Free ISACA CRISC Übungsprüfungen - Seite 13 von 65

Question #121

Which of the following BEST enables a proactive approach to minimizing the potential impact of unauthorized data disclosure?

A . Key risk indicators (KRIs)
B . Data backups
C . Incident response plan
D . Cyber insurance

Lösung einblenden Lösung ausblenden

Richtige Antwort: C
C

Explanation:

Unauthorized data disclosure: The exposure of sensitive or confidential information to unauthorized parties, either intentionally or unintentionally1.

Proactive approach: An approach that anticipates and prevents potential problems or threats before they occur, rather than reacting to them after they happen2.

Incident response plan: A set of policies, procedures, and tools that guide an organization’s actions in the event of a data breach or security incident3.

A proactive approach to minimizing the potential impact of unauthorized data disclosure is to have an incident response plan. An incident response plan helps an organization to: Detect and contain the incident as quickly as possible

Analyze the scope, cause, and impact of the incident

Eradicate the threat and restore normal operations

Communicate with internal and external stakeholders

Learn from the incident and improve security measures

An incident response plan enables an organization to reduce the damage and disruption caused by unauthorized data disclosure, as well as to comply with relevant laws and regulations that require timely notification and remediation of data breaches3.

The other options are not as effective as an incident response plan in minimizing the potential impact of unauthorized data disclosure, because they do not address the root cause or the response of the incident. Key risk indicators (KRIs), which are metrics that measure the level of risk exposure or the likelihood of a risk event, may help to monitor and manage the risk of unauthorized data disclosure, but they do not prevent or respond to the incident. Data backups, which are copies of data stored in a separate location or medium, may help to recover the data that was lost or corrupted due to unauthorized data disclosure, but they do not protect the data that was exposed or stolen. Cyber insurance, which is a type of insurance that covers the financial losses and liabilities arising from cyberattacks or data breaches, may help to mitigate some of the costs and risks associated with unauthorized data disclosure, but it does not prevent or resolve the incident.

Reference: = What is Unauthorized Data Disclosure? | Egnyte, Proactive vs. Reactive: What’s the Difference?, Incident Response Planning: Best Practices for Businesses

Question #122

Which of the following is the BEST indicator of an effective IT security awareness program?

A . Decreased success rate of internal phishing tests
B . Decreased number of reported security incidents
C . Number of disciplinary actions issued for security violations
D . Number of employees that complete security training

Lösung einblenden Lösung ausblenden

Question #123

While evaluating control costs, management discovers that the annual cost exceeds the annual loss expectancy (ALE) of the risk. This indicates the:

A . control is ineffective and should be strengthened
B . risk is inefficiently controlled.
C . risk is efficiently controlled.
D . control is weak and should be removed.

Lösung einblenden Lösung ausblenden

Question #124

Which of the following is MOST helpful to review when identifying risk scenarios associated with the adoption of Internet of Things (loT) technology in an organization?

A . The business case for the use of loT
B . The loT threat landscape
C . Policy development for loT
D . The network that loT devices can access

Lösung einblenden Lösung ausblenden

Richtige Antwort: B
B

Explanation:

Risk scenarios: Narratives that describe potential risk events, their causes, consequences, and likelihood1.

Internet of Things (IoT): A network of interconnected devices, software, sensors, and other things that communicate and exchange data without human intervention2.

IoT threat landscape: The range and types of threats and attacks that target IoT devices, systems, and networks3.

The most helpful thing to review when identifying risk scenarios associated with the adoption of IoT technology in an organization is the IoT threat landscape. The IoT threat landscape provides a comprehensive and current overview of the potential sources, methods, and impacts of cyberattacks on IoT devices, systems, and networks. Reviewing the IoT threat landscape can help an organization to:

Identify the most relevant and prevalent threats and vulnerabilities that affect IoT technology, such as weak passwords, insecure interfaces, insufficient data protection, poor device management, or lack of encryption4.

Assess the likelihood and impact of different types of attacks, such as malware infections, denial-of-service attacks, data breaches, unauthorized access, or sabotage4.

Prioritize the most critical and urgent risks that need to be addressed and mitigated.

Develop realistic and plausible risk scenarios that reflect the actual IoT threat environment and the organization’s specific context and objectives.

The other options are not as helpful as the IoT threat landscape when identifying risk scenarios associated with the adoption of IoT technology in an organization, because they do not provide a comprehensive and current view of the potential threats and attacks that target IoT technology. The business case for the use of IoT, which is the justification and rationale for adopting IoT technology based on the expected benefits, costs, and risks, may help to understand the value and purpose of IoT technology for the organization, but it does not provide detailed information on the specific threats and vulnerabilities that affect IoT technology. Policy development for IoT, which is the process of creating and implementing rules and guidelines for the governance, management, and security of IoT technology, may help to establish the standards and expectations for IoT technology within the organization, but it does not provide an overview of the external threats and attacks that target IoT technology. The network that IoT devices can access, which is the infrastructure and system that enables the connectivity and communication of IoT devices, may help to identify the potential entry points and attack vectors for IoT threats, but it does not provide a complete picture of the types and impacts of IoT threats.

Reference: = Risk Scenarios Toolkit, What is the Internet of Things (IoT)? With Examples | Coursera, Top IoT security issues and challenges (2022) C Thales, 8 Internet of Things Threats and Security Risks – SecurityScorecard

Question #125

An organization is preparing to transfer a large number of customer service representatives to the sales department. Of the following, who is responsible for mitigating the risk associated with residual system access?

A . IT service desk manager
B . Sales manager
C . Customer service manager
D . Access control manager

Lösung einblenden Lösung ausblenden

Question #126

Risk management strategies are PRIMARILY adopted to:

A . take necessary precautions for claims and losses.
B . achieve acceptable residual risk levels.
C . avoid risk for business and IT assets.
D . achieve compliance with legal requirements.

Lösung einblenden Lösung ausblenden

Question #127

Deviation from a mitigation action plan’s completion date should be determined by which of the following?

A . Change management as determined by a change control board
B . Benchmarking analysis with similar completed projects
C . Project governance criteria as determined by the project office
D . The risk owner as determined by risk management processes

Lösung einblenden Lösung ausblenden

Question #128

Which of the following would BEST ensure that identified risk scenarios are addressed?

A . Reviewing the implementation of the risk response
B . Creating a separate risk register for key business units
C . Performing real-time monitoring of threats
D . Performing regular risk control self-assessments

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

The best way to ensure that identified risk scenarios are addressed is to review the implementation of the risk response. The risk response is the action or plan that is taken to reduce, avoid, transfer, or accept the risk, depending on the chosen risk treatment option1. Reviewing the implementation of the risk response means checking whether the risk response actions are executed as planned, whether they are effective and efficient in mitigating the risk, and whether they are aligned with the organization’s objectives and risk appetite2. Reviewing the implementation of the risk response helps to monitor and control the risk, identify any gaps or issues, and make any necessary adjustments or improvements. The other options are not the best ways to ensure that identified risk scenarios are addressed, as they are either less comprehensive or less specific than reviewing the implementation of the risk response. Creating a separate risk register for key business units is a way of documenting and tracking the risks that affect different parts of the organization. However, this is not the same as addressing the risk scenarios, as it does not indicate how the risks are treated or resolved. Performing real-time monitoring of threats is a way of detecting and responding to any changes or events that may increase the likelihood or impact of the risks. However, this is not the same as addressing the risk scenarios, as it does not measure the effectiveness or efficiency of the risk response actions. Performing regular risk control self-assessments is a way of evaluating and testing the design and operation of the controls that are implemented to mitigate the risks. However, this is not the same as addressing the risk scenarios, as it does not cover the other aspects of the risk response, such as risk avoidance, transfer, or acceptance.

Reference: = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.7, Page 59.

Question #129

Which of the following is the GREATEST concern associated with business end users developing their own applications on end user spreadsheets and database programs?

A . An IT project manager is not assigned to oversee development.
B . Controls are not applied to the applications.
C . There is a lack of technology recovery options.
D . The applications are not captured in the risk profile.

Lösung einblenden Lösung ausblenden

Question #130

An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application.

Which of the following should be the NEXT course of action?

A . Invoke the disaster recovery plan during an incident.
B . Prepare a cost-benefit analysis of alternatives available
C . Implement redundant infrastructure for the application.
D . Reduce the recovery time by strengthening the response team.

Lösung einblenden Lösung ausblenden