Free ISACA CRISC Übungsprüfungen - Seite 40 von 65

Question #391

Which of the following is the FIRST step when conducting a business impact analysis (BIA)?

A . Identifying critical information assets
B . Identifying events impacting continuity of operations;
C . Creating a data classification scheme
D . Analyzing previous risk assessment results

Question #392

Which of the following MUST be assessed before considering risk treatment options for a scenario with significant impact?

A . Risk magnitude
B . Incident probability
C . Risk appetite
D . Cost-benefit analysis

Lösung einblenden Lösung ausblenden

Question #393

During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards.

The overall control environment may still be effective if:

A . compensating controls are in place.
B . a control mitigation plan is in place.
C . risk management is effective.
D . residual risk is accepted.

Lösung einblenden Lösung ausblenden

Question #394

Which of the following approaches would BEST help to identify relevant risk scenarios?

A . Engage line management in risk assessment workshops.
B . Escalate the situation to risk leadership.
C . Engage internal audit for risk assessment workshops.
D . Review system and process documentation.

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

The best approach to identify relevant risk scenarios is to engage line management in risk assessment workshops. Risk scenarios are hypothetical situations that describe how a risk event could occur and what the consequences could be1. Identifying risk scenarios can help to understand and communicate the nature and impact of the risks, and to design and evaluate the risk responses2. To identify relevant risk scenarios, it is important to involve the people who are responsible for or affected by the risks, such as the line managers. Line managers are the managers who oversee the operational activities and processes of the organization, and who report to the senior or executive management3. By engaging line managers in risk assessment workshops, the organization can: Leverage the line managers’ knowledge and experience of the operational environment, the business objectives, the stakeholder expectations, and the potential threats and opportunities4. Encourage the line managers’ participation and collaboration in the risk identification and analysis process, and foster a risk-aware culture and mindset5.

Enhance the line managers’ ownership and accountability of the risks and the risk responses, and ensure their alignment and commitment to the risk management strategy and objectives6.

The other options are not the best approaches to identify relevant risk scenarios, because: Escalating the situation to risk leadership is not an effective or efficient way to identify risk scenarios, as it may bypass or undermine the line managers’ role and responsibility in the risk management process. Risk leadership is the function or role that provides the vision, direction, and guidance for the risk management activities and initiatives of the organization7. Escalating the situation to risk leadership may imply that the line managers are not capable or willing to identify and manage the risks, or that the risk leadership is not aware or involved in the risk management process. This may create confusion, conflict, or distrust among the risk management stakeholders, and reduce the quality and credibility of the risk scenarios.

Engaging internal audit for risk assessment workshops is not a suitable or appropriate way to identify risk scenarios, as it may violate the independence and objectivity of the internal audit function. Internal audit is an independent and objective assurance and consulting activity that evaluates and improves the effectiveness of the organization’s governance, risk management, and control processes8. Engaging internal audit for risk assessment workshops may compromise the internal audit’s role and mandate, as it may create a conflict of interest or a self-review threat. Internal audit should not be involved in the risk identification and analysis process, but rather provide assurance or advice on the adequacy and reliability of the process.

Reviewing system and process documentation is not a sufficient or comprehensive way to identify risk scenarios, as it may overlook or miss some important or emerging risks. System and process documentation are the records or artifacts that describe the structure, functions, features, and requirements of the organization’s systems and processes. Reviewing system and process documentation can help to identify some risks that are related to the design, implementation, or operation of the systems and processes, but it cannot capture all the risks that may affect the organization. Some risks may arise from external or internal factors that are not reflected or updated in the system and process documentation, such as changes in the market, technology, regulation, or stakeholder expectations.

Reference: =

Risk Scenarios Toolkit – ISACA

Risk Scenarios Starter Pack – ISACA

Line Manager – CIO Wiki

Engaging Line Managers in Risk Management – IRM

Risk Culture – CIO Wiki

Risk Ownership – CIO Wiki

Risk Leadership – CIO Wiki

Internal Audit – CIO Wiki

[System Documentation – CIO Wiki]

Question #395

Which of the following is the GREATEST risk associated with an environment that lacks documentation of the architecture?

A . Unknown vulnerabilities
B . Legacy technology systems
C . Network isolation
D . Overlapping threats

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

Architecture is the design and structure of a system or a process, such as an IT system or a business process. Architecture documentation is the document that describes and explains the architecture, such as its components, functions, relationships, requirements, constraints, or standards. Architecture documentation can help to understand, communicate, and improve the system or the process1.

An environment that lacks documentation of the architecture faces a great risk of unknown vulnerabilities, which are the weaknesses or flaws in the system or the process that could be exploited by threats or attackers, but are not identified or addressed by the organization. Unknown vulnerabilities can pose a serious risk to the organization, because they can:

Compromise the confidentiality, integrity, and availability of the system or the process, and the information or resources that it handles or supports

Cause financial, operational, reputational, or legal damages or losses to the organization, such as data breaches, fraud, errors, delays, or fines

Remain undetected or unresolved for a long time, and increase the exposure or impact of the risk over time

Require more resources or efforts to mitigate or recover from the risk, and reduce the efficiency or effectiveness of the risk management process23

Lack of documentation of the architecture can increase the risk of unknown vulnerabilities, because it can:

Prevent or hinder the identification and assessment of the vulnerabilities, and the evaluation and prioritization of the risks

Impede or delay the implementation and enforcement of the controls or safeguards to prevent or reduce the vulnerabilities, and the monitoring and reporting of the risk status and progress Obstruct or limit the communication and coordination among the stakeholders, and the awareness and accountability of the risk owners and users

Restrict or hamper the review and improvement of the system or the process, and the learning and feedback of the risk management4

The other options are not the greatest risks associated with an environment that lacks documentation of the architecture, but rather some of the possible causes or consequences of it. Legacy technology systems are outdated or obsolete systems that are still in use by the organization, but are no longer supported or maintained by the vendors or developers. Legacy technology systems can be a cause of lack of documentation of the architecture, as they may have been developed or acquired without proper documentation, or the documentation may have been lost or discarded over time. Network isolation is the separation or segregation of a network or a system from other networks or systems, either physically or logically, to prevent or limit the access or communication between them. Network isolation can be a consequence of lack of documentation of the architecture, as it may result from the inability or difficulty to integrate or connect the system or the process with other systems or processes. Overlapping threats are threats that affect more than one system or process, or have similar or related sources or causes, such as natural disasters, cyberattacks, or human errors. Overlapping threats can be a consequence of lack of documentation of the architecture, as they may arise from the lack of understanding or coordination of the system or the process with other systems or processes.

Reference: =

Architecture Documentation – ISACA

Vulnerability – ISACA

The Risks of Not Having a Vulnerability Management Program The Importance of Architecture Documentation – ISACA [The Risk of Poor Document Control – ComplianceBridge] [CRISC Review Manual, 7th Edition]

Question #396

Which of the following is the BEST approach for obtaining management buy-in to implement additional IT controls?

A . List requirements based on a commonly accepted IT risk management framework.
B . Provide information on new governance, risk, and compliance (GRC) platform functionalities.
C . Describe IT risk impact on organizational processes in monetary terms.
D . Present new key risk indicators (KRIs) based on industry benchmarks.

Lösung einblenden Lösung ausblenden

Question #397

Which of the following factors will have the GREATEST impact on the implementation of a risk mitigation strategy for an organization?

A . Cost-benefit analysis
B . Risk tolerance
C . Known vulnerabilities
D . Cyber insurance

Lösung einblenden Lösung ausblenden

Question #398

An organization with a large number of applications wants to establish a security risk assessment program.

Which of the following would provide the MOST useful information when determining the frequency of risk assessments?

A . Feedback from end users
B . Results of a benchmark analysis
C . Recommendations from internal audit
D . Prioritization from business owners

Lösung einblenden Lösung ausblenden

Question #399

The PRIMARY objective of a risk identification process is to:

A . evaluate how risk conditions are managed.
B . determine threats and vulnerabilities.
C . estimate anticipated financial impact of risk conditions.
D . establish risk response options.

Lösung einblenden Lösung ausblenden

Question #400

Which of the following is the PRIMARY risk management responsibility of the second line of defense?

A . Monitoring risk responses
B . Applying risk treatments
C . Implementing internal controls
D . Providing assurance of control effectiveness

Lösung einblenden Lösung ausblenden