Free ISACA CRISC Übungsprüfungen - Seite 31 von 65

Question #301

A risk practitioner notices a risk scenario associated with data loss at the organization’s cloud provider is assigned to the provider who should the risk scenario be reassigned to.

A . Senior management
B . Chief risk officer (CRO)
C . Vendor manager
D . Data owner

Lösung einblenden Lösung ausblenden

Question #302

Which of the following is the PRIMARY reason for a risk practitioner to use global standards related to risk management?

A . To build an organizational risk-aware culture
B . To continuously improve risk management processes
C . To comply with legal and regulatory requirements
D . To identify gaps in risk management practices

Lösung einblenden Lösung ausblenden

Richtige Antwort: B
B

Explanation:

Global standards related to risk management are documents that provide the principles, guidelines, and best practices for managing risk in a consistent, effective, and efficient manner across different organizations, sectors, and regions12.

The primary reason for a risk practitioner to use global standards related to risk management is to continuously improve risk management processes, which are the activities and tasks that enable the organization to identify, analyze, evaluate, treat, monitor, and communicate the risks that may affect its objectives, performance, and value creation34.

Continuously improving risk management processes is the primary reason because it helps the organization to enhance its risk management capabilities and maturity, and to adapt to the changing risk environment and stakeholder expectations34.

Continuously improving risk management processes is also the primary reason because it supports the achievement of the organization’s goals and the delivery of value to the stakeholders, which are the ultimate purpose and outcome of risk management34.

The other options are not the primary reason, but rather possible benefits or objectives that may result from using global standards related to risk management.

For example:

Building an organizational risk-aware culture is a benefit of using global standards related to risk management that involves creating and maintaining a shared understanding, attitude, and behavior towards risk among the organization’s employees and leaders, and fostering a culture of accountability, transparency, and learning34. However, this benefit is not the primary reason because it is an enabler and a consequence of continuously improving risk management processes, rather than a driver or a goal34.

Complying with legal and regulatory requirements is an objective of using global standards related to risk management that involves meeting and exceeding the expectations and obligations of the external authorities or bodies that govern or oversee the organization’s activities and operations, such as laws, regulations, standards, or contracts34. However, this objective is not the primary reason because it is a constraint and a challenge of continuously improving risk management processes, rather than a motivation or a benefit34.

Identifying gaps in risk management practices is an objective of using global standards related to risk management that involves assessing and comparing the current and desired state of the organization’s risk management processes, and identifying the areas or aspects that need to be improved or addressed34. However, this objective is not the primary reason because it is a step and a tool of continuously improving risk management processes, rather than a reason or a result34.

Reference: =

1: ISO – ISO 31000 ― Risk management1

2: Risk Management Standards2

3: Risk IT Framework, ISACA, 2009

4: IT Risk Management Framework, University of Toronto, 2017

Question #303

Which of the following would BEST prevent an unscheduled application of a patch?

A . Network-based access controls
B . Compensating controls
C . Segregation of duties
D . Change management

Lösung einblenden Lösung ausblenden

Question #304

A PRIMARY function of the risk register is to provide supporting information for the development of an organization’s risk:

A . strategy.
B . profile.
C . process.
D . map.

Lösung einblenden Lösung ausblenden

Question #305

Which of the following would MOST likely cause a risk practitioner to reassess risk scenarios?

A . A change in the risk management policy
B . A major security incident
C . A change in the regulatory environment
D . An increase in intrusion attempts

Lösung einblenden Lösung ausblenden

Richtige Antwort: C
C

Explanation:

The most likely cause for a risk practitioner to reassess risk scenarios is a change in the regulatory environment. A regulatory environment is the set of laws, rules, and standards that apply to an organization and its activities, such as data privacy, security, compliance, or governance. A change in the regulatory environment can occur due to various factors, such as new legislation, court rulings, enforcement actions, or industry trends. A change in the regulatory environment can affect the risk scenarios that the organization faces, as it may introduce new or modified risks, or alter the probability or impact of existing risks. For example, a new regulation may require the organization to implement additional or different controls, or to report or disclose more information, which may increase the cost, complexity, or vulnerability of the organization’s processes and systems. A change in the regulatory environment may also affect the risk appetite, tolerance, and capacity of the organization, as it may impose different requirements or expectations for the organization’s risk management performance and outcomes. Therefore, a risk practitioner should reassess the risk scenarios when there is a change in the regulatory environment, to ensure that the risk scenarios are accurate, complete, and relevant, and that the risk response strategies and plans are appropriate, effective, and compliant. The other options are not the most likely cause, although they may be related or influential to the risk scenarios. A change in the risk management policy is a change in the rules and guidelines that define how the organization manages its risks, such as the roles and responsibilities, the processes and procedures, the tools and techniques, or the reporting and communication. A change in the risk management policy can affect the risk scenarios, as it may change the way the organization identifies, analyzes, evaluates, and responds to the risks, but it does not directly create or modify the risks themselves. A major security incident is an event or situation that compromises the confidentiality, integrity, or availability of the organization’s information or systems, such as a data breach, a denial-of-service attack, or a ransomware infection. A major security incident can affect the risk scenarios, as it may indicate or reveal the existence or severity of the risks, or trigger or escalate the consequences of the risks, but it is not a cause, rather it is an effect of the risks. An increase in intrusion attempts is an increase in the frequency or intensity of the unauthorized or malicious attempts to access or exploit the organization’s information or systems, such as phishing, malware, or brute-force attacks. An increase in intrusion attempts can affect the risk scenarios, as it may increase the likelihood or impact of the risks, or expose or exacerbate the vulnerabilities of the organization’s processes and systems, but it is not a cause, rather it is a manifestation of the risks.

Reference: = Risk Scenarios Toolkit – ISACA, How to Write Strong Risk Scenarios and Statements – ISACA, The Impact of Regulatory Change on Business – Deloitte

Question #306

An IT department originally planned to outsource the hosting of its data center at an overseas location to reduce operational expenses. After a risk assessment, the department has decided to keep the data center in-house.

How should the risk treatment response be reflected in the risk register?

A . Risk mitigation
B . Risk avoidance
C . Risk acceptance
D . Risk transfer

Lösung einblenden Lösung ausblenden

Question #307

Who should have the authority to approve an exception to a control?

A . information security manager
B . Control owner
C . Risk owner
D . Risk manager

Lösung einblenden Lösung ausblenden

Question #308

Which of the following is the BEST indication of a mature organizational risk culture?

A . Corporate risk appetite is communicated to staff members.
B . Risk owners understand and accept accountability for risk.
C . Risk policy has been published and acknowledged by employees.
D . Management encourages the reporting of policy breaches.

Lösung einblenden Lösung ausblenden

Richtige Antwort: B
B

Explanation:

Organizational risk culture is the term describing the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose. Organizational risk culture influences how the organization identifies, assesses, and manages risks, and how it aligns its risk appetite and tolerance with its objectives and strategies1.

The best indication of a mature organizational risk culture is that risk owners understand and accept accountability for risk, because it means that the organization:

Clearly defines and assigns the roles and responsibilities of the risk owners, who are the individuals or groups who have the authority and ability to manage the risks within their scope or domain Empowers and supports the risk owners to perform their risk management duties, such as identifying, assessing, responding, monitoring, and reporting the risks

Holds the risk owners accountable for the outcomes and consequences of the risks, and evaluates their performance and compliance with the risk policies, standards, and procedures

Encourages and rewards the risk owners for demonstrating risk awareness and competence, and for contributing to the risk management improvement and learning23

The other options are not the best indications of a mature organizational risk culture, but rather some of the elements or aspects of it. Corporate risk appetite is the amount and type of risk that the organization is willing to accept in order to achieve its objectives. Corporate risk appetite is communicated to staff members to guide their risk decision making and behavior, and to ensure the consistency and alignment of the risk taking and tolerance across the organization. Risk policy is the document that establishes the principles, framework, and process for managing the risks within the organization. Risk policy is published and acknowledged by employees to ensure their awareness and compliance with the risk management expectations and requirements. Management is the group of individuals who have the authority and responsibility to direct and control the organization’s activities and resources. Management encourages the reporting of policy breaches to ensure the transparency and accountability of the risk management performance and outcomes, and to identify and address the risk management issues and gaps4.

Reference: = Risk culture – Institute of Risk Management

Risk Owner – ISACA

Taking control of organizational risk culture | McKinsey

[CRISC Review Manual, 7th Edition]

Question #309

An organization has established workflows in its service desk to support employee reports of security-related concerns.

Which of the following is the MOST efficient approach to analyze these concerns?

A . Map concerns to organizational assets.
B . Sort concerns by likelihood.
C . Align concerns to key vendors.
D . Prioritize concerns based on frequency of reports.

Lösung einblenden Lösung ausblenden

Question #310

When of the following provides the MOST tenable evidence that a business process control is effective?

A . Demonstration that the control is operating as designed
B . A successful walk-through of the associated risk assessment
C . Management attestation that the control is operating effectively
D . Automated data indicating that risk has been reduced

Lösung einblenden Lösung ausblenden