Free ISACA CRISC Exam Questions (page: 45)

Which of the following statements BEST describes risk appetite?

  1. The amount of risk an organization is willing to accept
  2. The effective management of risk and internal control environments
  3. Acceptable variation between risk thresholds and business objectives
  4. The acceptable variation relative to the achievement of objectives

Answer(s): A

Explanation:

Risk appetite is defined as "the amount of risk that an organization is willing to accept in pursuit of its objectives, before action is deemed necessary to reduce the risk."1 It represents a balance between the potential benefits of innovation and the threats that change inevitably brings. Risk appetite reflects the organization's risk attitude and its willingness to accept risk in specific scenarios, with a governance model in place for risk oversight. Risk appetite helps to guide the organization's approach to risk and risk management, and to align its risk decisions with its business objectives and context. The other options are not the best descriptions of risk appetite, as they are either too vague (the effective management of risk and internal control environments), too narrow (acceptable variation between risk thresholds and business objectives), or confusing (the acceptable variation relative to the achievement of objectives). References = Risk Appetite vs. Risk Tolerance: What is the Difference?



Which of the following statements describes the relationship between key risk indicators (KRIs) and key control indicators (KCIs)?

  1. KRI design must precede definition of KCIs.
  2. KCIs and KRIs are independent indicators and do not impact each other.
  3. A decreasing trend of KRI readings will lead to changes to KCIs.
  4. Both KRIs and KCIs provide insight to potential changes in the level of risk.

Answer(s): D

Explanation:

KRIs and KCIs are both metrics that measure and monitor the risk and control environment of an enterprise. KRIs are indicators that reflect the level and trend of risk exposure, and help to identify potential risk events or issues. KCIs are indicators that reflect the performance and effectiveness of the risk controls, and help to ensure that the controls are operating as intended and mitigating the risk. Both KRIs and KCIs provide insight to potential changes in the level of risk, as they can signal the need for risk response actions, such as enhancing, modifying, or implementing new controls, or adjusting the risk strategy and objectives. References = Most Asked CRISC Exam Questions and Answers. CRISC: Certified in Risk & Information Systems Control Sample Questions, Question 240.



An organization has just implemented changes to close an identified vulnerability that impacted a critical business process.
What should be the NEXT course of action?

  1. Redesign the heat map.
  2. Review the risk tolerance.
  3. Perform a business impact analysis (BIA).
  4. Update the risk register.

Answer(s): D

Explanation:

According to the CRISC Review Manual1, the risk register is a tool that records the results of risk identification, analysis, evaluation, and treatment. It should be updated whenever there is a change in the risk profile, such as when a vulnerability is closed or a new threat is identified. Updating the risk register allows the organization to monitor the current status of risks and the effectiveness of risk responses. Therefore, the next course of action after implementing changes to close an identified vulnerability is to update the risk register with the new information. References = CRISC Review Manual1, page 191.



Which of the following is MOST important to include in a risk assessment of an emerging technology?

  1. Risk response plans
  2. Risk and control ownership
  3. Key controls
  4. Impact and likelihood ratings

Answer(s): D

Explanation:

The most important thing to include in a risk assessment of an emerging technology is the impact and likelihood ratings of the risks associated with the technology. Impact and likelihood ratings are the measures of the potential consequences and probabilities of the risk events that could affect the achievement of the enterprise's objectives. Impact and likelihood ratings can help to evaluate the level and nature of the risk exposure, and to prioritize the risks for further analysis and response. Impact and likelihood ratings can also help to communicate the risk profile and appetite of the enterprise, and to support risk-based decision making. Risk response plans, risk and control ownership, and key controls are not as important as impact and likelihood ratings, as they are the outputs or outcomes of the risk assessment process, and not the inputs or components of the risk assessment process. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 49.



Prudent business practice requires that risk appetite not exceed:

  1. inherent risk.
  2. risk tolerance.
  3. risk capacity.
  4. residual risk.

Answer(s): C

Explanation:

Risk appetite is the amount and type of risk that an organization is willing to accept in order to achieve its objectives. Risk appetite reflects the organization's risk attitude and its willingness to take on risk in specific scenarios. Risk appetite is usually expressed in a qualitative statement approved by the board of directors1. Risk capacity is the maximum amount of risk that an organization can responsibly take on without jeopardizing its financial stability or other key objectives. Risk capacity is determined by objective factors like income, assets, liabilities, debts, insurance coverage, dependents, and time horizon. Risk capacity is usually expressed in a quantitative measure that sets the limit of how much risk the organization can handle2. Prudent business practice requires that risk appetite not exceed risk capacity, because this would mean that the organization is taking on more risk than it can afford or sustain. If the risk appetite is higher than the risk capacity, the organization may face serious consequences such as insolvency, bankruptcy, reputational damage, legal liability, or regulatory sanctions. Therefore, the organization should align its risk appetite with its risk capacity, and ensure that its risk exposure is within its risk tolerance3. The other options are not correct. Inherent risk is the level of risk that exists in the absence of controls or mitigations. It is the natural level of risk inherent in a process or activity. Residual risk is the level of risk that remains after the controls or mitigations have been applied. It is the remaining risk after the risk response has been implemented. Risk tolerance is the acceptable variation in the outcomes related to specific objectives or risks. It is the range of risk exposure that the organization is prepared to accept4. None of these concepts are directly comparable to risk appetite, and none of them represent the limit of how much risk the organization can take on. References =
Risk Appetite vs. Risk Tolerance: What is the Difference? - ISACA
What Is the Difference Between Risk Tolerance and Risk Capacity? - Investopedia
Risk Management: Understanding Risk Capacity, Appetite, and Tolerance - Consulting Edge
[CRISC Review Manual, 7th Edition]



Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities?

  1. Temporarily mitigate the OS vulnerabilities
  2. Document and implement a patching process
  3. Evaluate permanent fixes such as patches and upgrades
  4. Identify the vulnerabilities and applicable OS patches

Answer(s): B

Explanation:

The best way to mitigate the ongoing risk associated with operating system (OS) vulnerabilities is to document and implement a patching process. A patching process is a set of procedures and guidelines that define how to identify, evaluate, test, apply, and monitor patches for the OS. Patches are updates or fixes that address the known vulnerabilities or bugs in the OS. By documenting and implementing a patching process, the organization can ensure that the OS is regularly updated and protected from the potential exploits or attacks that may exploit the vulnerabilities. The other options are not as effective as documenting and implementing a patching process, as they are related to the temporary, partial, or reactive measures to deal with the OS vulnerabilities, not the proactive and continuous measures to prevent or reduce the OS vulnerabilities. References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Response, Section 3.3: IT Risk Response Implementation, page 145.



A risk practitioner has been notified of a social engineering attack using artificial intelligence (AI) technology to impersonate senior management personnel.
Which of the following would BEST mitigate the impact of such attacks?

  1. Training and awareness of employees for increased vigilance
  2. Increased monitoring of executive accounts
  3. Subscription to data breach monitoring sites
  4. Suspension and takedown of malicious domains or accounts

Answer(s): A

Explanation:

Understanding the Question:
The question is about mitigating the impact of social engineering attacks that use AI technology to impersonate senior management personnel.
Analyzing the Options:
A. Training and awareness of employees for increased vigilance: This is the most proactive approach. Educating employees about the risks and signs of social engineering attacks enhances their ability to recognize and respond appropriately to such threats.
B. Increased monitoring of executive accounts: Useful but reactive; it doesn't prevent initial attempts.
C. Subscription to data breach monitoring sites: Helps detect breaches but doesn't directly mitigate impersonation attacks.
D. Suspension and takedown of malicious domains or accounts: Reactive measure and might not be immediate or comprehensive.

Importance of Training: Employees are often the first line of defense against social engineering attacks. Regular training ensures they are aware of the tactics used in such attacks, including those leveraging AI, and how to respond effectively.
Proactive Measure: Training increases vigilance and the likelihood of early detection, reducing the potential impact of the attack.


Reference:

CRISC Review Manual, Chapter 3: Risk Response and Reporting, discusses the importance of training and awareness programs in mitigating social engineering risks.



An internally developed payroll application leverages Platform as a Service (PaaS) infrastructure from the cloud.
Who owns the related data confidentiality risk?

  1. IT infrastructure head
  2. Human resources head
  3. Supplier management head
  4. Application development head

Answer(s): B

Explanation:

Data confidentiality risk is the risk that the data may be accessed, disclosed, or modified by unauthorized parties, resulting in breaches of privacy, trust, or compliance1. Platform as a Service (PaaS) is a cloud computing model that provides a platform for developing, testing, and deploying applications, without requiring the users to manage the underlying infrastructure2. An internally developed payroll application is an application that is created and maintained by the organization itself, rather than by a third-party vendor, and that is used to process and manage the payroll data of the organization's employees3. The owner of the data confidentiality risk is the person or entity that has the authority and accountability for the data and its protection, and that is responsible for identifying, assessing, and mitigating the risk. The owner of the data confidentiality risk related to an internally developed payroll application that leverages PaaS infrastructure from the cloud is the human resources head, as they are the person who oversees the human resources function and the payroll data of the organization. The human resources head has the best understanding of the sensitivity, value, and usage of the payroll data, and the potential impacts and implications of a data confidentiality breach. The human resources head also has the ability and responsibility to define and implement the policies, procedures, and controls that are necessary to protect the payroll data, and to monitor and report on the performance and compliance of the data confidentiality risk management. The IT infrastructure head, the supplier management head, and the application development head are not the best choices for owning the data confidentiality risk related to an internally developed payroll application that leverages PaaS infrastructure from the cloud, as they do not have the same level of authority and accountability as the human resources head. The IT infrastructure head is the person who oversees the IT infrastructure function and the PaaS infrastructure of the organization.
The IT infrastructure head may be involved in providing input and feedback to the human resources head on the data confidentiality risk management, especially those related to the PaaS infrastructure, but they do not have the final say or the overall responsibility for the payroll data and its protection. The supplier management head is the person who oversees the supplier management function and the relationship with the cloud service provider that provides the PaaS infrastructure. The supplier management head may be involved in negotiating and enforcing the service level agreements and the security requirements with the cloud service provider, but they do not have the authority or the expertise to manage the data confidentiality risk of the payroll data. The application development head is the person who oversees the application development function and the development, testing, and deployment of the payroll application. The application development head may be involved in designing and implementing the security features and controls of the payroll application, but they do not have the perspective or the influence to manage the data confidentiality risk of the payroll data. References =
1: Data Confidentiality: Identifying and Protecting Assets Against Data ...
2: What is Platform as a Service (PaaS)? | IBM
3: Payroll Software: What Is It & How Does It Work? | QuickBooks
[Risk Ownership - Risk Management]
[Human Resources and Payroll Security Policy - University of ...]
[Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.1: IT Risk Concepts, pp. 17-19.]
[Risk and Information Systems Control Study Manual, Chapter 2: IT Risk Assessment, Section 2.1: Risk Identification, pp. 57-59.]
[Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.2: Risk Monitoring, pp. 189-191.]
[Risk and Information Systems Control Study Manual, Chapter 5: Information Systems Control Design and Implementation, Section 5.1: Control Design, pp. 233-235.]
[Risk and Information Systems Control Study Manual, Chapter 5: Information Systems Control Design and Implementation, Section 5.2: Control Implementation, pp. 243-245.]
[Risk and Information Systems Control Study Manual, Chapter 5: Information Systems Control Design and Implementation, Section 5.3: Control Monitoring and Maintenance, pp. 251-253.]





