Free ISACA CRISC Übungsprüfungen - Seite 37 von 65

Question #361

Which of the following BEST confirms the existence and operating effectiveness of information systems controls?

A . Self-assessment questionnaires completed by management
B . Review of internal audit and third-party reports
C . Management review and sign-off on system documentation
D . First-hand direct observation of the controls in operation

Question #362

Which of the following helps ensure compliance with a nonrepudiation policy requirement for electronic transactions?

A . Digital signatures
B . Encrypted passwords
C . One-time passwords
D . Digital certificates

Richtige Antwort: A
A

Explanation:

Nonrepudiation is the ability to prevent or deny the parties involved in an electronic transaction from disputing or rejecting the validity or authenticity of the transaction. Nonrepudiation ensures that the parties cannot claim that they did not send or receive the transaction, or that the transaction was altered or tampered with.

The tool that helps ensure compliance with a nonrepudiation policy requirement for electronic transactions is digital signatures, which are the electronic equivalents of handwritten signatures that are used to verify the identity and integrity of the sender and the content of the transaction. Digital signatures are generated by applying a cryptographic algorithm to the transaction, using the sender’s private key, which is a secret and unique code that only the sender knows and possesses. The digital signature can be verified by the receiver or any third party, using the sender’s public key, which is a code that is publicly available and corresponds to the sender’s private key. The digital signature can prove that the transaction was sent by the sender, and that the transaction was not altered or tampered with during the transmission.

The other options are not the tools that help ensure compliance with a nonrepudiation policy requirement for electronic transactions, because they do not provide the same level of verification and validation that digital signatures provide, and they may not be sufficient or effective to prevent or deny the parties from disputing or rejecting the transaction.

Encrypted passwords are the passwords that are converted into a secret or unreadable form, using a cryptographic algorithm, to protect them from unauthorized access or disclosure. Encrypted passwords can help to ensure the confidentiality and security of the passwords, but they are not the tools that help ensure compliance with a nonrepudiation policy requirement for electronic transactions, because they do not verify the identity and integrity of the sender and the content of the transaction, and they may not prevent or deny the parties from disputing or rejecting the transaction.

One-time passwords are the passwords that are valid or usable for only one session or transaction, and that are randomly generated or derived from a dynamic factor, such as time, location, or device. One-time passwords can help to enhance the security and authentication of the parties involved in the transaction, but they are not the tools that help ensure compliance with a nonrepudiation policy requirement for electronic transactions, because they do not verify the identity and integrity of the sender and the content of the transaction, and they may not prevent or deny the parties from disputing or rejecting the transaction.

Digital certificates are the electronic documents that contain the information and credentials of the parties involved in the transaction, such as their name, public key, expiration date, etc., and that are issued and signed by a trusted authority or entity, such as a certificate authority or a digital signature provider. Digital certificates can help to establish and confirm the identity and trustworthiness of the parties involved in the transaction, but they are not the tools that help ensure compliance with a nonrepudiation policy requirement for electronic transactions, because they do not verify the identity and integrity of the sender and the content of the transaction, and they may not prevent or deny the parties from disputing or rejecting the transaction.

Reference: =

ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 40-41, 47-48, 54-55, 58-59, 62-63 ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 197 CRISC Practice Quiz and Exam Prep

Question #363

Which of the following should be the PRIMARY focus of an IT risk awareness program?

A . Ensure compliance with the organization’s internal policies
B . Cultivate long-term behavioral change.
C . Communicate IT risk policy to the participants.
D . Demonstrate regulatory compliance.

Lösung einblenden Lösung ausblenden

Question #364

Which of the following changes would be reflected in an organization’s risk profile after the failure of a critical patch implementation?

A . Risk tolerance is decreased.
B . Residual risk is increased.
C . Inherent risk is increased.
D . Risk appetite is decreased

Lösung einblenden Lösung ausblenden

Richtige Antwort: B
B

Explanation:

A critical patch is a software update that fixes a security vulnerability or a bug that may affect the performance, functionality, or reliability of a system or a network. A critical patch implementation is a process that applies the software update to the system or network in a timely and effective manner. The failure of a critical patch implementation is a situation where the software update is not applied or not applied correctly, which may expose the system or network to various threats, such as data theft, data corruption, data leakage, or denial of service. The failure of a critical patch implementation would be reflected in an organization’s risk profile by increasing the residual risk. Residual risk is the risk that remains after the risk response, which means the risk that is not avoided, transferred, or mitigated by the existing controls or measures. The failure of a critical patch implementation would increase the residual risk, as it would reduce the effectiveness or efficiency of the existing controls or measures that are supposed to address the security vulnerability or the bug. The failure of a critical patch implementation would also increase the likelihood or impact of the potential threats, as well as the exposure or consequences of the system or network. The other options are not the correct changes that would be reflected in an organization’s risk profile after the failure of a critical patch implementation, although they may be affected or related. Risk tolerance is the degree of variation from the risk appetite that the organization is not willing to accept. Risk tolerance may be decreased by the failure of a critical patch implementation, as the organization may become more cautious or conservative in accepting the risk, but it is not a direct or immediate change in the risk profile. Inherent risk is the risk that exists in the absence of any controls or measures, which means the risk that is inherent to the system or network or the environment. Inherent risk may be increased by the failure of a critical patch implementation, as the system or network may become more vulnerable or susceptible to the threats, but it is not a change in the risk profile, as the risk profile considers the existing controls or measures. Risk appetite is the amount and type of risk that the organization is willing to accept in pursuit of its objectives. Risk appetite may be decreased by the failure of a critical patch implementation, as the organization may become less willing or able to accept the risk, but it is not a change in the risk profile, as the risk profile reflects the actual or current risk level, not the desired or expected risk level.

Reference: = CRISC Review Manual, pages 32-331; CRISC Review Questions, Answers & Explanations Manual, page 972; What is a Critical Patch? – Definition from Techopedia3; What is Residual Risk? – Definition from Techopedia4

Question #365

What is the PRIMARY reason an organization should include background checks on roles with elevated access to production as part of its hiring process?

A . Reduce internal threats
B . Reduce exposure to vulnerabilities
C . Eliminate risk associated with personnel
D . Ensure new hires have the required skills

Lösung einblenden Lösung ausblenden

Question #366

Which of the following is the BEST method to track asset inventory?

A . Periodic asset review by management
B . Asset registration form
C . IT resource budgeting process
D . Automated asset management software

Lösung einblenden Lösung ausblenden

Question #367

A risk practitioner is developing a set of bottom-up IT risk scenarios.

The MOST important time to involve business stakeholders is when:

A . updating the risk register
B . documenting the risk scenarios.
C . validating the risk scenarios
D . identifying risk mitigation controls.

Lösung einblenden Lösung ausblenden

Question #368

After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:

Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor’s control environment?

A . External audit
B . Internal audit
C . Vendor performance scorecard
D . Regulatory examination

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

An external audit is the most reliable input to evaluate residual risk in the vendor’s control environment, as it provides an independent and objective assessment of the vendor’s financial systems and processes. An external audit is conducted by a third party, such as a certified public accountant (CPA) or a professional auditing firm, that follows the generally accepted auditing standards (GAAS) and the generally accepted accounting principles (GAAP). An external audit can help to verify the accuracy and completeness of the vendor’s financial statements, identify any material misstatements or errors, and evaluate the effectiveness and efficiency of the vendor’s internal controls. An external audit can also provide assurance and confidence to the organization and other stakeholders that the vendor is complying with the relevant laws, regulations, and contractual obligations.

The other options are not the most reliable inputs to evaluate residual risk in the vendor’s control environment. An internal audit is conducted by the vendor itself, which may introduce bias or conflict of interest. An internal audit may also have a different scope, methodology, or quality than an external audit. A vendor performance scorecard is completed by the organization, which may not have the sufficient access, expertise, or authority to assess the vendor’s control environment. A vendor performance scorecard may also focus more on the service level agreement (SLA) compliance, rather than the financial systems and processes. A regulatory examination is conducted by a regulator, such as a government agency or a standard-setting body, which may have a different purpose, criteria, or perspective than the organization. A regulatory examination may also have a limited scope, frequency, or transparency.

Reference: = Guide to Vendor Risk Assessment | Smartsheet, Understanding Inherent Vs. Residual Risk Assessments – Resolver, Assessing Internal Controls over Compliance – HCCA Official Site

Question #369

Which of the following BEST supports ethical IT risk management practices?

A . Robust organizational communication channels
B . Mapping of key risk indicators (KRIs) to corporate strategy
C . Capability maturity models integrated with risk management frameworks
D . Rigorously enforced operational service level agreements (SLAs)

Lösung einblenden Lösung ausblenden

Question #370

Which of the following is the MOST effective way to help ensure future risk levels do not exceed the organization’s risk appetite?

A . Establishing a series of key risk indicators (KRIs)
B . Adding risk triggers to entries in the risk register
C . Implementing key performance indicators (KPIs)
D . Developing contingency plans for key processes

Lösung einblenden Lösung ausblenden