Free ISACA CRISC Übungsprüfungen - Seite 6 von 65

Question #51

The risk associated with an asset before controls are applied can be expressed as:

A . a function of the likelihood and impact
B . the magnitude of an impact
C . a function of the cost and effectiveness of control.
D . the likelihood of a given threat

Question #52

Reviewing which of the following would provide the MOST useful information when preparing to evaluate the effectiveness of existing controls?

A . Previous audit reports
B . Control objectives
C . Risk responses in the risk register
D . Changes in risk profiles

Lösung einblenden Lösung ausblenden

Question #53

Which of the following BEST reduces the probability of laptop theft?

A . Cable lock
B . Acceptable use policy
C . Data encryption
D . Asset tag with GPS

Lösung einblenden Lösung ausblenden

Question #54

An organization’s IT team has proposed the adoption of cloud computing as a cost-saving measure for the business.

Which of the following should be of GREATEST concern to the risk practitioner?

A . Due diligence for the recommended cloud vendor has not been performed.
B . The business can introduce new Software as a Service (SaaS) solutions without IT approval.
C . The maintenance of IT infrastructure has been outsourced to an Infrastructure as a Service (laaS) provider.
D . Architecture responsibilities may not be clearly defined.

Lösung einblenden Lösung ausblenden

Question #55

Which of the following provides the MOST useful information to trace the impact of aggregated risk across an organization’s technical environment?

A . Business case documentation
B . Organizational risk appetite statement
C . Enterprise architecture (EA) documentation
D . Organizational hierarchy

Lösung einblenden Lösung ausblenden

Richtige Antwort: C
C

Explanation:

Enterprise architecture (EA) documentation provides the most useful information to trace the impact of aggregated risk across the organization’s technical environment, because it describes the structure and behavior of the organization’s IT systems, applications, infrastructure, and processes, and how they support and enable the organization’s strategy and objectives. EA documentation also defines the principles, standards, and guidelines that govern the design and implementation of the IT solutions and services. Aggregated risk is the total or combined level of risk that the organization faces from multiple or interrelated sources or scenarios. Aggregated risk may have a greater impact than the sum of the individual risks, due to the synergistic or compounding effects of the risks. The technical environment is the set of IT components and capabilities that support the organization’s business functions and processes. Tracing the impact of aggregated risk across the technical environment is a process of identifying and assessing the potential or actual consequences of the aggregated risk on the performance, functionality, or security of the IT systems, applications, infrastructure, or processes. EA documentation provides the most useful information, as it helps to understand and analyze the interdependencies and relationships of the IT components and capabilities, and to evaluate the effect of the aggregated risk on the alignment and integration of IT with the organization’s strategy and objectives. Business case documentation, organizational risk appetite statement, and organizational hierarchy are all possible sources of information to trace the impact of aggregated risk, but they are not the most useful information, as they do not provide a comprehensive and detailed view of the technical environment and its architecture.

Reference: = Risk and Information Systems Control Study Manual, Chapter 5, Section 5.2.1, page 183

Question #56

Which stakeholders are PRIMARILY responsible for determining enterprise IT risk appetite?

A . Audit and compliance management
B . The chief information officer (CIO) and the chief financial officer (CFO)
C . Enterprise risk management and business process owners
D . Executive management and the board of directors

Lösung einblenden Lösung ausblenden

Question #57

An organization recently implemented new technologies that enable the use of robotic process automation.

Which of the following is MOST important to reassess?

A . Risk profile
B . Risk tolerance
C . Risk capacity
D . Risk appetite

Lösung einblenden Lösung ausblenden

Question #58

Optimized risk management is achieved when risk is reduced:

A . with strategic initiatives.
B . to meet risk appetite.
C . within resource availability.
D . below risk appetite.

Lösung einblenden Lösung ausblenden

Question #59

Which of the following would be MOST helpful in assessing the risk associated with data loss due to human vulnerabilities?

A . Reviewing password change history
B . Performing periodic access recertification
C . Conducting social engineering exercises
D . Reviewing the results of security awareness surveys

Lösung einblenden Lösung ausblenden

Question #60

During an internal IT audit, an active network account belonging to a former employee was identified.

Which of the following is the BEST way to prevent future occurrences?

A . Conduct a comprehensive review of access management processes.
B . Declare a security incident and engage the incident response team.
C . Conduct a comprehensive awareness session for system administrators.
D . Evaluate system administrators‘ technical skills to identify if training is required.

Lösung einblenden Lösung ausblenden