Free ISACA CRISC Übungsprüfungen - Seite 63 von 65

Question #621

What is the MAIN benefit of using a top-down approach to develop risk scenarios?

A . It describes risk events specific to technology used by the enterprise.
B . It establishes the relationship between risk events and organizational objectives.
C . It uses hypothetical and generic risk events specific to the enterprise.
D . It helps management and the risk practitioner to refine risk scenarios.

Question #622

A large organization needs to report risk at all levels for a new centralized visualization project to reduce cost and improve performance.

Which of the following would MOST effectively represent the overall risk of the project to senior management?

A . Aggregated key performance indicators (KPls)
B . Key risk indicators (KRIs)
C . Centralized risk register
D . Risk heat map

Lösung einblenden Lösung ausblenden

Question #623

Which of the following would BEST help to ensure that suspicious network activity is identified?

A . Analyzing intrusion detection system (IDS) logs
B . Analyzing server logs
C . Using a third-party monitoring provider
D . Coordinating events with appropriate agencies

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

An intrusion detection system (IDS) is a network security tool that monitors and analyzes network traffic for signs of malicious or suspicious activity, such as unauthorized access, data exfiltration, malware infection, or denial-of-service attack. An IDS can detect and alert the organization to potential threats based on predefined rules or signatures, or based on anomalies or deviations from normal network behavior. An IDS can also generate logs that record the details of the network events and incidents, such as the source, destination, content, and context of the network traffic. By analyzing the IDS logs, the organization can identify and validate the suspicious network activity, and determine its scope, impact, and root cause. The organization can also use the IDS logs to support the incident response and remediation process, and to improve the network security and resilience. The other options are less effective ways to ensure that suspicious network activity is identified. Analyzing server logs can provide some information about the network activity, but it may not be sufficient or timely to detect and validate the suspicious or malicious activity, as server logs only capture the events or activities that occur on the server, and not on the entire network. Using a third-party monitoring provider can help to outsource the network monitoring and analysis function, but it may not be the best option, as it may introduce additional risks, such as data privacy, vendor reliability, or service quality issues. Coordinating events with appropriate agencies can help to share information and resources with other organizations or authorities, such as law enforcement, regulators, or industry peers, but it may not be the best option, as it may depend on the availability and cooperation of the agencies, and it may not be feasible or desirable to disclose the network activity to external parties.

Reference: = Monitoring for Suspicious Network Activity: Key Tips to Secure Your Network 1

Question #624

An organization’s risk tolerance should be defined and approved by which of the following?

A . The chief risk officer (CRO)
B . The board of directors
C . The chief executive officer (CEO)
D . The chief information officer (CIO)

Lösung einblenden Lösung ausblenden

Richtige Antwort: B
B

Explanation:

The organization’s risk tolerance should be defined and approved by the board of directors, as they are the highest governing body of the organization and have the ultimate responsibility and accountability for the strategic direction and oversight of the risk management process. The board of directors should establish and communicate the risk appetite and tolerance of the organization, and ensure that they are aligned with the organization’s vision, mission, values, and goals. The board of directors should also monitor and review the risk management performance and outcomes, and provide guidance and support to the management and staff. The other options are not the correct answers, as they do not have the authority or responsibility to define and approve the organization’s risk tolerance, although they may have some roles or involvement in the risk management process. The chief risk officer (CRO) is the senior executive who leads and coordinates the risk management activities across the organization, and reports to the board of directors and the chief executive officer (CEO). The CRO should advise and assist the board of directors in defining and approving the risk tolerance, but they cannot do it on their own. The chief executive officer (CEO) is the highest-ranking manager of the organization and has the responsibility and accountability for the execution and implementation of the risk management process. The CEO should support and communicate the risk tolerance defined and approved by the board of directors, but they cannot do it on their own. The chief information officer (CIO) is the senior executive who oversees and manages the information and technology functions and resources of the organization. The CIO should ensure that the IT risks and controls are aligned with the risk tolerance defined and approved by the board of directors, but they cannot do it on their own.

Reference: = Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, page 24.

Question #625

Which of the following would provide the BEST evidence of an effective internal control environment/?

A . Risk assessment results
B . Adherence to governing policies
C . Regular stakeholder briefings
D . Independent audit results

Lösung einblenden Lösung ausblenden

Question #626

Which of the following statements in an organization’s current risk profile report is cause for further action by senior management?

A . Key performance indicator (KPI) trend data is incomplete.
B . New key risk indicators (KRIs) have been established.
C . Key performance indicators (KPIs) are outside of targets.
D . Key risk indicators (KRIs) are lagging.

Lösung einblenden Lösung ausblenden

Richtige Antwort: C
C

Explanation:

A risk profile report is a document that summarizes the current status and trends of the risks that an organization faces, as well as the actions taken or planned to manage them1. A risk profile report is a useful tool for senior management to monitor and oversee the organization’s risk management performance and to make informed decisions and adjustments as needed2. One of the key components of a risk profile report is the key performance indicators (KPIs), which are metrics used to measure and evaluate the achievement of the organization’s objectives and strategies3. KPIs are aligned with the organization’s risk appetite and tolerance, and they have specific targets or benchmarks that indicate the desired level of performance4. Therefore, if the KPIs are outside of targets, it means that the organization is not meeting its objectives and strategies, and that there may be gaps or issues in the risk management process or the risk response actions. This is a cause for further action by senior management, as they need to investigate the root causes of the deviation, assess the impact and implications of the underperformance, and take corrective or preventive measures to improve the situation and bring the KPIs back to the targets. Incomplete KPI trend data, new KRIs, and lagging KRIs are not the most critical statements in a risk profile report that require further action by senior management, as they do not directly indicate a failure or a problem in the risk management performance or the achievement of the objectives and strategies. Incomplete KPI trend data means that there is missing or insufficient information on the historical or projected changes in the KPIs over time. This may affect the accuracy and reliability of the risk profile report, but it does not necessarily mean that the KPIs are outside of targets or that the objectives and strategies are not met. Senior management may need to request or obtain the complete KPI trend data, but this is not as urgent or important as addressing the KPIs that are outside of targets. New KRIs means that there are additional or revised metrics used to measure and monitor the level of risk associated with a particular process, activity, or system within the organization. This may reflect the changes or updates in the risk environment, the risk appetite and tolerance, or the risk assessment methodology. However, new KRIs do not directly indicate a failure or a problem in the risk management performance or the achievement of the objectives and strategies. Senior management may need to review and approve the new KRIs, but this is not as urgent or important as addressing the KPIs that are outside of targets. Lagging KRIs means that there are metrics that measure and monitor the level of risk after a risk event has occurred or a risk response has been implemented. This may provide useful feedback and lessons learned for the risk management process, but it does not directly indicate a failure or a problem in the risk management performance or the achievement of the objectives and strategies. Senior management may need to analyze and evaluate the lagging KRIs, but this is not as urgent or important as addressing the KPIs that are outside of targets.

Reference: = Risk and Information Systems Control Study Manual, Chapter 4: Risk and

Control Monitoring and Reporting, Section 4.3: Risk Reporting, pp. 201-205.

Question #627

Which of the following is MOST helpful in providing a high-level overview of current IT risk severity*?