Free ISACA CRISC Übungsprüfungen - Seite 50 von 65

Question #491

A risk practitioner has learned that an effort to implement a risk mitigation action plan has stalled due to lack of funding.

The risk practitioner should report that the associated risk has been:

A . mitigated
B . accepted
C . avoided
D . deferred

Lösung einblenden Lösung ausblenden

Question #492

Business areas within an organization have engaged various cloud service providers directly without assistance from the IT department.

What should the risk practitioner do?

A . Recommend the IT department remove access to the cloud services.
B . Engage with the business area managers to review controls applied.
C . Escalate to the risk committee.
D . Recommend a risk assessment be conducted.

Lösung einblenden Lösung ausblenden

Richtige Antwort: D
D

Explanation:

The best action for the risk practitioner to take when business areas within an organization have engaged various cloud service providers directly without assistance from the IT department is to recommend a risk assessment be conducted. A risk assessment is a process of identifying, analyzing, and evaluating the risks associated with the use of cloud services, such as financial, privacy, compliance, security, performance, quality, and technical risks12. A risk assessment can help to determine the current and potential risk exposure and impact of the cloud services, as well as the effectiveness and efficiency of the existing or proposed controls. A risk assessment can also help to prioritize the risks and to develop and implement appropriate risk response strategies and plans, such as risk avoidance, reduction, sharing, or acceptance. Recommending a risk assessment is the best action, because it can provide valuable information and guidance to the business areas and the IT department for managing the cloud services in a consistent, effective, and efficient manner, and for aligning the cloud services with the organizational objectives, strategy, and risk appetite. The other options are not the best action, although they may be related or subsequent steps in the risk management process. Recommending the IT department remove access to the cloud services is a drastic and impractical action, as it may disrupt the business operations and services, and it may not address the underlying causes or drivers of the cloud service adoption. Engaging with the business area managers to review controls applied is a useful and collaborative action, as it can help to understand and evaluate the current state and practices of the cloud service usage, and to identify and address any gaps or issues in the control environment. However, this action should be based on or supported by a risk assessment, rather than preceding or replacing it. Escalating to the risk committee is a reporting and communication action, as it can help to inform and involve the senior management and other stakeholders in the risk management process, and to obtain their support and approval for the risk response actions. However, this action should be done after or along with a risk assessment, rather than before or instead of it.

Reference: = Best Practices to Manage Risks in the Cloud – ISACA, Cloud Risk Management – PwC UK

Question #493

Which of the following is the MOST important concern when assigning multiple risk owners for an identified risk?

A . Accountability may not be clearly defined.
B . Risk ratings may be inconsistently applied.
C . Different risk taxonomies may be used.
D . Mitigation efforts may be duplicated.

Lösung einblenden Lösung ausblenden

Question #494

To help identify high-risk situations, an organization should:

A . continuously monitor the environment.
B . develop key performance indicators (KPIs).
C . maintain a risk matrix.
D . maintain a risk register.

Lösung einblenden Lösung ausblenden

Question #495

Which of the following is the MOST important reason to communicate control effectiveness to senior management?

A . To demonstrate alignment with industry best practices
B . To assure management that control ownership is assigned
C . To ensure management understands the current risk status
D . To align risk management with strategic objectives

Lösung einblenden Lösung ausblenden

Question #496

Which of the following should a risk practitioner do FIRST when an organization decides to use a cloud service?

A . Review the vendor selection process and vetting criteria.
B . Assess whether use of service falls within risk tolerance thresholds.
C . Establish service level agreements (SLAs) with the vendor.
D . Check the contract for appropriate security risk and control provisions.

Lösung einblenden Lösung ausblenden

Question #497

Which of the following is BEST measured by key control indicators (KCIs)?

A . Historical trends of the organizational risk profile
B . Cost efficiency of risk treatment plan projects
C . Comprehensiveness of risk assessment procedures
D . Effectiveness of organizational defense in depth

Lösung einblenden Lösung ausblenden

Question #498

The MOST important measure of the effectiveness of risk management in project implementation is the percentage of projects:

A . introduced into production without high-risk issues.
B . having the risk register updated regularly.
C . having key risk indicators (KRIs) established to measure risk.
D . having an action plan to remediate overdue issues.

Lösung einblenden Lösung ausblenden

Question #499

Which of the following is the BEST recommendation to address recent IT risk trends that indicate social engineering attempts are increasing in the organization?

A . Conduct a simulated phishing attack.
B . Update spam filters
C . Revise the acceptable use policy
D . Strengthen disciplinary procedures

Lösung einblenden Lösung ausblenden

Question #500

Which of the following is MOST essential for an effective change control environment?

A . Business management approval of change requests
B . Separation of development and production environments
C . Requirement of an implementation rollback plan
D . IT management review of implemented changes

Lösung einblenden Lösung ausblenden