Free ISACA CRISC Exam Questions (page: 5)

A new international data privacy regulation requires personal data to be disposed after the specified retention period, which is different from the local regulatory requirement.
Which of the following is the risk practitioner's BEST course of action?

  1. The application code has not been version controlled.
  2. Knowledge of the applications is limited to few employees.
  3. An IT project manager is not assigned to oversee development.
  4. Controls are not applied to the applications.

Answer(s): D



A threat intelligence team has identified an indicator of compromise related to an advanced persistent threat (APT) actor.
Which of the following is the risk practitioner's BEST course of action?

  1. Review the most recent vulnerability scanning report.
  2. Determine the business criticality of the asset.
  3. Determine the adequacy of existing security controls.
  4. Review prior security incidents related to the asset.

Answer(s): B



A risk practitioner has been asked to assess the risk associated with a new critical application used by a financial process team that the risk practitioner was a member of two years ago.
Which of the following is the GREATEST concern with this request?

  1. The risk assessment team may be overly confident of its ability to identify issues.
  2. The risk practitioner may be unfamiliar with recent application and process changes.
  3. The risk practitioner may still have access rights to the financial system.
  4. Participation in the risk assessment may constitute a conflict of interest.

Answer(s): D

Explanation:

Participation in the risk assessment may constitute a conflict of interest, because the risk practitioner's personal or professional interests or relationships may interfere with their objectivity, independence, or impartiality in conducting the assessment. A conflict of interest is a risk that may compromise the integrity, quality, or validity of the risk assessment process and its outcomes, and may damage the reputation of, or trust in, the risk practitioner or the organization. It may arise when the risk practitioner has a direct or indirect connection to the subject or a stakeholder of the assessment, such as a previous or current role, responsibility, or relationship, that may influence or bias their judgment or decisions. In this case, the risk practitioner may retain an interest in or loyalty to the financial process team or the new critical application, and may therefore be unable to assess the risk in a fair and unbiased manner.
The risk assessment team being overly confident of its ability to identify issues, the risk practitioner being unfamiliar with recent application and process changes, and the risk practitioner still having access rights to the financial system are all possible concerns with the request, but they are not the greatest concern, as they do not necessarily imply a conflict of interest, and they may be mitigated or resolved by other means, such as training, documentation, or review.



Which of the following would MOST likely result in updates to an IT risk appetite statement?

  1. External audit findings
  2. Feedback from focus groups
  3. Self-assessment reports
  4. Changes in senior management

Answer(s): D

Explanation:

An IT risk appetite statement is a document that expresses the amount and type of IT risk that an organization is willing to accept or pursue in order to achieve its objectives. An IT risk appetite statement can help guide the IT risk management process, by setting the boundaries, criteria, and targets for IT risk identification, assessment, response, and reporting. An IT risk appetite statement should be aligned with the organization's overall risk appetite and strategy, and should be reviewed and updated periodically to reflect changes in the internal and external environment. One of the factors that would most likely result in updates to an IT risk appetite statement is changes in senior management. Senior management is the group of executives who have the authority and responsibility for the strategic direction and performance of the organization. Changes in senior management can affect the IT risk appetite statement, as they may introduce new perspectives, priorities, expectations, or preferences for IT risk taking or avoidance. Changes in senior management can also affect the IT risk appetite statement, as they may require new or revised IT objectives, goals, or initiatives, which may entail different levels or types of IT risk. Therefore, changes in senior management should trigger a review and update of the IT risk appetite statement, to ensure that it is consistent and compatible with the new leadership and direction of the organization. References = Organisations must define their IT risk appetite and tolerance, Risk Appetite Statements - Institute of Risk Management, Develop Your Technology Risk Appetite - Gartner.



Which of the following is the BEST indicator of executive management's support for IT risk mitigation efforts?

  1. The number of stakeholders involved in IT risk identification workshops
  2. The percentage of corporate budget allocated to IT risk activities
  3. The percentage of incidents presented to the board
  4. The number of executives attending IT security awareness training

Answer(s): D

Explanation:

The best indicator of executive management's support for IT risk mitigation efforts is the number of executives attending IT security awareness training. This shows that the executives are committed to enhancing their knowledge and skills on IT security issues, and that they are setting a positive example for the rest of the organization. The number of stakeholders involved in IT risk identification workshops, the percentage of corporate budget allocated to IT risk activities, and the percentage of incidents presented to the board are other possible indicators, but they are not as strong as the number of executives attending IT security awareness training. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 7; CRISC Review Manual, 6th Edition, page 202.



While reviewing a contract of a cloud services vendor, it was discovered that the vendor refuses to accept liability for a sensitive data breach.
Which of the following controls will BEST reduce the risk associated with such a data breach?

  1. Ensuring the vendor does not know the encryption key
  2. Engaging a third party to validate operational controls
  3. Using the same cloud vendor as a competitor
  4. Using field-level encryption with a vendor supplied key

Answer(s): A

Explanation:

Encryption is a technique that transforms data into an unreadable format using a secret key, so that only authorized parties can access and decrypt the data. Encryption can help to protect sensitive data from unauthorized access or disclosure, especially when the data is stored or transmitted in the cloud.
Ensuring the vendor does not know the encryption key is the control that will best reduce the risk associated with a data breach, because it can help to:
  - prevent the vendor from accessing or disclosing the sensitive data, intentionally or unintentionally;
  - limit the exposure or impact of a data breach, even if the vendor's systems or networks are compromised by hackers or malicious insiders;
  - maintain the confidentiality and integrity of the sensitive data, regardless of the vendor's liability or responsibility;
  - enhance the trust and confidence of customers and stakeholders who may be concerned about the vendor's refusal to accept liability for a data breach.
The other options are not as effective as ensuring the vendor does not know the encryption key for reducing the risk associated with a data breach. Engaging a third party to validate operational controls can help to verify and improve the vendor's security practices and processes, but it does not guarantee that the vendor will prevent or respond to a data breach adequately or in a timely manner. Using the same cloud vendor as a competitor is not a control but a business decision that may increase the risk associated with a data breach, as the vendor may have access to or disclose the sensitive data of both parties, or may favor one party over the other. Using field-level encryption with a vendor-supplied key can help to encrypt specific fields or columns of data, such as names, addresses, or credit card numbers, but it does not prevent the vendor from accessing or disclosing the data, as the vendor holds the encryption key. References = Encryption - ISACA; Cloud Encryption: Using Data Encryption in The Cloud; Cloud Encryption: Why You Need It and How to Do It Right; Field-Level Encryption - ISACA; CRISC Review Manual, 7th Edition.



While evaluating control costs, management discovers that the annual cost exceeds the annual loss expectancy (ALE) of the risk. This indicates the:

  1. control is ineffective and should be strengthened
  2. risk is inefficiently controlled.
  3. risk is efficiently controlled.
  4. control is weak and should be removed.

Answer(s): B

Explanation:

Risk is inefficiently controlled when the annual cost of the control exceeds the annual loss expectancy (ALE) of the risk, as this means that the organization is spending more on the control than the potential loss that the control is supposed to prevent or reduce. This indicates that the control is not cost-effective or optimal, and that the organization should consider alternative or complementary controls that can lower the cost or increase the benefit of the risk management. Control is ineffective and should be strengthened when the control does not reduce the likelihood or impact of the risk to an acceptable level, regardless of the cost. Risk is efficiently controlled when the annual cost of the control is equal to or less than the annual loss expectancy (ALE) of the risk, as this means that the organization is spending no more on the control than the potential loss that the control is supposed to prevent or reduce. Control is weak and should be removed when the control does not provide any benefit or value to the risk management, regardless of the cost. References = CRISC Certified in Risk and Information Systems Control - Question 205; ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 205.



Which of the following should be the PRIMARY objective of promoting a risk-aware culture within an organization?

  1. Better understanding of the risk appetite
  2. Improving audit results
  3. Enabling risk-based decision making
  4. Increasing process control efficiencies

Answer(s): C

Explanation:

The primary objective of promoting a risk-aware culture within an organization is enabling risk-based decision making, because this helps the organization to achieve its goals and objectives while managing its risks effectively and efficiently. A risk-aware culture is one where everyone understands the organization's approach to risk, takes personal responsibility to manage risk in everything they do, and encourages others to follow their example. A risk-aware culture also fosters communication, collaboration, and learning about risk across the organization. By promoting a risk-aware culture, the organization can empower its employees to make informed and balanced decisions that consider both the potential benefits and the potential risks of their actions. This can enhance the organization's performance, resilience, and competitiveness in a dynamic and uncertain environment. References = Risk IT Framework, ISACA, 2022, p. 17


