Free ISACA CRISC Übungsprüfungen - Seite 38 von 65

Question #371

Which of the following risk scenarios would be the GREATEST concern as a result of a single sign-on implementation?

A . User access may be restricted by additional security.
B . Unauthorized access may be gained to multiple systems.
C . Security administration may become more complex.
D . User privilege changes may not be recorded.

Lösung einblenden Lösung ausblenden

Question #372

Which of the following is the BEST Key control indicator KCO to monitor the effectiveness of patch management?

A . Percentage of legacy servers out of support
B . Percentage of severs receiving automata patches
C . Number of unpremeditated vulnerabilities
D . Number of intrusion attempts

Lösung einblenden Lösung ausblenden

Question #373

Of the following, whose input is ESSENTIAL when developing risk scenarios for the implementation of a third-party mobile application that stores customer data?

A . Information security manager
B . IT vendor manager
C . Business process owner
D . IT compliance manager

Lösung einblenden Lösung ausblenden

Question #374

Which of the following will help ensure the elective decision-making of an IT risk management committee?

A . Key stakeholders are enrolled as members
B . Approved minutes ate forwarded to senior management
C . Committee meets at least quarterly
D . Functional overlap across the business is minimized

Lösung einblenden Lösung ausblenden

Question #375

Which of the following is the MOST important factor affecting risk management in an organization?

A . The risk manager’s expertise
B . Regulatory requirements
C . Board of directors‘ expertise
D . The organization’s culture

Lösung einblenden Lösung ausblenden

Question #376

An organization’s internal audit department is considering the implementation of robotics process automation (RPA) to automate certain continuous auditing tasks.

Who would own the risk associated with ineffective design of the software bots?

A . Lead auditor
B . Project manager
C . Chief audit executive (CAE)
D . Chief information officer (CIO)

Lösung einblenden Lösung ausblenden

Question #377

It was discovered that a service provider’s administrator was accessing sensitive information without the approval of the customer in an Infrastructure as a Service (laaS) model.

Which of the following would BEST protect against a future recurrence?

A . Data encryption
B . Intrusion prevention system (IPS)
C . Two-factor authentication
D . Contractual requirements

Lösung einblenden Lösung ausblenden

Question #378

Which of the following is the MOST important technology control to reduce the likelihood of fraudulent payments committed internally?

A . Automated access revocation
B . Daily transaction reconciliation
C . Rule-based data analytics
D . Role-based user access model

Lösung einblenden Lösung ausblenden

Richtige Antwort: D
D

Explanation:

A role-based user access model is a type of technology control that assigns access rights and permissions to users based on their roles and responsibilities within the organization. A role-based user access model can reduce the likelihood of fraudulent payments committed internally, because it can help to:

Enforce the principle of least privilege, which means that users only have the minimum level of access required to perform their duties

Implement segregation of duties, which means that users cannot perform conflicting or incompatible functions, such as initiating and approving payments

Prevent unauthorized or inappropriate access to sensitive data or systems, such as payment information or applications

Detect and deter fraud attempts by creating audit trails and logs of user activities and transactions Simplify and streamline the management and maintenance of user access rights and permissions, such as adding, modifying, or deleting users or roles12

The other options are not as important as a role-based user access model for reducing the likelihood of fraudulent payments committed internally. Automated access revocation is a technology control that automatically revokes or suspends user access rights and permissions when certain conditions are met, such as termination of employment, change of role, or expiration of password. Automated access revocation can help to prevent fraud by former or inactive users, but it does not address the risk of fraud by current or active users3. Daily transaction reconciliation is a technology control that compares and verifies the transactions recorded in different systems or sources, such as bank statements and accounting records. Daily transaction reconciliation can help to detect fraud by identifying discrepancies or anomalies in the transactions, but it does not prevent fraud from occurring in the first place4. Rule-based data analytics is a technology control that applies predefined rules or criteria to analyze data and identify patterns, trends, or outliers. Rule-based data analytics can help to monitor fraud by generating alerts or reports of suspicious or unusual transactions, but it does not prevent fraud from happening or being attempted5.

Reference: = Role-Based Access Control (RBAC) – ISACA

Role-Based Access Control: What It Is and How It Works

Automated Access Revocation – ISACA

Reconciliation – ISACA

Rule-Based Data Analytics – ISACA

[CRISC Review Manual, 7th Edition]

Question #379

The PRIMARY goal of a risk management program is to:

A . facilitate resource availability.
B . help ensure objectives are met.
C . safeguard corporate assets.
D . help prevent operational losses.

Lösung einblenden Lösung ausblenden

Question #380

Risk mitigation procedures should include:

A . buying an insurance policy.
B . acceptance of exposures
C . deployment of counter measures.
D . enterprise architecture implementation.

Lösung einblenden Lösung ausblenden