Cisco®
CompTIA
Checkpoint
ISC
EC-Council
EXIN
Fortinet
ITIL®
Juniper
Microsoft
VMware
Avaya
SAP
Google
Salesforce
Amazon
Palo Alto Networks
ISC2
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CRISC

Free ISACA CRISC Exam Questions (page: 3)

Page 3 of 238
PDF with 1895 Questions

Which of the following practices BEST mitigates risk related to enterprise-wide ethical decision making in a multi-national organization?

  1. Customized regional training on local laws and regulations
  2. Policies requiring central reporting of potential procedure exceptions
  3. Ongoing awarenesstraining to support a common risk culture
  4. Zero-tolerance policies for risk taking by middle-level managers

Answer(s): C

Explanation:

The best practice to mitigate risk related to enterprise-wide ethical decision making in a multi-national organization is to provide ongoing awareness training to support a common risk culture. A common risk culture is a set of shared values, beliefs, and behaviors that influence how the organization identifies, analyzes, responds to, and monitors risks. Ongoing awareness training can help to promote a common risk culture by educating the employees about the enterprise's risk management objectives, policies, procedures, roles, and responsibilities, as well as the ethical standards and expectations that apply to their work. Ongoing awareness training can also help to reinforce the benefits of ethical decision making and the consequences of unethical behavior. Customized regional training on local laws and regulations, policies requiring central reporting of potential procedure exceptions, and zero- tolerance policies for risk taking bymiddle-level managers are also useful practices, but they are not as effective as ongoing awareness training to support a common risk culture. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 37.



Which of the following would be the BEST way for a risk practitioner to validate the effectiveness of a patching program?

  1. Conduct penetration testing.
  2. Interview IT operations personnel.
  3. Conduct vulnerability scans.
  4. Review change control board documentation.

Answer(s): C

Explanation:

Conducting vulnerability scans is the best way for a risk practitioner to validate the effectiveness of a patching program. Vulnerability scans are automated tools that identify and report on the vulnerabilities in a system or network, such as missing patches, misconfigurations, or outdated software. Vulnerability scans can help the risk practitioner to verify that the patches have been applied correctly and consistently, and that there are no remaining or new vulnerabilities that need to be addressed. Conducting penetration testing, interviewing IT operations personnel, and reviewing change control board documentation are also useful methods to evaluate the patching program, but they are not as comprehensive,

objective, or timely as vulnerabilityscans. References = Risk and Information Systems Control Study Manual, Chapter 2, Section 2.3.3, page 2-28.



Which of the following would be the BEST recommendation if the level of risk in the IT risk profile has decreased and is now below management's risk appetite?

  1. Optimize the control environment.
  2. Realign risk appetite to the current risk level.
  3. Decrease the number of related risk scenarios.
  4. Reduce the risk management budget.

Answer(s): A

Explanation:

The level of risk in the IT risk profile is the aggregate measure of the likelihood and impact of IT-related risks that may affect the enterprise's objectives and operations. The risk appetite is the amount and type of risk that the enterprise is willing to accept in pursuit of its goals. It is usually expressed as a range or a threshold, and it is aligned with the enterprise's strategy and culture.
If the level of risk in the IT risk profile has decreased and is now below management's risk appetite, it means that the enterprise has more capacity and opportunity to take on additional risks that may offer higher rewards or benefits.
The best recommendation in this situation is to optimize the control environment, which is the set of policies, procedures, standards, and practices that provide the foundation for managing IT risks and controls. Optimizing the control environment means enhancing the efficiency and effectiveness of the controls, reducing the costs and complexity of compliance, and aligning the controls with the enterprise's objectives and values. Optimizing the control environment can help the enterprise to achieve the optimal balance between risk and return, and to leverage its risk management capabilities to create and protect value.
The other options are not the best recommendations, because they do not address the opportunity to improve the enterprise's performance and resilience. Realigning risk appetite to the current risk level may result in missing out on potential gains or advantages that could be obtained by taking more risks within the acceptable range. Decreasing the number of related risk scenarios may reduce the scope and depth of risk analysis and reporting, and impair the enterprise's ability to identify and respond to emerging or changing risks.
Reducing the risk management budget may compromise the quality and reliability of the risk management process and activities, and weaken the enterprise's risk culture and governance. References =
ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 29-30, 34-35, 38-39, 44-45 ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 145



Senior management has asked the risk practitioner for the overall residual risk level for a process that contains numerous risk scenarios.
Which of the following should be provided?

  1. The sum of residual risk levels for each scenario
  2. The loss expectancy for aggregated risk scenarios
  3. The highest loss expectancy among the risk scenarios
  4. The average of anticipated residual risk levels

Answer(s): D

Explanation:

Residual risk is the remaining risk after the risk response has been implemented. Residual risk can be expressed as a combination of the probability and impact of the risk scenario, or as a single value such as loss expectancy. Residual risk can be compared with the inherent risk, which is the risk level before considering the existing controls or responses, to evaluate the risk reduction and value creation of the risk response. Senior management has asked the risk practitioner for the overall residual risk level for a process that contains numerous risk scenarios. The best way to provide this information is to calculate the average of anticipated residual risklevels for each risk scenario, and to present it as a single value or a range. This can help to provide a comprehensive and consistent view of the residual risk exposure and performance of the process, as well as to align it with the organization's risk appetite and tolerance. The sum of residual risk levels for each scenario, the loss expectancy for aggregated risk scenarios, or the highest loss expectancy among the risk scenarios are not the best ways to provide the overall residual risk level, as they may overestimate or underestimate the risk exposure and performance of the process, and may not reflect the actual risk reduction and value creation of the risk response. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.2.2, p. 108-109



Which of the following BEST enables detection of ethical violations committed by employees?

  1. Transaction log monitoring
  2. Access control attestation
  3. Periodic job rotation
  4. Whistleblower program

Answer(s): D

Explanation:

Whistleblower Program:
Definition: A whistleblower program allows employees to report unethical or illegal activities within the organization anonymously.
Detection of Ethical Violations: Employees are often in the best position to observe unethical behavior. A well-structured whistleblower program encourages them to report such behavior without fear of retaliation.
Anonymity and Protection: Providing anonymity and protection to whistleblowers increases the likelihood that employees will report violations, thus enabling the organization to detect and address ethical issues more effectively.
Comparison with Other Options:
Transaction Log Monitoring: While useful for detecting anomalies and potential fraud, it is not specifically focused on ethical violations and may not capture all types of unethical behavior.
Access Control Attestation: This ensures that users have the correct access permissions but does not directly detect unethical behavior.
Periodic Job Rotation: This can help prevent fraud by reducing the risk of collusion and providing fresh perspectives on processes, but it does not directly detect ethical violations.
Best Practices:
Clear Reporting Channels: Ensure that the whistleblower program has clear and accessible reporting channels.
Training and Awareness: Regularly train employees on the importance of reporting unethical behavior and the protections offered by the whistleblower program. Follow-up and Action: Ensure that reports are investigated thoroughly and appropriate actions are taken to address verified violations.


Reference:

CRISC Review Manual: Emphasizes the importance of ethical behavior and the role of whistleblower programs in detecting and addressing ethical violations within organizations. ISACA Guidelines: Support the implementation of whistleblower programs as a key component of a comprehensive risk management and ethical governance framework.



Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds?

  1. Occurrences of specific events
  2. A performance measurement
  3. The risk tolerance level
  4. Risk scenarios

Answer(s): A

Explanation:

Occurrences of specific events are the most likely to cause a key risk indicator (KRI) to exceed thresholds, as they represent the actual or potential realization of the risk. A KRI is a metric that measures the level of risk exposure and the effectiveness of risk response strategies, and it has predefined thresholds that indicate the acceptable or unacceptable risk status.
When a specific event occurs that affects the risk, such as a security breach, a system failure, or a compliance violation, the KRI value may change and exceed the thresholds, triggering an alert or an action. A performance measurement, the risk tolerance level, and risk scenarios are not the most likely to cause a KRI to exceed thresholds, as they do not reflect the actual or potential occurrence of the risk, but rather the expected or desired outcome, limit, or simulation of the risk. References = [CRISC Review Manual (Digital Version)], page 121; CRISC by Isaca Actual Free Exam Q&As, question 217.



Which of the following criteria associated with key risk indicators (KRIs) BEST enables effective risk monitoring?

  1. Approval by senior management
  2. Low cost of development and maintenance
  3. Sensitivity tochanges in risk levels
  4. Use of industry risk data sources

Answer(s): C

Explanation:

Key risk indicators (KRIs) are metrics that help organizations monitor and assess potential risks that may impact their operations, financial health, or overall performance1. KRIs should have certain characteristics that make them effective for risk monitoring, such as:
Ability to measure the right thing (e.g., supports the decisions that need to be made) Quantifiable (e.g., damages in dollars of profit loss) Capability to be measured precisely and accurately

Relevant (measuring the right thing associated with decisions)2 Among the four options given, only option C (sensitivity to changes in risk levels) best enables effective risk monitoring. This is because KRIs should be able to capture the changes in risk levels over time and alert organizations to emerging or escalating risks3. A high sensitivity to changes in risk levels indicates that theKRI is responsive and timely, and can help organizations take preventive or corrective actions before the risks become too severe. References = Key Risk Indicators: A Practical Guide, Key Risk Indicators: Examples & Definitions, Key Risk Indicators - Wikipedia



Which of the following would present the MOST significant risk to an organization when updating the incident response plan?

  1. Obsolete response documentation
  2. Increased stakeholder turnover
  3. Failure to audit third-party providers
  4. Undefinedassignment of responsibility

Answer(s): D

Explanation:

The most significant risk to an organization when updating the incident response plan is the undefined assignment of responsibility. An incident response plan is a document that defines the roles, responsibilities, procedures, and resources for responding to an incident that could disrupt the normal operations of the organization, or compromise its assets, reputation, or compliance. An incident response plan should clearly assign the responsibility for each task and activity involved in the incident response process, such as detection, containment, analysis, eradication, recovery, and reporting. Undefined assignment of responsibility could lead to confusion, duplication, conflict, or omission among the stakeholders, and impair the effectiveness and efficiency of the incident response process. Undefined assignment of responsibility could also increase the risk of escalation, recurrence, or impact of the incident, and affect the accountability and performance of the organization. Obsolete response documentation, increased stakeholder turnover, and failure to audit third-party providers are also risks, but they are not as significant as undefined assignment of responsibility, as they do not directly affect the execution and outcome of the incident response process. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 130.



Viewing page 3 of 238
Viewing questions 17 - 24 out of 1895 questions



Post your Comments and Discuss ISACA CRISC exam prep with other Community members:

CRISC Exam Discussions & Posts