Free ISACA CRISC Übungsprüfungen - Seite 59 von 65

Question #581

Which of the following is the BEST method to identify unnecessary controls?

A . Evaluating the impact of removing existing controls
B . Evaluating existing controls against audit requirements
C . Reviewing system functionalities associated with business processes
D . Monitoring existing key risk indicators (KRIs)

Question #582

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability management process?

A . Percentage of vulnerabilities remediated within the agreed service level
B . Number of vulnerabilities identified during the period
C . Number of vulnerabilities re-opened during the period
D . Percentage of vulnerabilities escalated to senior management

Lösung einblenden Lösung ausblenden

Question #583

An internally developed payroll application leverages Platform as a Service (PaaS) infrastructure from the cloud.

Who owns the related data confidentiality risk?

A . IT infrastructure head
B . Human resources head
C . Supplier management head
D . Application development head

Lösung einblenden Lösung ausblenden

Richtige Antwort: B
B

Explanation:

Data confidentiality risk is the risk that the data may be accessed, disclosed, or modified by unauthorized parties, resulting in breaches of privacy, trust, or compliance1. Platform as a Service (PaaS) is a cloud computing model that provides a platform for developing, testing, and deploying applications, without requiring the users to manage the underlying infrastructure2. An internally developed payroll application is an application that is created and maintained by the organization itself, rather than by a third-party vendor, and that is used to process and manage the payroll data of the organization’s employees3. The owner of the data confidentiality risk is the person or entity that has the authority and accountability for the data and its protection, and that is responsible for identifying, assessing, and mitigating the risk. The owner of the data confidentiality risk related to an internally developed payroll application that leverages PaaS infrastructure from the cloud is the human resources head, as they are the person who oversees the human resources function and the payroll data of the organization. The human resources head has the best understanding of the sensitivity, value, and usage of the payroll data, and the potential impacts and implications of a data confidentiality breach. The human resources head also has the ability and responsibility to define and implement the policies, procedures, and controls that are necessary to protect the payroll data, and to monitor and report on the performance and compliance of the data confidentiality risk management. The IT infrastructure head, the supplier management head, and the application development head are not the best choices for owning the data confidentiality risk related to an internally developed payroll application that leverages PaaS infrastructure from the cloud, as they do not have the same level of authority and accountability as the human resources head. The IT infrastructure head is the person who oversees the IT infrastructure function and the PaaS infrastructure of the organization. The IT infrastructure head may be involved in providing input and feedback to the human resources head on the data confidentiality risk management, especially those related to the PaaS infrastructure, but they do not have the final say or the overall responsibility for the payroll data and its protection. The supplier management head is the person who oversees the supplier management function and the relationship with the cloud service provider that provides the PaaS infrastructure. The supplier management head may be involved in negotiating and enforcing the service level agreements and the security requirements with the cloud service provider, but they do not have the authority or the expertise to manage the data confidentiality risk of the payroll data. The application development head is the person who oversees the application development function and the development, testing, and deployment of the payroll application. The application development head may be involved in designing and implementing the security features and controls of the payroll application, but they do not have the perspective or the influence to manage the data confidentiality risk of the payroll data.

Reference: = 3: Payroll Software: What Is It & How Does It Work? | QuickBooks2: What is Platform as a Service (PaaS)? | IBM1: Data Confidentiality:

Identifying and Protecting Assets Against Data …: [Risk Ownership – Risk Management]: [Human Resources and Payroll Security Policy – University of …]: [Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.1: IT Risk Concepts, pp. 17-19.]: [Risk and Information Systems Control Study Manual, Chapter 2: IT Risk Assessment, Section 2.1: Risk Identification, pp. 57-59.]: [Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.2: Risk Monitoring, pp. 189-191.]: [Risk and Information Systems Control Study Manual, Chapter 5: Information Systems Control Design and Implementation, Section 5.1: Control Design, pp. 233-235.]: [Risk and Information Systems Control Study Manual, Chapter 5: Information Systems Control Design and Implementation, Section 5.2: Control Implementation, pp. 243-245.]: [Risk and Information Systems Control Study Manual, Chapter 5: Information Systems Control Design and Implementation, Section 5.3: Control Monitoring and Maintenance, pp. 251-253.]

Question #584

Which of the following provides the MOST helpful reference point when communicating the results of a risk assessment to stakeholders?

A . Risk tolerance
B . Risk appetite
C . Risk awareness
D . Risk policy

Lösung einblenden Lösung ausblenden

Question #585

Which of the following stakeholders define risk tolerance for an enterprise?

A . IT compliance and IT audit
B . Regulators and shareholders
C . The board and executive management
D . Enterprise risk management (ERM)

Lösung einblenden Lösung ausblenden

Question #586

Which of the following is the MOST important consideration when performing a risk assessment of a fire suppression system within a data center?

A . Insurance coverage
B . Onsite replacement availability
C . Maintenance procedures
D . Installation manuals

Lösung einblenden Lösung ausblenden

Question #587

Which of the following is the BEST method for identifying vulnerabilities?

A . Batch job failure monitoring
B . Periodic network scanning
C . Annual penetration testing
D . Risk assessments

Lösung einblenden Lösung ausblenden

Richtige Antwort: B
B

Explanation:

The best method for identifying vulnerabilities is periodic network scanning. Network scanning is a process of scanning and probing the network devices, systems, and applications to discover and analyze their security weaknesses, such as configuration errors, outdated software, or open ports. Network scanning can help to identify the vulnerabilities that could be exploited by attackers to gain unauthorized access, compromise data, or disrupt services. Periodic network scanning is the best method, because it can provide a regular and comprehensive view of the network security posture, and it can detect and address the new or emerging vulnerabilities in a timely manner. Periodic network scanning can also help to comply with the legal and regulatory requirements and standards for network security, such as the ISO/IEC 27001, the NIST SP 800-53, or the PCI DSS123. The other options are not the best method, although they may be useful or complementary to periodic network scanning. Batch job failure monitoring is a process of monitoring and reporting the failures or errors that occur during the execution of batch jobs, such as data processing, backup, or synchronization. Batch job failure monitoring can help to identify the operational or technical issues that affect the performance or availability of the network services, but it does not directly identify the security vulnerabilities or the potential threats. Annual penetration testing is a process of simulating a real-world attack on the network devices, systems, and applications to evaluate their security defenses and resilience. Penetration testing can help to identify and exploit the vulnerabilities that could be used by attackers to compromise the network security, and to provide recommendations for improvement. However, annual penetration testing is not the best method, because it is not frequent or consistent enough to keep up with the changing and evolving network security landscape, and it may not cover all the network components or scenarios. Risk assessments are a process of identifying, analyzing, and evaluating the risks associated with the network devices, systems, and applications. Risk assessments can help to estimate the probability and impact of the vulnerabilities and the threats, and to prioritize and respond to the risks accordingly. However, risk assessments are not the same as or a substitute for vulnerability identification, as they rely on the vulnerability information as an input, rather than an output.

Reference: = Vulnerability Testing: Methods, Tools, and 10 Best Practices, ISO/IEC 27001 Information Security Management, NIST SP 800-53 Rev. 5

Question #588

A risk practitioner has identified that the agreed recovery time objective (RTO) with a Software as a Service (SaaS) provider is longer than the business expectation.

Which ot the following is the risk practitioner’s BEST course of action?

A . Collaborate with the risk owner to determine the risk response plan.
B . Document the gap in the risk register and report to senior management.
C . Include a right to audit clause in the service provider contract.
D . Advise the risk owner to accept the risk.

Lösung einblenden Lösung ausblenden

Question #589

Which of the following is MOST important when discussing risk within an organization?

A . Adopting a common risk taxonomy
B . Using key performance indicators (KPIs)
C . Creating a risk communication policy
D . Using key risk indicators (KRIs)

Lösung einblenden Lösung ausblenden

Question #590

Which of the following should be the FIRST consideration when establishing a new risk governance program?

A . Developing an ongoing awareness and training program
B . Creating policies and standards that are easy to comprehend
C . Embedding risk management into the organization
D . Completing annual risk assessments on critical resources

Lösung einblenden Lösung ausblenden