Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CRISC

ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 64 )

Updated On: 28-Feb-2026
Page 64 of 380
PDF with 1895 Questions

Which of the following BEST indicates how well a web infrastructure protects critical information from an attacker?

  1. Failed login attempts
  2. Simulating a denial of service attack
  3. Absence of IT audit findings
  4. Penetration test

Answer(s): D

Explanation:

A penetration test is a simulated cyberattack on a web infrastructure to evaluate its security posture and identify any vulnerabilities or weaknesses that could be exploited by an attacker. A penetration test is the best indicator of how well a web infrastructure protects critical information from an attacker, as it mimics the real-world scenarios and techniques that an attacker would use, and measures the effectiveness of the existing security controls and countermeasures. A penetration test can also provide recommendations for improving the security of the web infrastructure and reducing the risk exposure. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, Question 236. CRISC by Isaca Actual Free Exam Q&As, Question 9. CRISC:

Certified in Risk & Information Systems Control Sample Questions, Question 236. Most Asked CRISC Exam Questions and Answers, Question 10.



Which of the following BEST enables an organization to address risk associated with technical complexity?

  1. Documenting system hardening requirements
  2. Minimizing dependency on technology
  3. Aligning with a security architecture
  4. Establishing configuration guidelines

Answer(s): C

Explanation:

Addressing Technical Complexity:
Security Architecture Alignment: Aligning with a security architecture helps manage the complexity by providing a structured framework for implementing and managing security controls.
Comprehensive Framework: A security architecture ensures that all security controls are integrated and aligned with the organization's overall security strategy, reducing the risk associated with technical complexity.
Steps Involved:
Develop or Adopt a Security Architecture: Use established frameworks such as SABSA, TOGAF, or Zachman.
Implementation: Apply the security architecture across all systems and processes to ensure consistency and integration.
Monitoring and Maintenance: Continuously monitor the security architecture and update it as necessary to address new threats and technologies.
Comparison with Other Options:
Documenting System Hardening Requirements: Important but does not address the overall complexity.
Minimizing Dependency on Technology: Not always feasible and does not fully address the inherent complexity.
Establishing Configuration Guidelines: Helpful but should be part of the broader security architecture.
Best Practices:
Continuous Improvement: Regularly update and improve the security architecture to adapt to evolving threats and technologies.

Training and Awareness: Ensure that all relevant personnel understand the security architecture and their role in maintaining it.


Reference:

CRISC Review Manual: Discusses the importance of aligning with a security architecture to manage technical complexity and ensure comprehensive security controls . ISACA Standards: Emphasize the role of security architecture in providing a structured approach to managing security across the organization .



Which of the following is MOST helpful to review when identifying risk scenarios associated with the adoption of Internet of Things (loT) technology in an organization?

  1. The business case for the use of loT
  2. The loT threat landscape
  3. Policy development for loT
  4. The network that loT devices can access

Answer(s): B

Explanation:

Risk scenarios: Narratives that describe potential risk events, their causes, consequences, and likelihood1.
Internet of Things (IoT): A network of interconnected devices, software, sensors, and other things that communicate and exchange data without human intervention2. IoT threat landscape: The range and types of threats and attacks that target IoT devices, systems, and networks3.
The most helpful thing to review when identifying risk scenarios associated with the adoption of IoT technology in an organization is the IoT threat landscape. The IoT threat landscape provides a comprehensive and current overview of the potential sources, methods, and impacts of cyberattacks on IoT devices, systems, and networks. Reviewing the IoT threat landscape can help an organization to:
Identify the most relevant and prevalent threats and vulnerabilities that affect IoT technology, such as weak passwords, insecure interfaces, insufficient data protection, poor device management, or lack of encryption4.
Assess the likelihood and impact of different types of attacks, such as malware infections, denial-of-service attacks, data breaches, unauthorized access, or sabotage4. Prioritize the most critical and urgent risks that need to be addressed and mitigated. Develop realistic and plausible risk scenarios that reflect the actual IoT threat environment and the organization's specific context and objectives. The other options are not as helpful as the IoT threat landscape when identifying risk scenarios associated with the adoption of IoT technology in an organization, because they do not provide a comprehensive and current view of the potential threats and attacks that target IoT technology. The business case for the use of IoT, which is the justification and rationale for adopting IoT technology based on the expected benefits, costs, and risks, may help to understand the value and purpose of IoT technology for the organization, but it does not provide detailed information on the specific threats and vulnerabilities that affect IoT technology. Policy development for IoT, which is the process of creating and implementing rules and guidelines for the governance, management, and security of IoT technology, may help to establish the standards and expectations for IoT technology within the organization, but it does not provide an overview of the external threats and attacks that target IoT

technology. The network that IoT devices can access, which is the infrastructure and system that enables the connectivity and communicationof IoT devices, may help to identify the potential entry points and attack vectors for IoT threats, but it does not provide a complete picture of the types and impacts of IoT threats.
References = Risk Scenarios Toolkit, What is the Internet of Things (IoT)? With Examples | Coursera, Top IoT security issues and challenges (2022) ­ Thales, 8 Internet of Things Threats and Security Risks - SecurityScorecard



Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?

  1. Align business objectives to the risk profile.
  2. Assess risk against business objectives
  3. Implement anorganization-specific risk taxonomy.
  4. Explain risk details to management.

Answer(s): B

Explanation:

The best way for a risk practitioner to help management prioritize risk response is to assess risk against business objectives. This means comparing the level and nature of the risks with the goals and strategies of the organization, and determining which risks pose the most significant threat or opportunity to the achievement of those objectives. By assessing risk against business objectives, the risk practitioner can help management identify the most critical and relevant risks, and prioritize the risk response actions accordingly. The risk response actions should be aligned with the organization's risk appetite, which is the amount and type of risk that the organization is willing to take in order to meet its strategic goals1. The other options are not the best ways for a risk practitioner to help management prioritize risk response, as they are either less effective orless specific than assessing risk against business objectives. Aligning business objectives to the risk profile is a way of ensuring that the organization's objectives are realistic and achievable, given the current and potential risks that the organization faces. However, this is not the same as prioritizing risk response, as it does not indicate which risks should be addressed first or howtheyshould be managed. Implementing an organization-specific risk taxonomy is a way of creating a common language and classification system for describing and categorizing risks. This can help improve the consistency and clarity of risk communication and reporting across the organization. However, this is not the same as prioritizing risk response, as it does not measure the likelihood and impact of the risks, or their relation to the organization's objectives. Explaining risk details to management is a way of providing information and insight on the sources, drivers, consequences, and responses of the risks. This can help increase the awareness and understanding of the risks among the decision makers and stakeholders. However, this is not the same as prioritizing risk response, as it does not suggest or recommend the best course of action for managing the risks. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.6, Page 57.



An IT risk practitioner has been asked to regularly report on the overall status and effectiveness of the IT risk management program.
Which of the following is MOST useful for this purpose?

  1. Balanced scorecard
  2. Capability maturity level
  3. Internal audit plan
  4. Control self-assessment (CSA)

Answer(s): A

Explanation:

A balanced scorecard is a strategic management tool that helps to measure and communicate the performance of an organization or a program against its goals and objectives. A balanced scorecard typicallyconsists of four perspectives: financial, customer, internal process, and learning and growth. Each perspective has a set of key performance indicators (KPIs) that reflect the critical success factors and desired outcomes of the organization or the program1. A balanced scorecard is most useful for reporting on the overall status and effectiveness of the IT risk management program, because it can provide a comprehensive and balanced view of the program's performance across multiple dimensions. A balanced scorecard can help to align the IT risk management program with the business strategy and vision, and to demonstrate the value and impact of the program to the stakeholders. A balanced scorecard can also help to identify the strengths and weaknesses of the IT risk management program, and to monitor and improve the program's processes and outcomes2. The other options are not as useful as a balanced scorecard for reporting on the overall status and effectiveness of the IT risk management program. A capability maturity level is a measure of the maturity and quality of a process or a practice, based on a predefined set of criteria andstandards. A capability maturity level can help to assess and benchmark the IT risk management program's processes and practices, but it does not provide a holistic view of the program's performance and results3. An internal audit plan is a document that outlines the scope, objectives, and methodology of an internal audit activity. An internal audit plan can help to evaluate and verify the IT risk management program's controls and compliance,

but it does not provide a strategic view of the program's goals and outcomes4. A control self- assessment (CSA) is a technique that involves the participation of the process owners and the staff in assessing the effectiveness and efficiency of their own controls. A CSA can help to enhance the awareness and ownership of the IT risk management program's controls, but it does not provide an objective and independent view of the program's performance and impact. References =
Balanced Scorecard Basics - Balanced Scorecard Institute Using the Balanced Scorecard to Measure and Manage IT Risk Capability Maturity Model Integration (CMMI) Overview Internal Audit Planning: The Basics - The IIA
[Control Self-Assessment - ISACA]



Viewing page 64 of 380
Viewing questions 316 - 320 out of 1895 questions



Post your Comments and Discuss ISACA CRISC exam dumps with other Community members:

CRISC Exam Discussions & Posts

AI Tutor