Free ISACA CRISC Exam Questions (page: 25)

A multinational company needs to implement a new centralized security system. The risk practitioner has identified a conflict between the organization's data-handling policy and local privacy regulations.
Which of the following would be the BEST recommendation?

  1. Request a policy exception from senior management.
  2. Comply with the organizational policy.
  3. Report the noncompliance to the local regulatory agency.
  4. Request an exception from the local regulatory agency.

Answer(s): D



Which of the following should be the MOST important consideration when performing a vendor risk assessment?

  1. Results of the last risk assessment of the vendor
  2. Inherent risk of the business process supported by the vendor
  3. Risk tolerance of the vendor
  4. Length of time since the last risk assessment of the vendor

Answer(s): B

Explanation:

The most important consideration when performing a vendor risk assessment is the inherent risk of the business process supported by the vendor, which is the risk that exists before any controls or mitigating factors are applied. The inherent risk reflects the potential impact and likelihood of the vendor's failure or disruption on the enterprise's objectives, operations, and reputation. The higher the inherent risk, the more rigorous and frequent the vendor risk assessment should be. The results of the last risk assessment of the vendor, the risk tolerance of the vendor, and the length of time since the last risk assessment of the vendor are not the most important considerations, as they do not directly measure the level of exposure and dependency that the enterprise has on the vendor. References = CRISC Certified in Risk and Information Systems Control, Question 204; ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 204.



Which of the following is MOST important to the effectiveness of key performance indicators (KPIs)?

  1. Management approval
  2. Annual review
  3. Relevance
  4. Automation

Answer(s): C

Explanation:

The most important factor in the effectiveness of key performance indicators (KPIs) is relevance. KPIs are metrics that measure the achievement of objectives or the performance of processes. Relevance means that the KPIs are aligned with and support the strategic goals and priorities of the organization, and that they reflect the current and desired state of the outcomes or outputs. Relevance also means that the KPIs are meaningful and useful for decision makers and stakeholders, and that they provide clear and actionable information for improvement or optimization. The other options are not as important as relevance, as they are related to the approval, review, or automation of the KPIs, not the quality or value of the KPIs. References = Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.2: Key Performance Indicators, page 183.



Which of the following would MOST effectively enable a business operations manager to identify events exceeding risk thresholds?

  1. Continuous monitoring
  2. A control self-assessment
  3. Transaction logging
  4. Benchmarking against peers

Answer(s): A

Explanation:

Events exceeding risk thresholds are situations or occurrences that result in the actual level of risk exceeding the acceptable or tolerable level of risk, as defined by the organization's risk appetite, criteria, and objectives [1][2].
The most effective way to enable a business operations manager to identify events exceeding risk thresholds is to implement continuous monitoring, which is a process that involves collecting and analyzing data and information on the performance and status of the business processes, systems, and controls, and detecting and reporting any deviations, anomalies, or issues that may indicate a risk event [3][4].
Continuous monitoring is the most effective way because it provides timely and accurate visibility and insight into the risk landscape, and enables the business operations manager to identify and respond to the events exceeding risk thresholds before they escalate or cause significant harm or damage to the organization [3][4].

Continuous monitoring is also the most effective way because it supports the risk management process and objectives, which are to identify and address the risks that may affect the achievement of the organization's goals and the delivery of value to the stakeholders [3][4].
The other options are not the most effective ways, but rather possible tools or techniques that may complement or enhance continuous monitoring. For example:
A control self-assessment is a technique that involves engaging and empowering the business process owners and operators to evaluate and report on the effectiveness and efficiency of the controls that are designed and implemented to mitigate the risks [5][6]. However, this technique is not the most effective way because it is periodic rather than continuous, and it may not capture or communicate the events exceeding risk thresholds in a timely or consistent manner [5][6].
Transaction logging is a tool that involves recording and storing the details and history of the transactions or activities that are performed by the business processes or systems, and providing an audit trail for verification or investigation purposes [7][8]. However, this tool is not the most effective way because it is passive rather than active, and it may not detect or report the events exceeding risk thresholds unless the logs are analyzed or queried [7][8].
Benchmarking against peers is a technique that involves comparing and contrasting the performance and practices of the business processes or systems with those of similar or leading organizations in the same or related industry, and identifying the gaps or opportunities for improvement. However, this technique is not the most effective way because it is external rather than internal, and it may not reflect or align with the organization's specific risk appetite, criteria, and objectives.
References =
1: Risk IT Framework, ISACA, 2009
2: IT Risk Management Framework, University of Toronto, 2017
3: Continuous Monitoring - ISACA
4: Continuous Monitoring: A New Approach to Risk Management - ISACA Journal
5: Risk and control self-assessment - KPMG Global
6: Control Self Assessments - PwC
7: Transaction Log - Wikipedia
8: Transaction Logging - IBM
Benchmarking - Wikipedia
Benchmarking: Definition, Types, Process, Advantages & Examples



A risk action plan has been changed during the risk mitigation effort.
Which of the following is MOST important for the risk practitioner to verify?

  1. Impact of the change on inherent risk
  2. Approval for the change by the risk owner
  3. Business rationale for the change
  4. Risk to the mitigation effort due to the change

Answer(s): B

Explanation:

Risk owner approval ensures accountability and alignment of the changes with the enterprise's risk management strategy. It reflects adherence to the principles of Risk Ownership and Governance, which are critical for maintaining control over mitigation activities.



Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?

  1. Customer database manager
  2. Customer data custodian
  3. Data privacy officer
  4. Audit committee

Answer(s): C

Explanation:

A data privacy officer is a role that is responsible for ensuring that the organization complies with the applicable laws, regulations, and standards regarding the collection, processing, storage, and disclosure of customer data [1]. A data privacy officer is also responsible for developing and implementing policies, procedures, and controls to protect the privacy and security of customer data, and to prevent or mitigate the risk of customer data loss [2]. A data privacy officer is the most helpful role in providing a high-level view of risk related to customer data loss, because:
A data privacy officer has the knowledge and expertise of the legal and ethical requirements and best practices for customer data protection, and can identify and assess the potential threats and vulnerabilities that may compromise customer data [3].
A data privacy officer has the authority and accountability to oversee and monitor the customer data lifecycle, and to ensure that the organization follows the principles of data minimization, purpose limitation, accuracy, integrity, confidentiality, and accountability [4].
A data privacy officer has the visibility and communication skills to report and advise management and other stakeholders on the customer data risk profile, and to recommend and implement appropriate risk responses and improvement actions [5].
The other options are not the most helpful roles in providing a high-level view of risk related to customer data loss, because:

A customer database manager is a role that is responsible for designing, developing, maintaining, and optimizing the database systems that store and manage customer data [6]. A customer database manager may have some technical skills and knowledge to protect the customer data from unauthorized access, modification, or deletion, but may not have the comprehensive or holistic view of the customer data risk, as they may focus only on the database level, and not on the organizational or regulatory level.
A customer data custodian is a role that is responsible for handling, processing, and storing customer data according to the instructions and permissions of the data owner [7]. A customer data custodian may have some operational duties and responsibilities to safeguard the customer data from accidental or intentional loss, damage, or disclosure, but may not have the strategic or analytical view of the customer data risk, as they may follow only the predefined rules and procedures, and not the risk management principles and practices.
An audit committee is a group of independent directors or members that is responsible for overseeing and evaluating the organization's financial reporting, internal control, and audit functions [8]. An audit committee may have some oversight and assurance roles and responsibilities to review and verify the organization's compliance and performance regarding customer data protection, but may not have the direct or proactive view of the customer data risk, as they may rely only on the audit reports and findings, and not on the risk assessment and analysis.
References =
1: Data Privacy Officer - CIO Wiki
2: What is a Data Protection Officer (DPO)? - Definition from Techopedia
3: Data Privacy Officer: Roles and Responsibilities - ISACA
4: Data Protection Principles - CIO Wiki
5: Data Privacy Officer: How to Be One and Why You Need One - ISACA
6: Database Manager - CIO Wiki
7: Data Custodian - CIO Wiki
8: Audit Committee - CIO Wiki



Which of the following is the MOST effective way to help ensure future risk levels do not exceed the organization's risk appetite?

  1. Establishing a series of key risk indicators (KRIs).
  2. Adding risk triggers to entries in the risk register.
  3. Implementing key performance indicators (KPIs).
  4. Developing contingency plans for key processes.

Answer(s): A

Explanation:

KRIs provide predictive metrics to monitor changes in risk levels, enabling timely interventions to maintain risks within the organization's appetite. This aligns with the Risk Monitoring and Reporting framework, which emphasizes proactive identification of risk thresholds.



An unauthorized individual has socially engineered entry into an organization's secured physical premises.
Which of the following is the BEST way to prevent future occurrences?

  1. Employ security guards.
  2. Conduct security awareness training.
  3. Install security cameras.
  4. Require security access badges.

Answer(s): B

Explanation:

Social engineering is a technique that involves manipulating or deceiving people into performing actions or divulging information that may compromise the security of an organization or its data [1][2].
Entry into an organization's secured physical premises is a form of physical access that allows an unauthorized individual to access, steal, or damage the organization's assets, such as equipment, documents, or systems [3][4].
The best way to prevent future occurrences of social engineering entry into an organization's secured physical premises is to conduct security awareness training, which is an educational program that aims to equip the organization's employees with the knowledge and skills they need to protect the organization's data and sensitive information from cyber threats, such as hacking, phishing, or other breaches [5][6].
Security awareness training is the best way because it helps the employees to recognize and resist the common and emerging social engineering techniques, such as tailgating, impersonation, or pretexting, that may be used by attackers to gain physical access to the organization's premises [5][6].
Security awareness training is also the best way because it fosters a culture of security and responsibility among the employees, and encourages them to follow the best practices and policies for physical security, such as locking the doors, verifying the identity of visitors, or reporting any suspicious activities or incidents [5][6].
The other options are not the best way, but rather possible measures or controls that may supplement or enhance the security awareness training. For example:

Employing security guards is a measure that involves hiring or contracting professional personnel who are trained and authorized to monitor, patrol, and protect the organization's premises from unauthorized access or intrusion [7][8]. However, this measure is not the best way because it may not be sufficient or effective to prevent or deter all types of social engineering attacks, especially if the attackers are able to bypass, deceive, or coerce the security guards [7][8].
Installing security cameras is a control that involves using electronic devices that capture and record visual images of the organization's premises, and provide evidence or alerts of any unauthorized access or activity. However, this control is not the best way because it is reactive rather than proactive, and may not prevent or stop the social engineering attacks before they cause any harm or damage to the organization.
Requiring security access badges is a control that involves using physical or electronic cards that identify and authenticate the employees or authorized visitors who are allowed to enter the organization's premises, and restrict or deny access to anyone else. However, this control is not the best way because it may not be foolproof or reliable in preventing or detecting social engineering attacks, especially if the attackers are able to steal, forge, or clone the security access badges.
References =
1: What is Social Engineering? | Types & Examples of Social Engineering Attacks
2: Social Engineering: What It Is and How to Prevent It | Digital Guardian
3: What is physical Social Engineering and why is it important? - Integrity360
4: What Is Tailgating (Piggybacking) In Cyber Security? - Wlan Labs
5: What Is Security Awareness Training and Why Is It Important? - Kaspersky
6: Security Awareness Training - Cybersecurity Education Online | Proofpoint US
7: Security Guard - Wikipedia
8: Security Guard Services - Allied Universal
Security Camera - Wikipedia
Security Camera Systems - The Home Depot
Access Badge - Wikipedia
Access Control Systems - HID Global





