Free ISACA CRISC Exam Questions (page: 40)

Which of the following should be considered FIRST when creating a comprehensive IT risk register?

  A. Risk management budget
  B. Risk mitigation policies
  C. Risk appetite
  D. Risk analysis techniques

Answer(s): C

Explanation:

Risk appetite is the most important factor to consider first when creating a comprehensive IT risk register, as it defines the amount and type of risk that the organization is willing to accept in pursuit of its objectives, and guides the identification, assessment, response, and monitoring of the IT risks. The other options are not the most important factors, as they relate to the resources, actions, or methods of IT risk management, respectively, rather than to its strategy or direction. References = CRISC Review Manual, 7th Edition, page 109.



A payroll manager discovers that fields in certain payroll reports have been modified without authorization.
Which of the following control weaknesses could have contributed MOST to this problem?

  A. The user requirements were not documented.
  B. Payroll files were not under the control of a librarian.
  C. The programmer had access to the production programs.
  D. The programmer did not involve the user in testing.

Answer(s): C

Explanation:

A payroll manager discovers that fields in certain payroll reports have been modified without authorization. This indicates that there is a risk of unauthorized access, use, disclosure, modification, or destruction of sensitive data, such as employee information, payroll records, tax returns, etc.
A control weakness that could have contributed most to this problem is that the programmer had access to the production programs. This means that the programmer could potentially alter the source code or configuration of the payroll software without proper authorization or approval.
The other options are not control weaknesses that could have contributed most to this problem. They are either irrelevant or less likely to cause unauthorized changes in the payroll software.
The references for this answer are:
Risk IT Framework, page 12
Information Technology & Security, page 6
Risk Scenarios Starter Pack, page 4



Which of the following is the ULTIMATE goal of conducting a privacy impact analysis (PIA)?

  A. To identify gaps in data protection controls
  B. To develop a customer notification plan
  C. To identify personally identifiable information (PII)
  D. To determine gaps in data identification processes

Answer(s): A

Explanation:

The ultimate goal of conducting a privacy impact analysis (PIA) is to identify gaps in data protection controls, as it involves assessing the privacy risks and impacts of collecting, using, storing, and disclosing personally identifiable information (PII), and determining the adequacy and effectiveness of the existing or proposed controls to mitigate those risks and impacts. Developing a customer notification plan, identifying PII, and determining gaps in data identification processes are possible steps or outcomes of conducting a PIA, but they are not the ultimate goal, as they do not address the root cause or solution of the privacy issues. References = CRISC Review Manual, 7th Edition, page 155.



An organization has outsourced its backup and recovery procedures to a third-party cloud provider.
Which of the following is the risk practitioner's BEST course of action?

  A. Accept the risk and document contingency plans for data disruption.
  B. Remove the associated risk scenario from the risk register due to avoidance.
  C. Mitigate the risk with compensating controls enforced by the third-party cloud provider.
  D. Validate the transfer of risk and update the register to reflect the change.

Answer(s): D

Explanation:

The risk practitioner's BEST course of action is to validate the transfer of risk and update the register to reflect the change, because outsourcing the backup and recovery procedures to a third-party cloud provider does not eliminate the risk, but rather transfers it to the service provider. The risk practitioner should verify that the service provider has adequate controls and capabilities to handle the backup and recovery procedures, and that the contractual agreement specifies the roles and responsibilities of both parties. The risk practitioner should also update the risk register to reflect the new risk owner and the residual risk level. The other options are not the best course of action, because:
Option A: Accepting the risk and documenting contingency plans for data disruption is not the best course of action, because it implies that the risk practitioner is still responsible for the risk, even though it has been transferred to the service provider. Contingency plans are also reactive measures, rather than proactive ones.
Option B: Removing the associated risk scenario from the risk register due to avoidance is not the best course of action, because it implies that the risk has been eliminated, which is not the case. The risk still exists, but it has been transferred to the service provider. The risk register should reflect the current risk status and ownership.
Option C: Mitigating the risk with compensating controls enforced by the third-party cloud provider is not the best course of action, because it implies that the risk practitioner is still involved in the risk management process, even though the risk has been transferred to the service provider. The risk practitioner should rely on the service provider's controls and capabilities, and monitor their performance and compliance.
References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 196.



When updating the risk register after a risk assessment, which of the following is MOST important to include?

  A. Historical losses due to past risk events
  B. Cost to reduce the impact and likelihood
  C. Likelihood and impact of the risk scenario
  D. Actor and threat type of the risk scenario

Answer(s): C

Explanation:

A risk register is a document that records and tracks the information about the risks that may affect the organization's objectives, such as the risk description, category, source, cause, impact, probability, status, owner, response, etc.
When updating the risk register after a risk assessment, the most important information to include is the likelihood and impact of the risk scenario. This means that the risk register should reflect the current or updated estimates of the probability and consequence of the risk scenario, based on the risk analysis and evaluation methods and criteria. The likelihood and impact of the risk scenario help to determine the risk level and priority, select the most appropriate risk response, allocate the resources and budget for risk management, and monitor and report the risk performance and outcomes. The other options are not the most important information to include when updating the risk register after a risk assessment. They are either secondary or not essential for risk management.
The references for this answer are:
Risk IT Framework, page 29
Information Technology & Security, page 23
Risk Scenarios Starter Pack, page 21



Which of the following provides the BEST evidence that a selected risk treatment plan is effective?

  A. Identifying key risk indicators (KRIs)
  B. Evaluating the return on investment (ROI)
  C. Evaluating the residual risk level
  D. Performing a cost-benefit analysis

Answer(s): C

Explanation:

A risk treatment plan is a document that describes the actions and resources required to implement the chosen risk response for a specific risk scenario. A risk response can be to accept, avoid, transfer, or mitigate the risk. The effectiveness of a risk treatment plan can be measured by how well it reduces the risk exposure and achieves the desired outcomes. The best evidence that a selected risk treatment plan is effective is to evaluate the residual risk level, which is the remaining risk after the risk treatment plan has been implemented. The residual risk level should be within the organization's risk appetite and tolerance, and should reflect the actual risk reduction and value creation of the risk treatment plan. Evaluating the residual risk level can also help to identify any gaps or issues that need to be addressed, and to monitor and report on the risk performance and improvement. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.2.2, p. 108-109



Which of the following BEST indicates how well a web infrastructure protects critical information from an attacker?

  A. Failed login attempts
  B. Simulating a denial of service attack
  C. Absence of IT audit findings
  D. Penetration test

Answer(s): D

Explanation:

A penetration test is a simulated cyberattack on a web infrastructure to evaluate its security posture and identify any vulnerabilities or weaknesses that could be exploited by an attacker. A penetration test is the best indicator of how well a web infrastructure protects critical information from an attacker, as it mimics the real-world scenarios and techniques that an attacker would use, and measures the effectiveness of the existing security controls and countermeasures. A penetration test can also provide recommendations for improving the security of the web infrastructure and reducing the risk exposure. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, Question 236. CRISC by Isaca Actual Free Exam Q&As, Question 9. CRISC: Certified in Risk & Information Systems Control Sample Questions, Question 236. Most Asked CRISC Exam Questions and Answers, Question 10.



Which of the following BEST enables an organization to address risk associated with technical complexity?

  A. Documenting system hardening requirements
  B. Minimizing dependency on technology
  C. Aligning with a security architecture
  D. Establishing configuration guidelines

Answer(s): C

Explanation:

Addressing Technical Complexity:
Security Architecture Alignment: Aligning with a security architecture helps manage the complexity by providing a structured framework for implementing and managing security controls.
Comprehensive Framework: A security architecture ensures that all security controls are integrated and aligned with the organization's overall security strategy, reducing the risk associated with technical complexity.
Steps Involved:
Develop or Adopt a Security Architecture: Use established frameworks such as SABSA, TOGAF, or Zachman.
Implementation: Apply the security architecture across all systems and processes to ensure consistency and integration.
Monitoring and Maintenance: Continuously monitor the security architecture and update it as necessary to address new threats and technologies.
Comparison with Other Options:
Documenting System Hardening Requirements: Important but does not address the overall complexity.
Minimizing Dependency on Technology: Not always feasible and does not fully address the inherent complexity.
Establishing Configuration Guidelines: Helpful but should be part of the broader security architecture.
Best Practices:
Continuous Improvement: Regularly update and improve the security architecture to adapt to evolving threats and technologies.
Training and Awareness: Ensure that all relevant personnel understand the security architecture and their role in maintaining it.

Reference:

CRISC Review Manual: Discusses the importance of aligning with a security architecture to manage technical complexity and ensure comprehensive security controls. ISACA Standards: Emphasize the role of security architecture in providing a structured approach to managing security across the organization.


