Free ISACA CRISC Exam Questions (page: 6)

Which of the following is MOST important to ensure when continuously monitoring the performance of a client-facing application?

  A. Objectives are confirmed with the business owner.
  B. Control owners approve control changes.
  C. End-user acceptance testing has been conducted.
  D. Performance information in the log is encrypted.

Answer(s): A

Explanation:

Continuous monitoring of a client-facing application means collecting, analyzing and reporting performance data and metrics over time so that issues can be identified and resolved, quality improved, resources optimized and client satisfaction maintained. Performance here covers functionality, usability, reliability, availability, security and scalability.

Before any of that data is useful, the monitoring objectives must be confirmed with the business owner, who holds authority and accountability for the application's business value and outcomes, defines its goals and requirements, and sets the performance criteria and targets. Confirming the objectives ensures that monitoring is aligned with business needs and expectations and that the metrics collected are relevant, accurate and meaningful; without that confirmation the program may measure the wrong things precisely.

Control owners approving control changes (B) is a change management safeguard, end-user acceptance testing (C) is a pre-implementation activity, and encrypting performance logs (D) protects the monitoring data but does not determine whether the right things are being monitored.

References = Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.3: Continuous Monitoring, pp. 203-205.



An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:

  A. reduce the risk to an acceptable level.
  B. communicate the consequences for violations.
  C. implement industry best practices.
  D. reduce the organization's risk appetite.

Answer(s): A

Explanation:

According to the CRISC Review Manual (Digital Version), the primary goal of a risk awareness program is to reduce risk to an acceptable level by increasing stakeholders' knowledge and understanding of the risk; for an organization repeatedly targeted by social engineering, that means making staff less likely to be manipulated. Communicating the consequences for violations (B) and implementing industry best practices (C) are means rather than the goal, and risk appetite (D) is set by governance, not lowered by an awareness program. A risk awareness program should:

- Educate stakeholders about the sources, types and impacts of IT-related risk
- Explain the roles and responsibilities of stakeholders in the risk management process
- Promote a risk-aware culture that supports the organization's risk appetite and risk tolerance
- Provide guidance and tools for identifying, assessing, responding to and monitoring IT-related risk
- Encourage the reporting and escalation of risk issues and incidents
- Reinforce the benefits and value of effective risk management

References = CRISC Review Manual (Digital Version), Chapter 4: IT Risk Monitoring and Reporting, Section 4.2: IT Risk Reporting, pp. 224-225



Which of the following is the PRIMARY risk management responsibility of the second line of defense?

  A. Monitoring risk responses
  B. Applying risk treatments
  C. Providing assurance of control effectiveness
  D. Implementing internal controls

Answer(s): A

Explanation:

The primary risk management responsibility of the second line of defense is to monitor risk responses. The first line of defense owns and manages the risk; the second line, which includes the risk management, compliance and quality assurance functions, oversees and supports the first line's risk management activities. Risk responses are the actions taken to address risk, such as avoiding, transferring, mitigating or accepting it, and the second line monitors them to confirm that they are implemented effectively and efficiently, that they achieve the desired outcomes, and that they stay within the organization's risk appetite and tolerance. The second line also gives guidance, advice and feedback to the first line on those responses and reports results and issues to senior management and the board. Applying risk treatments (B) and implementing internal controls (D) are first-line responsibilities, and providing assurance of control effectiveness (C) belongs to the third line of defense, the independent assurance function such as internal audit. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 36.



Which of the following is MOST important to have in place to ensure the effectiveness of risk and security metrics reporting?

  A. Organizational reporting process
  B. Incident reporting procedures
  C. Regularly scheduled audits
  D. Incident management policy

Answer(s): A

Explanation:

The most important factor for effective risk and security metrics reporting is an organizational reporting process: a set of procedures that defines the roles, responsibilities, frequency, format and distribution of the risk and security metrics reports. Such a process helps ensure that the metrics are relevant, accurate, consistent and timely, that they provide useful information for decision making and performance improvement, that reporting is aligned with the enterprise's objectives, strategies and policies, and that risk and security status and issues reach the appropriate stakeholders. Incident reporting procedures (B), scheduled audits (C) and an incident management policy (D) each feed or check parts of the picture but do not by themselves define how metrics are produced and communicated. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 5, Section 5.3.2, page 242



Which of the following would be MOST helpful to understand the impact of a new technology system on an organization's current risk profile?

  A. Hire consultants specializing in the new technology.
  B. Review existing risk mitigation controls.
  C. Conduct a gap analysis.
  D. Perform a risk assessment.

Answer(s): D

Explanation:

A risk assessment identifies risk scenarios, analyzes their likelihood and impact, and prioritizes them by significance and urgency. It gives the organization a documented view of the risk that may affect its objectives and operations and a basis for risk response decisions and planning.

Performing a risk assessment is the most helpful way to understand the impact of a new technology system on the current risk profile because it answers the questions that matter:

- What benefits and challenges does the new system bring, and how do they align with the organization's objectives and needs?
- Which existing or emerging risks affect the new system, and how do they relate to the organization's current risk profile?
- How likely and how severe are those risks, and what are the possible consequences for the organization and its stakeholders?
- How can those risks be mitigated or prevented, and which options or solutions are available and feasible?

The output is an updated risk profile showing where the new system changes the organization's exposure, which in turn supports control selection, compliance with the organization's risk policies and standards, and the allocation of time, budget and resources for implementing and monitoring the system.

The other options do not provide the same insight:

Hiring consultants specializing in the new technology (A) brings expertise on implementing and operating the system, but consultants do not by themselves measure the likelihood and impact of risk against the organization's own risk profile.

Reviewing existing risk mitigation controls (B) evaluates the adequacy and effectiveness of controls already in place, but it does not identify and prioritize the new risk the system introduces, and existing controls may not cover it.

Conducting a gap analysis (C) compares the current and desired state of the organization's objectives and operations and quantifies the differences to be addressed, but it does not measure the likelihood and impact of risk and is not on its own integrated with the current risk profile.

References = ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 19-20, 23-24, 27-28, 31-32, 40-41, 47-48, 54-55, 58-59, 62-63
ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 208, CRISC Practice Quiz and Exam Prep



Which of the following is the MOST comprehensive resource for prioritizing the implementation of information systems controls?

  A. Data classification policy
  B. Emerging technology trends
  C. The IT strategic plan
  D. The risk register

Answer(s): D

Explanation:

The most comprehensive resource for prioritizing the implementation of information systems controls is the risk register. The risk register records the identified risks, their analysis and their responses, giving a holistic and systematic view of the organization's risk profile and risk treatment. It supports control prioritization by recording the likelihood, impact and exposure of each risk, the effectiveness and efficiency of the controls already in place, and the gaps or issues in the control environment, so controls can be sequenced by the exposure they reduce. The other options are narrower inputs: a data classification policy (A) indicates the sensitivity of data but not the assessed risk to it, and emerging technology trends (B) and the IT strategic plan (C) inform direction but do not record the likelihood, impact or control status of specific risks. References = Risk and Information Systems Control Study Manual, Chapter 2: IT Risk Assessment, Section 2.4: IT Risk Response, page 87.



An organization wants to grant remote access to a system containing sensitive data to an overseas third party.
Which of the following should be of GREATEST concern to management?

  A. Transborder data transfer restrictions
  B. Differences in regional standards
  C. Lack of monitoring over vendor activities
  D. Lack of after-hours incident management support

Answer(s): A



A new risk practitioner finds that decisions for implementing risk response plans are not being made.
Which of the following would MOST likely explain this situation?

  A. Risk ownership is not being assigned properly.
  B. The organization has a high level of risk appetite.
  C. Risk management procedures are outdated.
  D. The organization's risk awareness program is ineffective.

Answer(s): A


