Free ISACA CRISC Übungsprüfungen - Seite 18 von 65

Question #171

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an anti-virus program?

A . Frequency of anti-virus software updates
B . Number of alerts generated by the anti-virus software
C . Number of false positives detected over a period of time
D . Percentage of IT assets with current malware definitions

Lösung einblenden Lösung ausblenden

Question #172

The acceptance of control costs that exceed risk exposure is MOST likely an example of:

A . low risk tolerance.
B . corporate culture misalignment.
C . corporate culture alignment.
D . high risk tolerance

Lösung einblenden Lösung ausblenden

Richtige Antwort: B
B

Explanation:

Corporate culture is the set of values, beliefs, and norms that shape the behavior and attitude of an organization and its people. Corporate culture alignment is the degree of consistency and compatibility between the corporate culture and the organization’s vision, mission, strategy, and objectives. Corporate culture misalignment is the situation where the corporate culture is not aligned with the organization’s goals and expectations, and may hinder or undermine the achievement of those goals. The acceptance of control costs that exceed risk exposure is most likely an example of corporate culture misalignment, as it indicates that the organization is not following a rational and optimal approach to risk management. The organization is spending more resources on controlling risks than the potential benefits or losses that the risks entail, which may result in inefficiency, waste, or opportunity cost. The organization may also be overemphasizing the importance of risk avoidance or mitigation, and neglecting the potential value creation or innovation that may arise from taking or accepting some risks. The other options are not the best answers, as they do not explain the situation of accepting control costs that exceed risk exposure. Low risk tolerance is the degree of variation from the risk appetite that the organization is not willing to accept. Low risk tolerance may lead to excessive or unnecessary controls, but it does not necessarily mean that the control costs exceed the risk exposure. High risk tolerance is the degree of variation from the risk appetite that the organization is willing to accept. High risk tolerance may lead to insufficient or ineffective controls, but it does not imply that the control costs exceed the risk exposure. Corporate culture alignment is the situation where the corporate culture is aligned with the organization’s goals and expectations, and supports and facilitates the achievement of those goals. Corporate culture alignment would not result in accepting control costs that exceed risk exposure, as it would imply a balanced and rational approach to risk management.

Reference: = CRISC Review Manual, pages 22-231; CRISC Review Questions, Answers & Explanations Manual, page 812

Question #173

Which of the following is the PRIMARY reason for a risk practitioner to report changes and trends in the IT risk profile to senior management?

A . To ensure risk owners understand their responsibilities
B . To ensure IT risk is managed within acceptable limits
C . To ensure the organization complies with legal requirements
D . To ensure the IT risk awareness program is effective

Lösung einblenden Lösung ausblenden

Question #174

Which element of an organization’s risk register is MOST important to update following the commissioning of a new financial reporting system?

A . Key risk indicators (KRIs)
B . The owner of the financial reporting process
C . The risk rating of affected financial processes
D . The list of relevant financial controls

Lösung einblenden Lösung ausblenden

Question #175

It is MOST important to the effectiveness of an IT risk management function that the associated processes are:

A . aligned to an industry-accepted framework.
B . reviewed and approved by senior management.
C . periodically assessed against regulatory requirements.
D . updated and monitored on a continuous basis.

Lösung einblenden Lösung ausblenden

Richtige Antwort: D
D

Explanation:

The effectiveness of an IT risk management function depends on how well it can identify, analyze, evaluate, and treat the IT-related risks that may affect the organization’s objectives and performance. To achieve this, the IT risk management function needs to have processes that are updated and monitored on a continuous basis, so that they can capture the changes in the IT environment, the business context, the risk appetite and tolerance, and the regulatory requirements. Updating and monitoring the IT risk management processes also helps to ensure that they are consistent, reliable, and efficient, and that they provide timely and accurate information for decision making and reporting12. Aligning the IT risk management processes to an industry-accepted framework is important, but not the most important factor for the effectiveness of the function. A framework provides a common language, structure, and methodology for IT risk management, but it does not guarantee that the processes are updated and monitored on a continuous basis. A framework also needs to be customized and adapted to the specific needs and context of the organization3. Reviewing and approving the IT risk management processes by senior management is important, but not the most important factor for the effectiveness of the function. Senior management support and endorsement are essential for establishing the tone and culture of IT risk management, as well as for allocating the necessary resources and authority for the function. However, senior management review and approval alone do not ensure that the processes are updated and monitored on a continuous basis. Senior management also need to oversee and evaluate the performance and outcomes of the IT risk management function4. Periodically assessing the IT risk management processes against regulatory requirements is important, but not the most important factor for the effectiveness of the function. Regulatory compliance is one of the objectives and drivers of IT risk management, and it requires the function to adhere to the applicable laws, rules, and standards. However, regulatory requirements are not the only source of IT risk, and they may not cover all the aspects and dimensions of IT risk management. Moreover, periodic assessment may not be sufficient to capture the dynamic and evolving nature of IT risk. Therefore, the IT risk management processes need to be updated and monitored on a continuous basis, not only to meet the regulatory requirements, but also to address the other sources and impacts of IT risk5.

Reference: = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Response,

Section 3.1: Risk Response Process, pp. 121-123.

Question #176

Which of the following BEST assists in justifying an investment in automated controls?

A . Cost-benefit analysis
B . Alignment of investment with risk appetite
C . Elimination of compensating controls
D . Reduction in personnel costs

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

A cost-benefit analysis is the best method to assist in justifying an investment in automated controls, as it helps to compare and evaluate the costs and benefits of the investment and to determine its feasibility and profitability. A cost-benefit analysis is a process of identifying, measuring, and comparing the expected costs and benefits of a project or a decision, such as investing in automated controls. A cost-benefit analysis can help to justify an investment in automated controls by providing the following benefits:

It enables a data-driven and evidence-based approach to decision making, rather than relying on subjective or qualitative judgments.

It facilitates a consistent and standardized way of assessing and communicating the value and impact of the investment across the organization and to the external stakeholders.

It supports the alignment of the investment with the organizational strategy and objectives, and helps to evaluate the achievement of the desired outcomes.

It helps to identify and prioritize the opportunities and challenges of the investment, and to develop and implement appropriate strategies and actions to address them.

It provides feedback and learning opportunities for the investment and its outcomes, and helps to foster a culture of continuous improvement and innovation.

The other options are not the best methods to assist in justifying an investment in automated controls. Alignment of investment with risk appetite is an important aspect of risk management, but it does not directly address the costs and benefits of the investment. Risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives. Alignment of investment with risk appetite helps to ensure that the investment is consistent with the organizational risk tolerance and preferences, and does not expose the organization to excessive or unacceptable risk. Elimination of compensating controls is a possible benefit of investing in automated controls, but it is not a method to justify the investment. Compensating controls are alternative or additional controls that are implemented to mitigate the risk when the primary or preferred controls are not feasible or effective. Elimination of compensating controls can help to reduce the complexity and costs of the control environment, and to improve the efficiency and reliability of the controls. Reduction in personnel costs is a possible benefit of investing in automated controls, but it is not a method to justify the investment. Personnel costs are the expenses related to the staff and employees involved in the processes or functions that are automated. Reduction in personnel costs can help to increase the profitability and productivity of the organization, and to allocate the resources more effectively and efficiently.

Reference: = Cost Benefit Analysis: An Expert Guide | Smartsheet, IT Risk Resources | ISACA, Automation – Efficiency, Cost-Savings, Robotics | Britannica

Question #177

The risk associated with data loss from a website which contains sensitive customer information is BEST owned by:

A . the third-party website manager
B . the business process owner
C . IT security
D . the compliance manager

Lösung einblenden Lösung ausblenden

Question #178

The operational risk associated with attacks on a web application should be owned by the individual in charge of:

A . network operations.
B . the cybersecurity function.
C . application development.
D . the business function.

Lösung einblenden Lösung ausblenden

Richtige Antwort: D
D

Explanation:

The operational risk associated with attacks on a web application should be owned by the individual in charge of the business function, because they are the primary stakeholder and beneficiary of the web application, and they are responsible for defining and achieving the business objectives and requirements that the web application supports or enables. An operational risk is a risk of loss or damage resulting from inadequate or failed internal processes, people, or systems, or from external events. An attack on a web application is a type of operational risk that involves a malicious or unauthorized attempt to compromise the confidentiality, integrity, or availability of the web application, such as a denial-of-service attack, a SQL injection attack, or a cross-site scripting attack. A web application is an application that runs on a web server and can be accessed or used through a web browser, such as an online shopping site, a social media platform, or a web-based email service. A business function is a set of activities or tasks that support or enable the organization’s vision, mission, and strategy, such as marketing, sales, or customer service. A risk owner is a person or role that has the authority and accountability to manage a specific risk, and to implement and monitor the risk response and controls. The individual in charge of the business function should be the risk owner, as they have the best understanding and interest of the web application and its business value and impact, and they have the ability and responsibility to manage the operational risk associated with the attacks on the web application. The individual in charge of network operations, the cybersecurity function, or application development are all possible candidates for the risk owner, but they are not the best choice, as they may not have the same level of stake and influence in the web application and its business objectives and requirements, and they may have different or conflicting priorities or perspectives on the operational risk and its management.

Reference: = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.4.1, page 101

Question #179

Which of the following is MOST important for senior management to review during an acquisition?

A . Risk appetite and tolerance
B . Risk framework and methodology
C . Key risk indicator (KRI) thresholds
D . Risk communication plan

Lösung einblenden Lösung ausblenden

Question #180

Following a significant change to a business process, a risk practitioner believes the associated risk has been reduced. The risk practitioner should advise the risk owner to FIRST

A . review the key risk indicators.
B . conduct a risk analysis.
C . update the risk register
D . reallocate risk response resources.

Lösung einblenden Lösung ausblenden