Free ISACA CRISC Exam Questions (page: 7)

Which of the following is the MOST effective control to ensure user access is maintained on a least-privilege basis?

  1. User authorization
  2. User recertification
  3. Change log review
  4. Access log monitoring

Answer(s): B

Explanation:

User recertification is the most effective control to ensure user access is maintained on a least-privilege basis, as it involves a periodic review and validation of user access rights and privileges by the appropriate authority. User recertification helps to identify and remove any unnecessary, excessive, or obsolete access rights and privileges that may pose a security risk or violate the principle of least privilege. User recertification also helps to ensure that user access rights and privileges are aligned with the current business needs, roles, and responsibilities of the users.
The other options are not the most effective controls to ensure user access is maintained on a least-privilege basis. User authorization is the process of granting or denying access rights and privileges to users based on their identity, role, and credentials, but it does not verify or update the existing access rights and privileges of the users. Change log review is the process of examining and analyzing the records of changes made to the system, configuration, or data, but it does not directly address the user access rights and privileges. Access log monitoring is the process of tracking and auditing the user activities and actions on the system or network, but it does not validate or modify the user access rights and privileges. References = What Is the Principle of Least Privilege and Why is it Important?, Principle of Least Privilege: Definition, Methods & Examples, IT Risk Resources | ISACA



A risk practitioner is concerned with potential data loss in the event of a breach at a hosted third-party provider.
Which of the following is the BEST way to mitigate this risk?

  1. Include an indemnification clause in the provider's contract.
  2. Monitor provider performance against service level agreements (SLAs).
  3. Purchase cyber insurance to protect against data breaches.
  4. Ensure appropriate security controls are in place through independent audits.

Answer(s): D

Explanation:

Conducting independent audits to verify that appropriate security controls are in place is the most effective way to mitigate the risk of data loss at a third-party provider. These audits provide assurance that the provider adheres to security best practices and complies with relevant standards and regulations.
While contractual clauses and insurance can provide financial remedies post-incident, proactive verification of security controls helps prevent breaches from occurring in the first place.


Reference:

ISACA CRISC Review Manual, 7th Edition, Chapter 3: Risk Response and Reporting, Section: Third-Party Risk Management.



Risk appetite should be PRIMARILY driven by which of the following?

  1. Enterprise security architecture roadmap
  2. Stakeholder requirements
  3. Legal and regulatory requirements
  4. Business impact analysis (BIA)

Answer(s): B

Explanation:

Risk appetite should be primarily driven by stakeholder requirements. Stakeholder requirements are the needs and expectations of the internal and external parties that have an interest or influence in the organization's objectives or operations, such as the board, management, employees, customers, regulators, investors, etc. Risk appetite is the amount and type of risk that the organization is willing to accept or pursue in order to achieve its objectives. Risk appetite should be driven by stakeholder requirements, because they reflect the organization's mission, vision, values, and strategy, and they provide the basis and direction for the organization's risk management activities. Risk appetite should also be aligned and communicated with stakeholder requirements, because they affect the organization's performance and reputation, and they require the organization's accountability and transparency. The other options are not the primary drivers of risk appetite, although they may be considered or influenced by risk appetite. Enterprise security architecture roadmap, legal and regulatory requirements, and business impact analysis (BIA) are all factors that could affect the organization's risk profile, risk assessment, or risk response, but they do not necessarily determine or reflect the organization's risk appetite. References = Risk and Information Systems Control Study Manual, Chapter 2, Section 2.3.1, page 2-23.



Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery test of critical business processes?

  1. Percentage of job failures identified and resolved during the recovery process
  2. Percentage of processes recovered within the recovery time and point objectives
  3. Number of current test plans and procedures
  4. Number of issues and action items resolved during the recovery test

Answer(s): D

Explanation:

The best key performance indicator (KPI) to measure the effectiveness of a disaster recovery test of critical business processes is the percentage of processes recovered within the recovery time and point objectives. Recovery time objective (RTO) is the maximum acceptable time period within which a business process or an IT service must be restored after a disruption. Recovery point objective (RPO) is the maximum acceptable amount of data loss measured in time before the disruption. The percentage of processes recovered within the RTO and RPO indicates how well the disaster recovery test meets the business continuity and recovery requirements and expectations, and how effectively the disaster recovery plan and procedures are executed. The percentage of processes recovered within the RTO and RPO can also help to identify the gaps, weaknesses, and opportunities for improvement in the disaster recovery capabilities. Percentage of job failures identified and resolved during the recovery process, number of current test plans and procedures, and number of issues and action items resolved during the recovery test are not as good as the percentage of processes recovered within the RTO and RPO, as they do not directly measure the achievement of the recovery objectives, and may not reflect the actual impact and performance of the disaster recovery test. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 130.



Which of the following is the MOST critical element to maximize the potential for a successful security implementation?

  1. The organization's knowledge
  2. Ease of implementation
  3. The organization's culture
  4. Industry-leading security tools

Answer(s): C

Explanation:

According to the CRISC Review Manual, the organization's culture is the most critical element to maximize the potential for a successful security implementation, because it influences the behavior, attitude, and perception of the stakeholders towards security. The organization's culture includes the values, beliefs, norms, and practices that are shared by the members of the organization. A positive and supportive culture can foster the awareness, commitment, and collaboration of the stakeholders in achieving the security objectives and complying with the security policies and standards. The other options are not the most critical elements, as they are less influential or less challenging than the organization's culture. The organization's knowledge is the collective understanding and expertise of the organization regarding security, which can be enhanced through training and education. Ease of implementation is the degree of difficulty and complexity of implementing security, which can be reduced by using appropriate methods and tools. Industry-leading security tools are the best-in-class solutions and technologies that can provide effective and efficient security, which can be acquired through market research and evaluation. References = CRISC Review Manual, 7th Edition, Chapter 1, Section 1.3.1, page 32.



Which of the following criteria is MOST important when developing a response to an attack that would compromise data?

  1. The recovery time objective (RTO)
  2. The likelihood of a recurring attack
  3. The organization's risk tolerance
  4. The business significance of the information

Answer(s): D

Explanation:

According to the CRISC Review Manual (Digital Version), the business significance of the information is the most important criterion when developing a response to an attack that would compromise data, as it determines the impact and severity of the attack on the organization's objectives and performance. The business significance of the information helps to:
  - Assess the value and sensitivity of the data that is compromised or at risk of compromise
  - Evaluate the potential losses or damages that the organization may incur due to the data compromise
  - Prioritize the data recovery and restoration activities based on the criticality and urgency of the data
  - Communicate and coordinate the data breach response and notification with the relevant stakeholders, such as the data owners, the customers, the regulators, and the media
  - Enhance the data protection and security measures to prevent or mitigate future data compromise incidents

References = CRISC Review Manual (Digital Version), Chapter 3: IT Risk Response, Section 3.3: Risk Response Options, pp. 174-1751



Which of the following is performed after a risk assessment is completed?

  1. Defining risk taxonomy
  2. Identifying vulnerabilities
  3. Conducting an impact analysis
  4. Defining risk response options

Answer(s): D

Explanation:

Defining risk response options is performed after a risk assessment is completed. A risk assessment is the process of identifying, analyzing, and evaluating the risks that affect the enterprise's objectives and operations. After a risk assessment is completed, the enterprise needs to define the risk response options, which are the actions that can be taken to address the risks. The risk response options include accepting, avoiding, transferring, mitigating, or exploiting the risks. Defining risk response options helps to select the most appropriate and effective strategy to manage the risks. Defining risk taxonomy, identifying vulnerabilities, and conducting an impact analysis are performed before or during a risk assessment, not after. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.1.4, page 541
1: ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide, Answer to Question 644.



Which of the following BEST enables the development of a successful IT strategy focused on business risk mitigation?

  1. Providing risk awareness training for business units
  2. Obtaining input from business management
  3. Understanding the business controls currently in place
  4. Conducting a business impact analysis (BIA)

Answer(s): B

Explanation:

Obtaining input from business management is the best way to enable the development of a successful IT strategy focused on business risk mitigation, because it helps to align and integrate the IT objectives and activities with the business goals and priorities. An IT strategy is a plan that defines how IT supports and enables the organization's vision, mission, and strategy. Business risk mitigation is a process that aims to reduce or eliminate the risks that may affect the achievement of the business objectives or expectations. Obtaining input from business management is the best way to ensure that the IT strategy is relevant, realistic, and responsive to the business needs and challenges, and that the IT risks are identified, assessed, and managed in accordance with the business risk appetite and tolerance. Providing risk awareness training for business units, understanding the business controls currently in place, and conducting a business impact analysis (BIA) are all useful ways to support the development of an IT strategy focused on business risk mitigation, but they are not the best way, as they do not directly involve the input and feedback from business management. References = Risk and Information Systems Control Study Manual, Chapter 2, Section 2.1.1, page 37


