Free ISACA CRISC Exam Questions (page: 41)

Which of the following is MOST helpful to review when identifying risk scenarios associated with the adoption of Internet of Things (IoT) technology in an organization?

  1. The business case for the use of IoT
  2. The IoT threat landscape
  3. Policy development for IoT
  4. The network that IoT devices can access

Answer(s): B

Explanation:

Risk scenarios: Narratives that describe potential risk events, their causes, consequences, and likelihood [1].
Internet of Things (IoT): A network of interconnected devices, software, sensors, and other things that communicate and exchange data without human intervention [2].
IoT threat landscape: The range and types of threats and attacks that target IoT devices, systems, and networks [3].
The most helpful thing to review when identifying risk scenarios associated with the adoption of IoT technology in an organization is the IoT threat landscape. The IoT threat landscape provides a comprehensive and current overview of the potential sources, methods, and impacts of cyberattacks on IoT devices, systems, and networks. Reviewing the IoT threat landscape can help an organization to:
Identify the most relevant and prevalent threats and vulnerabilities that affect IoT technology, such as weak passwords, insecure interfaces, insufficient data protection, poor device management, or lack of encryption [4].
Assess the likelihood and impact of different types of attacks, such as malware infections, denial-of-service attacks, data breaches, unauthorized access, or sabotage [4].
Prioritize the most critical and urgent risks that need to be addressed and mitigated.
Develop realistic and plausible risk scenarios that reflect the actual IoT threat environment and the organization's specific context and objectives.
The other options are not as helpful as the IoT threat landscape when identifying risk scenarios associated with the adoption of IoT technology in an organization, because they do not provide a comprehensive and current view of the potential threats and attacks that target IoT technology. The business case for the use of IoT, which is the justification and rationale for adopting IoT technology based on the expected benefits, costs, and risks, may help to understand the value and purpose of IoT technology for the organization, but it does not provide detailed information on the specific threats and vulnerabilities that affect IoT technology. Policy development for IoT, which is the process of creating and implementing rules and guidelines for the governance, management, and security of IoT technology, may help to establish the standards and expectations for IoT technology within the organization, but it does not provide an overview of the external threats and attacks that target IoT technology. The network that IoT devices can access, which is the infrastructure and system that enables the connectivity and communication of IoT devices, may help to identify the potential entry points and attack vectors for IoT threats, but it does not provide a complete picture of the types and impacts of IoT threats.
References = Risk Scenarios Toolkit, What is the Internet of Things (IoT)? With Examples | Coursera, Top IoT security issues and challenges (2022) - Thales, 8 Internet of Things Threats and Security Risks - SecurityScorecard



Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?

  1. Align business objectives to the risk profile.
  2. Assess risk against business objectives
  3. Implement an organization-specific risk taxonomy.
  4. Explain risk details to management.

Answer(s): B

Explanation:

The best way for a risk practitioner to help management prioritize risk response is to assess risk against business objectives. This means comparing the level and nature of the risks with the goals and strategies of the organization, and determining which risks pose the most significant threat or opportunity to the achievement of those objectives. By assessing risk against business objectives, the risk practitioner can help management identify the most critical and relevant risks, and prioritize the risk response actions accordingly. The risk response actions should be aligned with the organization's risk appetite, which is the amount and type of risk that the organization is willing to take in order to meet its strategic goals [1]. The other options are not the best ways for a risk practitioner to help management prioritize risk response, as they are either less effective or less specific than assessing risk against business objectives. Aligning business objectives to the risk profile is a way of ensuring that the organization's objectives are realistic and achievable, given the current and potential risks that the organization faces. However, this is not the same as prioritizing risk response, as it does not indicate which risks should be addressed first or how they should be managed. Implementing an organization-specific risk taxonomy is a way of creating a common language and classification system for describing and categorizing risks. This can help improve the consistency and clarity of risk communication and reporting across the organization. However, this is not the same as prioritizing risk response, as it does not measure the likelihood and impact of the risks, or their relation to the organization's objectives. Explaining risk details to management is a way of providing information and insight on the sources, drivers, consequences, and responses of the risks.
This can help increase the awareness and understanding of the risks among the decision makers and stakeholders. However, this is not the same as prioritizing risk response, as it does not suggest or recommend the best course of action for managing the risks. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.6, Page 57.



An IT risk practitioner has been asked to regularly report on the overall status and effectiveness of the IT risk management program.
Which of the following is MOST useful for this purpose?

  1. Balanced scorecard
  2. Capability maturity level
  3. Internal audit plan
  4. Control self-assessment (CSA)

Answer(s): A

Explanation:

A balanced scorecard is a strategic management tool that helps to measure and communicate the performance of an organization or a program against its goals and objectives. A balanced scorecard typically consists of four perspectives: financial, customer, internal process, and learning and growth. Each perspective has a set of key performance indicators (KPIs) that reflect the critical success factors and desired outcomes of the organization or the program [1]. A balanced scorecard is most useful for reporting on the overall status and effectiveness of the IT risk management program, because it can provide a comprehensive and balanced view of the program's performance across multiple dimensions. A balanced scorecard can help to align the IT risk management program with the business strategy and vision, and to demonstrate the value and impact of the program to the stakeholders. A balanced scorecard can also help to identify the strengths and weaknesses of the IT risk management program, and to monitor and improve the program's processes and outcomes [2]. The other options are not as useful as a balanced scorecard for reporting on the overall status and effectiveness of the IT risk management program. A capability maturity level is a measure of the maturity and quality of a process or a practice, based on a predefined set of criteria and standards. A capability maturity level can help to assess and benchmark the IT risk management program's processes and practices, but it does not provide a holistic view of the program's performance and results [3]. An internal audit plan is a document that outlines the scope, objectives, and methodology of an internal audit activity. An internal audit plan can help to evaluate and verify the IT risk management program's controls and compliance, but it does not provide a strategic view of the program's goals and outcomes [4]. A control self-assessment (CSA) is a technique that involves the participation of the process owners and the staff in assessing the effectiveness and efficiency of their own controls. A CSA can help to enhance the awareness and ownership of the IT risk management program's controls, but it does not provide an objective and independent view of the program's performance and impact.
References = Balanced Scorecard Basics - Balanced Scorecard Institute, Using the Balanced Scorecard to Measure and Manage IT Risk, Capability Maturity Model Integration (CMMI) Overview, Internal Audit Planning: The Basics - The IIA, Control Self-Assessment - ISACA



An organization with a large number of applications wants to establish a security risk assessment program.
Which of the following would provide the MOST useful information when determining the frequency of risk assessments?

  1. Feedback from end users
  2. Results of a benchmark analysis
  3. Recommendations from internal audit
  4. Prioritization from business owners

Answer(s): B

Explanation:

A benchmark analysis is a process of comparing the organization's performance, practices, and processes with those of other organizations in the same industry or sector. A benchmark analysis can provide the most useful information when determining the frequency of risk assessments, because it can help the organization to identify the best practices, standards, and expectations for security risk management in its industry. A benchmark analysis can also help the organization to assess its current level of maturity, capability, and compliance in relation to security risk management, and to determine the gaps and areas for improvement. By conducting a benchmark analysis, the organization can establish a realistic and appropriate frequency of risk assessments that aligns with its industry norms and its own risk profile. The other options are not as useful as a benchmark analysis, because they do not provide a comprehensive and relevant view of the security risk management landscape, but rather focus on specific or partial aspects of the organization's situation. References = Risk and Information Systems Control Study Manual, Chapter 1, Section 1.3.2, page 18.



Which of the following stakeholders are typically included as part of a line of defense within the three lines of defense model?

  1. Board of directors
  2. Vendors
  3. Regulators
  4. Legal team

Answer(s): D

Explanation:

The three lines of defense model is a framework that describes the roles and responsibilities of different stakeholders in the risk management and internal control processes of an organization. The three lines of defense are:
The first line of defense: the operational management and staff who are responsible for identifying, assessing, and responding to the risks, as well as implementing and maintaining the controls within their areas of activity.
The second line of defense: the risk management, compliance, and security functions who are responsible for establishing the risk policies and standards, providing guidance and support, monitoring and reporting on the risk performance and compliance, and facilitating the risk management and internal control processes across the organization.
The third line of defense: the internal audit function, which is responsible for providing independent and objective assurance on the effectiveness and efficiency of the risk management and internal control processes, as well as recommending improvements and best practices.
The stakeholders who are typically included as part of a line of defense within the three lines of defense model are the legal team, who belong to the second line of defense. The legal team is responsible for ensuring that the organization complies with the relevant laws and regulations, as well as for advising and assisting the organization on the legal aspects and implications of the risk management and internal control processes. References = Risk and Information Systems Control Study Manual, Chapter 1, Section 1.4.1, p. 32-33



Which of the following approaches to bring your own device (BYOD) service delivery provides the BEST protection from data loss?

  1. Enable data wipe capabilities
  2. Penetration testing and session timeouts
  3. Implement remote monitoring
  4. Enforce strong passwords and data encryption

Answer(s): D

Explanation:

The best approach to bring your own device (BYOD) service delivery that provides the best protection from data loss is to enforce strong passwords and data encryption. BYOD is a service delivery model that allows the users to use their own personal devices, such as smartphones, tablets, or laptops, to access the enterprise's network, applications, or data. BYOD can provide various benefits, such as increased productivity, flexibility, and satisfaction of the users, as well as reduced costs and maintenance of the enterprise. However, BYOD also poses various risks, such as data loss, data breach, malware infection, or unauthorized access, as the personal devices may not have the same level of security and control as the enterprise-owned devices. Enforcing strong passwords and data encryption is the best approach to protect the data on the personal devices, as it helps to prevent or limit the unauthorized access, disclosure, or theft of the data, especially if the devices are lost, stolen, or compromised. Enforcing strong passwords and data encryption also helps to comply with the legal and regulatory requirements for data protection and privacy. Enabling data wipe capabilities, penetration testing and session timeouts, and implementing remote monitoring are also useful approaches, but they are not as effective as enforcing strong passwords and data encryption, as they are either reactive or detective measures, rather than proactive or preventive measures. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 217.



Which of the following is the MAIN reason to continuously monitor IT-related risk?

  1. To redefine the risk appetite and risk tolerance levels based on changes in risk factors
  2. To update the risk register to reflect changes in levels of identified and new IT-related risk
  3. To ensure risk levels are within acceptable limits of the organization's risk appetite and risk tolerance
  4. To help identify root causes of incidents and recommend suitable long-term solutions

Answer(s): C

Explanation:

According to the CRISC Review Manual (Digital Version), the main reason to continuously monitor IT-related risk is to ensure risk levels are within acceptable limits of the organization's risk appetite and risk tolerance. The risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives, while the risk tolerance is the acceptable variation in outcomes related to specific performance measures linked to objectives. Continuous monitoring is a process that tracks the security state of an information system on an ongoing basis and maintains the security authorization for the system over time.
Continuous monitoring helps to:
Provide ongoing assurance that the implemented security controls are operating effectively and efficiently
Detect changes in the risk profile of the information system and the environment of operation
Identify new or emerging threats and vulnerabilities that may affect the information system
Support risk-based decisions by providing timely and relevant risk information to stakeholders
Facilitate the implementation of corrective actions and risk mitigation strategies
Promote accountability and transparency in the risk management process
Enhance the security awareness and culture within the organization
References = CRISC Review Manual (Digital Version), Chapter 4: IT Risk Monitoring and Reporting, Section 4.1: IT Risk Monitoring, pp. 213-214 [1]



A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:

  1. updating the risk register.
  2. validating the risk scenarios.
  3. documenting the risk scenarios.
  4. identifying risk mitigation controls.

Answer(s): B

Explanation:

According to the CRISC Review Manual, the most important time to involve business stakeholders in the development of bottom-up IT risk scenarios is when validating the risk scenarios, as they can provide valuable input on the relevance, completeness, and accuracy of the scenarios and their impact on the business objectives and processes [2].
1: CRISC Review Questions, Answers & Explanations Database, Question ID: 100001
2: CRISC Review Manual, 7th Edition, page 97


