Free ISACA CRISC Übungsprüfungen - Seite 28 von 65

Question #271

When reporting on the performance of an organization’s control environment including which of the following would BEST inform stakeholders risk decision-making?

A . The audit plan for the upcoming period
B . Spend to date on mitigating control implementation
C . A report of deficiencies noted during controls testing
D . A status report of control deployment

Lösung einblenden Lösung ausblenden

Richtige Antwort: C
C

Explanation:

A report of deficiencies noted during controls testing is the best option to inform stakeholders risk decision-making, as it provides an accurate and timely assessment of the effectiveness and efficiency of the organization’s control environment. A report of deficiencies noted during controls testing is a document that summarizes the results of the testing activities performed on the organization’s internal controls, such as design, implementation, operation, and monitoring.

A report of deficiencies noted during controls testing should include the following elements:

The scope, objectives, and methodology of the controls testing

The criteria and standards used to evaluate the controls

The findings and observations of the testing process

The root causes and impacts of the identified deficiencies

The recommendations and action plans to address the deficiencies

The roles and responsibilities of the stakeholders involved in the remediation process

A report of deficiencies noted during controls testing helps to inform stakeholders risk decision-making by providing them with relevant and reliable information on the current state of the organization’s control environment. It also helps to identify and prioritize the areas for improvement and enhancement of the control environment. A report of deficiencies noted during controls testing also facilitates the communication, collaboration, and accountability among the stakeholders involved in the risk management and control processes.

The other options are not the best options to inform stakeholders risk decision-making. The audit plan for the upcoming period is a document that outlines the scope, objectives, and methodology of the planned audit activities, but it does not provide any information on the actual performance of the organization’s control environment. Spend to date on mitigating control implementation is a measure of the resources and costs incurred to implement the risk response actions, but it does not indicate the effectiveness or efficiency of the control environment. A status report of control deployment is a document that tracks and monitors the progress and performance of the control implementation process, but it does not evaluate the quality or adequacy of the control environment.

Reference: = Internal Control Deficiencies: Identification, Reporting and Communication, IT Risk Resources | ISACA, Internal Control Testing: Techniques, Types, and Examples

Question #272

A risk practitioner has been notified that an employee sent an email in error containing customers‘ personally identifiable information (Pll).

Which of the following is the risk practitioner’s BEST course of action?

A . Report it to the chief risk officer.
B . Advise the employee to forward the email to the phishing team.
C . follow incident reporting procedures.
D . Advise the employee to permanently delete the email.

Lösung einblenden Lösung ausblenden

Question #273

Which of the following should be the FIRST course of action if the risk associated with a new technology is found to be increasing?

A . Re-evaluate current controls.
B . Revise the current risk action plan.
C . Escalate the risk to senior management.
D . Implement additional controls.

Lösung einblenden Lösung ausblenden

Question #274

Which of the following is MOST important to identify when developing generic risk scenarios?

A . The organization’s vision and mission
B . Resources required for risk mitigation
C . Impact to business objectives
D . Risk-related trends within the industry

Lösung einblenden Lösung ausblenden

Question #275

An organization has outsourced its billing function to an external service provider.

Who should own the risk of customer data leakage caused by the service provider?

A . The service provider
B . Vendor risk manager
C . Legal counsel
D . Business process owner

Lösung einblenden Lösung ausblenden

Question #276

Which of the following is the BEST way to ensure data is properly sanitized while in cloud storage?

A . Deleting the data from the file system
B . Cryptographically scrambling the data
C . Formatting the cloud storage at the block level
D . Degaussing the cloud storage media

Lösung einblenden Lösung ausblenden

Question #277

A highly regulated organization acquired a medical technology startup company that processes sensitive personal information with weak data protection controls.

Which of the following is the BEST way for the acquiring company to reduce its risk while still enabling the flexibility needed by the startup company?

A . Identify previous data breaches using the startup company’s audit reports.
B . Have the data privacy officer review the startup company’s data protection policies.
C . Classify and protect the data according to the parent company’s internal standards.
D . Implement a firewall and isolate the environment from the parent company’s network.

Lösung einblenden Lösung ausblenden

Richtige Antwort: C
C

Explanation:

Data protection is the process of safeguarding sensitive personal information from unauthorized access, use, disclosure, modification, or destruction. Data protection can help to ensure the privacy and security of the data subjects, and to comply with the legal and regulatory requirements that apply to the data processing activities1.

A highly regulated organization that acquired a medical technology startup company that processes sensitive personal information with weak data protection controls faces a high risk of data breaches, fines, lawsuits, reputational damage, or loss of customer trust. The best way for the acquiring company to reduce its risk while still enabling the flexibility needed by the startup company is to

classify and protect the data according to the parent company’s internal standards, because it can help to:

Identify and categorize the sensitive personal information based on its value, sensitivity, and criticality, such as confidential, restricted, internal, or public

Apply and enforce the appropriate data protection policies, procedures, and controls for each data category, such as encryption, access control, backup, retention, or disposal

Align and integrate the data protection practices and processes of the startup company with those of the parent company, and ensure the consistency and compliance across the organization

Balance and optimize the trade-off between data protection and data usability, and allow the startup company to leverage the data for innovation and growth, as long as it meets the data protection standards of the parent company23

The other options are not the best ways for the acquiring company to reduce its risk while still enabling the flexibility needed by the startup company, but rather some of the steps or aspects of data protection. Identify previous data breaches using the startup company’s audit reports is a step that can help to assess the current data protection status and gaps of the startup company, and to learn from the past incidents and mistakes, but it does not address the future data protection needs and challenges of the startup company. Have the data privacy officer review the startup company’s data protection policies is an aspect that can help to ensure the legal and regulatory compliance of the data protection activities of the startup company, and to provide guidance and oversight for the data protection issues and risks, but it does not ensure the technical and operational effectiveness and efficiency of the data protection controls of the startup company. Implement a firewall and isolate the environment from the parent company’s network is a control that can help to prevent or limit the external or internal attacks or threats to the data of the startup company, and to reduce the exposure or impact of a data breach, but it does not ensure the availability or accessibility of the data for the legitimate and authorized purposes of the startup company.

Reference: =

Data Protection – ISACA

Data Classification – ISACA

Data Protection Best Practices – ISACA

[CRISC Review Manual, 7th Edition]

Question #278

What is the MOST important consideration when selecting key performance indicators (KPIs) for control monitoring?

A . Source information is acquired at stable cost.
B . Source information is tailored by removing outliers.
C . Source information is readily quantifiable.
D . Source information is consistently available.

Lösung einblenden Lösung ausblenden

Question #279

Which of the following is the PRIMARY consideration when establishing an organization’s risk management methodology?

A . Business context
B . Risk tolerance level
C . Resource requirements
D . Benchmarking information

Lösung einblenden Lösung ausblenden

Question #280

Which of the following would MOST effectively reduce risk associated with an increase of online transactions on a retailer website?

A . Scalable infrastructure
B . A hot backup site
C . Transaction limits
D . Website activity monitoring

Lösung einblenden Lösung ausblenden