Free ISACA CRISC Übungsprüfungen - Seite 3 von 65

Question #21

Which of the following would MOST effectively reduce the potential for inappropriate exposure of vulnerabilities documented in an organization’s risk register?

A . Limit access to senior management only.
B . Encrypt the risk register.
C . Implement role-based access.
D . Require users to sign a confidentiality agreement.

Lösung einblenden Lösung ausblenden

Richtige Antwort: C
C

Explanation:

A risk register is a document that contains information about potential cybersecurity risks that could threaten a project’s success, or even the business itself2. Therefore, it is important to protect the confidentiality and integrity of the risk register from unauthorized or inappropriate access, modification, or disclosure. One way to do this is to implement role-based access, which is a method of restricting access to the risk register based on the roles or responsibilities of the users1. This way, only authorized users who need to view or edit the risk register for legitimate purposes can do so, and the access rights can be revoked or modified as needed. This would most effectively reduce the potential for inappropriate exposure of vulnerabilities documented in the risk register. The other options are not as effective or feasible as option C, as they do not address the need to balance the security and availability of the risk register.

Option A, limiting access to senior management only, would compromise the availability and usefulness of the risk register, as other stakeholders such as project managers, risk owners, or auditors may need to access the risk register for risk identification, analysis, response, or monitoring purposes3.

Option B, encrypting the risk register, would enhance the security of the risk register, but it would not prevent authorized users from exposing the vulnerabilities to unauthorized parties, either intentionally or unintentionally. Encryption also adds complexity and cost to the risk register management process, and may affect the performance or usability of the risk register4.

Option D, requiring users to sign a confidentiality agreement, would rely on the compliance and ethics of the users, but it would not prevent or detect any breaches of the agreement. A confidentiality agreement also does not specify the access rights or roles of the users, and may not be legally enforceable in some cases5.

Question #22

Which of the following is the FIRST step when developing a business case to drive the adoption of a risk remediation project by senior management?

A . Calculating the cost
B . Analyzing cost-effectiveness
C . Determining the stakeholders
D . Identifying the objectives

Lösung einblenden Lösung ausblenden

Richtige Antwort: D
D

Explanation:

The first step when developing a business case to drive the adoption of a risk remediation project by senior management is to identify the objectives of the project. The objectives are the specific, measurable, achievable, relevant, and time-bound (SMART) goals that the project aims to accomplish. The objectives should be aligned with the organization’s vision, mission, and strategy, as well as the identified business problem or opportunity. The objectives should also reflect the expected benefits and outcomes of the project, such as reducing the risk exposure, enhancing the security posture, or improving the business performance. Identifying the objectives is the first step because it provides the direction, scope, and justification for the project, and it serves as the basis for evaluating the alternative solutions, estimating the costs and benefits, and communicating the value proposition to the senior management and other stakeholders. The other options are not the first step, although they may be subsequent or concurrent steps in the business case development process. Calculating the cost is a part of the financial analysis, which estimates the total expenditure and funding sources of the project, but it does not define the purpose or the scope of the project. Analyzing cost-effectiveness is a part of the economic analysis, which compares the costs and benefits of the alternative solutions and recommends the optimal one, but it does not specify the goals or the criteria of the project. Determining the stakeholders is a part of the stakeholder analysis, which identifies and assesses the interests, expectations, and influence of the parties involved in or affected by the project, but it does not establish the objectives or the rationale of the project.

Reference: = Business case: 7 key steps to build it and use it – Twproject: project …, Guide to developing the Project Business Case – GOV.UK, How to Write a Business Case: Template & Examples | Adobe Workfront

Question #23

When updating the risk register after a risk assessment, which of the following is MOST important to include?

A . Historical losses due to past risk events
B . Cost to reduce the impact and likelihood
C . Likelihood and impact of the risk scenario
D . Actor and threat type of the risk scenario

Lösung einblenden Lösung ausblenden

Question #24

Which of the following is the PRIMARY reason for a risk practitioner to review an organization’s IT asset inventory?

A . To plan for the replacement of assets at the end of their life cycles
B . To assess requirements for reducing duplicate assets
C . To understand vulnerabilities associated with the use of the assets
D . To calculate mean time between failures (MTBF) for the assets

Lösung einblenden Lösung ausblenden

Question #25

Which of the following is the PRIMARY risk management responsibility of the second line of defense?

A . Providing assurance of control effectiveness
B . Implementing internal controls
C . Monitoring risk responses
D . Applying risk treatments

Lösung einblenden Lösung ausblenden

Question #26

When updating a risk register with the results of an IT risk assessment, the risk practitioner should log:

A . high impact scenarios.
B . high likelihood scenarios.
C . treated risk scenarios.
D . known risk scenarios.

Lösung einblenden Lösung ausblenden

Question #27

Which of the following is the PRIMARY reason to ensure policies and standards are properly documented within the risk management process?

A . It facilitates the use of a framework for risk management.
B . It establishes a means for senior management to formally approve risk practices.
C . It encourages risk-based decision making for stakeholders.
D . It provides a basis for benchmarking against industry standards.

Lösung einblenden Lösung ausblenden

Question #28

During a recent security framework review, it was discovered that the marketing department implemented a non-fungible token asset program. This was done without following established risk procedures.

Which of the following should the risk practitioner do FIRST?

A . Report the infraction.
B . Perform a risk assessment.
C . Conduct risk awareness training.
D . Discontinue the process.

Lösung einblenden Lösung ausblenden

Question #29

The PRIMARY advantage of implementing an IT risk management framework is the:

A . establishment of a reliable basis for risk-aware decision making.
B . compliance with relevant legal and regulatory requirements.
C . improvement of controls within the organization and minimized losses.
D . alignment of business goals with IT objectives.

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

An IT risk management framework is a set of principles, processes, and practices that guide and support the identification, analysis, evaluation, treatment, monitoring, and communication of IT-related risks within an organization12.

The primary advantage of implementing an IT risk management framework is the establishment of a reliable basis for risk-aware decision making, which enables the organization to balance the potential benefits and adverse effects of using IT, and to allocate resources and prioritize actions accordingly12.

A reliable basis for risk-aware decision making consists of the following elements12:

A common language and understanding of IT risk, its sources, impacts, and responses

A consistent and structured approach to IT risk identification, analysis, evaluation, and treatment A clear and transparent governance structure and accountability for IT risk management

A comprehensive and up-to-date IT risk register and profile that reflects the organization’s risk appetite and tolerance

A regular and effective IT risk monitoring and reporting process that provides relevant and timely information to stakeholders

A continuous and proactive IT risk improvement process that incorporates feedback and lessons learned

The other options are not the primary advantage, but rather possible outcomes or benefits of implementing an IT risk management framework.

For example:

Compliance with relevant legal and regulatory requirements is an outcome of implementing an IT risk management framework that ensures the organization meets its obligations and avoids penalties or sanctions12.

Improvement of controls within the organization and minimized losses is a benefit of implementing an IT risk management framework that reduces the likelihood and impact of IT-related incidents and events12.

Alignment of business goals with IT objectives is a benefit of implementing an IT risk management framework that ensures the IT strategy and activities support the organization’s mission and vision12.

Reference: =

1: Risk IT Framework, ISACA, 2009

2: IT Risk Management Framework, University of Toronto, 2017

Question #30

Which of the following BEST enables the timely detection of changes in the security control environment?

A . Control self-assessment (CSA)
B . Log analysis
C . Security control reviews
D . Random sampling checks

Lösung einblenden Lösung ausblenden