Free ISACA CRISC Übungsprüfungen - Seite 52 von 65

Question #511

An organization has decided to implement an emerging technology and incorporate the new capabilities into its strategic business plan. Business operations for the technology will be outsourced.

What will be the risk practitioner’s PRIMARY role during the change?

A . Managing third-party risk
B . Developing risk scenarios
C . Managing the threat landscape
D . Updating risk appetite

Lösung einblenden Lösung ausblenden

Question #512

A risk practitioner shares the results of a vulnerability assessment for a critical business application with the business manager.

Which of the following is the NEXT step?

A . Develop a risk action plan to address the findings.
B . Evaluate the impact of the vulnerabilities to the business application.
C . Escalate the findings to senior management and internal audit.
D . Conduct a penetration test to validate the vulnerabilities from the findings.

Lösung einblenden Lösung ausblenden

Question #513

Which of the following is the BEST indication that an organization’s risk management program has not reached the desired maturity level?

A . Significant increases in risk mitigation budgets
B . Large fluctuations in risk ratings between assessments
C . A steady increase in the time to recover from incidents
D . A large number of control exceptions

Lösung einblenden Lösung ausblenden

Richtige Antwort: B
B

Explanation:

A risk management program is a set of processes, policies, and tools that enable an enterprise to identify, analyze, evaluate, treat, monitor, and communicate its risks. The maturity level of a risk management program indicates how well the program is integrated, standardized, and aligned with the enterprise’s objectives, culture, and values. The best indication that an organization’s risk management program has not reached the desired maturity level is large fluctuations in risk ratings between assessments. Risk ratings are the measures of the impact and likelihood of the risks, and they should be consistent and comparable across the enterprise and over time. Large fluctuations in risk ratings between assessments suggest that the risk management program is not stable, reliable, or effective, and that the risk identification and analysis methods are not robust, accurate, or transparent. The other options are not as indicative of the maturity level of the risk management program, as they involve different aspects or outcomes of the risk management program: Significant increases in risk mitigation budgets means that the enterprise is spending more resources on implementing risk responses, such as controls, policies, or procedures. This may indicate that the enterprise is facing more or higher risks, or that the risk responses are more costly or complex, but it does not necessarily reflect the maturity level of the risk management program, as it may also depend on the enterprise’s risk appetite, tolerance, and strategy.

A steady increase in the time to recover from incidents means that the enterprise is taking longer to restore its normal operations after a disruption or a loss. This may indicate that the enterprise is not prepared or resilient enough to deal with the incidents, or that the incidents are more frequent or severe, but it does not necessarily reflect the maturity level of the risk management program, as it may also depend on the nature and source of the incidents, or the availability and effectiveness of the recovery plans.

A large number of control exceptions means that the enterprise is deviating from the established controls, policies, or procedures, either intentionally or unintentionally. This may indicate that the enterprise is not complying with the risk management program, or that the controls are not adequate or appropriate for the enterprise’s needs, but it does not necessarily reflect the maturity level of the risk management program, as it may also depend on the reasons and justifications for the exceptions, or the approval and monitoring processes for the exceptions.

Reference: = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 1, Section 1.1.3.1, pp. 14-15.

Question #514

Which of the following describes the relationship between risk appetite and risk tolerance?

A . Risk appetite is completely independent of risk tolerance.
B . Risk tolerance is used to determine risk appetite.
C . Risk appetite and risk tolerance are synonymous.
D . Risk tolerance may exceed risk appetite.

Lösung einblenden Lösung ausblenden

Question #515

Which of the following is the ULTIMATE objective of utilizing key control indicators (KCIs) in the risk management process?

A . To provide a basis for determining the criticality of risk mitigation controls
B . To provide early warning signs of a potential change in risk level
C . To provide benchmarks for assessing control design effectiveness against industry peers
D . To provide insight into the effectiveness of the intemnal control environment

Lösung einblenden Lösung ausblenden

Question #516

Which of the following is the MOST important consideration for prioritizing risk treatment plans when faced with budget limitations?

A . Inherent risk and likelihood
B . Management action plans associated with audit findings
C . Residual risk relative to appetite and tolerance
D . Key risk indicator (KRI) trends

Lösung einblenden Lösung ausblenden

Question #517

Which of the following aspects of an IT risk and control self-assessment would be MOST important to include in a report to senior management?

A . Changes in control design
B . A decrease in the number of key controls
C . Changes in control ownership
D . An increase in residual risk

Lösung einblenden Lösung ausblenden

Richtige Antwort: D
D

Explanation:

An IT risk and control self-assessment (RCSA) is a process that helps organizations identify and evaluate operational risks and assess the effectiveness of their control measures12. It is a structured approach that involves identifying, assessing, mitigating, and monitoring risks across all levels of an organization12.

A report to senior management is a document that summarizes and communicates the results and findings of the RCSA, and provides recommendations and action plans for improving the risk management and control processes34.

The most important aspect of an IT risk and control self-assessment to include in a report to senior management is an increase in residual risk, which is the risk remaining after risk treatment, and represents the exposure or potential impact of the risk on the organization’s objectives56.

An increase in residual risk is the most important aspect because it indicates the level of risk that the organization is willing to accept or tolerate, and the gap between the current and desired risk profile56.

An increase in residual risk is also the most important aspect because it requires the attention and decision of the senior management, who are responsible for defining the organization’s risk appetite, strategy, and criteria, and for ensuring that the residual risk is within the acceptable range56.

The other options are not the most important aspects, but rather possible components or outcomes of an IT risk and control self-assessment that may support or complement the report to senior management.

For example:

Changes in control design are components of an IT risk and control self-assessment that involve modifying or updating the control measures to address the changes in the risk environment or the organization’s objectives56. However, changes in control design are not the most important aspect because they do not measure or reflect the residual risk, which is the ultimate goal of the risk treatment56.

A decrease in the number of key controls is an outcome of an IT risk and control self-assessment that indicates the improvement or optimization of the control processes, and the reduction of the complexity or redundancy of the control measures56. However, a decrease in the number of key controls is not the most important aspect because it does not indicate or imply the residual risk, which may depend on other factors such as the effectiveness or efficiency of the controls56. Changes in control ownership are components of an IT risk and control self-assessment that involve assigning or reassigning the responsibility and accountability for the control processes to the appropriate individuals or groups within the organization56. However, changes in control ownership are not the most important aspect because they do not affect or determine the residual risk, which is independent of the control owners56.

Reference: =

1: Risk and control self-assessment – KPMG Global1

2: Control Self Assessments – PwC2

3: How-To Guide: Implementing Risk Control Self-Assessment Steps4

4: RISK MANAGEMENT SELF-ASSESSMENT TEMPLATE – Smartsheet5

5: Risk IT Framework, ISACA, 2009

6: IT Risk Management Framework, University of Toronto, 2017

Question #518

For a large software development project, risk assessments are MOST effective when performed:

A . before system development begins.
B . at system development.
C . at each stage of the system development life cycle (SDLC).
D . during the development of the business case.

Lösung einblenden Lösung ausblenden

Question #519

The PRIMARY purpose of using control metrics is to evaluate the:

A . amount of risk reduced by compensating controls.
B . amount of risk present in the organization.
C . variance against objectives.
D . number of incidents.

Lösung einblenden Lösung ausblenden

Question #520

Which of the following is necessary to enable an IT risk register to be consolidated with the rest of

the organization’s risk register?

A . Risk taxonomy
B . Risk response
C . Risk appetite
D . Risk ranking

Lösung einblenden Lösung ausblenden