Free ISACA CRISC Exam Questions (page: 43)

Which of the following actions should a risk practitioner do NEXT when an increased industry trend of external cyber attacks is identified?

  A. Conduct a threat and vulnerability analysis.
  B. Notify senior management of the new risk scenario.
  C. Update the risk impact rating in the risk register.
  D. Update the key risk indicator (KRI) in the risk register.

Answer(s): A

Explanation:

When an increased industry trend of external cyber attacks is identified, the action a risk practitioner should take next is A, conduct a threat and vulnerability analysis. A threat and vulnerability analysis is the process of identifying and assessing the potential sources and methods of cyber attacks, as well as the weaknesses and gaps in the organization's information systems and security controls. By conducting this analysis, the risk practitioner can determine the level of exposure and risk that the organization faces from external cyber attacks, and prioritize the actions and resources needed to mitigate or prevent them. The results of the analysis also feed the update of the risk impact rating and the key risk indicator in the risk register, and the notification of senior management about the new risk scenario, but these are subsequent steps that follow once the analysis is completed. Therefore, the first action the risk practitioner should take is to conduct a threat and vulnerability analysis.



Which of the following practices would be MOST effective in protecting personally identifiable information (PII) from unauthorized access in a cloud environment?

  A. Apply data classification policy
  B. Utilize encryption with logical access controls
  C. Require logical separation of company data
  D. Obtain the right to audit

Answer(s): B

Explanation:

The most effective practice in protecting personally identifiable information (PII) from unauthorized access in a cloud environment is to utilize encryption with logical access controls. Encryption is a technique that transforms the data into an unreadable or unintelligible form, making it inaccessible or unusable by unauthorized parties. Logical access controls are the mechanisms or rules that regulate who can access, view, modify, or delete the data, based on their identity, role, or privilege. By utilizing encryption with logical access controls, the PII can be protected from unauthorized access, disclosure, or theft, both in transit and at rest, in a cloud environment. The other options are not as effective as utilizing encryption with logical access controls, as they are related to the classification, separation, or audit of the data, not the protection or security of the data. References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Response, Section 3.3: IT Risk Response Implementation, page 145.



Which of the following would be the GREATEST challenge when implementing a corporate risk framework for a global organization?

  A. Privacy risk controls
  B. Business continuity
  C. Risk taxonomy
  D. Management support

Answer(s): D

Explanation:

The greatest challenge when implementing a corporate risk framework for a global organization is management support. A corporate risk framework is a set of principles, policies, standards, and processes that guide and govern the risk management activities across the organization. A corporate risk framework helps to establish a consistent and integrated approach to risk management, and to align the risk management objectives and strategies with the business goals and values. Implementing a corporate risk framework for a global organization requires management support, which is the commitment, involvement, and endorsement of the senior management and the board. Management support is essential for providing the vision, direction, and resources for the risk management initiatives, and for ensuring the accountability, responsibility, and ownership of the risk management roles and functions. Management support is also critical for creating and sustaining a risk-aware culture, and for promoting risk management awareness and communication among the stakeholders. Management support can be challenging to obtain and maintain, especially for a global organization, as it may face various barriers, such as different expectations, priorities, preferences, or perspectives of the management, lack of trust or confidence in the risk management value or performance, resistance to change or innovation, or competing interests or agendas. Privacy risk controls, business continuity, and risk taxonomy are not as challenging as management support, as they are the components or outcomes of the corporate risk framework, and they can be addressed or improved by applying the appropriate methods, techniques, or tools. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 35.



In an organization dependent on data analytics to drive decision-making, which of the following would BEST help to minimize the risk associated with inaccurate data?

  A. Establishing an intellectual property agreement
  B. Evaluating each of the data sources for vulnerabilities
  C. Periodically reviewing big data strategies
  D. Benchmarking to industry best practice

Answer(s): C

Explanation:

Periodically reviewing big data strategies is the best option to minimize the risk of inaccurate data, because it allows the organization to assess the quality, validity, and reliability of the data sources and the analytics methods. It also enables the organization to identify and address any gaps, errors, or inconsistencies in the data and the results. By reviewing the big data strategies, the organization can ensure that the data analytics are aligned with the business objectives and the risk appetite.
Establishing an intellectual property agreement is not relevant to the risk of inaccurate data, as it is a legal measure to protect the ownership and use of the data, not its quality or accuracy.
Evaluating each of the data sources for vulnerabilities is a good practice, but it is not sufficient to minimize the risk of inaccurate data, as it only focuses on the security aspect of the data, not the validity or reliability of the data itself. Benchmarking to industry best practice is a useful way to compare the performance and results of the data analytics, but it does not directly address the risk of inaccurate data, as it assumes that the data and the methods are already valid and reliable. References = Risk IT Framework, 2nd Edition, ISACA, 2019, page 62-63.



Which of the following would BEST help minimize the risk associated with social engineering threats?

  A. Enforcing employees' sanctions
  B. Conducting phishing exercises
  C. Enforcing segregation of duties
  D. Reviewing the organization's risk appetite

Answer(s): B

Explanation:

Conducting phishing exercises would best help minimize the risk associated with social engineering threats, because they can help to raise awareness and educate employees about the common techniques and tactics used by social engineers, such as sending deceptive emails or text messages that ask for sensitive information or direct users to malicious websites. Phishing exercises are simulated attacks that test the employees' ability to recognize and respond to social engineering attempts, and provide feedback and guidance on how to improve their security behavior. By conducting phishing exercises, the organization can measure and improve the employees' level of security awareness and resilience, and reduce the likelihood and impact of falling victim to social engineering attacks. The other options are less effective ways to minimize the risk associated with social engineering threats. Enforcing employees' sanctions can help to deter and punish employees who violate the security policies or procedures, but it may not prevent or reduce the occurrence of social engineering attacks, as they may target employees who are unaware, careless, or coerced by the attackers. Enforcing segregation of duties can help to prevent or limit the damage caused by social engineering attacks, by restricting the access and authority of employees to perform certain tasks or functions, but it may not address the root cause or source of the attacks, which is the human factor. Reviewing the organization's risk appetite can help to define and communicate the amount and type of risk that the organization is willing to accept in pursuit of its objectives, but it may not directly affect or influence the employees' behavior or attitude toward social engineering threats, which may depend on their individual or situational factors. References = How to Prevent and Mitigate Social Engineering Attacks



An organization has adopted an emerging technology without following proper processes.
Which of the following is the risk practitioner's BEST course of action to address this risk?

  A. Accept the risk because the technology has already been adopted.
  B. Propose a transfer of risk to a third party with subsequent monitoring.
  C. Conduct a risk assessment to determine risk exposure.
  D. Recommend to senior management to decommission the technology.

Answer(s): C

Explanation:

Conducting a risk assessment allows the organization to evaluate the exposure created by adopting the technology. This step ensures informed decision-making and aligns with the principles of Risk Identification and Assessment for managing emerging risks effectively.



Which of the following is MOST effective in continuous risk management process improvement?

  A. Periodic assessments
  B. Change management
  C. Awareness training
  D. Policy updates

Answer(s): A

Explanation:

Continuous risk management process improvement is the practice of evaluating and enhancing the risk management process on a regular basis, to ensure that it is effective, efficient, and aligned with the business objectives and strategy. Continuous risk management process improvement can help identify and address the gaps, weaknesses, or opportunities for improvement in the risk management process, and ensure that the process is responsive and adaptable to the changing risk environment. The most effective method for continuous risk management process improvement is periodic assessments, which are systematic and objective evaluations of the risk management process, performed at predefined intervals or after significant events. Periodic assessments can help measure and monitor the performance and maturity of the risk management process, using criteria such as the risk management framework, standards, policies, procedures, methods, tools, roles, responsibilities, and results. Periodic assessments can also help identify and analyze the strengths, weaknesses, threats, and opportunities of the risk management process, and provide feedback and recommendations for improvement. Periodic assessments can also help communicate and report the status and progress of the risk management process to the stakeholders, and obtain their input and support for improvement actions. References = Continuous Risk Management Guidebook, p. 7-8; ISO 31000: risk management and its continuous improvement; How Continuous Monitoring Drives Risk Management.



Which of the following is the MOST important component of effective security incident response?

  A. Network time protocol synchronization
  B. Identification of attack sources
  C. Early detection of breaches
  D. A documented communications plan

Answer(s): D

Explanation:

The most important component of effective security incident response is a documented communications plan. A communications plan defines the roles and responsibilities, channels and methods, frequency and timing, and content and format of the communications that take place during and after a security incident. A communications plan helps to ensure that the relevant stakeholders are informed and updated about the incident status and outcome, and that the incident response activities are coordinated and consistent. A communications plan also helps to manage the expectations and perceptions of the stakeholders, and to maintain the trust and reputation of the enterprise. Network time protocol synchronization, identification of attack sources, and early detection of breaches are also important components of effective security incident response, but they are not as important as a documented communications plan. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.2.1.2, page 193 [1]
[1]: ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide, Answer to Question 660.


