Free ISACA CRISC Übungsprüfungen - Seite 7 von 65

Question #61

A cote data center went offline abruptly for several hours affecting many transactions across multiple locations.

Which of the to" owing would provide the MOST useful information to determine mitigating controls?

A . Forensic analysis
B . Risk assessment
C . Root cause analysis
D . Business impact analysis (BlA)

Lösung einblenden Lösung ausblenden

Question #62

The MOST important reason to aggregate results from multiple risk assessments on interdependent information systems is to:

A . establish overall impact to the organization
B . efficiently manage the scope of the assignment
C . identify critical information systems
D . facilitate communication to senior management

Lösung einblenden Lösung ausblenden

Question #63

What is the BEST information to present to business control owners when justifying costs related to controls?

A . Loss event frequency and magnitude
B . The previous year’s budget and actuals
C . Industry benchmarks and standards
D . Return on IT security-related investments

Lösung einblenden Lösung ausblenden

Question #64

An organizational policy requires critical security patches to be deployed in production within three weeks of patch availability.

Which of the following is the BEST metric to verify adherence to the policy?

A . Maximum time gap between patch availability and deployment
B . Percentage of critical patches deployed within three weeks
C . Minimum time gap between patch availability and deployment
D . Number of critical patches deployed within three weeks

Lösung einblenden Lösung ausblenden

Question #65

Which of the following would be of GREATEST concern regarding an organization’s asset management?

A . Lack of a mature records management program
B . Lack of a dedicated asset management team
C . Decentralized asset lists
D . Incomplete asset inventory

Lösung einblenden Lösung ausblenden

Question #66

A zero-day vulnerability has been discovered in a globally used brand of hardware server that allows hackers to gain access to affected IT systems.

Which of the following is MOST likely to change as a result of this situation?

A . Control effectiveness
B . Risk appetite
C . Risk likelihood
D . Key risk indicator (KRI)

Lösung einblenden Lösung ausblenden

Richtige Antwort: C
C

Explanation:

The most likely factor to change as a result of a zero-day vulnerability being discovered in a globally used brand of hardware server that allows hackers to gain access to affected IT systems is the risk likelihood. Risk likelihood is the probability or frequency of a risk event occurring, or the possibility of a risk event occurring within a given time period. Risk likelihood is one of the key dimensions of risk analysis, along with the risk impact. Risk likelihood helps to determine the severity and priority of the risk, and to select the most appropriate and effective risk response. Risk likelihood also helps to evaluate the cost-benefit and trade-off of the risk response, and to measure the residual risk and the risk performance. The risk likelihood is likely to change as a result of a zero-day vulnerability, because a zero-day vulnerability is a security flaw that has been discovered but not yet patched by the vendor, which means that it can be exploited by hackers before the affected systems can be updated or protected. A zero-day vulnerability increases the risk likelihood, because it creates a window of opportunity for hackers to launch attacks that could compromise the affected systems, and because it may not be detected or prevented by the existing security controls or measures. The other options are not as likely to change as the risk likelihood, although they may also be affected or influenced by the zero-day vulnerability. Control effectiveness, risk appetite, and key risk indicator (KRI) are all factors that could change as a result of a zero-day vulnerability, but they are not the most likely factor to change. Control effectiveness is the extent to which the risk controls or responses achieve the intended risk objectives or outcomes. Control effectiveness could change as a result of a zero-day vulnerability, because the existing controls may not be able to detect or prevent the exploitation of the vulnerability, or because new or additional controls may be needed to address the vulnerability. However, control effectiveness is not the most likely factor to change, because it depends on the type and level of the controls that are already in place or that can be implemented, and because it may not change until the vulnerability is actually exploited or the risk response is executed. Risk appetite is the amount and type of risk that the organization is willing to accept or pursue in order to achieve its objectives. Risk appetite could change as a result of a zero-day vulnerability, because the vulnerability could affect the organization’s objectives or operations, and because the organization may need to adjust its risk tolerance or threshold to cope with the vulnerability. However, risk appetite is not the most likely factor to change, because it is a strategic and long-term decision that is driven by the organization’s mission, vision, values, and strategy, and because it may not change until the vulnerability is resolved or the risk impact is realized. Key risk indicator (KRI) is a metric that measures the likelihood and impact of risks, and helps monitor and prioritize the most critical risks. KRI could change as a result of a zero-day vulnerability, because the vulnerability could increase the likelihood and impact of the risks, and because the organization may need to update or revise its KRI to reflect the current risk situation. However, KRI is not the most likely factor to change, because it is a monitoring and reporting tool that is derived from the risk analysis and response, and because it may not change until the vulnerability is exploited or the risk response is implemented.

Reference: = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.1, page 4-25.

Question #67

Which of the following is MOST important to consider before determining a response to a vulnerability?

A . The likelihood and impact of threat events
B . The cost to implement the risk response
C . Lack of data to measure threat events
D . Monetary value of the asset

Lösung einblenden Lösung ausblenden

Question #68

Which of the following is the PRIMARY benefit of consistently recording risk assessment results in the risk register?

A . Assessment of organizational risk appetite
B . Compliance with best practice
C . Accountability for loss events
D . Accuracy of risk profiles

Lösung einblenden Lösung ausblenden

Question #69

A deficient control has been identified which could result in great harm to an organization should a low frequency threat event occur.

When communicating the associated risk to senior management the risk practitioner should explain:

A . mitigation plans for threat events should be prepared in the current planning period.
B . this risk scenario is equivalent to more frequent but lower impact risk scenarios.
C . the current level of risk is within tolerance.
D . an increase in threat events could cause a loss sooner than anticipated.

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

The risk practitioner should explain to senior management that mitigation plans for threat events should be prepared in the current planning period, as this would demonstrate a proactive and responsible approach to risk management. Mitigation plans are documents that outline the actions and resources needed to reduce the likelihood and/or impact of a specific risk scenario.

Mitigation plans should include the following elements:

Risk scenario description and risk ID

Risk owner and other stakeholders

Risk response strategy and objectives

Risk response actions and tasks

Resources, costs, and benefits

Roles and responsibilities

Timeline and milestones

Performance indicators and monitoring mechanisms

Contingency plans and triggers

Mitigation plans help to address the gap between the current and desired risk levels and align the risk response with the organizational risk appetite and objectives. Mitigation plans also facilitate the communication, coordination, and collaboration among the risk owners and other stakeholders involved in the risk response process. Mitigation plans should be prepared in the current planning period, as this would allow the organization to act timely and effectively in the event of a low frequency threat event. Preparing mitigation plans in advance would also help to avoid or minimize the potential harm to the organization and its reputation.

The other options are not the best ways to communicate the associated risk to senior management. Explaining that this risk scenario is equivalent to more frequent but lower impact risk scenarios may not accurately reflect the true nature and severity of the risk. Explaining that the current level of risk is within tolerance may not convey the urgency and importance of addressing the risk. Explaining that an increase in threat events could cause a loss sooner than anticipated may not provide a clear and actionable solution for the risk.

Reference: = Four steps for managing risk at the CEO level, IT Risk Resources | ISACA, How to Communicate Risk to Stakeholders | Anitian

Question #70

Which of the following has the GREATEST positive impact on ethical compliance within the risk management process?

A . Senior management demonstrates ethics in their day-to-day decision making.
B . An independent ethics investigation team has been established.
C . Employees are required to complete ethics training courses annually.
D . The risk practitioner is required to consult with the ethics committee.

Lösung einblenden Lösung ausblenden