because it helps to:

  - Evaluate the feasibility, effectiveness, and efficiency of the risk treatment options, and compare them against the organization's risk appetite and tolerance
  - Balance the benefits and costs of the risk treatment options, and consider both the quantitative and qualitative aspects of the risk and the risk response
  - Optimize the use of the organization's resources and capabilities, and ensure that the risk treatment options are aligned and integrated with the organization's goals and values
  - Support risk decision making and prioritization, and provide a rational and transparent basis for selecting the best risk treatment option

The other options are not the best guidance when selecting an appropriate risk treatment plan, as they are either less comprehensive or less relevant than a cost-benefit analysis.

A risk mitigation budget is a document that allocates the financial resources for implementing and maintaining the risk mitigation actions or measures. It can help to ensure the availability and adequacy of funds for the risk treatment options, and to monitor and control risk treatment expenditures. However, it is not the best guidance when selecting an appropriate risk treatment plan, as it does not address the benefits or value of the risk treatment options, or their suitability or effectiveness.

A business impact analysis is a method of estimating the potential effects or consequences of a risk on the organization's objectives, operations, or performance. It can help to assess the severity and priority of the risk, and to identify the critical assets and resources that are involved or impacted by the risk. However, it is not the best guidance when selecting an appropriate risk treatment plan, as it does not address the costs or feasibility of the risk treatment options, or the alternatives available for treating the risk.

A return on investment is a metric that measures the profitability or efficiency of an investment, project, or activity by comparing its benefits and costs. It can help to evaluate the performance and effectiveness of the risk treatment options, and to compare them with other investments, projects, or activities. However, it is not the best guidance when selecting an appropriate risk treatment plan, as it does not address the qualitative or intangible aspects of the risk and the risk response, or the risk appetite and tolerance of the organization. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.8, Page 61.



Which of the following is the BEST indicator of the effectiveness of IT risk management processes?

  A. Percentage of business users completing risk training
  B. Percentage of high-risk scenarios for which risk action plans have been developed
  C. Number of key risk indicators (KRIs) defined
  D. Time between when IT risk scenarios are identified and the enterprise's response

Answer(s): D

Explanation:

IT risk management is the process of identifying, assessing, and mitigating the risks related to the use of information technology (IT) in the organization. IT risk management aims to ensure the confidentiality, integrity, and availability of IT resources and information, and to support the IT governance and strategy of the organization. The best indicator of the effectiveness of IT risk management processes is the time between when IT risk scenarios are identified and the enterprise's response. This indicator measures how quickly and efficiently the organization can detect and respond to IT risks, and how well it can prevent or minimize their negative impacts. The time between when IT risk scenarios are identified and the enterprise's response can include:

  - The time taken to identify and report the IT risk scenarios, using various methods and sources, such as risk assessments, audits, monitoring, alerts, or incidents
  - The time taken to analyze and evaluate the IT risk scenarios, using various tools and techniques, such as risk matrices, risk registers, risk indicators, or risk models
  - The time taken to select and implement the IT risk responses, using various strategies and controls, such as avoidance, mitigation, transfer, or acceptance
  - The time taken to review and improve the IT risk management processes, using various feedback and learning mechanisms, such as lessons learned, best practices, or benchmarks

The other options are not the best indicators of the effectiveness of IT risk management processes, but rather some of the inputs or outputs of those processes. Percentage of business users completing risk training is an indicator of the awareness and competence of the IT users and providers, which can affect IT risk management performance, but it does not measure the IT risk management processes directly. Percentage of high-risk scenarios for which risk action plans have been developed is an indicator of the completeness and coverage of IT risk management activities, which can affect IT risk management outcomes, but it does not measure the processes directly. Number of key risk indicators (KRIs) defined is an indicator of the scope and complexity of the IT risk management objectives, which can affect IT risk management resources and capabilities, but it does not measure the processes directly.

References = IT Risk Management - ISACA; Risk Management Process - ISACA; Risk Response - ISACA; CRISC Review Manual, 7th Edition.



Which of the following would be MOST useful to senior management when determining an appropriate risk response?

  A. A comparison of current risk levels with established tolerance
  B. A comparison of cost variance with defined response strategies
  C. A comparison of current risk levels with estimated inherent risk levels
  D. A comparison of accepted risk scenarios associated with regulatory compliance

Answer(s): A

Explanation:

A comparison of current risk levels with established tolerance is the most useful information for senior management when determining an appropriate risk response, as it shows the gap between the actual risk exposure and the desired risk exposure of the enterprise. This gap indicates the need and urgency for risk response actions, and helps senior management to prioritize and allocate resources for risk mitigation. A comparison of current risk levels with established tolerance also reflects the effectiveness of the existing risk management process and controls, and enables senior management to monitor and adjust the risk strategy and objectives accordingly. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, Question 234. CRISC by ISACA Actual Free Exam Q&As, Question 9. CRISC: Certified in Risk & Information Systems Control Sample Questions, Question 234. CRISC Sample Questions 2024, Question 234.



Which of the following is the MOST essential characteristic of a good IT risk scenario?

  A. The scenario is aligned to business control processes.
  B. The scenario is aligned to the organization's risk appetite and tolerance.
  C. The scenario is aligned to a business objective.
  D. The scenario is aligned to known vulnerabilities in information technology.

Answer(s): C

Explanation:

A good IT risk scenario must be aligned with a business objective. This alignment ensures that the risk scenario is relevant to the organization's goals and can be effectively integrated into its risk management processes.

Alignment to a business objective (Answer C):
  - Importance: Aligning risk scenarios with business objectives ensures that they are relevant and support the organization's overall strategy.
  - Impact: This alignment helps in prioritizing risk management efforts and resources toward areas that directly affect the organization's success.
  - Outcome: It leads to more effective risk management by focusing on risks that could impact key business outcomes.

Comparison with the other options:
  - A. The scenario is aligned to business control processes: control processes are important but secondary to business objectives.
  - B. The scenario is aligned to the organization's risk appetite and tolerance: important for overall risk management, but not the primary characteristic of a good risk scenario.
  - D. The scenario is aligned to known vulnerabilities in information technology: while addressing vulnerabilities is important, the primary focus should be on how these vulnerabilities affect business objectives.


Reference:

ISACA CRISC Review Manual, Chapter 2, "IT Risk Assessment", which emphasizes the need for risk scenarios to be aligned with business objectives for effective risk management.



Which of the following would BEST help to address the risk associated with malicious outsiders modifying application data?

  A. Multi-factor authentication
  B. Role-based access controls
  C. Activation of control audits
  D. Acceptable use policies

Answer(s): B

Explanation:

Role-based access controls (RBAC) are a type of preventive control that limit the access and actions of users based on their roles and responsibilities within the organization. RBAC can help to address the risk of malicious outsiders modifying application data by restricting their access to the data and the functions they can perform on it. RBAC can also enforce the principle of least privilege, which means that users only have the minimum level of access required to perform their tasks. RBAC can be implemented through policies, procedures, and technical mechanisms such as access control lists, encryption, and authentication. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.2.1.1, p. 178-179



Which of the following is the BEST key performance indicator (KPI) to measure the ability to deliver uninterrupted IT services?

  A. Mean time between failures (MTBF)
  B. Mean time to recover (MTTR)
  C. Planned downtime
  D. Unplanned downtime

Answer(s): A

Explanation:

Mean time between failures (MTBF) is a key performance indicator (KPI) that measures the average time that a system or component operates without interruption or failure. MTBF is a common metric for the reliability and availability of IT services. A higher MTBF indicates a lower frequency of failures and a higher ability to deliver uninterrupted IT services. According to the CRISC Review Manual 2022, MTBF is one of the KPIs for IT service delivery. According to the CRISC Review Questions, Answers & Explanations Manual 2022, MTBF is the correct answer to this question. Mean time to recover (MTTR), planned downtime, and unplanned downtime are not the best KPIs to measure the ability to deliver uninterrupted IT services. MTTR measures the average time it takes to restore a system or component to normal operation after a failure. Planned downtime measures the scheduled time that a system or component is not available for use due to maintenance or upgrades. Unplanned downtime measures the unscheduled time that a system or component is not available for use due to failures or incidents. These KPIs are useful for measuring the impact and duration of service interruptions, but they do not directly reflect the ability to prevent or avoid service interruptions.


