Free ISACA CRISC Exam Questions (page: 35)

Which of the following is the MOST important consideration when sharing risk management updates with executive management?

  A. Using an aggregated view of organizational risk
  B. Ensuring relevance to organizational goals
  C. Relying on key risk indicator (KRI) data
  D. Including trend analysis of risk metrics

Answer(s): B

Explanation:

According to the CRISC Review Manual (Digital Version), the most important consideration when sharing risk management updates with executive management is ensuring relevance to organizational goals, as this helps to align risk management with business strategy and performance. The risk management updates should:
Highlight the key risks that may affect the achievement of the organizational goals and objectives
Demonstrate the value and benefits of risk management in supporting decision making and enhancing business resilience
Provide clear and concise information on the current risk profile, risk appetite, risk tolerance and risk exposure of the organization
Recommend appropriate risk response actions and resource allocation to address the identified risks
Communicate the roles and responsibilities of executive management in overseeing and governing risk management
References = CRISC Review Manual (Digital Version), Chapter 4: IT Risk Monitoring and Reporting, Section 4.2: IT Risk Reporting, pp. 221-222



Which of the following represents a vulnerability?

  A. An identity thief seeking to acquire personal financial data from an organization
  B. Media recognition of an organization's market leadership in its industry
  C. A standard procedure for applying software patches two weeks after release
  D. An employee recently fired for insubordination

Answer(s): C

Explanation:

A vulnerability is a weakness or gap in a system, application, or network that can be exploited by a threat to cause harm or gain unauthorized access. A vulnerability can be caused by various factors, such as design flaws, coding errors, configuration errors, or outdated software.
Among the four options given, only option C (a standard procedure for applying software patches two weeks after release) represents a vulnerability. This is because software patches are updates or fixes that address security weaknesses or bugs in software applications or systems. By applying software patches two weeks after release, the organization is exposing itself to the risk of being attacked or compromised by malicious actors who may exploit the known vulnerabilities in the software before they are patched. This risk is especially high if the software is internet-facing or critical to the organization's operations. References = What is a Vulnerability?, Vulnerability Definition & Meaning - Merriam-Webster, Vulnerability Patching: A Resource Guide - Rezilion, Why is Software Vulnerability Patching Crucial for Your Software and ...



Which of the following analyses is MOST useful for prioritizing risk scenarios associated with loss of IT assets?

  A. SWOT analysis
  B. Business impact analysis (BIA)
  C. Cost-benefit analysis
  D. Root cause analysis

Answer(s): B

Explanation:

Business impact analysis (BIA) is the most useful analysis for prioritizing risk scenarios associated with loss of IT assets, because it evaluates the potential consequences of disruption to critical business functions and processes. BIA helps to identify the most significant risks and the most urgent recovery needs. SWOT analysis, cost-benefit analysis, and root cause analysis are all useful tools for different purposes, but they do not directly address the impact of risk scenarios on business continuity and resilience. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.2.1, page 143



Which of the following BEST reduces the risk associated with the theft of a laptop containing sensitive information?

  A. Cable lock
  B. Data encryption
  C. Periodic backup
  D. Biometrics access control

Answer(s): B

Explanation:

The best way to reduce the risk associated with the theft of a laptop containing sensitive information is to use data encryption. Data encryption is a process that transforms the data into an unreadable or unintelligible format, using a secret key or algorithm, to protect the data from unauthorized access or disclosure. Data encryption helps to reduce the risk of data theft, because even if the laptop is stolen, the data on the laptop cannot be accessed or used by the thief without the proper key or algorithm. Data encryption also helps to comply with the relevant laws, regulations, standards, and contracts that may require the protection of sensitive data. The other options are not as effective as data encryption, although they may provide some protection for the laptop or the data. A cable lock, a periodic backup, and a biometrics access control are all examples of physical or logical controls, which may help to prevent or deter the theft of the laptop, or to recover or restore the data on the laptop, but they do not necessarily protect the data from unauthorized access or disclosure if the laptop is stolen. References = 8



A failed IT system upgrade project has resulted in the corruption of an organization's asset inventory database.
Which of the following controls BEST mitigates the impact of this incident?

  A. Encryption
  B. Authentication
  C. Configuration
  D. Backups

Answer(s): D

Explanation:

Backups are the best control to mitigate the impact of a failed IT system upgrade project that has resulted in the corruption of an organization's asset inventory database, as they allow the organization to restore the data from a previous state and resume normal operations. Encryption, authentication, and configuration are not the best controls, as they do not address the data corruption issue, but rather the data security, access, and quality issues, respectively. References = CRISC Review Manual, 7th Edition, page 153.



A risk assessment has been completed on an application and reported to the application owner. The report includes validated vulnerability findings that require mitigation.
Which of the following should be the NEXT step?

  A. Report the findings to executive management to enable treatment decisions.
  B. Reassess each vulnerability to evaluate the risk profile of the application.
  C. Conduct a penetration test to determine how to mitigate the vulnerabilities.
  D. Prepare a risk response that is aligned to the organization's risk tolerance.

Answer(s): D

Explanation:

Preparing a risk response that is aligned to the organization's risk tolerance is the next step after completing a risk assessment and reporting the validated vulnerability findings that require mitigation to the application owner, because it helps to define and implement the appropriate actions to reduce or eliminate the risk, or to prepare for and recover from the potential consequences. A risk response is a strategy or tactic for managing the identified risks, such as avoiding, transferring, mitigating, or accepting the risk. A risk response should be aligned to the organization's risk tolerance, which is the acceptable level of variation from the organization's objectives or expectations. A vulnerability is a weakness or flaw in an IT system or application that can be exploited by a threat or attack to cause harm or damage. A vulnerability finding is a result of a vulnerability assessment, which is a process of identifying and evaluating the vulnerabilities in an IT system or application. A vulnerability finding requires mitigation, which is a type of risk response that involves applying controls or countermeasures to reduce the likelihood or impact of the risk. Therefore, preparing a risk response that is aligned to the organization's risk tolerance is the next step, as it helps to address the vulnerability findings and to achieve the desired level of risk. Reporting the findings to executive management, reassessing each vulnerability, and conducting a penetration test are all possible steps to perform after preparing a risk response, but they are not the next step, as they depend on the results and approval of the risk response. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.4.2, page 103



Of the following, who is responsible for approval when a change in an application system is ready for release to production?

  A. Information security officer
  B. IT risk manager
  C. Business owner
  D. Chief risk officer (CRO)

Answer(s): C

Explanation:

The business owner is the person who is responsible for approval when a change in an application system is ready for release to production. The business owner is the person who has the authority and accountability for the business process or function that is supported by the application system. The business owner should approve the change to ensure that it meets the business requirements, objectives, and expectations, and that it does not introduce any adverse impacts or risks to the business operations. The information security officer, the IT risk manager, and the chief risk officer (CRO) are not responsible for the approval of the change, although they may provide input, feedback, or oversight. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.4.1, page 3-32.



The PRIMARY benefit of using a maturity model is that it helps to evaluate the:

  A. capability to implement new processes
  B. evolution of process improvements
  C. degree of compliance with policies and procedures
  D. control requirements.

Answer(s): B

Explanation:

A maturity model is a framework that describes the stages or levels of development and improvement of a certain domain, such as a process, a function, or an organization. A maturity model can help to evaluate the current state, identify the strengths and weaknesses, set the goals and objectives, and measure the performance and improvement over time. The primary benefit of using a maturity model is that it helps to evaluate the evolution of process improvements, meaning that it can help to track the progress and changes of the processes, as well as to identify the best practices and standards. A maturity model can also help to compare the processes with the industry benchmarks and competitors, as well as to align the processes with the business strategy and vision. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.3.2.1, p. 118-119


