Free ISACA CRISC Übungsprüfungen - Seite 4 von 65

Question #31

Which of the following should be included in a risk scenario to be used for risk analysis?

A . Risk appetite
B . Threat type
C . Risk tolerance
D . Residual risk

Richtige Antwort: B
B

Explanation:

A risk scenario is a hypothetical situation that describes how a risk event could adversely affect an organization’s objectives, assets, or operations. A risk scenario can be used for risk analysis, which is the process of estimating the likelihood and impact of the risk event, and evaluating the effectiveness and efficiency of the risk response1.

One of the essential components of a risk scenario is the threat type, which is the source or cause of the risk event. The threat type can be classified into various categories, such as natural, human, technical, environmental, or legal. The threat type can help to define the characteristics, motivations, capabilities, and methods of the risk event, and to identify the potential vulnerabilities and exposures of the organization. The threat type can also help to determine the frequency and severity of the risk event, and to select the appropriate risk response strategies and controls23.

The other options are not the components of a risk scenario, but rather the outcomes or inputs of

risk analysis. Risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives. Risk appetite can help to guide the risk analysis by providing a high-level statement of the desired level of risk taking and tolerance4. Risk tolerance is the acceptable variation in the outcomes related to specific objectives or risks. Risk tolerance can help to measure the risk analysis by providing quantitative or qualitative indicators of the acceptable range of risk exposure and performance4. Residual risk is the remaining risk after the risk response has been implemented. Residual risk can help to monitor the risk analysis by providing feedback on the effectiveness and efficiency of the risk response and the need for further action.

Reference: =

Risk Analysis – ISACA

Threat – ISACA

Threat Modeling – ISACA

Risk Appetite and Risk Tolerance – ISACA

[Residual Risk – ISACA]

[CRISC Review Manual, 7th Edition]

Question #32

A risk practitioner is performing a risk assessment of recent external advancements in quantum computing.

Which of the following would pose the GREATEST concern for the risk practitioner?

A . The organization has incorporated blockchain technology in its operations.
B . The organization has not reviewed its encryption standards.
C . The organization has implemented heuristics on its network firewall.
D . The organization has not adopted Infrastructure as a Service (laaS) for its operations.

Lösung einblenden Lösung ausblenden

Question #33

A company has located its computer center on a moderate earthquake fault.

Which of the following is the MOST important consideration when establishing a contingency plan and an alternate processing site?

A . The contingency plan provides for backup media to be taken to the alternative site.
B . The contingency plan for high priority applications does not involve a shared cold site.
C . The alternative site is a hot site with equipment ready to resume processing immediately.
D . The alternative site does not reside on the same fault no matter how far the distance apart.

Lösung einblenden Lösung ausblenden

Question #34

A global organization is considering the acquisition of a competitor. Senior management has requested a review of the overall risk profile from the targeted organization.

Which of the following components of this review would provide the MOST useful information?

A . Risk appetite statement
B . Enterprise risk management framework
C . Risk management policies
D . Risk register

Lösung einblenden Lösung ausblenden

Question #35

A risk practitioner is preparing a business case for purchasing a cyber insurance policy.

Which of the following is the MOST useful and comprehensive information to include in the business case to obtain management buy-in?

A . Business impact analysis (BIA)
B . Cost-benefit analysis
C . Control gap analysis
D . Scenario analysis

Lösung einblenden Lösung ausblenden

Question #36

The PRIMARY reason for periodically monitoring key risk indicators (KRIs) is to:

A . rectify errors in results of KRIs.
B . detect changes in the risk profile.
C . reduce costs of risk mitigation controls.
D . continually improve risk assessments.

Lösung einblenden Lösung ausblenden

Question #37

Reviewing historical risk events is MOST useful for which of the following processes within the risk management life cycle?

A . Risk monitoring
B . Risk mitigation
C . Risk aggregation
D . Risk assessment

Lösung einblenden Lösung ausblenden

Question #38

Which of the following is MOST important for the organization to consider before implementing a new in-house developed artificial intelligence (Al) solution?

A . Industry trends in Al
B . Expected algorithm outputs
C . Data feeds
D . Alert functionality

Lösung einblenden Lösung ausblenden

Question #39

Which of the following should be a risk practitioner’s PRIMARY focus when tasked with ensuring organization records are being retained for a sufficient period of time to meet legal obligations?

A . Data duplication processes
B . Data archival processes
C . Data anonymization processes
D . Data protection processes

Lösung einblenden Lösung ausblenden

Question #40

The BEST indicator of the risk appetite of an organization is the

A . regulatory environment of the organization
B . risk management capability of the organization
C . board of directors‘ response to identified risk factors
D . importance assigned to IT in meeting strategic goals

Lösung einblenden Lösung ausblenden