Free ISACA CRISC Exam Questions (page: 8)

Which of the following provides The MOST useful information when determining a risk management program's maturity level?

  A. Risk assessment results
  B. A recently reviewed risk register
  C. Key performance indicators (KPIs)
  D. The organization's risk framework

Answer(s): C

Explanation:

Key performance indicators (KPIs) are measurable values that demonstrate how effectively an organization is achieving its key objectives. KPIs can be used to evaluate the progress and performance of a risk management program, as well as to identify the areas for improvement and alignment with the organization's strategy. KPIs can provide the most useful information when determining a risk management program's maturity level, because they can reflect the extent to which the program is integrated, consistent, proactive, and value-adding. KPIs can also be compared with industry benchmarks or best practices to assess the program's maturity level relative to other organizations. The other options are not as useful as KPIs, because they do not provide a clear and comprehensive picture of the risk management program's maturity level, but rather focus on specific aspects or outputs of the program. References = Risk and Information Systems Control Study Manual, Chapter 1, Section 1.3.2, page 18.



Before implementing instant messaging within an organization using a public solution, which of the following should be in place to mitigate data leakage risk?

  A. A data extraction tool
  B. An access control list
  C. An intrusion detection system (IDS)
  D. An acceptable usage policy

Answer(s): D

Explanation:

According to the CRISC Review Manual, an acceptable usage policy is a document that defines the rules and guidelines for the appropriate and secure use of IT resources within an organization. It helps to mitigate data leakage risk by establishing the roles and responsibilities of users, the types and purposes of data that can be shared or transmitted, the authorized methods and channels of communication, the security controls and measures to protect data, and the consequences of non-compliance. An acceptable usage policy also educates and raises awareness among users about the potential risks and threats associated with instant messaging and other forms of online communication. Therefore, before implementing instant messaging within an organization using a public solution, an acceptable usage policy should be in place to mitigate data leakage risk. References = CRISC Review Manual, page 237.



Which of the following should be included in a risk assessment report to BEST facilitate senior management's understanding of the results?

  A. Benchmarking parameters likely to affect the results
  B. Tools and techniques used by risk owners to perform the assessments
  C. A risk heat map with a summary of risk identified and assessed
  D. The possible impact of internal and external risk factors on the assessment results

Answer(s): C

Explanation:

A risk heat map is a graphical tool that displays the level of risk for each risk area based on the impact and likelihood of occurrence. It also provides a summary of the risk assessment results, such as the number and severity of risks, the risk appetite and tolerance, and the risk response strategies. A risk heat map can help senior management to understand the risk profile of the organization, prioritize the risks that need attention, and allocate resources accordingly. A risk heat map is more effective than the other options because it can communicate complex information in a simple and visual way, and it can highlight the key risk areas and trends. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.4.2, page 97.



Which of the following is the BEST recommendation of a risk practitioner for an organization that recently changed its organizational structure?

  A. Communicate the new risk profile.
  B. Implement a new risk assessment process.
  C. Revalidate the corporate risk appetite.
  D. Review and adjust key risk indicators (KRIs).

Answer(s): A

Explanation:

Communicating the new risk profile is the best recommendation for a risk practitioner for an organization that recently changed its organizational structure, because it helps to inform and align the stakeholders on the current state of risks and their implications for the organization's objectives and strategy. A risk profile is a summary of the key risks that an organization faces, along with their likelihood, impact, and response strategies. An organizational structure is the way that an organization arranges its people, roles, and responsibilities to achieve its goals and deliver its value proposition. A change in the organizational structure may affect the risk profile, as it may introduce new sources or types of risk, or alter the existing risk levels or responses. Therefore, communicating the new risk profile is the best recommendation, as it helps to ensure that the stakeholders are aware of and prepared for the changes and challenges that the new organizational structure may bring. Implementing a new risk assessment process, revalidating the corporate risk appetite, and reviewing and adjusting key risk indicators (KRIs) are all important tasks to perform after communicating the new risk profile, but they are not the best recommendation, as they depend on the communication and understanding of the new risk profile. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.2.3, page 91.



Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability management process?

  A. Percentage of vulnerabilities remediated within the agreed service level
  B. Number of vulnerabilities identified during the period
  C. Number of vulnerabilities re-opened during the period
  D. Percentage of vulnerabilities escalated to senior management

Answer(s): A

Explanation:

A vulnerability management process is a process that identifies, analyzes, prioritizes, and remediates the vulnerabilities in the IT systems and applications. The effectiveness of a vulnerability management process can be measured by the key performance indicators (KPIs) that reflect the achievement of the process objectives and the alignment with the enterprise's risk appetite and tolerance. The best KPI to measure the effectiveness of a vulnerability management process is the percentage of vulnerabilities remediated within the agreed service level. This KPI indicates how well the process is able to address the vulnerabilities in a timely and efficient manner, and reduce the exposure and impact of the risks associated with the vulnerabilities. The other options are not as good as the percentage of vulnerabilities remediated within the agreed service level, as they may not reflect the quality or timeliness of the remediation actions, or the alignment with the enterprise's risk appetite and tolerance. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.3.2.1, pp. 171-172.



When a high-risk security breach occurs, which of the following would be MOST important to the person responsible for managing the incident?

  A. An analysis of the security logs that illustrate the sequence of events
  B. An analysis of the impact of similar attacks in other organizations
  C. A business case for implementing stronger logical access controls
  D. A justification of corrective action taken

Answer(s): A

Explanation:

An analysis of the security logs that illustrate the sequence of events is the most important information for the person responsible for managing the incident, as it can help to identify the source, scope, and impact of the security breach, and to determine the appropriate response actions. An analysis of the security logs can also provide evidence for forensic investigation and legal action, and help to prevent or mitigate future incidents by identifying the root causes and vulnerabilities. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, Question 235. CRISC by Isaca Actual Free Exam Q&As, Question 9. CRISC: Certified in Risk & Information Systems Control Sample Questions, Question 235. CRISC Sample Questions 2024, Question 235.



A hospital recently implemented a new technology to allow virtual patient appointments.
Which of the following should be the risk practitioner's FIRST course of action?

  A. Reassess the risk profile.
  B. Modify the risk taxonomy.
  C. Increase the risk tolerance.
  D. Review the risk culture.

Answer(s): A

Explanation:

Reassessing the risk profile is the first course of action that a risk practitioner should take after a hospital recently implemented a new technology to allow virtual patient appointments. This is because reassessing the risk profile can help identify, analyze, and evaluate the new or changed risks that the new technology may introduce or affect, such as data privacy, security, quality, reliability, or compliance risks. Reassessing the risk profile can also help determine the appropriate risk response and mitigation strategies, as well as monitor and report the risk performance and outcomes. According to the CRISC Review Manual 2022, reassessing the risk profile is one of the key steps in the IT risk management process. According to the web search results, reassessing the risk profile is a common and recommended practice for addressing the risks of virtual patient appointments.



Which of the following provides the MOST mitigation value for an organization implementing new Internet of Things (IoT) devices?

  A. Performing a vulnerability assessment on the IoT devices
  B. Designing IoT architecture with IT security controls from the start
  C. Implementing key risk indicators (KRIs) for IoT devices
  D. To ensure risk trend data is collected and reported

Answer(s): B


