Free ISACA CRISC Exam Questions (page: 32)

A large organization needs to report risk at all levels for a new centralized virtualization project to reduce cost and improve performance.
Which of the following would MOST effectively represent the overall risk of the project to senior management?

  1. Aggregated key performance indicators (KPIs)
  2. Key risk indicators (KRIs)
  3. Centralized risk register
  4. Risk heat map

Answer(s): D

Explanation:

A risk heat map is a graphical tool that presents the overall risk of the project to senior management by plotting the probability and impact of individual risks in a matrix. It helps prioritize risks, communicate risk exposure, and monitor the risk response, and it can also show the organization's risk appetite and tolerance levels and the residual risk remaining after the response. The other options may be useful inputs or complements to the heat map, but they are not the most effective way to represent overall project risk to senior management. Aggregated key performance indicators (KPIs) measure project performance against objectives, but they do not show the uncertainty or variability of project outcomes. Key risk indicators (KRIs) measure the level of risk or the effectiveness of the risk response, but they do not show the relationship between the probability and impact of the risks. A centralized risk register records the details of individual risks (description, category, cause, effect, probability, impact, response, and status), but it does not show the overall risk of the project in a visual or concise way. References = Managing overall project risk; Project Risk Management Quick Reference Guide; 10 Common Project Risks (Plus the Steps To Solve Them); What Is Project Risk Management: Benefits, Challenges, Best Practices



Which of the following is the PRIMARY reason to perform periodic vendor risk assessments?

  1. To provide input to the organization's risk appetite
  2. To monitor the vendor's control effectiveness
  3. To verify the vendor's ongoing financial viability
  4. To assess the vendor's risk mitigation plans

Answer(s): B

Explanation:

The primary reason to perform periodic vendor risk assessments is to monitor the vendor's control effectiveness. A vendor risk assessment evaluates the risks associated with outsourcing a service or function to a third-party vendor. It should be performed periodically to confirm that the vendor is complying with its contractual obligations, service level agreements, and security standards, and that the vendor's controls are operating effectively to mitigate the risks. Providing input to the organization's risk appetite, verifying the vendor's ongoing financial viability, and assessing the vendor's risk mitigation plans are other possible reasons, but they are not as important as monitoring the vendor's control effectiveness. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 11; CRISC Review Manual, 6th Edition, page 144.



An organization is planning to move its application infrastructure from on-premises to the cloud.
Which of the following is the BEST course of action to address the risk associated with data transfer if the relationship with the vendor is terminated?

  1. Meet with the business leaders to ensure the classification of their transferred data is in place.
  2. Ensure the language in the contract explicitly states who is accountable for each step of the data transfer process.
  3. Collect requirements for the environment to ensure the infrastructure as a service (IaaS) is configured appropriately.
  4. Work closely with the information security officer to ensure the company has the proper security controls in place.

Answer(s): B

Explanation:

The best course of action to address the risk associated with data transfer if the relationship with the vendor is terminated is to ensure the language in the contract explicitly states who is accountable for each step of the data transfer process. Clear contractual language avoids ambiguity, confusion, or disputes over the ownership, responsibility, and liability of the data and of the transfer process at exit. Meeting with the business leaders, collecting requirements, and working with the information security officer are important activities, but they are not as effective as ensuring the contractual agreement is clear and enforceable. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 4; CRISC Review Manual, 6th Edition, page 153.



Who is MOST appropriate to be assigned ownership of a control?

  1. The individual responsible for control operation
  2. The individual informed of the control effectiveness
  3. The individual responsible for testing the control
  4. The individual accountable for monitoring control effectiveness

Answer(s): D

Explanation:

A control is a measure or action implemented to reduce the likelihood or impact of a risk event, or to enhance the benefits or opportunities of a risk event. A control owner is the person assigned the responsibility and authority for the design, implementation, operation, and maintenance of a control. The most appropriate person to be assigned ownership of a control is the individual accountable for monitoring control effectiveness, that is, for measuring and evaluating the performance and compliance of the control. Operating, testing, or merely being informed about a control are responsibilities that can be delegated; accountability for whether the control actually works cannot. By assigning ownership to the individual accountable for monitoring control effectiveness, the organization ensures that the control is aligned with the risk objectives, operates as intended, and delivers the expected results.



An organization outsources the processing of its payroll data. A risk practitioner identifies a control weakness at the third party that exposes the payroll data.
Who should own this risk?

  1. The third party's IT operations manager
  2. The organization's process owner
  3. The third party's chief risk officer (CRO)
  4. The organization's risk practitioner

Answer(s): B

Explanation:

The organization's process owner should own the risk of exposing the payroll data due to a control weakness at the third party, because the process owner is the person who is responsible for the business process that generates, uses, or transfers the payroll data. The process owner should also ensure that the third party complies with the contractual obligations and service level agreements that define the expected performance and security standards of the payroll data processing. The other options are not the correct answers, because they are not the primary owners of the risk, although they may also be involved in the risk management process. The third party's IT operations manager, the third party's chief risk officer (CRO), and the organization's risk practitioner are examples of secondary owners or stakeholders of the risk, who may provide support, guidance, or oversight to the risk owner, but they are not accountable for the risk or the risk response strategy. References = CRISC: Certified in Risk & Information Systems Control Sample Questions



Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:

  1. a gap analysis.
  2. a root cause analysis.
  3. an impact assessment.
  4. a vulnerability assessment.

Answer(s): B

Explanation:

The most effective way to resolve the situation and define a comprehensive risk treatment plan would be to perform a root cause analysis. A root cause analysis identifies and addresses the underlying factors that led to a problem or incident; here, the malware infection that affected the organization. By performing one, the organization can determine how and why the malware was able to infect its systems, which vulnerabilities or weaknesses were exploited, which controls or processes failed or were missing, and which actions or decisions contributed to the situation. This helps prevent or reduce the recurrence of similar incidents and improves the effectiveness and efficiency of the risk management process.

The root cause analysis also provides the basis for a comprehensive risk treatment plan: the set of actions or measures taken to modify the risk by reducing, avoiding, transferring, or accepting it. Based on the findings and recommendations of the analysis, the organization can select and implement the most appropriate treatment option for the malware risk and for any related or emerging risks. The plan should also define roles and responsibilities, resources, timelines, and performance indicators for the treatment actions.

The other options are either less thorough or less relevant than a root cause analysis. A gap analysis compares the current and desired state of a process, system, or organization and identifies the differences between them; it can point to areas for improvement and to the opportunities or challenges in reaching the desired state, but it does not address the causes or consequences of the malware infection or the measures needed to mitigate the risk. An impact assessment estimates the potential effects of a change, decision, or action on a process, system, or organization and helps weigh its benefits, costs, risks, and opportunities, but it does not investigate the origin or nature of the infection or the alternatives for managing the risk. A vulnerability assessment identifies and analyzes the weaknesses or flaws that threats could exploit to cause harm or loss and helps prioritize and remediate them, but on its own it does not consider the root causes or impacts of the infection or the treatment options to address the risk. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.8, Page 61.



The MAIN reason for creating and maintaining a risk register is to:

  1. assess effectiveness of different projects.
  2. define the risk assessment methodology.
  3. ensure assets have low residual risk.
  4. account for identified key risk factors.

Answer(s): D

Explanation:

A risk register is a tool used to identify, assess, and prioritize risks in an organization. It typically includes a description of each identified risk, an assessment of its likelihood and potential impact, and a plan for managing or mitigating the risk. A risk register is usually created at the beginning of a project or process and updated regularly throughout the risk management life cycle.
The main reason for creating and maintaining a risk register is to account for identified key risk factors. This means that the risk register helps to:
Document and track all relevant risks that may affect the project or the organization, together with their sources, causes, and consequences
Provide a comprehensive and consistent view of the risk profile and exposure of the project or the organization
Support decision-making and prioritization of risk responses and controls, based on the risk appetite and tolerance of the project or the organization
Communicate and report risk information and status to stakeholders and regulators, ensuring transparency and accountability
Enable continuous improvement and learning from the risk management process and its outcomes
References = What is a risk register and why is it important?; Purpose of a risk register: Here's what a risk register is used for; Risk Register: A Project Manager's Guide with Examples [2024]; Risk Register - Wikipedia
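The heat map answer above and this risk register answer describe the same two artifacts: a register that records each risk's likelihood, impact, response, and residual exposure, and a likelihood-by-impact matrix that rolls those entries up for senior management. The following is an added example, not ISACA material or anything from the original page, showing how a small register can be validated, placed onto a 5x5 heat map, rated, and checked against a tolerance threshold. The register entries are constructed for illustration, and the 1..5 scales, the score bands (20 critical, 12 high, 6 medium) and the tolerance of 12 are assumptions; an organization would substitute its own.

```python
"""Risk register entries -> likelihood/impact heat map with tolerance check.

Added illustration; the entries, scales and thresholds below are assumptions,
not ISACA's or any organization's actual values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SCALE = range(1, 6)  # 1 = lowest, 5 = highest, for both likelihood and impact (assumed scale)


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    category: str
    likelihood: int                             # inherent likelihood, 1..5
    impact: int                                 # inherent impact, 1..5
    response: str = "accept"                    # accept / mitigate / transfer / avoid
    residual_likelihood: Optional[int] = None   # expected likelihood after the response
    residual_impact: Optional[int] = None       # expected impact after the response

    def __post_init__(self) -> None:
        # Reject out-of-scale values early so a bad entry cannot distort the roll-up.
        for value in (self.likelihood, self.impact):
            if value not in SCALE:
                raise ValueError(f"{self.risk_id}: likelihood/impact must be 1..5, got {value}")
        if (self.residual_likelihood is None) != (self.residual_impact is None):
            raise ValueError(f"{self.risk_id}: residual likelihood and impact must be set together")
        if self.residual_likelihood is not None:
            for value in (self.residual_likelihood, self.residual_impact):
                if value not in SCALE:
                    raise ValueError(f"{self.risk_id}: residual values must be 1..5, got {value}")

    def position(self, residual: bool = False) -> Tuple[int, int]:
        """(likelihood, impact) cell this risk occupies; falls back to inherent if no residual is recorded."""
        if residual and self.residual_likelihood is not None:
            return (self.residual_likelihood, self.residual_impact)
        return (self.likelihood, self.impact)

    def score(self, residual: bool = False) -> int:
        likelihood, impact = self.position(residual)
        return likelihood * impact


def rating(score: int) -> str:
    """Map a likelihood*impact score to a band (assumed thresholds)."""
    if score >= 20:
        return "critical"
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def build_heat_map(register: List[RiskEntry], residual: bool = False) -> Dict[Tuple[int, int], List[str]]:
    """Group risk IDs by the (likelihood, impact) cell they fall in."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for entry in register:
        cells.setdefault(entry.position(residual), []).append(entry.risk_id)
    return cells


def above_tolerance(register: List[RiskEntry], tolerance: int, residual: bool = False) -> List[str]:
    """IDs whose score exceeds the tolerance, highest score first; these are the ones to escalate."""
    hits = [e for e in register if e.score(residual) > tolerance]
    return [e.risk_id for e in sorted(hits, key=lambda e: (-e.score(residual), e.risk_id))]


def summarize(register: List[RiskEntry], residual: bool = False) -> Dict[str, int]:
    """Count of risks per band: the one-line view of overall project risk."""
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for entry in register:
        counts[rating(entry.score(residual))] += 1
    return counts


def render_heat_map(register: List[RiskEntry], residual: bool = False) -> str:
    """ASCII 5x5 grid: rows are likelihood (5 at top), columns are impact (1..5)."""
    cells = build_heat_map(register, residual)
    width = 12
    lines = ["likelihood \\ impact " + "".join(f"{i:<{width}}" for i in SCALE)]
    for likelihood in reversed(SCALE):
        row = f"{likelihood:<20}"
        for impact in SCALE:
            label = ",".join(cells.get((likelihood, impact), [])) or "."
            row += f"{label:<{width}}"
        lines.append(row.rstrip())
    return "\n".join(lines)


# Constructed sample register for a virtualization project (illustrative only).
SAMPLE_REGISTER = [
    RiskEntry("R-01", "Hypervisor escape on shared hosts", "technical", 2, 5, "mitigate", 1, 5),
    RiskEntry("R-02", "Misconfigured management network", "technical", 4, 4, "mitigate", 3, 5),
    RiskEntry("R-03", "Vendor lock-in", "strategic", 3, 3, "accept"),
    RiskEntry("R-04", "Loss of skilled staff", "operational", 3, 2, "accept"),
    RiskEntry("R-05", "Backup job failure during migration", "operational", 4, 5, "mitigate", 2, 3),
]

if __name__ == "__main__":
    print(render_heat_map(SAMPLE_REGISTER))
    print("inherent:", summarize(SAMPLE_REGISTER), "escalate:", above_tolerance(SAMPLE_REGISTER, 12))
    print("residual:", summarize(SAMPLE_REGISTER, residual=True),
          "escalate:", above_tolerance(SAMPLE_REGISTER, 12, residual=True))
```

Note what the two views give management that the raw register does not: the inherent grid shows where exposure concentrates, while the residual grid and the tolerance check show which risks still sit outside appetite after the planned responses (here R-02, whose mitigation lowers likelihood but not the score below the assumed tolerance). A KRI would track one of these cells over time; the heat map is the snapshot.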



An external security audit has reported multiple findings related to control noncompliance.
Which of the following would be MOST important for the risk practitioner to communicate to senior management?

  1. A recommendation for internal audit validation
  2. Plans for mitigating the associated risk
  3. Suggestions for improving risk awareness training
  4. The impact to the organization's risk profile

Answer(s): D

Explanation:

The risk profile of an organization is a summary of the key risks that affect its objectives, operations, and performance. The risk profile can help senior management understand the current and potential exposure of the organization to various sources of uncertainty, and prioritize the risk response accordingly. An external security audit can reveal multiple findings related to control noncompliance, which indicate that the existing controls are not adequate, effective, or aligned with the organization's risk appetite. These findings can have a significant impact on the organization's risk profile, as they can increase the likelihood and/or impact of adverse events, such as data breaches, cyberattacks, regulatory fines, reputational damage, etc. Therefore, the most important information that the risk practitioner should communicate to senior management is the impact to the organization's risk profile, as it can help them make informed decisions about the risk response and allocation of resources. References = Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.1: Risk Profile, p. 193-195.


