Free ISACA CRISC Übungsprüfungen - Seite 36 von 65

Question #351

Which of the following is the PRIMARY reason to establish the root cause of an IT security incident?

A . Update the risk register.
B . Assign responsibility and accountability for the incident.
C . Prepare a report for senior management.
D . Avoid recurrence of the incident.

Question #352

A business unit is implementing a data analytics platform to enhance its customer relationship management (CRM) system primarily to process data that has been provided by its customers.

Which of the following presents the GREATEST risk to the organization’s reputation?

A . Third-party software is used for data analytics.
B . Data usage exceeds individual consent.
C . Revenue generated is not disclosed to customers.
D . Use of a data analytics system is not disclosed to customers.

Lösung einblenden Lösung ausblenden

Question #353

Which of the following is the FIRST step in risk assessment?

A . Review risk governance
B . Asset identification
C . Identify risk factors
D . Inherent risk identification

Lösung einblenden Lösung ausblenden

Richtige Antwort: B
B

Explanation:

The first step in risk assessment is asset identification, which is the process of identifying and documenting the assets that are relevant and valuable to the organization, such as people, information, systems, processes, or infrastructure1.

Asset identification can help to:

Establish the scope and boundaries of the risk assessment, and ensure that all the assets within the scope are considered and covered2.

Determine the criticality and priority of the assets, and assign them appropriate values or ratings based on their importance and contribution to the organization’s objectives3.

Identify the potential threats and vulnerabilities that may affect the assets, and assess their likelihood and impact on the assets4.

The other options are not the first step in risk assessment, because:

Review risk governance is not the first step, but rather a prerequisite or a foundation for risk assessment. Risk governance is the system of principles, policies, roles, and responsibilities that guide and oversee the risk management activities and initiatives of the organization5. Reviewing risk

governance can help to ensure that the risk assessment is aligned with the organization’s risk strategy, culture, and appetite, and that the risk assessment process is consistent, effective, and efficient6.

Identify risk factors is not the first step, but rather a subsequent or a parallel step to asset identification. Risk factors are the elements or conditions that influence or contribute to the occurrence or outcome of a risk event7. Identifying risk factors can help to understand the causes and sources of the risks, and to analyze and evaluate the risks based on their probability and severity. Inherent risk identification is not the first step, but rather a later or a dependent step on asset identification and risk factor identification. Inherent risk is the level of risk that exists before the implementation of risk responses. Identifying inherent risk can help to measure the exposure or uncertainty of the assets, and to determine the need and extent of the risk responses.

Reference: =

Risk Governance – CIO Wiki

Risk Governance Framework – CIO Wiki

Asset Identification – CIO Wiki

Asset Identification and Valuation – ISACA

Asset Criticality – CIO Wiki

Threat and Vulnerability Assessment – CIO Wiki

Risk Factor – CIO Wiki

[Risk Factor Analysis – CIO Wiki]

[Inherent Risk – CIO Wiki]

[Inherent Risk Assessment – CIO Wiki]

[Risk Assessment – CIO Wiki]

Question #353

Which of the following is the FIRST step in risk assessment?

A . Review risk governance
B . Asset identification
C . Identify risk factors
D . Inherent risk identification

Lösung einblenden Lösung ausblenden

Richtige Antwort: B
B

Explanation:

The first step in risk assessment is asset identification, which is the process of identifying and documenting the assets that are relevant and valuable to the organization, such as people, information, systems, processes, or infrastructure1.

Asset identification can help to:

Establish the scope and boundaries of the risk assessment, and ensure that all the assets within the scope are considered and covered2.

Determine the criticality and priority of the assets, and assign them appropriate values or ratings based on their importance and contribution to the organization’s objectives3.

Identify the potential threats and vulnerabilities that may affect the assets, and assess their likelihood and impact on the assets4.

The other options are not the first step in risk assessment, because:

Review risk governance is not the first step, but rather a prerequisite or a foundation for risk assessment. Risk governance is the system of principles, policies, roles, and responsibilities that guide and oversee the risk management activities and initiatives of the organization5. Reviewing risk

governance can help to ensure that the risk assessment is aligned with the organization’s risk strategy, culture, and appetite, and that the risk assessment process is consistent, effective, and efficient6.

Identify risk factors is not the first step, but rather a subsequent or a parallel step to asset identification. Risk factors are the elements or conditions that influence or contribute to the occurrence or outcome of a risk event7. Identifying risk factors can help to understand the causes and sources of the risks, and to analyze and evaluate the risks based on their probability and severity. Inherent risk identification is not the first step, but rather a later or a dependent step on asset identification and risk factor identification. Inherent risk is the level of risk that exists before the implementation of risk responses. Identifying inherent risk can help to measure the exposure or uncertainty of the assets, and to determine the need and extent of the risk responses.

Reference: =

Risk Governance – CIO Wiki

Risk Governance Framework – CIO Wiki

Asset Identification – CIO Wiki

Asset Identification and Valuation – ISACA

Asset Criticality – CIO Wiki

Threat and Vulnerability Assessment – CIO Wiki

Risk Factor – CIO Wiki

[Risk Factor Analysis – CIO Wiki]

[Inherent Risk – CIO Wiki]

[Inherent Risk Assessment – CIO Wiki]

[Risk Assessment – CIO Wiki]

Question #355

An organization plans to implement a new Software as a Service (SaaS) speech-to-text solution.

Which of the following is MOST important to mitigate risk associated with data privacy?

A . Secure encryption protocols are utilized.
B . Multi-factor authentication is set up for users.
C . The solution architecture is approved by IT.
D . A risk transfer clause is included in the contact

Lösung einblenden Lösung ausblenden

Question #356

Which of the following BEST indicates how well a web infrastructure protects critical information from an attacker?

A . Failed login attempts
B . Simulating a denial of service attack
C . Absence of IT audit findings
D . Penetration test

Lösung einblenden Lösung ausblenden

Question #357

Which of the following is of GREATEST concern when uncontrolled changes are made to the control environment?

A . A decrease in control layering effectiveness
B . An increase in inherent risk
C . An increase in control vulnerabilities
D . An increase in the level of residual risk

Lösung einblenden Lösung ausblenden

Richtige Antwort: D
D

Explanation:

The control environment is the set of internal and external factors and conditions that influence and shape the organization’s governance, risk management, and control functions. It includes the organization’s culture, values, ethics, structure, roles, responsibilities, policies, standards, etc. Uncontrolled changes are changes or modifications to the control environment that are not planned, authorized, documented, or monitored, and that may have unintended or adverse consequences for the organization. Uncontrolled changes may be caused by various drivers or events, such as technological innovations, market trends, regulatory changes, customer preferences, competitor actions, environmental issues, etc.

The greatest concern when uncontrolled changes are made to the control environment is an increase in the level of residual risk, which is the amount and type of risk that remains after the implementation and execution of the risk responses or controls. An increase in the level of residual risk means that the risk responses or controls are not effective or sufficient to mitigate or prevent the risks, and that the organization may face unacceptable or intolerable consequences if the risks materialize.

An increase in the level of residual risk is the greatest concern when uncontrolled changes are made to the control environment, because it indicates that the organization’s risk profile and performance have deteriorated, and that the organization may not be able to achieve its objectives or protect its value. It also indicates that the organization’s risk appetite and tolerance have been violated, and that the organization may need to take corrective or compensating actions to restore the balance between risk and return.

The other options are not the greatest concerns when uncontrolled changes are made to the control environment, because they do not indicate the actual or potential impact or outcome of the risks, and they may not be relevant or actionable for the organization.

A decrease in control layering effectiveness means a decrease in the extent or degree to which the organization uses multiple or overlapping controls to address the same or related risks, and to provide redundancy or backup in case of failure or compromise of one or more controls. A decrease in control layering effectiveness may indicate a weakness or gap in the organization’s control design or implementation, but it does not indicate the actual or potential impact or outcome of the risks, and it may not be relevant or actionable for the organization, unless the control layering is required or recommended by the organization’s policies or standards.

An increase in inherent risk means an increase in the amount and type of risk that exists in the absence of any risk responses or controls, and that is inherent to the nature or characteristics of the risk source, event, cause, or impact. An increase in inherent risk may indicate a change or variation in the organization’s risk exposure or level, but it does not indicate the actual or potential impact or outcome of the risks, and it may not be relevant or actionable for the organization, unless the inherent risk exceeds the organization’s risk appetite or tolerance.

An increase in control vulnerabilities means an increase in the number or severity of the weaknesses or flaws in the organization’s risk responses or controls that can be exploited or compromised by the threats or sources of harm that may affect the organization’s objectives or operations. An increase in control vulnerabilities may indicate a weakness or gap in the organization’s control design or implementation, but it does not indicate the actual or potential impact or outcome of the risks, and it may not be relevant or actionable for the organization, unless the control vulnerabilities are exploited or compromised by the threats or sources of harm.

Reference: = ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 19-20, 23-24, 27-28, 31-32, 40-41, 47-48, 54-55, 58-59, 62-63 ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 174 CRISC Practice Quiz and Exam Prep

Question #358

An organization’s control environment is MOST effective when:

A . controls perform as intended.
B . controls operate efficiently.
C . controls are implemented consistent
D . control designs are reviewed periodically

Lösung einblenden Lösung ausblenden

Question #359

Employees are repeatedly seen holding the door open for others, so that trailing employees do not have to stop and swipe their own ID badges.

This behavior BEST represents:

A . a threat.
B . a vulnerability.
C . an impact
D . a control.

Lösung einblenden Lösung ausblenden

Question #360

Which of the following is MOST important for a multinational organization to consider when developing its security policies and standards?

A . Regional competitors‘ policies and standards
B . Ability to monitor and enforce compliance
C . Industry-standard templates
D . Differences in regulatory requirements

Lösung einblenden Lösung ausblenden

Richtige Antwort: D
D

Explanation:

Differences in regulatory requirements are the most important factor for a multinational organization to consider when developing its security policies and standards. This is because different countries or regions may have different laws, regulations, or standards that govern the protection of information and data, such as the General Data Protection Regulation (GDPR) in the European Union, the Health Insurance Portability and Accountability Act (HIPAA) in the United States, or the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada. A multinational organization must

comply with the applicable regulatory requirements in each jurisdiction where it operates, or it may face legal, financial, or reputational risks. Therefore, the organization should develop its security policies and standards in a way that meets or exceeds the minimum regulatory requirements, and also aligns with its business objectives and risk appetite. According to the CRISC Review Manual 2022, one of the key elements of IT governance is to ensure compliance with external laws and regulations1. According to the CRISC Review Questions, Answers & Explanations Manual 2022, differences in regulatory requirements is the correct answer to this question2.

Regional competitors’ policies and standards, ability to monitor and enforce compliance, and industry-standard templates are not the most important factors for a multinational organization to consider when developing its security policies and standards. These factors may be useful or relevant, but they are not as critical or mandatory as the differences in regulatory requirements. Regional competitors’ policies and standards may provide some insights or benchmarks, but they may not reflect the organization’s specific needs or risks. Ability to monitor and enforce compliance is an important aspect of implementing and maintaining security policies and standards, but it does not determine the content or scope of the policies and standards. Industry-standard templates may offer some guidance or best practices, but they may not cover all the regulatory requirements or the organization’s unique circumstances.