Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CRISC

ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 72 )

Updated On: 28-Feb-2026
Page 72 of 380
PDF with 1895 Questions

A risk practitioner has been notified of a social engineering attack using artificial intelligence (Al) technology to impersonate senior management personnel.
Which of the following would BEST mitigate the impact of such attacks?

  1. Training and awareness of employees for increased vigilance
  2. Increased monitoring of executive accounts
  3. Subscription to data breach monitoring sites
  4. Suspension and takedown of malicious domains oraccounts

Answer(s): A

Explanation:

Understanding the Questio n:
The question is about mitigating the impact of social engineering attacks that use AI technology to impersonate senior management personnel.
Analyzing the Options:
A . Training andawareness of employees for increased vigilance:This is the most proactive approach. Educating employees about the risks and signs of social engineering attacks enhances their ability to recognize and respond appropriately to such threats. B . Increased monitoring of executive accounts:Useful but reactive; it doesn't prevent initial attempts.
C . Subscription to data breach monitoring sites:Helps detect breaches but doesn't directly mitigate impersonation attacks.
D . Suspension and takedown of malicious domains or accounts:Reactive measure and might not be immediate or comprehensive.

Importance of Training:Employees are often the first line of defense against social engineering attacks. Regular training ensures they are aware of the tactics used in such attacks, including those leveraging AI, and how to respond effectively. Proactive Measure:Training increases vigilance and the likelihood of early detection, reducing the potential impact of the attack.


Reference:

CRISC Review Manual, Chapter 3: Risk Response and Reporting, discusses the importance of training and awareness programs in mitigating social engineering risks .



An internally developed payroll application leverages Platform as a Service (PaaS) infrastructure from the cloud.
Who owns the related data confidentiality risk?

  1. IT infrastructure head
  2. Human resources head
  3. Supplier management head
  4. Application development head

Answer(s): B

Explanation:

Data confidentiality risk is the risk that the data may be accessed, disclosed, or modified by unauthorized parties, resulting in breaches of privacy, trust, or compliance1. Platform as a Service (PaaS) is a cloud computing model that provides a platform for developing, testing,

and deploying applications, without requiring the users to manage the underlying infrastructure2. An internally developed payroll application is an application that is created and maintained by the organization itself, rather than by a third-party vendor, and that is used to process and manage the payroll data of the organization's employees3. The owner of the data confidentiality risk is the person or entity that has the authority and accountability for the data and its protection, and that is responsible for identifying, assessing, and mitigating the risk. The owner of the data confidentiality risk related to an internally developed payroll application that leverages PaaS infrastructure from the cloud is the human resources head, as they are the person who oversees the human resources function and the payroll data of the organization. The human resources head has the best understanding of the sensitivity, value, and usage of the payroll data, and the potential impacts and implications of a data confidentiality breach. The human resources head also has the ability and responsibility to define and implement the policies, procedures, and controls that are necessary to protect the payroll data, and to monitor and report on the performance and compliance of the data confidentiality risk management. The IT infrastructure head, the supplier management head, and the application development head are not the best choices for owning the data confidentiality risk related to an internally developed payrollapplication that leverages PaaS infrastructure from the cloud, as they do not have the same level of authority and accountability as the human resources head. The IT infrastructure head is the person who oversees the IT infrastructure function and the PaaS infrastructure of the organization. The IT infrastructure head may be involved in providing input and feedback to the human resources head on the data confidentiality risk management, especially those related to the PaaS infrastructure, but they do not have the final say or the overall responsibility for the payroll data and its protection. The supplier management head is the person who oversees the supplier management function and the relationship with the cloud service provider that provides the PaaS infrastructure. The supplier management head may be involved in negotiating and enforcing the service level agreements and the security requirements with the cloud service provider, but they do not have the authority or the expertise to manage the data confidentiality risk of the payroll data. The application development head is the person who oversees the application development function and the development, testing, and deployment of the payroll application. The application development head may be involved in designing and implementing the security features and controls of the payroll application, but they do not have the perspective or the influence to manage the data confidentiality risk of the payroll data. References = 3: Payroll Software: What Is It & How Does It Work? | QuickBooks2: What is Platform as a Service (PaaS)? | IBM1: Data Confidentiality:
Identifyingand Protecting Assets Against Data ... : [Risk Ownership - Risk Management] :
[Human Resources and Payroll Security Policy - University of ...] : [Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.1: IT Risk Concepts, pp. 17-19.] : [Risk andInformation Systems Control Study Manual, Chapter 2: IT Risk Assessment, Section 2.1: Risk Identification, pp. 57-59.] : [Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting,

Section 4.2: Risk Monitoring, pp. 189-191.] : [Risk and Information Systems Control Study Manual, Chapter 5: Information Systems Control Design and Implementation, Section 5.1:
Control Design, pp. 233-235.] : [Risk and Information Systems Control Study Manual, Chapter 5: Information Systems Control Design and Implementation, Section 5.2: Control Implementation, pp. 243-245.] : [Risk and Information Systems Control Study Manual, Chapter 5: Information Systems Control Design and Implementation, Section 5.3: Control Monitoring and Maintenance, pp. 251-253.]



A risk practitioner has collaborated with subject matter experts from the IT department to develop a large list of potential key risk indicators (KRIs) for all IT operations within theorganization of the following, who should review the completed list and select the appropriate KRIs for implementation?

  1. IT security managers
  2. IT control owners
  3. IT auditors
  4. IT risk owners

Answer(s): D

Explanation:

IT risk owners are the most appropriate people to review the completed list of potential key risk indicators (KRIs) and select the ones that should be implemented. IT risk owners are the individuals who have the authority and accountability to manage the IT risks within their scope of responsibility. They are also responsible for defining the risk appetite, tolerance, and thresholds for their IT operations, and for ensuring that the KRIs are aligned with the business objectives and risk management strategy. IT security managers, IT control owners, and IT auditors are also involved in the risk management process, but they do not have the same level of authority and accountability as IT risk owners, and they may have different perspectives and priorities on the selection of KRIs. References = Risk and Information Systems Control Study Manual, Chapter 1, Section 1.3.1, page 1-13.



Which of the following is the PRIMARY objective of a risk awareness program?

  1. To demonstrate senior management support
  2. To enhance organizational risk culture
  3. To increase awareness of risk mitigation controls
  4. To clearly define ownership of risk

Answer(s): B

Explanation:

A risk awareness program is a set of activities and communication methods that aim to increase the understanding and knowledge of risk among the stakeholders of an organization. The primary objective of a risk awareness program is to enhance the organizational risk culture, which is the shared values, beliefs, and attitudes that influence how risk is perceived and managed in the organization. A risk awareness program can help to promote a risk-aware culture by:
·Educating stakeholders on the concepts and benefits of risk management ·Aligning risk management with the organization's vision, mission, and objectives ·Encouraging stakeholder participation and collaboration in risk management processes ·Fostering a positive attitude towards risk taking and learning from failures ·Reinforcing risk management roles and responsibilities ·Recognizing and rewarding good risk management practices


Reference:

The answer is based on the following sources:
·CRISC Review Manual, 7th Edition, Chapter 2: IT Risk Assessment, page 781 ·Developing Collective Risk Leadership Through CRISC2



An organization has recently been experiencing frequent data corruption incidents. Implementing a file corruption detection tool as a risk response strategy will help to:

  1. reduce the likelihood of future events
  2. restore availability
  3. reduce the impact of future events
  4. address the root cause

Answer(s): C

Explanation:

Implementing a file corruption detection tool as a risk response strategy will help to reduce the impact of future events, as it will enable the organization to identify and correct the corrupted files before they cause further damage or loss. A file corruption detection tool is a software that scans and verifies the integrity and validity of the files, and alerts the users or administrators of any anomalies or errors. This helps to minimize the disruption and downtime caused by the data corruption incidents, and to preserve the quality and reliability of the data. Implementing a file corruption detection tool will not reduce the likelihood of future events, as it does not prevent or mitigate the causes or sources of the data corruption incidents. It will not restore availability, as it does not recover or restore the corrupted files, but only detects them. It will not address the root cause, as it does not analyze or eliminate the underlying factors that lead to the data corruption incidents. References = CRISC Certified in Risk and Information Systems Control ­ Question215; ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 215.



Viewing page 72 of 380
Viewing questions 356 - 360 out of 1895 questions



Post your Comments and Discuss ISACA CRISC exam dumps with other Community members:

CRISC Exam Discussions & Posts

AI Tutor