Free ISACA CRISC Exam Questions (page: 44)

An organization's financial analysis department uses an in-house forecasting application for business projections.
Who is responsible for defining access roles to protect the sensitive data within this application?

  1. IT risk manager
  2. IT system owner
  3. Information security manager
  4. Business owner

Answer(s): D

Explanation:

According to the Data Roles and Responsibilities article, the business owner is the person who has authority over the business process that is supported by the data. The business owner is responsible for defining the access roles to protect the sensitive data within the application, as well as approving access requests and ensuring compliance with data policies and standards. The business owner may delegate this responsibility to a data steward, who acts on behalf of the business owner to manage data quality, security, and usage. Therefore, the answer is D. Business owner. References = Data Roles and Responsibilities



A segregation of duties control was found to be ineffective because it did not account for all applicable functions when evaluating access.
Who is responsible for ensuring the control is designed to effectively address risk?

  1. Risk manager
  2. Control owner
  3. Control tester
  4. Risk owner

Answer(s): B

Explanation:

The control owner is the person who is responsible for ensuring that the control is designed to effectively address risk. The control owner is also responsible for implementing, operating, monitoring, and maintaining the control. The control owner should ensure that the control is aligned with the risk owner's risk appetite and tolerance, and that the control is periodically reviewed and updated to reflect changes in the risk environment. The risk manager, the control tester, and the risk owner are not directly responsible for the design of the control, although they may provide input, feedback, or approval. References = Risk and Information Systems Control Study Manual, Chapter 1, Section 1.3.2, page 1-15.



Which of the following should be the PRIMARY consideration when assessing the automation of control monitoring?

  1. Impact due to failure of control
  2. Frequency of failure of control
  3. Contingency plan for residual risk
  4. Cost-benefit analysis of automation

Answer(s): D

Explanation:

Automation of control monitoring is the application of technology to allow continuous or high-frequency, automated monitoring of controls to validate the effectiveness of controls designed to mitigate risk [1].
Automation of control monitoring can provide benefits such as increased test coverage, improved timeliness, reduced risk velocity, greater visibility, improved consistency, and the ability to identify trends [2][3].
However, automation of control monitoring also involves costs such as the acquisition, implementation, maintenance, and updating of the technology, as well as the training and support of the staff who use it [4][5].
Therefore, the primary consideration when assessing the automation of control monitoring is the cost-benefit analysis of automation, which compares the expected benefits and costs of automation and determines whether the benefits outweigh the costs or vice versa [4][5]. The other options are not the primary consideration, but rather secondary or tertiary factors that may influence the decision to automate or not. For example, the impact due to failure of control and the frequency of failure of control are aspects of the risk assessment that may indicate the need for automation, but they do not provide the basis for evaluating the feasibility and desirability of automation [4][5]. Similarly, the contingency plan for residual risk is a component of the risk response that may include automation as a risk mitigation strategy, but it does not measure the effectiveness and efficiency of automation [4][5]. References =
1: Making Continuous Controls Monitoring Work for Everyone, ISACA Now Blog, June 13,
2: A Practical Approach to Continuous Control Monitoring, ISACA Journal, Volume 2, 2015
3: Continuous Controls Monitoring: The Next Generation Of Controls Testing, Forbes Technology Council, June 2, 2022
4: Controls Automation - Monitoring vs. Operation - Part 3, Turnkey Consulting, July 29,
5: What's Continuous Control Monitoring and Why Is It Important?, MetricStream Blog, October 15, 2019



Which group has PRIMARY ownership of reputational risk stemming from unethical behavior within the organization?

  1. Board of directors
  2. Human resources (HR)
  3. Risk management committee
  4. Audit committee

Answer(s): A

Explanation:

The group that has primary ownership of reputational risk stemming from unethical behavior within the organization is A. Board of directors. According to the CFA Institute, the board of directors is responsible for setting the tone at the top and ensuring that the company adheres to high ethical standards and values. The board of directors also oversees the company's culture, governance, and risk management practices, and holds management accountable for any misconduct or breach of trust. The board of directors may delegate some of its oversight functions to other committees, such as the human resources, risk management, or audit committee, but it ultimately bears responsibility for the company's reputation and integrity.



During the initial risk identification process for a business application, it is MOST important to include which of the following stakeholders?

  1. Business process owners
  2. Business process consumers
  3. Application architecture team
  4. Internal audit

Answer(s): A

Explanation:

The MOST important stakeholders to include during the initial risk identification process for a business application are the business process owners, because they are the ones who have the authority and responsibility for the business processes that are supported or enabled by the business application. The business process owners can provide valuable input and feedback on the business objectives, requirements, and expectations of the business application, as well as the potential risks, impacts, and opportunities that may affect the business processes and outcomes. The other options are not as important as the business process owners, because:
Option B: Business process consumers are the ones who use or benefit from the business processes that are supported or enabled by the business application, such as customers, employees, or partners. They can provide useful information and perspectives on the user needs, preferences, and satisfaction with the business application, but they are not as important as the business process owners, who have the ultimate accountability and authority for the business processes and outcomes.
Option C: The application architecture team designs and develops the technical architecture and components of the business application, such as the hardware, software, network, and data. They can provide technical expertise and guidance on the feasibility, functionality, and security of the business application, but they are not as important as the business process owners, who have the primary stake and interest in the business application and its alignment with the business processes and objectives.
Option D: Internal audit provides independent assurance and consulting services on the governance, risk management, and control processes of the organization, including the business application. They can provide objective and impartial evaluation and recommendations on the effectiveness and efficiency of the business application and its compliance with internal and external standards and regulations, but they are not as important as the business process owners, who have direct involvement in and influence on the business application and its performance and value. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 103.



A risk practitioner is summarizing the results of a high-profile risk assessment sponsored by senior management. The BEST way to support risk-based decisions by senior management would be to:

  1. map findings to objectives.
  2. provide quantified detailed analysis
  3. recommend risk tolerance thresholds.
  4. quantify key risk indicators (KRIs).

Answer(s): A

Explanation:

The best way to support risk-based decisions by senior management would be to map findings to objectives, because this would help them understand how the identified risks affect the achievement of the organization's goals and priorities. Mapping findings to objectives would also help senior management evaluate the trade-offs between different risk responses and allocate resources accordingly. By linking risks to objectives, the risk practitioner can communicate the value and impact of risk management in a clear and relevant way. References = Risk IT Framework, ISACA, 2022, p. 17



An organization is measuring the effectiveness of its change management program to reduce the number of unplanned production changes.
Which of the following would be the BEST metric to determine if the program is performing as expected?

  1. Decrease in the time to move changes to production
  2. Ratio of emergency fixes to total changes
  3. Ratio of system changes to total changes
  4. Decrease in number of changes without a fallback plan

Answer(s): B

Explanation:

The ratio of emergency fixes to total changes is the best metric to determine if the change management program is performing as expected, because it reflects the quality and stability of the changes that are implemented in the production environment. A high ratio of emergency fixes to total changes indicates that the change management program is not effective, as it means that many changes are causing problems or failures that require urgent correction. A low ratio of emergency fixes to total changes indicates that the change management program is effective, as it means that most changes are well-planned, tested, and approved, and do not cause significant disruptions or defects. The ratio of emergency fixes to total changes can also help identify the root causes of the problems, the gaps in the change management process, and the areas for improvement. For example, if the ratio of emergency fixes to total changes is high, it may indicate that the change management program has issues with the following aspects:
- Change request and approval: The change management program may not have a clear and consistent process for requesting, reviewing, and approving changes, or the process may not be followed by all stakeholders.
- Change impact analysis: The change management program may not have a comprehensive and systematic method for assessing the potential impact of the changes on the business processes, the IT systems, the users, and the customers.
- Change testing and validation: The change management program may not have adequate testing and validation procedures to ensure that the changes meet the requirements and specifications, and do not introduce errors or vulnerabilities.
- Change communication and training: The change management program may not have effective communication and training strategies to inform and educate the affected parties about the changes and their implications.
- Change implementation and monitoring: The change management program may not have proper implementation and monitoring plans or tools to ensure that the changes are executed smoothly and successfully, and that any issues or incidents are detected and resolved promptly.
Therefore, the ratio of emergency fixes to total changes is the best metric to determine if the change management program is performing as expected, as it can provide valuable feedback and insights for the change management program and its improvement. References = How to Measure Change Management Effectiveness: Metrics, Tools & Processes, Metrics for Measuring Change Management, Driving Value with Change Management Metrics, Must-Know Organizational Change Management Metrics



An organization is increasingly concerned about loss of sensitive data and asks the risk practitioner to assess the current risk level.
Which of the following should the risk practitioner do FIRST?

  1. Identify staff members who have access to the organization's sensitive data.
  2. Identify locations where the organization's sensitive data is stored.
  3. Identify risk scenarios and owners associated with possible data loss vectors.
  4. Identify existing data loss controls and their levels of effectiveness.

Answer(s): B

Explanation:

The first step in assessing the current risk level of data loss is to identify where the sensitive data is stored, such as servers, databases, laptops, mobile devices, etc. This will help to determine the scope and boundaries of the risk assessment, as well as the potential exposure and impact of data loss. Identifying staff members who have access to the data, risk scenarios and owners, and existing controls are important steps, but they should be done after identifying the data locations. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.1.1, page 51.


