Free ISACA CRISC Übungsprüfungen - Seite 61 von 65

Question #601

Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?

A . Maintain and review the classified data inventor.
B . Implement mandatory encryption on data
C . Conduct an awareness program for data owners and users.
D . Define and implement a data classification policy

Richtige Antwort: D
D

Explanation:

The risk associated with the leakage of confidential data is the possibility and impact of unauthorized disclosure, access, or use of sensitive information that may harm the organization or its stakeholders12.

The first step in managing the risk associated with the leakage of confidential data is to define and implement a data classification policy, which is a document that establishes the criteria, categories, roles, and responsibilities for identifying, labeling, and handling different types of data according to their sensitivity, value, and protection needs34.

Defining and implementing a data classification policy is the first step because it provides the foundation and framework for the data protection strategy, and enables the organization to prioritize and allocate the appropriate resources and controls for the most critical and confidential data34. Defining and implementing a data classification policy is also the first step because it supports the compliance with the relevant laws and regulations, such as GDPR, HIPAA, or PCI-DSS, that require the organization to classify and protect the personal or financial data of its customers or clients34.

The other options are not the first step, but rather possible subsequent steps that may depend on or follow the data classification policy.

For example:

Maintaining and reviewing the classified data inventory is a step that involves creating and updating a record of the data assets that have been classified, and verifying their accuracy and completeness over time34. However, this step is not the first step because it requires the data classification policy to provide the guidance and standards for the data inventory process34.

Implementing mandatory encryption on data is a step that involves applying a cryptographic technique that transforms the data into an unreadable format, and requires a key or a password to decrypt and access the data56. However, this step is not the first step because it requires the data classification policy to determine which data needs to be encrypted, and what level of encryption is appropriate56.

Conducting an awareness program for data owners and users is a step that involves educating and training the people who are responsible for or have access to the data, and informing them of their roles, obligations, and best practices for data protection78. However, this step is not the first step because it requires the data classification policy to define the data ownership and user rights, and the data protection policies and procedures78.

Reference: =

1: Top Four Damaging Consequences of Data Leakage | ZeroFox1

2: 8 Data Leak Prevention Strategies for 2023 | UpGuard2

3: Data Classification: What It Is, Why You Need It, and How to Do It3

4: Data Classification Policy Template – IT Governance USA4

5: Encryption: What It Is, How It Works, and Why You Need It5

6: Encryption Policy Template – IT Governance USA6

7: What Is Security Awareness Training and Why Is It Important? – Kaspersky7

8: Security Awareness Training – Cybersecurity Education Online | Proofpoint US8

Question #602

Following an acquisition, the acquiring company’s risk practitioner has been asked to update the organization’s IT risk profile.

What is the MOST important information to review from the acquired company to facilitate this task?

A . Internal and external audit reports
B . Risk disclosures in financial statements
C . Risk assessment and risk register
D . Business objectives and strategies

Lösung einblenden Lösung ausblenden

Question #603

Which of the following will BEST help an organization evaluate the control environment of several third-party vendors?

A . Review vendors‘ internal risk assessments covering key risk and controls.
B . Obtain independent control reports from high-risk vendors.
C . Review vendors performance metrics on quality and delivery of processes.
D . Obtain vendor references from third parties.

Lösung einblenden Lösung ausblenden

Richtige Antwort: B
B

Explanation:

An organization may rely on third-party vendors to provide some of its IT systems, applications, or services, such as cloud computing, software development, or data processing. The organization should evaluate the control environment of the third-party vendors, which is the set of policies, procedures, and practices that establish the tone and culture of the vendor’s risk management and control activities. The best way to evaluate the control environment of several third-party vendors is to obtain independent control reports from high-risk vendors. Independent control reports are the documents that attest to the design, implementation, and effectiveness of the vendor’s controls, based on the standards or frameworks that are relevant and applicable for the vendor’s services, such as the ISAE 3402 or the SOC 2. Independent control reports are prepared by independent and qualified auditors, who provide an objective and reliable assessment of the vendor’s controls. High-risk vendors are the vendors that pose the highest level of risk to the organization, such as by having access to sensitive or confidential data, or by providing critical or complex services. By obtaining independent control reports from high-risk vendors, the organization can verify that the vendor’s controls are adequate and appropriate for the organization’s needs, and that the vendor complies with the contractual and regulatory requirements. The other options are not as good as obtaining independent control reports from high-risk vendors, as they may not provide sufficient or consistent information or evidence on the vendor’s control environment:

Review vendors’ internal risk assessments covering key risk and controls means that the organization examines the vendor’s own evaluation of its risks and controls, such as by reviewing the vendor’s risk register, risk matrix, or risk report. This may provide some information or insight on the vendor’s control environment, but it may not be as reliable or objective as obtaining independent control reports, as the vendor’s internal risk assessments may have biases, conflicts, or gaps in their methodology, scope, or quality.

Review vendors performance metrics on quality and delivery of processes means that the organization measures and monitors the vendor’s performance and outcomes, such as by using key performance indicators (KPIs), service level agreements (SLAs), or customer satisfaction surveys. This may provide some information or feedback on the vendor’s control environment, but it may not be as comprehensive or relevant as obtaining independent control reports, as the vendor’s performance metrics may not cover all the aspects or components of the vendor’s controls, or may not reflect the latest or updated status or results of the vendor’s controls.

Obtain vendor references from third parties means that the organization collects and verifies the testimonials or recommendations of the vendor’s services from other customers or stakeholders, such as by contacting them directly or by reading their reviews or ratings. This may provide some information or evidence on the vendor’s control environment, but it may not be as accurate or consistent as obtaining independent control reports, as the vendor’s references from third parties may have biases, conflicts, or variations in their expectations, experiences, or opinions of the vendor’s services.

Reference: = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.1.2.1, pp. 147-148.

Question #604

Which of the following is the MOST effective control to maintain the integrity of system configuration files?

A . Recording changes to configuration files
B . Implementing automated vulnerability scanning
C . Restricting access to configuration documentation
D . Monitoring against the configuration standard

Lösung einblenden Lösung ausblenden

Question #605

The PRIMARY benefit of conducting a risk workshop using a top-down approach instead of a bottom-up approach is the ability to:

A . identify specific project risk.
B . obtain a holistic view of IT strategy risk.
C . understand risk associated with complex processes.
D . incorporate subject matter expertise.

Lösung einblenden Lösung ausblenden

Question #606

Which of the blowing is MOST important when implementing an organization s security policy?

A . Obtaining management support
B . Benchmarking against industry standards
C . Assessing compliance requirements
D . Identifying threats and vulnerabilities

Lösung einblenden Lösung ausblenden

Question #607

The MAIN purpose of selecting a risk response is to.

A . ensure compliance with local regulatory requirements
B . demonstrate the effectiveness of risk management practices.
C . ensure organizational awareness of the risk level
D . mitigate the residual risk to be within tolerance

Lösung einblenden Lösung ausblenden

Question #608

Which of the following is the GREATEST concern associated with redundant data in an organization’s inventory system?

A . Poor access control
B . Unnecessary data storage usage
C . Data inconsistency
D . Unnecessary costs of program changes

Lösung einblenden Lösung ausblenden

Question #609

Which of the following BEST mitigates reputational risk associated with disinformation campaigns against an organization?

A . Monitoring digital platforms that disseminate inaccurate or misleading news stories
B . Engaging public relations personnel to debunk false stories and publications
C . Restricting the use of social media on corporate networks during specific hours
D . Providing awareness training to understand and manage these types of attacks

Lösung einblenden Lösung ausblenden

Question #610

A risk action plan has been changed during the risk mitigation effort.

Which of the following is MOST important for the risk practitioner to verify?

A . Impact of the change on inherent risk.
B . Approval for the change by the risk owner.
C . Business rationale for the change.
D . Risk to the mitigation effort due to the change.

Lösung einblenden Lösung ausblenden