Free ISACA CRISC Übungsprüfungen - Seite 25 von 65

Question #241

An organization uses a vendor to destroy hard drives.

Which of the following would BEST reduce the risk of data leakage?

A . Require the vendor to degauss the hard drives
B . Implement an encryption policy for the hard drives.
C . Require confirmation of destruction from the IT manager.
D . Use an accredited vendor to dispose of the hard drives.

Lösung einblenden Lösung ausblenden

Richtige Antwort: D
D

Explanation:

Data leakage is the unauthorized or accidental disclosure of sensitive or confidential data to unauthorized parties. Data leakage can cause serious damages or losses to the organization, such as data breaches, fines, lawsuits, reputational harm, or loss of customer trust. Data leakage can occur due to various reasons, such as human errors, malicious attacks, or inadequate controls1.

An organization that uses a vendor to destroy hard drives faces a risk of data leakage, as the vendor may not properly or securely destroy the hard drives, or may access or misuse the data stored on them. The best way to reduce this risk is to use an accredited vendor to dispose of the hard drives, because it means that the vendor:

Has been certified or verified by a reputable or recognized authority or organization, such as ISACA, NAID, or R2, to provide hard drive destruction services

Follows the industry standards and best practices for hard drive destruction, such as NIST 800-88 or DoD 5220.22-M, and ensures the compliance with the legal and regulatory requirements, such as HIPAA, PCI DSS, or GDPR

Provides a secure and transparent process for hard drive destruction, such as using a specialized shredder, issuing a certificate of destruction, or allowing the customer to witness the destruction Maintains a high level of professionalism and integrity, and does not compromise the confidentiality or security of the customer’s data234

The other options are not the best ways to reduce the risk of data leakage, but rather some of the steps or aspects of hard drive destruction. Require the vendor to degauss the hard drives is a step that can help to erase the data on the hard drives by using a strong magnetic field. However, degaussing may not be effective or reliable for some types of hard drives, such as solid state drives (SSDs), and it may not prevent the vendor from accessing or misusing the data before degaussing5. Implement an encryption policy for the hard drives is an aspect that can help to protect the data on the hard drives by using a cryptographic algorithm to make it unreadable without a key. However, encryption may not be sufficient or applicable for some types of data, such as metadata, and it may not prevent the vendor from accessing or misusing the key or the encrypted data6. Require confirmation of destruction from the IT manager is a step that can help to verify that the hard drives have been destroyed by the vendor, and to document the process and the outcome. However, confirmation of destruction may not be accurate or authentic, and it may not prevent the vendor from accessing or misusing the data before destruction7.

Reference: = Data Leakage – ISACA

Hard Drive Shredding Services | Hard Drive Destruction & Disposal Hard Drive Shredding and Destruction Service | CompuCycle Electronic Destruction & Recycling | Shred Nations Degaussing – ISACA

Encryption – ISACA

Certificate of Destruction – ISACA

[CRISC Review Manual, 7th Edition]

Question #242

A risk practitioner is reviewing a vendor contract and finds there is no clause to control privileged access to the organization’s systems by vendor employees.

Which of the following is the risk practitioner’s BEST course of action?

A . Contact the control owner to determine if a gap in controls exists.
B . Add this concern to the risk register and highlight it for management review.
C . Report this concern to the contracts department for further action.
D . Document this concern as a threat and conduct an impact analysis.

Lösung einblenden Lösung ausblenden

Question #243

Which of the following is MOST important for a risk practitioner to ensure once a risk action plan has been completed?

A . The risk owner has validated outcomes.
B . The risk register has been updated.
C . The control objectives are mapped to risk objectives.
D . The requirements have been achieved.

Lösung einblenden Lösung ausblenden

Question #244

Which of the following would provide executive management with the BEST information to make risk decisions as a result of a risk assessment?

A . A companion of risk assessment results to the desired state
B . A quantitative presentation of risk assessment results
C . An assessment of organizational maturity levels and readiness
D . A qualitative presentation of risk assessment results

Lösung einblenden Lösung ausblenden

Question #245

A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:

A . identification.
B . treatment.
C . communication.
D . assessment

Lösung einblenden Lösung ausblenden

Richtige Antwort: D
D

Explanation:

A risk heat map is a graphical tool that displays the results of a risk analysis in a matrix format, using colors and symbols to indicate the level and priority of the risks. A risk heat map can show the distribution and comparison of the risks based on various criteria, such as likelihood, impact, category, source, etc.

A risk heat map is most commonly used as part of an IT risk analysis to facilitate risk assessment, which is the process of determining the significance and urgency of the risks that may affect the organization’s objectives and operations. Risk assessment involves measuring and comparing the likelihood and impact of various risk scenarios, and prioritizing them based on their magnitude and importance.

A risk heat map can help to facilitate risk assessment by providing a visual and intuitive representation of the risk profile, and highlighting the most critical and relevant risks that need to be addressed or monitored. A risk heat map can also help to communicate and report the risk analysis results to different stakeholders, and to support the decision making and planning for the risk response and treatment.

The other options are not the most common uses of a risk heat map as part of an IT risk analysis, because they do not address the main purpose and benefit of a risk heat map, which is to facilitate risk assessment.

Risk identification is the process of finding and describing the risks that may affect the organization’s objectives and operations. Risk identification involves defining the risk sources, events, causes, and impacts, and documenting them in a risk register. A risk heat map is not commonly used to facilitate risk identification, because it does not provide the detailed and comprehensive information that is needed to identify and describe the risks, and it may not cover all the relevant or potential risks that may exist or emerge.

Risk treatment is the process of selecting and implementing the appropriate actions or plans to address the risks that have been identified, analyzed, and evaluated. Risk treatment involves choosing one of the following types of risk responses: mitigate, transfer, avoid, or accept. A risk heat map is not commonly used to facilitate risk treatment, because it does not provide the specific and feasible information that is needed to select and implement the risk responses, and it may not reflect the cost-benefit or feasibility analysis of the risk responses.

Risk communication is the process of exchanging and sharing the information and knowledge about the risks and their responses among the relevant stakeholders. Risk communication involves informing, consulting, and involving the stakeholders in the risk management process, and ensuring that they understand and agree on the risk objectives, criteria, and outcomes. A risk heat map is not commonly used to facilitate risk communication, because it does not provide the complete and accurate information that is needed to communicate and share the risks and their responses, and it may not address the different needs, expectations, and perspectives of the stakeholders.

Reference: = ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 19-20, 23-24, 27-28, 31-32, 40-41, 47-48, 54-55, 58-59, 62-63 ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 169 CRISC Practice Quiz and Exam Prep

Question #246

During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall.

Which of the following controls has MOST likely been compromised?

A . Data validation
B . Identification
C . Authentication
D . Data integrity

Lösung einblenden Lösung ausblenden

Richtige Antwort: C
C

Explanation:

Authentication is a control that verifies the identity of a user or a system that tries to access a computer system or network. Authentication can be based on something the user or system knows (such as a password or a PIN), something the user or system has (such as a token or a smart card), or something the user or system is (such as a fingerprint or a retina scan). Authentication is a crucial control for preventing unauthorized or malicious access to a system or network, as well as for ensuring the accountability and traceability of the actions performed by the user or system. If the authentication control is compromised, it means that the user or system can bypass or break the verification process and gain access to the system or network without being identified or authorized. This can expose the system or network to various threats, such as data theft, data corruption, data leakage, or denial of service. Therefore, the authentication control has most likely been compromised if a system administrator identifies unusual activity indicating an intruder within a firewall. A firewall is a device or a software that monitors and filters the incoming and outgoing network traffic based on predefined rules and policies. A firewall can help to protect the system or network from external or internal attacks by blocking or allowing the traffic based on the source, destination, protocol, or content. However, a firewall cannot prevent an intruder from accessing the system or network if the intruder has already authenticated or impersonated a legitimate user or system. The other options are not the most likely controls to be compromised if a system administrator identifies unusual activity indicating an intruder within a firewall, although they may be affected or related. Data validation is a control that checks the accuracy, completeness, and quality of the data that is entered, processed, or stored by a system or a network. Data validation can

help to prevent or detect data errors, anomalies, or inconsistencies that may affect the performance, functionality, or reliability of the system or network. However, data validation does not prevent or detect unauthorized or malicious access to the system or network, as it only focuses on the data, not the user or system. Identification is a control that assigns a unique identifier to a user or a system that tries to access a computer system or network. Identification can be based on a username, an email address, a phone number, or a certificate. Identification is a necessary but not sufficient control for preventing unauthorized or malicious access to a system or network, as it only declares who or what the user or system is, but does not prove it. Identification needs to be combined with authentication to verify the identity of the user or system. Data integrity is a control that ensures that the data is accurate, consistent, and complete throughout its lifecycle. Data integrity can be achieved by implementing various controls, such as encryption, hashing, checksum, digital signature, or backup. Data integrity can help to protect the data from unauthorized or accidental modification, deletion, or corruption that may affect the value, meaning, or usability of the data. However, data integrity does not prevent or detect unauthorized or malicious access to the system or network, as it only protects the data, not the user or system.

Reference: = CRISC Review Manual, pages 164-1651; CRISC Review Questions, Answers & Explanations Manual, page 952; What is Authentication? – Definition from Techopedia3; What is a Firewall? – Definition from Techopedia4

Question #247

While reviewing an organization’s monthly change management metrics, a risk practitioner notes that the number of emergency changes has increased substantially.

Which of the following would be the BEST approach for the risk practitioner to take?

A . Temporarily suspend emergency changes.
B . Document the control deficiency in the risk register.
C . Conduct a root cause analysis.
D . Continue monitoring change management metrics.

Lösung einblenden Lösung ausblenden

Question #248

Which of the following is the GREATEST risk associated with inappropriate classification of data?

A . Inaccurate record management data
B . Users having unauthorized access to data
C . Inaccurate recovery time objectives (RTOs)
D . Lack of accountability for data ownership

Lösung einblenden Lösung ausblenden

Question #249

Which of the following is the BEST metric to demonstrate the effectiveness of an organization’s change management process?

A . Increase in the frequency of changes
B . Percent of unauthorized changes
C . Increase in the number of emergency changes
D . Average time to complete changes

Lösung einblenden Lösung ausblenden

Richtige Antwort: B
B

Explanation:

A change management process is a set of procedures and activities that aim to ensure that changes in an organization’s IT systems and services are implemented in a controlled and coordinated manner. The effectiveness of a change management process can be measured by how well it reduces the risks and costs associated with changes, and how well it supports the business objectives and customer expectations. One of the best metrics to demonstrate the effectiveness of a change management process is the percent of unauthorized changes. Unauthorized changes are changes that are made without following the established change management process, such as obtaining approval, documenting the change, testing the change, and communicating the change. Unauthorized changes can introduce errors, defects, security breaches, and disruptions to the IT systems and services, and can negatively affect the business performance and customer satisfaction. Therefore, a low percent of unauthorized changes indicates that the change management process is effective in ensuring that changes are properly planned, approved, executed, and monitored. The other options are not the best metrics to demonstrate the effectiveness of a change management process, as they do not directly reflect the quality and control of the changes. An increase in the frequency of changes may indicate that the organization is agile and responsive to the changing business needs and customer demands, but it does not necessarily mean that the changes are well-managed and beneficial. An increase in the number of emergency changes may indicate that the organization is able to handle urgent and critical situations, but it may also suggest that the organization is reactive and lacks proper planning and analysis of the changes. The average time to complete changes may indicate the efficiency and speed of the change management process, but it does not measure the effectiveness and value of the changes.

Reference: = CRISC Review Manual, pages 156-1571; CRISC Review Questions, Answers & Explanations Manual, page 712

Question #250

Which of the following requirements is MOST important to include in an outsourcing contract to help ensure sensitive data stored with a service provider is secure?

A . A third-party assessment report of control environment effectiveness must be provided at least annually.
B . Incidents related to data toss must be reported to the organization immediately after they occur.
C . Risk assessment results must be provided to the organization at least annually.
D . A cyber insurance policy must be purchased to cover data loss events.

Lösung einblenden Lösung ausblenden