Free ISACA CRISC Übungsprüfungen - Seite 44 von 65

Question #431

Who is the BEST person to an application system used to process employee personal data?

A . Compliance manager
B . Data privacy manager
C . System administrator
D . Human resources (HR) manager

Question #432

Who should be responsible for strategic decisions on risk management?

A . Chief information officer (CIO)
B . Executive management team
C . Audit committee
D . Business process owner

Richtige Antwort: B
B

Explanation:

Strategic decisions on risk management are the decisions that involve setting the direction, objectives, and priorities for risk management within an organization, as well as aligning them with the organization’s overall strategy, vision, and mission1. Strategic decisions on risk management also involve defining the organization’s risk appetite and tolerance, which are the amount and level of risk that the organization is willing and able to accept to achieve its goals2. The responsibility for strategic decisions on risk management should belong to the executive management team, which is the group of senior leaders who have the authority and accountability for the organization’s performance and governance3. The executive management team has the best understanding of the organization’s strategic context, environment, and stakeholders, and can make informed and balanced decisions that consider the benefits and costs of risk-taking4. The executive management team also has the ability and responsibility to communicate and cascade the strategic decisions on risk management to the rest of the organization, and to monitor and evaluate their implementation and outcomes5. The chief information officer (CIO), the audit committee, and the business process owner are not the best choices for being responsible for strategic decisions on risk management, as they do not have the same level of authority and accountability as the executive management team. The CIO is the senior leader who oversees the organization’s information and technology strategy, resources, and systems6. The CIO may be involved in providing input and feedback to the executive management team on the strategic decisions on risk management, especially those related to IT risk, but they do not have the final say or the overall responsibility for them. The audit committee is a subcommittee of the board of directors that oversees the organization’s financial reporting, internal controls, and external audits7. The audit committee may be involved in reviewing and approving the strategic decisions on risk management, as well as ensuring their compliance with the relevant laws and standards, but they do not have the authority or the expertise to make or implement them. The business process owner is the person who has the authority and accountability for a business process that supports or enables the organization’s objectives and functions. The business process owner may be involved in executing and reporting on the strategic decisions on risk management, as well as identifying and mitigating the risks related to their business process, but they do not have the perspective or the influence to make or communicate them.

Reference: = 1: Strategic Risk Management: Complete Overview (With Examples)2: [Risk Appetite and Tolerance – ISACA] 3: [Senior Management – Definition, Roles and Responsibilities] 4: Stanford Strategic Decision and Risk Management | Stanford Online5: A 7-Step Process for Strategic Risk Management ― RiskOptics – Reciprocity6: [Chief Information Officer (CIO) – Gartner IT Glossary] 7: [Audit Committee – Overview, Functions, and Responsibilities]: [Business Process Owner – Gartner IT Glossary]: [Business Process Owner – Roles and Responsibilities]: [Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.1: IT Risk Concepts, pp. 17-19.]

Question #433

Which of the following tools is MOST effective in identifying trends in the IT risk profile?

A . Risk self-assessment
B . Risk register
C . Risk dashboard
D . Risk map

Lösung einblenden Lösung ausblenden

Richtige Antwort: C
C

Explanation:

A risk dashboard is a graphical tool that displays the key indicators and metrics of the organization’s IT risk profile, such as the risk level, status, trend, performance, etc., using charts, graphs, tables, etc. A risk dashboard can help the organization to monitor and communicate the IT risk profile, and to support the decision making and planning for the IT risk management.

A risk dashboard is the most effective tool in identifying trends in the IT risk profile, because it provides a visual and intuitive representation of the changes and variations in the IT risk profile over time, and highlights the most significant and relevant IT risks that need to be addressed or monitored. A risk dashboard can also help to compare and contrast the IT risk profile with the organization’s IT objectives and risk appetite, and to identify the gaps or opportunities for improvement.

The other options are not the most effective tools in identifying trends in the IT risk profile, because they do not provide the same level of visibility and clarity that a risk dashboard provides, and they may not be updated or aligned with the organization’s IT objectives and risk appetite.

A risk self-assessment is a process of identifying, analyzing, and evaluating the IT risks that may affect the organization’s objectives and operations, using the input and feedback from the individuals or groups that are involved or responsible for the IT activities or functions. A risk self-assessment can help the organization to understand and document the IT risk profile, and to align it with the organization’s IT strategy and culture, but it is not the most effective tool in identifying trends in the IT risk profile, because it may not reflect the current or accurate state and performance of the IT risk profile, and it may not cover all the relevant or emerging IT risks that may exist or arise.

A risk register is a document that records and tracks the information and status of the identified IT risks and their responses. It includes the IT risk description, category, source, cause, impact, probability, priority, response, owner, action plan, status, etc. A risk register can help the organization to identify, analyze, evaluate, and communicate the IT risks and their responses, and to align them with the organization’s IT strategy and culture, but it is not the most effective tool in identifying trends in the IT risk profile, because it may not provide a visual and intuitive representation of the changes and variations in the IT risk profile over time, and it may not highlight the most significant and relevant IT risks that need to be addressed or monitored.

A risk map is a graphical tool that displays the results of the IT risk analysis in a matrix format, using colors and symbols to indicate the level and priority of the IT risks. A risk map can show the distribution and comparison of the IT risks based on various criteria, such as likelihood, impact, category, source, etc. A risk map can help the organization to assess and prioritize the IT risks, and to design and implement appropriate controls or countermeasures to mitigate or prevent the IT risks, but it is not the most effective tool in identifying trends in the IT risk profile, because it may not provide a visual and intuitive representation of the changes and variations in the IT risk profile over time, and it may not reflect the organization’s IT objectives and risk appetite.

Reference: =

ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 19-20, 23-24, 27-28, 31-32, 40-41, 47-48, 54-55, 58-59, 62-63

ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 180 CRISC Practice Quiz and Exam Prep

Question #434

A risk practitioner has determined that a key control does not meet design expectations.

Which of the following should be done NEXT?

A . Document the finding in the risk register.
B . Invoke the incident response plan.
C . Re-evaluate key risk indicators.
D . Modify the design of the control.

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

The next step after determining that a key control does not meet design expectations is to document the finding in the risk register, because this helps to record and track the information about the identified risk, such as its description, likelihood, impact, response, and status. A key control is a control that addresses a significant risk or supports a critical business process or objective. A control design expectation is a criterion or requirement that defines how the control should operate or perform to achieve its objective. If a key control does not meet its design expectation, it means that there is a gap, weakness, or deficiency in the control that may compromise its effectiveness or efficiency, and increase the risk exposure or impact. By documenting the finding in the risk register, the risk practitioner can communicate and report the risk issue to the relevant stakeholders, such as the risk owner, the management, or the auditor, and initiate the appropriate risk response actions, such as modifying the design of the control, implementing a compensating control, or accepting the risk. The other options are not the best next steps after determining that a key control does not meet design expectations. Invoking the incident response plan is a reactive measure that is triggered when a risk event occurs or is imminent, and requires immediate action to contain, mitigate, or recover from the incident. However, in this case, the risk event has not occurred yet, and there may be time to prevent or reduce it by improving the control design. Re-evaluating key risk indicators is a monitoring activity that measures and evaluates the level and impact of risks, and provides timely signals that something may be going wrong or needs urgent attention. However, in this case, the risk practitioner has already identified the risk issue, and needs to document and address it, rather than re-evaluate it. Modifying the design of the control is a possible risk response action that may be taken to improve the control and reduce the risk, but it is not the next step after determining that the key control does not meet design expectations. The next step is to document the finding in the risk register, and then decide on the best risk response action, which may or may not be modifying the design of the control, depending on the cost-benefit analysis, the risk assessment, and the risk response strategy.

Reference: = Risk IT Framework, ISACA, 2022, p. 13

Question #435

An organization’s board of directors is concerned about recent data breaches in the news and wants to assess its exposure to similar scenarios.

Which of the following is the BEST course of action?

A . Evaluate the organization’s existing data protection controls.
B . Reassess the risk appetite and tolerance levels of the business.
C . Evaluate the sensitivity of data that the business needs to handle.
D . Review the organization’s data retention policy and regulatory requirements.

Lösung einblenden Lösung ausblenden

Question #436

When assessing the maturity level of an organization’s risk management framework, which of the following deficiencies should be of GREATEST concern to a risk practitioner?

A . Unclear organizational risk appetite
B . Lack of senior management participation
C . Use of highly customized control frameworks
D . Reliance on qualitative analysis methods

Lösung einblenden Lösung ausblenden

Question #437

A risk practitioner has discovered a deficiency in a critical system that cannot be patched.

Which of the following should be the risk practitioner’s FIRST course of action?