Free ISACA CRISC Übungsprüfungen - Seite 51 von 65

Question #501

Which of the following is the BEST way to determine the value of information assets for risk management purposes?

A . Assess the loss impact if the information is inadvertently disclosed.
B . Calculate the overhead required to keep the information secure throughout its life cycle.
C . Calculate the replacement cost of obtaining the information from alternate sources.
D . Assess the market value offered by consumers of the information.

Question #502

Which of the following should be of GREATEST concern to a risk practitioner when determining the effectiveness of IT controls?

A . Configuration updates do not follow formal change control.
B . Operational staff perform control self-assessments.
C . Controls are selected without a formal cost-benefit
D . analysis-Management reviews security policies once every two years.

Lösung einblenden Lösung ausblenden

Question #503

Which of the following is the MOST useful indicator to measure the efficiency of an identity and access management process?

A . Number of tickets for provisioning new accounts
B . Average time to provision user accounts
C . Password reset volume per month
D . Average account lockout time

Lösung einblenden Lösung ausblenden

Question #504

Well-developed, data-driven risk measurements should be:

A . reflective of the lowest organizational level.
B . a data feed taken directly from operational production systems.
C . reported to management the same day data is collected.
D . focused on providing a forward-looking view.

Lösung einblenden Lösung ausblenden

Question #505

Concerned about system load capabilities during the month-end close process, management requires monitoring of the average time to complete tasks and monthly reporting of the findings.

What type of measure has been established?

A . Service level agreement (SLA)
B . Critical success factor (CSF)
C . Key risk indicator (KRI)
D . Key performance indicator (KPI)

Lösung einblenden Lösung ausblenden

Question #506

Which of the following is the BEST way to help ensure risk will be managed properly after a business process has been re-engineered?

A . Reassessing control effectiveness of the process
B . Conducting a post-implementation review to determine lessons learned
C . Reporting key performance indicators (KPIs) for core processes
D . Establishing escalation procedures for anomaly events

Lösung einblenden Lösung ausblenden

Question #507

A PRIMARY advantage of involving business management in evaluating and managing risk is that management:

A . better understands the system architecture.
B . is more objective than risk management.
C . can balance technical and business risk.
D . can make better-informed business decisions.

Lösung einblenden Lösung ausblenden

Question #508

Which of the following is the PRIMARY purpose of periodically reviewing an organization’s risk profile?

A . Align business objectives with risk appetite.
B . Enable risk-based decision making.
C . Design and implement risk response action plans.
D . Update risk responses in the risk register

Lösung einblenden Lösung ausblenden

Question #509

An organization is adopting block chain for a new financial system.

Which of the following should be the GREATEST concern for a risk practitioner evaluating the system’s production readiness?

A . Limited organizational knowledge of the underlying technology
B . Lack of commercial software support
C . Varying costs related to implementation and maintenance
D . Slow adoption of the technology across the financial industry

Lösung einblenden Lösung ausblenden

Question #510

Which of the following is the MOST important consideration when selecting either a qualitative or quantitative risk analysis?

A . Expertise in both methodologies
B . Maturity of the risk management program
C . Time available for risk analysis
D . Resources available for data analysis

Lösung einblenden Lösung ausblenden

Richtige Antwort: C
C

Explanation:

The most important consideration when selecting either a qualitative or quantitative risk analysis is the time available for risk analysis, as this affects the level of detail and accuracy that can be achieved in the risk assessment process. Qualitative risk analysis is a method that uses subjective judgments and ratings to measure and prioritize the risks based on their likelihood and impact, as well as other factors such as urgency, velocity, and persistence. Qualitative risk analysis is usually faster and simpler than quantitative risk analysis, but it may also be less precise and consistent. Quantitative risk analysis is a method that uses numerical data and mathematical models to measure and prioritize the risks based on their probability and magnitude, as well as other factors such as frequency, duration, and correlation. Quantitative risk analysis is usually more complex and time-consuming than qualitative risk analysis, but it may also provide more objective and reliable results. The other options are not the most important considerations when selecting either a qualitative or quantitative risk analysis, although they may have some influence or relevance. Expertise in both methodologies is desirable, but it does not determine the choice of the risk analysis method, as it depends on the availability and suitability of the experts for the specific risk context and objectives. Maturity of the risk management program is important, but it does not dictate the choice of the risk analysis method, as it depends on the level of integration and alignment of the risk management activities with the enterprise’s strategy and goals. Resources available for data analysis are relevant, but they do not decide the choice of the risk analysis method, as they depend on the quality and availability of the data sources and tools for the risk assessment process.

Reference: = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Assessment, page 81.ST