Free ISACA CRISC Exam Questions (page: 26)

An organization's chief technology officer (CTO) has decided to accept the risk associated with the potential loss from a denial-of-service (DoS) attack. In this situation, the risk practitioner's BEST course of action is to:

  1. identify key risk indicators (KRIs) for ongoing monitoring
  2. validate the CTO's decision with the business process owner
  3. update the risk register with the selected risk response
  4. recommend that the CTO revisit the risk acceptance decision.

Answer(s): A

Explanation:

A denial-of-service (DoS) attack is a type of cyberattack that aims to disrupt or disable the normal functioning of a system or network by overwhelming it with excessive traffic or requests.
The chief technology officer (CTO) has decided to accept the risk associated with the potential loss from a DoS attack. This means that the CTO has determined that the cost or effort of implementing or maintaining controls to prevent or reduce the impact of a DoS attack is not justified by the expected benefits or savings, and that the organization is willing to bear the consequences of a DoS attack if it occurs. The best course of action for the risk practitioner in this situation is to identify key risk indicators (KRIs) for ongoing monitoring. This means that the risk practitioner should define and measure the metrics that provide information about the level of exposure to the DoS attack risk, such as the frequency, duration, or severity of the attacks, the availability, performance, or security of the systems or networks, the customer satisfaction, reputation, or revenue of the organization, etc.
Identifying KRIs for ongoing monitoring helps to track and evaluate the actual results and outcomes of the risk acceptance decision, compare them with the risk appetite and tolerance of the organization, identify any deviations or breaches that may require attention or action, and report them to the appropriate parties for decision making or improvement actions.
The references for this answer are:
Risk IT Framework, page 15
Information Technology & Security, page 9
Risk Scenarios Starter Pack, page 7



Which of the following is MOST helpful to ensure effective security controls for a cloud service provider?

  1. A control self-assessment
  2. A third-party security assessment report
  3. Internal audit reports from the vendor
  4. Service level agreement monitoring

Answer(s): B

Explanation:

A third-party security assessment report is the most helpful to ensure effective security controls for a cloud service provider, because it provides an independent and objective evaluation of the cloud provider's security posture, policies, and practices. A third-party security assessment report can help to verify and validate the cloud provider's compliance with the relevant standards, regulations, and best practices, such as ISO 27001, PCI DSS, NIST, or CSA. A third-party security assessment report can also help to identify and address any gaps, weaknesses, or vulnerabilities in the cloud provider's security controls, and to provide recommendations and guidance for improvement. A third-party security assessment report can also help to increase the trust and confidence of the cloud customers, and to facilitate the due diligence and risk management processes. The other options are less helpful to ensure effective security controls for a cloud service provider. A control self-assessment is a process that enables the cloud provider to assess its own security controls, using a predefined framework or questionnaire. However, a control self-assessment may not be as reliable or comprehensive as a third-party security assessment report, as it may be biased, incomplete, or inaccurate, and it may not cover all the aspects or dimensions of security. Internal audit reports from the vendor are documents that provide the results and findings of the internal audits conducted by the cloud provider's own auditors, to verify and validate the effectiveness and efficiency of the security controls. However, internal audit reports from the vendor may not be as credible or trustworthy as a third-party security assessment report, as they may be influenced by the cloud provider's interests, objectives, or agenda, and they may not follow the same standards or criteria as the external auditors.
Service level agreement monitoring is a process that measures and evaluates the performance and availability of the cloud services, based on the predefined metrics and targets agreed between the cloud provider and the cloud customer. However, service level agreement monitoring may not be sufficient or relevant to ensure effective security controls for a cloud service provider, as it may not address the security aspects or requirements of the cloud services, such as confidentiality, integrity, or accountability, and it may not reflect the actual security risks or incidents that may occur in the cloud environment.
References = Cloud Security Controls: Key Elements and 4 Control Frameworks 1



Which of the following will BEST help to ensure that information system controls are effective?

  1. Responding promptly to control exceptions
  2. Implementing compensating controls
  3. Testing controls periodically
  4. Automating manual controls

Answer(s): C

Explanation:

The best way to ensure that information system controls are effective is to test them periodically. Testing controls periodically helps to verify that the controls are operating as intended, and that they are aligned with the enterprise's objectives, policies, and standards. Testing controls periodically also helps to identify any gaps, weaknesses, or deficiencies in the controls, and to implement corrective actions or improvements. Responding promptly to control exceptions, implementing compensating controls, and automating manual controls are good practices, but they are not the best way to ensure control effectiveness.
References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 3, Section 3.1.1.2, page 1071
1: ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide, Answer to Question 641.



What is the MOST important consideration when selecting key performance indicators (KPIs) for control monitoring?

  1. Source information is acquired at stable cost.
  2. Source information is tailored by removing outliers.
  3. Source information is readily quantifiable.
  4. Source information is consistently available.

Answer(s): D

Explanation:

The most important consideration when selecting KPIs for control monitoring is that the source information is consistently available, meaning that it can be obtained regularly, reliably, and timely from the same or equivalent data sources. This ensures that the KPIs can measure the performance of the controls over time and across different units or functions, and provide meaningful and comparable results. Source information that is acquired at stable cost, tailored by removing outliers, or readily quantifiable are also desirable, but not as essential as consistency.


Reference:

· ISACA, Risk IT Framework, 2nd Edition, 2019, p. 751
· ISACA, Performance Measurement Metrics for IT Governance2



Which of the following should be the PRIMARY objective of a risk awareness training program?

  1. To enable risk-based decision making
  2. To promote awareness of the risk governance function
  3. To clarify fundamental risk management principles
  4. To ensure sufficient resources are available

Answer(s): A

Explanation:

The primary objective of a risk awareness training program is to enable risk-based decision making, which means making decisions that take into account the potential risks and opportunities associated with each option. A risk awareness training program should aim to develop a common understanding of risk across multiple functions and business units, achieve a better understanding of risk for competitive advantage, and build safeguards against earnings-related surprises1. A risk awareness training program should also cover the basics of risk management, such as the risk management process, the roles and responsibilities of different stakeholders, the risk appetite and tolerance of the organization, and the tools and techniques for identifying, analyzing, evaluating, and treating risks234. A risk awareness training program should also include practical examples and case studies to illustrate how risk management can be applied in different scenarios and contexts5. References = Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.11: Risk Awareness, pp. 34-354



Which of the following is the PRIMARY reason to update a risk register with risk assessment results?

  1. To communicate the level and priority of assessed risk to management
  2. To provide a comprehensive inventory of risk across the organization
  3. To assign a risk owner to manage the risk
  4. To enable the creation of action plans to address risk

Answer(s): A

Explanation:

The primary reason to update a risk register with risk assessment results is to communicate the level and priority of assessed risk to management, as this enables them to make informed decisions about risk response and allocation of resources. The risk register is a tool for documenting and reporting the current status of risks, their causes, impacts, likelihood, and responses. Updating the risk register with risk assessment results ensures that the information is accurate, relevant, and timely. The risk register also helps to monitor and track the progress and effectiveness of risk management activities. The other options are not the primary reasons to update the risk register, although they may be secondary benefits or outcomes of doing so. References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Assessment, page 109.



A technology company is developing a strategic artificial intelligence (AI)-driven application that has high potential business value. At what point should the enterprise risk profile be updated?

  1. After user acceptance testing (UAT)
  2. Upon approval of the business case
  3. When user stories are developed
  4. During post-implementation review

Answer(s): B



Which of the following would BEST facilitate the implementation of data classification requirements?

  1. Implementing a data loss prevention (DLP) solution
  2. Assigning a data owner
  3. Scheduling periodic audits
  4. Implementing technical controls over the assets

Answer(s): B

Explanation:

The best way to facilitate the implementation of data classification requirements is to assign a data owner. A data owner is a person who has the authority and responsibility for defining, classifying, and protecting the data. A data owner can help to facilitate the implementation of data classification requirements by providing the criteria, categories, roles, and procedures for classifying the data according to its sensitivity, value, and criticality. A data owner can also ensure that the data is handled and stored appropriately, and that the data classification policy is enforced and monitored. The other options are not as effective as assigning a data owner, as they are related to the prevention, audit, or control of the data, not the classification or protection of the data. References = Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.4: Key Control Indicators, page 211.


