Free ISACA CRISC Übungsprüfungen - Seite 11 von 65

Question #101

Which of the following is MOST important when developing risk scenarios?

A . The scenarios are based on industry best practice.
B . The scenarios focus on current vulnerabilities.
C . The scenarios are relevant to the organization.
D . The scenarios include technical consequences.

Lösung einblenden Lösung ausblenden

Question #102

The risk associated with a high-risk vulnerability in an application is owned by the:

A . security department.
B . business unit
C . vendor.
D . IT department.

Lösung einblenden Lösung ausblenden

Question #103

The BEST way to validate that a risk treatment plan has been implemented effectively is by reviewing:

A . results of a business impact analysis (BIA).
B . the original risk response plan.
C . training program and user awareness documentation.
D . a post-implementation risk and control self-assessment (RCSA).

Lösung einblenden Lösung ausblenden

Question #104

Which of the following approaches to bring your own device (BYOD) service delivery provides the BEST protection from data loss?

A . Enable data wipe capabilities
B . Penetration testing and session timeouts
C . Implement remote monitoring
D . Enforce strong passwords and data encryption

Lösung einblenden Lösung ausblenden

Question #105

Which of the following should be a risk practitioner’s NEXT step after learning of an incident that has affected a competitor?

A . Activate the incident response plan.
B . Implement compensating controls.
C . Update the risk register.
D . Develop risk scenarios.

Lösung einblenden Lösung ausblenden

Question #106

An organization is measuring the effectiveness of its change management program to reduce the number of unplanned production changes.

Which of the following would be the BEST metric to determine if the program is performing as expected?

A . Decrease in the time to move changes to production
B . Ratio of emergency fixes to total changes
C . Ratio of system changes to total changes
D . Decrease in number of changes without a fallback plan

Lösung einblenden Lösung ausblenden

Richtige Antwort: B
B

Explanation:

The ratio of emergency fixes to total changes is the best metric to determine if the change management program is performing as expected, because it reflects the quality and stability of the changes that are implemented in the production environment. A high ratio of emergency fixes to total changes indicates that the change management program is not effective, as it means that many changes are causing problems or failures that require urgent correction. A low ratio of emergency fixes to total changes indicates that the change management program is effective, as it means that most changes are well-planned, tested, and approved, and do not cause significant disruptions or defects. The ratio of emergency fixes to total changes can also help identify the root causes of the problems, the gaps in the change management process, and the areas for improvement. For example, if the ratio of emergency fixes to total changes is high, it may indicate that the change management program has issues with the following aspects: – Change request and approval: The change management program may not have a clear and consistent process for requesting, reviewing, and approving changes, or the process may not be followed by all stakeholders. – Change impact analysis: The change management program may not have a comprehensive and systematic method for assessing the potential impact of the changes on the business processes, the IT systems, the users, and the customers. – Change testing and validation: The change management program may not have adequate testing and validation procedures to ensure that the changes meet the requirements and specifications, and do not introduce errors or vulnerabilities. – Change communication and training: The change management program may not have effective communication and training strategies to inform and educate the affected parties about the changes and their implications. – Change implementation and monitoring: The change management program may not have proper implementation and monitoring plans or tools to ensure that the changes are executed smoothly and successfully, and that any issues or incidents are detected and resolved promptly. Therefore, the ratio of emergency fixes to total changes is the best metric to determine if the change management program is performing as expected, as it can provide valuable feedback and insights for the change management program and its improvement.

Reference: = How to Measure Change Management Effectiveness: Metrics, Tools & Processes1, Metrics for Measuring Change Management2, Driving Value with Change Management Metrics3, Must-Know Organizational Change Management Metrics

Question #107

Which of the following BEST enables the identification of trends in risk levels?

A . Correlation between risk levels and key risk indicators (KRIs) is positive.
B . Measurements for key risk indicators (KRIs) are repeatable
C . Quantitative measurements are used for key risk indicators (KRIs).
D . Qualitative definitions for key risk indicators (KRIs) are used.

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

Key risk indicators (KRIs) are metrics or measures that provide information on the current or potential exposure and performance of an organization in relation to specific risks. KRIs can help to monitor and track the changes or trends in the risk level and the risk response over time, identify and alert the risk issues or events that require attention or action, evaluate and report the effectiveness and efficiency of the risk management processes and practices, and support and inform the risk decision making and improvement1.

The best way to enable the identification of trends in risk levels is to ensure that the correlation between risk levels and KRIs is positive, because it means that the KRIs are aligned with and reflective of the risk levels, and that they can capture and indicate the variations or movements in the risk levels accurately and reliably. A positive correlation between risk levels and KRIs can be achieved by:

Selecting and defining the KRIs that are relevant and appropriate for the specific risks that the organization faces, and that are consistent and comparable across different domains and contexts Collecting and analyzing the data and information that are reliable and sufficient for the KRIs, and that are sourced from various methods and sources, such as risk assessments, audits, monitoring, alerts, or incidents

Applying and using the tools and techniques that are suitable and feasible for the KRIs, such as risk matrices, risk registers, risk indicators, or risk models

Reviewing and updating the KRIs periodically or as needed, and ensuring that they reflect the current or accurate risk levels, which may change over time or due to external factors23

The other options are not the best ways to enable the identification of trends in risk levels, but rather some of the factors or aspects of KRIs. Measurements for KRIs are repeatable is a factor that can enhance the reliability and validity of the KRIs, as it means that the KRIs can produce the same or similar results under the same or similar conditions. However, repeatability does not necessarily imply accuracy or sensitivity, and it may not capture or reflect the changes or trends in the risk levels. Quantitative measurements are used for KRIs is an aspect that can improve the objectivity and precision of the KRIs, as it means that the KRIs are expressed in numerical or measurable values, such as percentages, probabilities, or monetary amounts. However, quantitative measurements may not be suitable or feasible for all types of risks or KRIs, and they may not capture or reflect the complexity or uncertainty of the risk levels. Qualitative definitions for KRIs are used is an aspect that can enhance the understanding and communication of the KRIs, as it means that the KRIs are expressed in descriptive or subjective terms, such as high, medium, or low, based on criteria such as likelihood, impact, or severity. However, qualitative definitions may not be consistent or comparable

across different risks or KRIs, and they may not capture or reflect the magnitude or variation of the risk levels.

Reference: =

Key Risk Indicators: What They Are and How to Use Them

Key Risk Indicators: A Practical Guide | SafetyCulture

Key Risk Indicators: Types and Examples

[CRISC Review Manual, 7th Edition]

Question #108

Which of the following BEST enables effective risk-based decision making?

A . Performing threat modeling to understand the threat landscape
B . Minimizing the number of risk scenarios for risk assessment
C . Aggregating risk scenarios across a key business unit
D . Ensuring the risk register is updated to reflect changes in risk factors

Lösung einblenden Lösung ausblenden

Question #109

The maturity of an IT risk management program is MOST influenced by:

A . the organization’s risk culture
B . benchmarking results against similar organizations
C . industry-specific regulatory requirements
D . expertise available within the IT department

Lösung einblenden Lösung ausblenden

Question #110

Which of the following situations would BEST justify escalation to senior management?

A . Residual risk exceeds acceptable limits.
B . Residual risk is inadequately recorded.
C . Residual risk remains after controls have been applied.
D . Residual risk equals current risk.

Lösung einblenden Lösung ausblenden