Free ISACA CRISC Übungsprüfungen - Seite 54 von 65

Question #531

An organization recently implemented a cybersecurity awareness program that includes phishing simulation exercises for all employees.

What type of control is being utilized?

A . Preventive
B . Compensating
C . Deterrent
D . Detective

Lösung einblenden Lösung ausblenden

Question #532

Which of the following should be the FIRST step when a company is made aware of new regulatory requirements impacting IT?

A . Perform a gap analysis.
B . Prioritize impact to the business units.
C . Perform a risk assessment.
D . Review the risk tolerance and appetite.

Lösung einblenden Lösung ausblenden

Richtige Antwort: D
D

Explanation:

New regulatory requirements impacting IT are those that impose new obligations, restrictions, or standards on how an organization uses, manages, or secures its IT systems, data, or services1. Examples of such regulations include the GDPR, the CCPA, the HIPAA, or the PCI-DSS2. New regulatory requirements impacting IT can pose significant challenges and risks for an organization, such as:

Compliance costs and efforts, such as updating policies, procedures, and systems, training staff, or hiring experts

Noncompliance penalties and consequences, such as fines, lawsuits, sanctions, or reputational damages

Operational disruptions or inefficiencies, such as system changes, data migrations, or service interruptions

Competitive disadvantages or opportunities, such as losing or gaining customers, partners, or markets3

The first step that should be done when a company is made aware of new regulatory requirements impacting IT is to review the risk tolerance and appetite. Risk tolerance is the acceptable level of variation that an organization is willing to accept around its risk appetite. Risk appetite is the amount and type of risk that an organization is willing to take in order to meet its strategic objectives. By reviewing the risk tolerance and appetite, the company can:

Establish a clear and consistent understanding of the organization’s goals, values, and expectations regarding the new regulatory requirements impacting IT

Assess the current and potential impacts of the new regulatory requirements impacting IT on the organization’s performance, operations, or assets

Determine the level of risk exposure and acceptance that the organization is comfortable with, and identify the risk thresholds or limits that should not be exceeded

Align the risk management strategies and actions with the organization’s risk tolerance and appetite, and prioritize the most critical and urgent risks to be addressed

Communicate and report the risk tolerance and appetite to the stakeholders and regulators, and ensure transparency and accountability

Reference: = Regulating emerging technology | Deloitte Insights, Ten Key Regulatory Challenges of 2024 – kpmg.com, The Risks of Non-Compliance with Data Protection Laws, [Risk Tolerance – COSO], [Risk Appetite – COSO], [Risk Appetite and Tolerance – IRM]

Question #533

Which type of cloud computing deployment provides the consumer the GREATEST degree of control over the environment?

A . Community cloud
B . Private cloud
C . Hybrid cloud
D . Public cloud

Lösung einblenden Lösung ausblenden

Question #534

Which of the following is the MOST important outcome of reviewing the risk management process?

A . Assuring the risk profile supports the IT objectives
B . Improving the competencies of employees who performed the review
C . Determining what changes should be made to IS policies to reduce risk
D . Determining that procedures used in risk assessment are appropriate

Lösung einblenden Lösung ausblenden

Question #535

An organization retains footage from its data center security camera for 30 days when the policy requires 90-day retention The business owner challenges whether the situation is worth remediating Which of the following is the risk manager s BEST response‘

A . Identify the regulatory bodies that may highlight this gap
B . Highlight news articles about data breaches
C . Evaluate the risk as a measure of probable loss
D . Verify if competitors comply with a similar policy

Lösung einblenden Lösung ausblenden

Question #536

Which of the following is MOST useful input when developing risk scenarios?

A . Common attacks in other industries.
B . Identification of risk events.
C . Impact on critical assets.
D . Probability of disruptive risk events.

Lösung einblenden Lösung ausblenden

Question #537

An organization has agreed to a 99% availability for its online services and will not accept availability that falls below 98.5%.

This is an example of:

A . risk mitigation.
B . risk evaluation.
C . risk appetite.
D . risk tolerance.

Lösung einblenden Lösung ausblenden

Question #538

Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds?

A . The risk tolerance level
B . Occurrences of specific events
C . Risk scenarios
D . A performance measurement

Lösung einblenden Lösung ausblenden

Question #539

Which of the following would be the GREATEST risk associated with a new implementation of single sign-on?

A . Complex security administration
B . Single point of failure
C . Inability to access key information
D . User resistance to single sign-on

Lösung einblenden Lösung ausblenden

Question #540

The PRIMARY objective for requiring an independent review of an organization’s IT risk management process should be to:

A . assess gaps in IT risk management operations and strategic focus.
B . confirm that IT risk assessment results are expressed as business impact.
C . verify implemented controls to reduce the likelihood of threat materialization.
D . ensure IT risk management is focused on mitigating potential risk.

Lösung einblenden Lösung ausblenden