Free ISACA CRISC Übungsprüfungen - Seite 27 von 65

Question #261

An organization has decided to commit to a business activity with the knowledge that the risk exposure is higher than the risk appetite.

Which of the following is the risk practitioner’s MOST important action related to this decision?

A . Recommend risk remediation
B . Change the level of risk appetite
C . Document formal acceptance of the risk
D . Reject the business initiative

Lösung einblenden Lösung ausblenden

Question #262

During the initial risk identification process for a business application, it is MOST important to include which of the following stakeholders?

A . Business process owners
B . Business process consumers
C . Application architecture team
D . Internal audit

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

The MOST important stakeholders to include during the initial risk identification process for a business application are the business process owners, because they are the ones who have the authority and responsibility for the business processes that are supported or enabled by the business application. The business process owners can provide valuable input and feedback on the business objectives, requirements, and expectations of the business application, as well as the potential risks, impacts, and opportunities that may affect the business processes and outcomes. The other options are not as important as the business process owners, because:

Option B: Business process consumers are the ones who use or benefit from the business processes that are supported or enabled by the business application, such as customers, employees, or partners. They can provide useful information and perspectives on the user needs, preferences, and satisfaction of the business application, but they are not as important as the business process owners, who have the ultimate accountability and authority for the business processes and outcomes.

Option C: Application architecture team is the one who designs and develops the technical architecture and components of the business application, such as the hardware, software, network, and data. They can provide technical expertise and guidance on the feasibility, functionality, and security of the business application, but they are not as important as the business process owners, who have the primary stake and interest in the business application and its alignment with the business processes and objectives.

Option D: Internal audit is the one who provides independent assurance and consulting services on the governance, risk management, and control processes of the organization, including the business application. They can provide objective and impartial evaluation and recommendation on the effectiveness and efficiency of the business application and its compliance with the internal and external standards and regulations, but they are not as important as the business process owners, who have the direct involvement and influence on the business application and its performance and value.

Reference: = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 103.

Question #263

During a review of the asset life cycle process, a risk practitioner identified several unreturned and unencrypted laptops belonging to former employees.

Which of the following is the GREATEST concern with this finding?

A . Insufficient laptops for existing employees
B . Abuse of leavers‘ account privileges
C . Unauthorized access to organizational data
D . Financial cost of replacing the laptops

Lösung einblenden Lösung ausblenden

Question #264

A risk practitioner recently discovered that sensitive data from the production environment is required for testing purposes in non-production environments.

Which of the following i the BEST recommendation to address this situation?

A . Enable data encryption in the test environment
B . Implement equivalent security in the test environment.
C . Prevent the use of production data for test purposes
D . Mask data before being transferred to the test environment.

Lösung einblenden Lösung ausblenden

Question #265

Which of the following will be MOST effective to mitigate the risk associated with the loss of company data stored on personal devices?

A . An acceptable use policy for personal devices
B . Required user log-on before synchronizing data
C . Enforced authentication and data encryption
D . Security awareness training and testing

Lösung einblenden Lösung ausblenden

Richtige Antwort: C
C

Explanation:

The risk associated with the loss of company data stored on personal devices is that the data may be accessed, disclosed, or modified by unauthorized parties, resulting in confidentiality, integrity, or availability breaches1. The most effective way to mitigate this risk is to enforce authentication and data encryption on the personal devices that store company data. Authentication is a process that verifies the identity of the user or device that is accessing the data, and prevents unauthorized access by requiring a password, a code, a biometric factor, or a combination of these2. Data encryption is a technique that transforms the data into an unreadable format, and requires a key to decrypt and restore the data to its original format3. By enforcing authentication and data encryption on the personal devices, the organization can ensure that only authorized users or devices can access the company data, and that the data is protected from unauthorized disclosure or modification even if the device is lost or stolen4. An acceptable use policy for personal devices, required user log-on before synchronizing data, and security awareness training and testing are not the most effective ways to mitigate the risk associated with the loss of company data stored on personal devices, as they do not provide the same level of protection as authentication and data encryption. An acceptable use policy for personal devices is a document that defines the rules and guidelines for using personal devices for work purposes, such as the types of devices, data, and applications that are allowed, the security measures that are required, and the responsibilities and liabilities of the users and the organization5. An acceptable use policy for personal devices can help to establish a common understanding and expectation for the use of personal devices, but it does not enforce or guarantee the compliance or effectiveness of the security measures. Required user log-on before synchronizing data is a technique that requires the user to enter their credentials before they can transfer or update the data between their personal device and the company network or system6. Required user log-on before synchronizing data can help to prevent unauthorized synchronization of data, but it does not protect the data that is already stored on the personal device. Security awareness training and testing is a process that educates and evaluates the users on the security risks and best practices for using personal devices for work purposes, such as the importance of using strong passwords, updating software, avoiding phishing emails, and reporting incidents7. Security awareness training and testing can help to increase the knowledge and behavior of the users, but it does not ensure or monitor the implementation or performance of the security measures.

Reference: = 1: BYOD security: What are the risks and how can they be mitigated?2: What is Multi-Factor Authentication (MFA)? | Duo Security3: [What is Data Encryption? | Definition and FAQs] 4: How to mitigate the risks of using personal devices in the workplace5: BYOD Policy Template – Get Free Sample6: How to Sync Your Phone With Windows 10 | PCMag7: Security Awareness Training: What Is It and Why Is It Important?

Question #266

An organization has detected unauthorized logins to its client database servers.

Which of the following should be of GREATEST concern?

A . Potential increase in regulatory scrutiny
B . Potential system downtime
C . Potential theft of personal information
D . Potential legal risk

Lösung einblenden Lösung ausblenden

Richtige Antwort: C
C

Explanation:

Potential theft of personal information should be of greatest concern for an organization that has detected unauthorized logins to its client database servers, as it poses a serious threat to the confidentiality, integrity, and availability of the client data and the reputation and trust of the organization. Potential theft of personal information is a scenario that involves the unauthorized access, disclosure, or use of the client data by malicious actors, such as hackers, competitors, or insiders. Potential theft of personal information can have significant impacts and consequences for the organization and its clients, such as:

It can compromise the privacy and security of the client data, and expose the clients to identity theft, fraud, or blackmail.

It can violate the legal and regulatory obligations and requirements of the organization, such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), or the Payment Card Industry Data Security Standard (PCI DSS), and result in fines, penalties, or lawsuits.

It can damage the reputation and credibility of the organization, and erode the confidence and loyalty of the clients, and lead to loss of business or market share.

The other options are not the greatest concerns for an organization that has detected unauthorized logins to its client database servers. Potential increase in regulatory scrutiny is a possible consequence of the unauthorized logins, as it may trigger audits, investigations, or sanctions by the relevant authorities, but it is not the most critical or immediate concern. Potential system downtime is a possible consequence of the unauthorized logins, as it may disrupt or degrade the performance or availability of the database servers or the applications that depend on them, but it is not the most severe or lasting concern. Potential legal risk is a possible consequence of the unauthorized logins, as it may expose the organization to litigation or liability claims by the affected clients or parties, but it is not the most direct or urgent concern.

Reference: = Data Breach Response: A Guide for Business – Federal Trade Commission, IT Risk Resources | ISACA, How to Prevent Unauthorized Access to Your Database – ScaleGrid

Question #267

Which of the following should be the PRIMARY driver for the prioritization of risk responses?

A . Residual risk
B . Risk appetite
C . Mitigation cost
D . Inherent risk

Lösung einblenden Lösung ausblenden

Question #268

An organization practices the principle of least privilege.

To ensure access remains appropriate, application owners should be required to review user access rights on a regular basis by obtaining:

A . business purpose documentation and software license counts
B . an access control matrix and approval from the user’s manager
C . documentation indicating the intended users of the application
D . security logs to determine the cause of invalid login attempts

Lösung einblenden Lösung ausblenden

Question #269

Which of the following will BEST support management repotting on risk?

A . Risk policy requirements
B . A risk register
C . Control self-assessment
D . Key performance Indicators

Lösung einblenden Lösung ausblenden

Question #270

Which of the following should be the HIGHEST priority when developing a risk response?

A . The risk response addresses the risk with a holistic view.
B . The risk response is based on a cost-benefit analysis.
C . The risk response is accounted for in the budget.
D . The risk response aligns with the organization’s risk appetite.

Lösung einblenden Lösung ausblenden

Richtige Antwort: D
D

Explanation:

A risk response is the action or plan that is taken to address a specific risk that has been identified, analyzed, and evaluated. It can be one of the following types: mitigate, transfer, avoid, or accept. The highest priority when developing a risk response is to ensure that it aligns with the organization’s risk appetite, which is the amount and type of risk that the organization is willing to accept in pursuit of its goals. The risk appetite is usually expressed as a range or a threshold, and it is aligned with the organization’s strategy and culture.

Aligning the risk response with the organization’s risk appetite ensures that the risk response is consistent, appropriate, and proportional to the level and nature of the risk, and that it supports the organization’s objectives and values. It also helps to optimize the balance between risk and return, and to create and protect value for the organization and its stakeholders.

The other options are not the highest priority when developing a risk response, because they do not address the fundamental question of whether the risk response is suitable and acceptable for the organization.

The risk response addresses the risk with a holistic view means that the risk response considers the interrelationships and dependencies among the risk sources, events, impacts, and responses, and the potential secondary and residual effects of the risk response. This is important to ensure that the risk response is comprehensive and effective, and that it does not create new or unintended risks, but it is not the highest priority when developing a risk response, because it does not indicate whether the risk response is aligned with the organization’s risk appetite.

The risk response is based on a cost-benefit analysis means that the risk response compares the expected costs and benefits of implementing the risk response, and selects the risk response that provides the most favorable net outcome. This is important to ensure that the risk response is efficient and economical, and that it maximizes the return on investment, but it is not the highest priority when developing a risk response, because it does not indicate whether the risk response is aligned with the organization’s risk appetite.

The risk response is accounted for in the budget means that the risk response is included in the financial plan and allocation of resources for the organization or the project. This is important to ensure that the risk response is feasible and realistic, and that it has the necessary funding and support, but it is not the highest priority when developing a risk response, because it does not indicate whether the risk response is aligned with the organization’s risk appetite.

Reference: = ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 29-30, 34-35, 38-39, 44-45, 50-51, 54-55 ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 147