Free ISACA CRISC Übungsprüfungen - Seite 2 von 65

Question #11

An organization requires a third party for processing customer personal data.

Which of the following is the BEST approach when sharing data over a public network?

A . Include a nondisclosure agreement (NDA) for personal data in the contract.
B . Implement a digital rights protection tool to monitor data.
C . Use a virtual private network (VPN) to communicate data.
D . Transfer a read-only version of the data.

Lösung einblenden Lösung ausblenden

Question #12

Which of the following MOST effectively limits the impact of a ransomware attack?

A . Cyber insurance
B . Cryptocurrency reserve
C . Data backups
D . End user training

Lösung einblenden Lösung ausblenden

Question #13

Following a review of a third-party vendor, it is MOST important for an organization to ensure:

A . results of the review are accurately reported to management.
B . identified findings are reviewed by the organization.
C . results of the review are validated by internal audit.
D . identified findings are approved by the vendor.

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

A review of a third-party vendor is a process that involves examining and evaluating the performance, quality, and compliance of the vendor that provides a product or service to the organization1. A review of a third-party vendor can help to identify and address the risks and issues that may arise from the vendor relationship, such as data breaches, service disruptions, contract violations, or reputation damage2. Following a review of a third-party vendor, it is most important for an organization to ensure that the results of the review are accurately reported to management, as this will enable the management to make informed and timely decisions and actions based on the findings and recommendations of the review. Accurate reporting of the results of the review will also help to establish and maintain the trust and transparency between the organization and the vendor, and to demonstrate the accountability and responsibility of the organization for its vendor risk management3. Identified findings are reviewed by the organization, results of the review are validated by internal audit, and identified findings are approved by the vendor are not the most important things to ensure following a review of a third-party vendor, as they do not provide the same level of impact and value as accurate reporting of the results of the review. Identified findings are reviewed by the organization is a process that involves analyzing and interpreting the outcomes and implications of the review of a third-party vendor, and determining the appropriate risk responses and actions to address the findings4. This is an important step in the vendor risk management process, but it is not the most important thing to ensure following a review of a third-party vendor, as it does not communicate or inform the management or the vendor of the results of the review. Results of the review are validated by internal audit is a process that involves verifying and confirming the accuracy and reliability of the review of a third-party vendor, and providing assurance and advice on the adequacy and effectiveness of the vendor risk management. This is an important step in the vendor risk management process, but it is not the most important thing to ensure following a review of a third-party vendor, as it does not report or share the results of the review with the management or the vendor. Identified findings are approved by the vendor is a process that involves obtaining the consent and agreement of the vendor on the outcomes and recommendations of the review of a third-party vendor, and ensuring their cooperation and compliance with the risk responses and actions. This is an important step in the vendor risk management process, but it is not the most important thing to ensure following a review of a third-party vendor, as it does not report or inform the management of the results of the review.

Reference: = 1: The guide to third-party vendor reviews – TerraTrue HQ | TerraTrue2: 4 Tips For Organizations To Evaluate Third-Party Vendors C Forbes Advisor3: Vendor Risk Management: Best Practices for 2023 – Venminder4: [Risk and Information Systems Control Study Manual, Chapter 3: Risk Response, Section 3.1: Risk Response Options, pp. 113-115.]: [IT Risk Resources | ISACA]: Who Is Considered a Third Party or Vendor? – Venminder: [Risk and Information Systems Control Study Manual, Chapter 2: IT Risk Assessment, Section 2.1: Risk Identification, pp. 57-59.]: [Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.2: Risk Monitoring, pp. 189-191.]: [Risk and Information Systems Control Study Manual, Chapter 5: Information Systems Control Design and Implementation, Section 5.1: Control Design, pp. 233-235.]: [Risk and Information Systems Control Study Manual, Chapter 5: Information Systems Control Design and Implementation, Section 5.2: Control Implementation, pp. 243-245.]: [Risk and Information Systems Control Study Manual, Chapter 5: Information Systems Control Design and Implementation, Section 5.3: Control Monitoring and Maintenance, pp. 251-253.]

Question #14

Which of the following should be of GREATEST concern lo a risk practitioner reviewing the implementation of an emerging technology?

A . Lack of alignment to best practices
B . Lack of risk assessment
C . Lack of risk and control procedures
D . Lack of management approval

Lösung einblenden Lösung ausblenden

Question #15

Which of the following is the PRIMARY role of the board of directors in corporate risk governance?

A . Approving operational strategies and objectives
B . Monitoring the results of actions taken to mitigate risk
C . Ensuring the effectiveness of the risk management program
D . Ensuring risk scenarios are identified and recorded in the risk register

Lösung einblenden Lösung ausblenden

Question #16

A penetration test reveals several vulnerabilities in a web-facing application.

Which of the following should be the FIRST step in selecting a risk response?

A . Correct the vulnerabilities to mitigate potential risk exposure.
B . Develop a risk response action plan with key stakeholders.
C . Assess the level of risk associated with the vulnerabilities.
D . Communicate the vulnerabilities to the risk owner.

Lösung einblenden Lösung ausblenden

Question #17

A recent regulatory requirement has the potential to affect an organization’s use of a third party to supply outsourced business services.

Which of the following is the BEST course of action?

A . Conduct a gap analysis.
B . Terminate the outsourcing agreement.
C . Identify compensating controls.
D . Transfer risk to the third party.

Lösung einblenden Lösung ausblenden

Question #18

Of the following, who is BEST suited to assist a risk practitioner in developing a relevant set of risk scenarios?

A . Internal auditor
B . Asset owner
C . Finance manager
D . Control owner

Lösung einblenden Lösung ausblenden

Question #19

Which of the following is the PRIMARY reason to use key control indicators (KCIs) to evaluate control operating effectiveness?

A . To measure business exposure to risk
B . To identify control vulnerabilities
C . To monitor the achievement of set objectives
D . To raise awareness of operational issues

Lösung einblenden Lösung ausblenden

Question #20

The software version of an enterprise’s critical business application has reached end-of-life and is no longer supported by the vendor. IT has decided to develop an in-house replacement application.

Which of the following should be the PRIMARY concern?

A . The system documentation is not available.
B . Enterprise risk management (ERM) has not approved the decision.
C . The board of directors has not approved the decision.
D . The business process owner is not an active participant.

Lösung einblenden Lösung ausblenden