Free ISACA CRISC Exam Questions (page: 28)

A risk practitioner is reviewing a vendor contract and finds there is no clause to control privileged access to the organization's systems by vendor employees.
Which of the following is the risk practitioner's BEST course of action?

  A. Contact the control owner to determine if a gap in controls exists.
  B. Add this concern to the risk register and highlight it for management review.
  C. Report this concern to the contracts department for further action.
  D. Document this concern as a threat and conduct an impact analysis.

Answer(s): C

Explanation:

According to the CRISC Review Manual, the contracts department is responsible for drafting, reviewing, and negotiating contracts with vendors and other third parties, and should ensure that those contracts contain adequate clauses and terms to address the risks and controls associated with the vendor's services and activities. The best course of action on finding that a contract lacks a clause controlling privileged access to the organization's systems by vendor employees is therefore to report the concern to the contracts department for further action. The contracts department can then revise the contract to include the necessary clause, or seek alternative measures to mitigate the risk of unauthorized or inappropriate access by vendor employees. References = CRISC Review Manual, page 229.



Which of the following presents the GREATEST concern associated with the use of artificial intelligence (AI) systems?

  A. AI systems need to be available continuously.
  B. AI systems can be affected by bias.
  C. AI systems are expensive to maintain.
  D. AI systems can provide false positives.

Answer(s): B



Which of the following should an organization perform to forecast the effects of a disaster?

  A. Develop a business impact analysis (BIA).
  B. Define recovery time objectives (RTO).
  C. Analyze capability maturity model gaps.
  D. Simulate a disaster recovery.

Answer(s): A

Explanation:

A business impact analysis (BIA) is a process that identifies and evaluates the potential effects of a disaster on the critical functions and processes of an organization. A BIA helps to forecast the operational, financial, legal, and reputational impacts of a disaster, as well as the recovery priorities and resources needed to resume normal operations. A BIA also provides the basis for determining recovery time objectives (RTOs), the maximum acceptable time frames for restoring critical functions and processes after a disaster. Therefore, developing a BIA is the most important step for an organization to forecast the effects of a disaster and plan for its recovery. Defining RTOs is an output of the BIA process, not a separate forecasting activity. Analyzing capability maturity model gaps assesses the effectiveness and efficiency of the organization's processes and practices, but it does not directly forecast the effects of a disaster. Simulating a disaster recovery tests and validates the recovery plans and procedures, but it does not forecast the effects of a disaster either. References = Risk and Information Systems Control Study Manual, Chapter 5: Risk Response and Mitigation, Section 5.3: Business Continuity Planning, pp. 227-238.



Which of the following is the BEST way to ensure ongoing control effectiveness?

  A. Establishing policies and procedures
  B. Periodically reviewing control design
  C. Measuring trends in control performance
  D. Obtaining management control attestations

Answer(s): C

Explanation:

The best way to ensure ongoing control effectiveness is to measure trends in control performance. Trend measurement monitors and evaluates how well the controls are achieving their objectives over time, and identifies deviations or anomalies that may indicate control failures or weaknesses before they become breaches. It also provides feedback and assurance to stakeholders and decision makers, and supports continuous improvement and optimization of the control environment. Establishing policies and procedures, periodically reviewing control design, and obtaining management control attestations are good practices, but each is a point-in-time or design-level activity rather than a measure of how the controls are actually operating. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 3, Section 3.1.1.2, page 107; ISACA Certified in Risk and Information Systems Control (CRISC) Exam Guide, Answer to Question 650.



Which of the following BEST mitigates the risk of violating privacy laws when transferring personal information to a supplier?

  A. Encrypt the data while in transit to the supplier
  B. Contractually obligate the supplier to follow privacy laws.
  C. Require independent audits of the supplier's control environment
  D. Utilize blockchain during the data transfer

Answer(s): B

Explanation:

Contractually obligating the supplier to follow privacy laws is the best way to mitigate the risk of violating privacy laws when transferring personal information to a supplier, because it legally binds the supplier to comply with the applicable laws and regulations that protect the privacy and security of the personal information. It also establishes clear accountability and liability for the supplier in the event of a privacy breach, and defines the rights and obligations of both parties with respect to the personal information. The other options are not the best ways to mitigate the risk of violating privacy laws, although they may help reduce the likelihood or impact of a privacy breach. Encrypting the data in transit to the supplier, requiring independent audits of the supplier's control environment, and utilizing blockchain during the data transfer are technical or assurance controls that aim to protect the confidentiality, integrity, and availability of the personal information, but they do not address the legal or contractual obligations that the privacy laws impose. References = CRISC: Certified in Risk & Information Systems Control Sample Questions



Which of the following is the MOST important data attribute of key risk indicators (KRIs)?

  A. The data is measurable.
  B. The data is calculated continuously.
  C. The data is relevant.
  D. The data is automatically produced.

Answer(s): C

Explanation:

Key risk indicators (KRIs) are metrics that provide information about the level of exposure to a specific risk or a group of risks.
The most important data attribute of KRIs is that the data is relevant. This means that the data reflects the current state of the risk, the potential impact of the risk, and the effectiveness of the risk response. Relevant data helps to monitor and measure the risk performance and to make informed decisions about risk management.
The other options are not the most important data attributes of KRIs. They are either secondary or not essential for KRIs.
The references for this answer are:
Risk IT Framework, page 15
Information Technology & Security, page 9
Risk Scenarios Starter Pack, page 7
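As an added example that is not part of this page, the CRISC manual, or any ISACA tool, the Python below shows what "measuring trends in control performance" (the answer to the control-effectiveness question above) and "measurable, relevant" KRI data look like in practice. Each KRI carries warning and critical thresholds; the latest observation is rated against them, and a least-squares trend line is fitted so that a control that is degrading is flagged before it actually breaches the critical threshold. The KRI names, thresholds, and monthly values are constructed for illustration.

```python
"""Trend-based monitoring of control performance with KRIs (added example).

The KRIs, thresholds and monthly series below are constructed sample data,
not figures from any ISACA publication.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Kri:
    name: str
    unit: str
    warning: float            # first escalation point
    critical: float           # breach requires an immediate risk response
    higher_is_worse: bool = True  # e.g. "% of privileged accounts without MFA"


def least_squares_slope(values):
    """Change per period of the best-fit line through `values` (0.0 if < 2 points)."""
    n = len(values)
    if n < 2:
        return 0.0
    x_mean = (n - 1) / 2
    y_mean = mean(values)
    num = sum((i - x_mean) * (v - y_mean) for i, v in enumerate(values))
    den = sum((i - x_mean) ** 2 for i in range(n))
    return num / den


def rate(kri, value):
    """Classify one observation as ok / warning / critical against the KRI thresholds."""
    if kri.higher_is_worse:
        if value >= kri.critical:
            return "critical"
        return "warning" if value >= kri.warning else "ok"
    if value <= kri.critical:
        return "critical"
    return "warning" if value <= kri.warning else "ok"


def evaluate(kri, series, horizon=3):
    """Rate the latest value and project the trend `horizon` periods ahead.

    A trend alert fires when the control is not yet critical but the fitted
    trend would cross the critical threshold within the horizon; that is the
    early warning a point-in-time review or attestation cannot give.
    """
    slope = least_squares_slope(series)
    current = series[-1]
    projected = current + slope * horizon
    status = rate(kri, current)
    projected_status = rate(kri, projected)
    return {
        "kri": kri.name,
        "unit": kri.unit,
        "current": current,
        "status": status,
        "slope_per_period": round(slope, 3),
        "projected": round(projected, 2),
        "projected_status": projected_status,
        "degrading": slope > 0 if kri.higher_is_worse else slope < 0,
        "trend_alert": status != "critical" and projected_status == "critical",
    }


# Constructed sample: five monthly observations per KRI (illustrative only).
SAMPLE = [
    (Kri("Privileged accounts without MFA", "%", warning=10, critical=15), [4, 5, 7, 9, 12]),
    (Kri("Mean time to patch critical vulns", "days", warning=21, critical=30), [20, 18, 15, 14, 12]),
]


def report(sample=SAMPLE, horizon=3):
    """Evaluate every KRI in `sample`; keyed by KRI name for easy lookup."""
    return {kri.name: evaluate(kri, series, horizon) for kri, series in sample}


if __name__ == "__main__":
    for name, result in report().items():
        flag = " <-- TREND ALERT" if result["trend_alert"] else ""
        print(f"{name}: {result['current']}{result['unit']} ({result['status']}), "
              f"slope {result['slope_per_period']}/month, "
              f"projected {result['projected']} ({result['projected_status']}){flag}")
```

In the sample, the MFA-coverage KRI is only at "warning" today, but its trend of roughly two percentage points per month projects it past the critical threshold within three months, so it is flagged now; the patching KRI is within tolerance and improving, so it is not. The same structure works for any KRI whose values are measurable on a consistent scale, which is why measurability and relevance matter more than whether the number is produced automatically or continuously.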



Which of the following would BEST mitigate an identified risk scenario?

  A. Conducting awareness training
  B. Executing a risk response plan
  C. Establishing an organization's risk tolerance
  D. Performing periodic audits

Answer(s): B

Explanation:

The best way to mitigate an identified risk scenario is to execute a risk response plan. A risk response plan describes the actions and resources needed to address the risk scenario, applying one or more of the response strategies: avoid, transfer, mitigate, accept, or exploit. By executing the plan, the organization reduces the likelihood and/or impact of the risk scenario, or takes advantage of the opportunities the scenario may present. The other options are not as effective as executing a risk response plan, as they relate to awareness, assessment, or monitoring of the risk scenario rather than to its actual treatment. References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Response, Section 3.2: IT Risk Response Options, page 133.



Which of the following is the PRIMARY benefit of using an entry in the risk register to track the aggregate risk associated with server failure?

  A. It provides a cost-benefit analysis on control options available for implementation.
  B. It provides a view on where controls should be applied to maximize the uptime of servers.
  C. It provides historical information about the impact of individual servers malfunctioning.
  D. It provides a comprehensive view of the impact should the servers simultaneously fail.

Answer(s): D

Explanation:

Using an entry in the risk register to track the aggregate risk associated with server failure provides a comprehensive view of the impact should the servers simultaneously fail, because it considers the combined effect of the failure on the enterprise's objectives and operations rather than each server in isolation. The risk register is the document that records and tracks identified risks, their likelihood, impact, and mitigation strategies. By aggregating the risk associated with server failure, the risk register helps to estimate the worst-case scenario and to prioritize the risk response accordingly. A cost-benefit analysis of control options, a view of where controls should be applied to maximize server uptime, and historical information about the impact of individual server malfunctions are not the primary benefit of an aggregate risk register entry; they are possible outcomes of, or inputs to, using the risk register. References = CRISC Certified in Risk and Information Systems Control, Question 220; ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 220.



Viewing page 28 of 238
Viewing questions 217 - 224 out of 1895 questions


