Free ISACA CRISC Übungsprüfungen - Seite 48 von 65

Question #471

Which of the following provides the MOST important information to facilitate a risk response decision?

A . Audit findings
B . Risk appetite
C . Key risk indicators
D . Industry best practices

Richtige Antwort: B
B

Explanation:

Risk appetite is the amount and type of risk that an enterprise is willing to accept in pursuit of its objectives. Risk appetite provides the most important information to facilitate a risk response decision, as it defines the boundaries and expectations for the risk management process. Risk appetite helps to determine the acceptable level of variation around the objectives, and to prioritize and allocate resources for the risk responses. Risk appetite also helps to align the risk management program with the enterprise’s strategy, culture, and values. The other options are not as important as risk appetite, as they provide different types of information for the risk management process:

Audit findings are the results of the independent and objective examination of the risk management program, such as by internal or external auditors. Audit findings provide assurance and feedback on the effectiveness and efficiency of the risk management program, and may identify gaps or weaknesses that need to be addressed. Audit findings may influence the risk response decision, but they are not as essential as risk appetite, as they are based on the existing or past performance of the risk management program, and may not reflect the future or potential risks or opportunities. Key risk indicators are the metrics that measure the changes in the level of risk exposure, such as by monitoring the risk drivers, triggers, or events. Key risk indicators provide information on the current or emerging risks, and may alert the enterprise to take action or adjust the risk response. Key risk indicators may influence the risk response decision, but they are not as essential as risk appetite, as they are based on the observed or estimated data or trends, and may not account for the uncertainties or complexities of the risks.

Industry best practices are the methods or techniques that have been proven to be effective or efficient in managing risks, such as by benchmarking or adopting standards or frameworks. Industry best practices provide guidance and direction on how to implement the risk management program, and may improve the quality or consistency of the risk response. Industry best practices may influence the risk response decision, but they are not as essential as risk appetite, as they are based on the experiences or recommendations of other enterprises, and may not be suitable or applicable for the specific context or objectives of the enterprise.

Reference: = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 1, Section 1.2.1.1, pp. 18-19.

Question #472

Which of the following would BEST facilitate the implementation of data classification requirements?

A . Assigning a data owner
B . Scheduling periodic audits
C . Implementing technical controls over the assets
D . Implementing a data loss prevention (DLP) solution

Lösung einblenden Lösung ausblenden

Question #473

Which of the following is MOST effective against external threats to an organizations confidential information?

A . Single sign-on
B . Data integrity checking
C . Strong authentication
D . Intrusion detection system

Lösung einblenden Lösung ausblenden

Richtige Antwort: C
C

Explanation:

Strong authentication is the most effective measure against external threats to an organization’s confidential information. Confidential information is any data or information that is sensitive, proprietary, or valuable to the organization, and that should not be disclosed to unauthorized parties1. External threats are malicious actors outside the organization who attempt to gain unauthorized access to the organization’s networks, systems, and data, using various methods such as malware, hacking, or social engineering2. Strong authentication is a method of verifying the identity and legitimacy of a user or device before granting access to the organization’s resources or data3. Strong authentication typically involves the use of multiple factors or methods of authentication, such as passwords, tokens, biometrics, or certificates4. Strong authentication can prevent or reduce the risk of external threats to the organization’s confidential information, by making it more difficult and costly for the attackers to compromise the credentials or devices of the authorized users, and by limiting the access to the data or resources that are relevant and necessary for the users’ roles and responsibilities5. The other options are not the most effective measures against external threats to the organization’s confidential information, as they are either less secure or less relevant than strong authentication. Single sign-on is a method of allowing a user to access multiple systems or applications with a single set of credentials, without having to log in separately for each system or application6. Single sign-on can improve the user experience and convenience, as well as reduce the administrative burden and cost of managing multiple accounts and passwords. However, single sign-on is not the most effective measure against external threats to the organization’s confidential information, as it can also increase the risk of credential compromise or misuse, and create a single point of failure or attack for the attackers to access multiple systems or data. Data integrity checking is a method of ensuring that the data or information is accurate, complete, and consistent, and that it has not been altered or corrupted by unauthorized parties or processes. Data integrity checking can involve the use of techniques such as checksums, hashes, digital signatures, or encryption. Data integrity checking can enhance the quality and reliability of the data or information, as well as detect and prevent any unauthorized or malicious changes or tampering. However, data integrity checking is not the most effective measure against external threats to the organization’s confidential information, as it does not prevent or reduce the risk of data theft or leakage, and it does not verify the identity or legitimacy of the users or devices accessing the data. Intrusion detection system is a system that monitors the network or system activities and events, and detects and alerts any suspicious or malicious behaviors or anomalies that may indicate an attempted or successful breach or attack. Intrusion detection system can help to identify and respond to external threats to the organization’s networks, systems, and data, by providing visibility and awareness of the network or system status and activities, and by enabling timely and appropriate actions or countermeasures. However, intrusion detection system is not the most effective measure against external threats to the organization’s confidential information, as it is a reactive or passive system that does not prevent or block the attacks, and it may generate false positives or negatives that can affect its accuracy and efficiency.

Reference: = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.2.1, Page 189.

Question #474

An organization has identified that terminated employee accounts are not disabled or deleted within the time required by corporate policy. Unsure of the reason, the organization has decided to monitor the situation for three months to obtain more information. As a result of this decision, the risk has been:

A . avoided.
B . accepted.
C . mitigated.
D . transferred.

Lösung einblenden Lösung ausblenden

Question #475

Which of the following would be a risk practitioner’s BEST course of action when a project team has accepted a risk outside the established risk appetite?

A . Reject the risk acceptance and require mitigating controls.
B . Monitor the residual risk level of the accepted risk.
C . Escalate the risk decision to the project sponsor for review.
D . Document the risk decision in the project risk register.

Lösung einblenden Lösung ausblenden

Question #476

A risk practitioner has been asked to assess the risk associated with a new critical application used by a financial process team that the risk practitioner was a member of two years ago.

Which of the following is the GREATEST concern with this request?

A . The risk assessment team may be overly confident of its ability to identify issues.
B . The risk practitioner may be unfamiliar with recent application and process changes.
C . The risk practitioner may still have access rights to the financial system.
D . Participation in the risk assessment may constitute a conflict of interest.

Lösung einblenden Lösung ausblenden

Question #477

The analysis of which of the following will BEST help validate whether suspicious network activity is malicious?

A . Logs and system events
B . Intrusion detection system (IDS) rules
C . Vulnerability assessment reports
D . Penetration test reports

Lösung einblenden Lösung ausblenden

Question #478

Which of the following is the MOST important consideration when prioritizing risk response?

A . Requirements for regulatory obligations.
B . Cost of control implementation.
C . Effectiveness of risk treatment.
D . Number of risk response options.

Lösung einblenden Lösung ausblenden

Question #479

Which of the following is a risk practitioner’s BEST recommendation regarding disaster recovery management (DRM) for Software as a Service (SaaS) providers?

A . Conduct inoremental backups of data in the SaaS environment to a local data center.
B . Implement segregation of duties between multiple SaaS solution providers.
C . Codify availability requirements in the SaaS provider’s contract.
D . Conduct performance benchmarking against other SaaS service providers.

Lösung einblenden Lösung ausblenden

Question #480

Which of the following is the MOST effective way to help ensure future risk levels do not exceed the organization’s risk appetite?

A . Developing contingency plans for key processes
B . Implementing key performance indicators (KPIs)
C . Adding risk triggers to entries in the risk register
D . Establishing a series of key risk indicators (KRIs)

Lösung einblenden Lösung ausblenden