Free ISACA CRISC Übungsprüfungen - Seite 17 von 65

Question #161

An organization has determined a risk scenario is outside the defined risk tolerance level.

What should be the NEXT course of action?

A . Develop a compensating control.
B . Allocate remediation resources.
C . Perform a cost-benefit analysis.
D . Identify risk responses

Lösung einblenden Lösung ausblenden

Question #162

Which of the following should be initiated when a high number of noncompliant conditions are observed during review of a control procedure?

A . Disciplinary action
B . A control self-assessment
C . A review of the awareness program
D . Root cause analysis

Lösung einblenden Lösung ausblenden

Question #163

When communicating changes in the IT risk profile, which of the following should be included to BEST enable stakeholder decision making?

A . List of recent incidents affecting industry peers
B . Results of external attacks and related compensating controls
C . Gaps between current and desired states of the control environment
D . Review of leading IT risk management practices within the industry

Lösung einblenden Lösung ausblenden

Richtige Antwort: C
C

Explanation:

The best thing to include when communicating changes in the IT risk profile is the gaps between the current and desired states of the control environment, as this shows the stakeholders the extent and impact of the changes, and the actions and resources needed to address them. The control environment is the set of policies, processes, and systems that provide reasonable assurance that the IT risks are identified, assessed, and treated effectively and efficiently. The current state of the control environment reflects the existing level and performance of the controls, and the residual risk that remains after the controls are applied. The desired state of the control environment reflects the target level and performance of the controls, and the risk appetite and tolerance of the organization. The gaps between the current and desired states of the control environment indicate the areas of improvement or enhancement for the IT risk management process, and the priorities and strategies for risk response. The other options are not the best things to include when communicating changes in the IT risk profile, although they may be useful or relevant information. A list of recent incidents affecting industry peers can provide some context and comparison for the IT risk profile, but it does not measure or explain the changes in the IT risk level or the control environment. Results of external attacks and related compensating controls can demonstrate the security and resilience of the IT systems and networks, but they do not cover the entire scope or spectrum of the IT risk profile or the control environment. A review of leading IT risk management practices within the industry can provide some insights and benchmarks for the IT risk management process, but it does not reflect the specific situation or needs of the organization or the stakeholders.

Reference: = Risk and Information Systems Control Study Manual, Chapter 5: Risk and Control Monitoring and Reporting, page 181.

Question #164

Effective risk communication BEST benefits an organization by:

A . helping personnel make better-informed decisions
B . assisting the development of a risk register.
C . improving the effectiveness of IT controls.
D . increasing participation in the risk assessment process.

Lösung einblenden Lösung ausblenden

Question #165

An organization uses a biometric access control system for authentication and access to its server room.

Which control type has been implemented?

A . Detective
B . Deterrent
C . Preventive
D . Corrective

Lösung einblenden Lösung ausblenden

Question #166

What is the MOST important consideration when aligning IT risk management with the enterprise risk management (ERM) framework?

A . Risk and control ownership
B . Senior management participation
C . Business unit support
D . Risk nomenclature and taxonomy

Lösung einblenden Lösung ausblenden

Question #167

Which of the following will provide the BEST measure of compliance with IT policies?

A . Evaluate past policy review reports.
B . Conduct regular independent reviews.
C . Perform penetration testing.
D . Test staff on their compliance responsibilities.

Lösung einblenden Lösung ausblenden

Question #168

A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security.

Which of the following observations would be MOST relevant to escalate to senior management?

A . An increase in attempted distributed denial of service (DDoS) attacks
B . An increase in attempted website phishing attacks
C . A decrease in achievement of service level agreements (SLAs)
D . A decrease in remediated web security vulnerabilities

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

A web-based service provider is an organization that offers online services or applications to its customers or users, such as e-commerce, social media, cloud computing, etc. A web-based service provider depends on the availability, reliability, and security of its web servers, networks, and systems to deliver its services or applications.

A low risk appetite for system outages means that the organization is not willing to accept a high level or frequency of system outages, which are interruptions or disruptions in the normal operation or functionality of the web servers, networks, or systems. System outages can cause customer dissatisfaction, revenue loss, reputation damage, or legal liability for the web-based service provider. A current risk profile for online security is the current state or condition of the online security risks that may affect the web-based service provider’s objectives and operations. It includes the identification, analysis, and evaluation of the online security risks, and the prioritization and response to them based on their significance and urgency.

The most relevant observation to escalate to senior management is an increase in attempted distributed denial of service (DDoS) attacks, which are malicious attacks that aim to overwhelm or overload the web servers, networks, or systems with a large volume or frequency of requests or traffic, and prevent them from responding to legitimate requests or traffic. An increase in attempted DDoS attacks indicates a high likelihood and impact of system outages, and a high level of threat or vulnerability for the web-based service provider’s online security. Escalating this observation to senior management can help them to understand the severity and urgency of the risk, and to decide on the appropriate risk response and allocation of resources.

The other options are not the most relevant observations to escalate to senior management, because they do not indicate a high likelihood or impact of system outages, and they may not be relevant or actionable for senior management.

An increase in attempted website phishing attacks means an increase in malicious attempts to deceive or trick the web-based service provider’s customers or users into providing their personal or financial information, such as usernames, passwords, credit card numbers, etc., by impersonating the web-based service provider’s website or email. An increase in attempted website phishing attacks indicates a high level of threat or vulnerability for the web-based service provider’s online security, but it may not directly cause system outages, unless the phishing attacks are used to compromise the web servers, networks, or systems. Escalating this observation to senior management may not be the most relevant, because it may not reflect the web-based service provider’s risk appetite for system outages, and it may not require senior management’s involvement or approval.

A decrease in achievement of service level agreements (SLAs) means a decrease in the extent or degree to which the web-based service provider meets or exceeds the agreed or expected standards or criteria for the quality, performance, or availability of its services or applications, as specified in the contracts or agreements with its customers or users. A decrease in achievement of SLAs indicates a low level of customer satisfaction, retention, or loyalty, and a low level of competitiveness or profitability for the web-based service provider. Escalating this observation to senior management may not be the most relevant, because it may not reflect the web-based service provider’s risk appetite for system outages, and it may not require senior management’s involvement or approval. A decrease in remediated web security vulnerabilities means a decrease in the number or percentage of web security vulnerabilities that have been identified and resolved or mitigated by the web-based service provider. Web security vulnerabilities are weaknesses or flaws in the web servers, networks, or systems that can be exploited by malicious attackers to compromise or damage the web-based service provider’s online security. A decrease in remediated web security vulnerabilities indicates a low level of effectiveness or efficiency for the web-based service provider’s web security

controls or processes. Escalating this observation to senior management may not be the most relevant, because it may not reflect the web-based service provider’s risk appetite for system outages, and it may not require senior management’s involvement or approval.

Reference: = ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 19-20, 23-24, 27-28, 31-32, 40-41, 47-48, 54-55, 58-59, 62-63 ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 161 CRISC Practice Quiz and Exam Prep

Question #169

An audit reveals that there are changes in the environment that are not reflected in the risk profile.

Which of the following is the BEST course of action?

A . Review the risk identification process.
B . Inform the risk scenario owners.
C . Create a risk awareness communication plan.
D . Update the risk register.

Lösung einblenden Lösung ausblenden

Question #170

Which of the following is the MOST relevant information to include in a risk management strategy?

A . Quantified risk triggers
B . Cost of controls
C . Regulatory requirements
D . Organizational goals

Lösung einblenden Lösung ausblenden