Free ISACA CRISC Übungsprüfungen - Seite 24 von 65

Question #231

Which of the following would be the GREATEST challenge when implementing a corporate risk framework for a global organization?

A . Privacy risk controls
B . Business continuity
C . Risk taxonomy
D . Management support

Lösung einblenden Lösung ausblenden

Question #232

Which of the following is the BEST way to identify changes in the risk profile of an organization?

A . Monitor key risk indicators (KRIs).
B . Monitor key performance indicators (KPIs).
C . Interview the risk owner.
D . Conduct a gap analysis

Lösung einblenden Lösung ausblenden

Question #233

Which of the following scenarios represents a threat?

A . Connecting a laptop to a free, open, wireless access point (hotspot)
B . Visitors not signing in as per policy
C . Storing corporate data in unencrypted form on a laptop
D . A virus transmitted on a USB thumb drive

Lösung einblenden Lösung ausblenden

Question #234

Who is BEST suited to provide information to the risk practitioner about the effectiveness of a technical control associated with an application?

A . System owner
B . Internal auditor
C . Process owner
D . Risk owner

Lösung einblenden Lösung ausblenden

Question #235

An organization has outsourced its lease payment process to a service provider who lacks evidence of compliance with a necessary regulatory standard.

Which risk treatment was adopted by the organization?

A . Acceptance
B . Transfer
C . Mitigation
D . Avoidance

Lösung einblenden Lösung ausblenden

Question #236

Because of a potential data breach, an organization has decided to temporarily shut down its online sales order system until sufficient controls can be implemented.

Which risk treatment has been selected?

A . Avoidance
B . Acceptance
C . Mitigation
D . Transfer

Lösung einblenden Lösung ausblenden

Question #237

A risk practitioner is summarizing the results of a high-profile risk assessment sponsored by senior management.

The BEST way to support risk-based decisions by senior management would be to:

A . map findings to objectives.
B . provide quantified detailed analysis
C . recommend risk tolerance thresholds.
D . quantify key risk indicators (KRls).

Lösung einblenden Lösung ausblenden

Question #238

Which of the following activities is PRIMARILY the responsibility of senior management?

A . Bottom-up identification of emerging risks
B . Categorization of risk scenarios against a standard taxonomy
C . Prioritization of risk scenarios based on severity
D . Review of external loss data

Lösung einblenden Lösung ausblenden

Richtige Antwort: C
C

Explanation:

The primary responsibility of senior management in risk management is to prioritize the risk scenarios based on severity. Risk scenarios are hypothetical events or situations that could affect the achievement of the objectives. Risk severity is a measure of the overall level of risk, based on the combination of the probability and impact of the risk scenario. Prioritizing the risk scenarios based on severity is the primary responsibility of senior management, because it helps to allocate the resources and actions to the most critical and urgent risks, and to align the risk management process with the organizational strategy and risk appetite. Senior management also has the authority and accountability to make the final decisions and approve the risk response plans for the prioritized risks. The other options are not the primary responsibility of senior management, although they may be involved or consulted in these activities. Bottom-up identification of emerging risks is a process of identifying and reporting the new or changing risks that may arise from the operational or tactical level of the organization. This is usually the responsibility of the risk owners or the risk practitioners, who have the knowledge and experience of the specific functions and processes. Categorization of risk scenarios against a standard taxonomy is a process of classifying and organizing the risk scenarios into predefined categories or groups, based on their nature, source, or impact. This is usually the responsibility of the risk analysts or the risk coordinators, who have the skills and tools to perform the risk analysis and assessment. Review of external loss data is a process of collecting and analyzing the data and information on the losses or incidents that occurred in other organizations or industries, due to similar or related risks. This is usually the responsibility of the risk researchers or the risk consultants, who have the access and expertise to obtain and interpret the external data and information.

Reference: = The Role of Executive Management in ERM – Corporate Compliance Insights, Guidelines on Risk Management Practices C Board and Senior Management, Risk Manager Job Description [+2023 TEMPLATE] – Workable

Question #239

An organization’s recovery team is attempting to recover critical data backups following a major flood in its data center. However, key team members do not know exactly what steps should be taken to address this crisis.

Which of the following is the MOST likely cause of this situation?

A . Failure to test the disaster recovery plan (DRP)
B . Lack of well-documented business impact analysis (BIA)
C . Lack of annual updates to the disaster recovery plan (DRP)
D . Significant changes in management personnel

Lösung einblenden Lösung ausblenden

Question #240

Which of the following is the MOST effective way to help ensure accountability for managing risk?

A . Assign process owners to key risk areas.
B . Obtain independent risk assessments.
C . Assign incident response action plan responsibilities.
D . Create accurate process narratives.

Lösung einblenden Lösung ausblenden