Free ISACA CRISC Übungsprüfungen - Seite 19 von 65

Question #181

Which of the following would be- MOST helpful to understand the impact of a new technology system on an organization’s current risk profile?

A . Hire consultants specializing m the new technology.
B . Review existing risk mitigation controls.
C . Conduct a gap analysis.
D . Perform a risk assessment.

Lösung einblenden Lösung ausblenden

Richtige Antwort: D
D

Explanation:

A risk assessment is a process of measuring and comparing the likelihood and impact of various risk scenarios, and prioritizing them based on their significance and urgency. A risk assessment can help the organization to understand and document the risks that may affect its objectives and operations, and to support the decision making and planning for the risk management.

Performing a risk assessment would be the most helpful to understand the impact of a new technology system on an organization’s current risk profile, because it can help the organization to address the following questions:

What are the potential benefits and challenges of implementing the new technology system, and how do they align with the organization’s objectives and needs?

What are the existing or emerging risks that may affect the new technology system, and how do they relate to the organization’s current risk profile?

How likely and severe are the risks that may affect the new technology system, and what are the possible consequences or impacts for the organization and its stakeholders?

How can the risks that may affect the new technology system be mitigated or prevented, and what are the available or feasible options or solutions?

Performing a risk assessment can help the organization to understand the impact of the new technology system on its current risk profile by providing the following benefits:

It can enable the comparison and evaluation of the current and desired state and performance of the organization’s risk management function, and to identify and quantify the gaps or opportunities for improvement.

It can provide useful references and benchmarks for the alignment and integration of the new technology system with the organization’s risk management function, and for the compliance with the organization’s risk policies and standards.

It can support the implementation and monitoring of the new technology system, and for the allocation and optimization of the resources, time, and budget for the new technology system.

The other options are not the most helpful to understand the impact of a new technology system on an organization’s current risk profile, because they do not provide the same level of detail and insight that performing a risk assessment provides, and they may not be specific or applicable to the organization’s objectives and needs.

Hiring consultants specializing in the new technology means engaging or contracting external experts or professionals that have the skills and knowledge on the new technology system, and that can provide advice or guidance on the implementation and management of the new technology system. Hiring consultants specializing in the new technology can help the organization to enhance its competence and performance on the new technology system, but it is not the most helpful, because it does not measure and compare the likelihood and impact of the risks that may affect the new technology system, and it may not be relevant or appropriate for the organization’s current risk profile.

Reviewing existing risk mitigation controls means examining and evaluating the adequacy and effectiveness of the controls or countermeasures that are intended to reduce or eliminate the risks that may affect the organization’s objectives and operations. Reviewing existing risk mitigation controls can help the organization to improve and optimize its risk management function, but it is not the most helpful, because it does not identify and prioritize the risks that may affect the new technology system, and it may not cover all the relevant or significant risks that may affect the new technology system.

Conducting a gap analysis means comparing and contrasting the current and desired state and performance of the organization’s objectives and operations, and identifying and quantifying the gaps or differences that need to be addressed or corrected. Conducting a gap analysis can help the organization to identify and document its improvement needs and opportunities, but it is not the most helpful, because it does not measure and compare the likelihood and impact of the risks that may affect the new technology system, and it may not be aligned or integrated with the organization’s current risk profile.

Reference: = ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 19-20, 23-24, 27-28, 31-32, 40-41, 47-48, 54-55, 58-59, 62-63 ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 208 CRISC Practice Quiz and Exam Prep

Question #182

Which of the following is MOST important to review when evaluating the ongoing effectiveness of the IT risk register?

A . The costs associated with mitigation options
B . The status of identified risk scenarios
C . The cost-benefit analysis of each risk response
D . The timeframes for risk response actions

Lösung einblenden Lösung ausblenden

Question #183

Which of the following is the GREATEST benefit when enterprise risk management (ERM) provides oversight of IT risk management?

A . Aligning IT with short-term and long-term goals of the organization
B . Ensuring the IT budget and resources focus on risk management
C . Ensuring senior management’s primary focus is on the impact of identified risk
D . Prioritizing internal departments that provide service to customers

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

Enterprise risk management (ERM) is a holistic and strategic approach to managing the risks that an organization faces across its various functions, processes, and activities. ERM aims to align the organization’s risk appetite and tolerance with its objectives and vision, and to optimize the value and performance of the organization1.

IT risk management is a subset of ERM that focuses on identifying, assessing, and mitigating the risks related to the use of information technology (IT) in the organization. IT risk management aims to ensure the confidentiality, integrity, and availability of IT resources and information, and to support the IT governance and strategy of the organization2.

The greatest benefit when ERM provides oversight of IT risk management is aligning IT with short-term and long-term goals of the organization, because it can help to:

Integrate IT risk management with the overall business strategy and risk management, and ensure that IT risks are considered and addressed at the enterprise level

Align IT risk appetite and tolerance with the business risk appetite and tolerance, and ensure that IT risks are balanced with the expected benefits and opportunities

Enhance IT risk awareness and communication among the stakeholders, and ensure that IT risks are reported and escalated appropriately

Optimize IT risk response and control, and ensure that IT risks are managed efficiently and effectively Demonstrate IT risk value and impact, and ensure that IT risks are measured and monitored against the business objectives and performance34

The other options are not the greatest benefit when ERM provides oversight of IT risk management, but rather some of the outcomes or consequences of it. Ensuring the IT budget and resources focus on risk management is a benefit that can help to allocate and prioritize the IT resources and funds according to the IT risk level and the business needs. Ensuring senior management’s primary focus is on the impact of identified risk is a benefit that can help to increase the senior management’s

involvement and accountability in IT risk management, and to support the IT risk decision making and reporting. Prioritizing internal departments that provide service to customers is a benefit that can help to improve the quality and efficiency of the IT service delivery and customer satisfaction.

Reference: =

Enterprise Risk Management – ISACA

IT Risk Management – ISACA

Aligning IT risks with Enterprise Risk Management (ERM)

Five Benefits of Enterprise Risk Management: Articles: Resources … [CRISC Review Manual, 7th Edition]

Question #184

An organization is planning to acquire a new financial system.

Which of the following stakeholders would provide the MOST relevant information for analyzing the risk associated with the new IT solution?

A . Project sponsor
B . Process owner
C . Risk manager
D . Internal auditor

Lösung einblenden Lösung ausblenden

Question #185

Which of the following is MOST important for a risk practitioner to verify when evaluating the effectiveness of an organization’s existing controls?

A . Senior management has approved the control design.
B . Inherent risk has been reduced from original levels.
C . Residual risk remains within acceptable levels.
D . Costs for control maintenance are reasonable.

Lösung einblenden Lösung ausblenden

Question #186

Which of the following risk impacts should be the PRIMARY consideration for determining recovery priorities in a disaster recovery situation?

A . Data security
B . Recovery costs
C . Business disruption
D . Recovery resource availability

Lösung einblenden Lösung ausblenden

Question #187

Which of the following represents a vulnerability?

A . An identity thief seeking to acquire personal financial data from an organization
B . Media recognition of an organization’s market leadership in its industry
C . A standard procedure for applying software patches two weeks after release
D . An employee recently fired for insubordination

Lösung einblenden Lösung ausblenden

Question #188

The BEST way for an organization to ensure that servers are compliant to security policy is to review:

A . change logs.
B . configuration settings.
C . server access logs.
D . anti-malware compliance.

Lösung einblenden Lösung ausblenden

Question #189

After entering a large number of low-risk scenarios into the risk register, it is MOST important for the risk practitioner to:

A . prepare a follow-up risk assessment.
B . recommend acceptance of the risk scenarios.
C . reconfirm risk tolerance levels.
D . analyze changes to aggregate risk.

Lösung einblenden Lösung ausblenden

Question #190

To help ensure all applicable risk scenarios are incorporated into the risk register, it is MOST important to review the:

A . risk mitigation approach
B . cost-benefit analysis.
C . risk assessment results.
D . vulnerability assessment results

Lösung einblenden Lösung ausblenden