A risk practitioner observes that the network team responsible for maintaining the network infrastructure is severely understaffed, which could lead to operational losses. Which of the following is MOST directly affected by the risk practitioner's observation?
Likelihood rating
-Since staffing shortages directly affect the probability of network failures, this impacts the likelihood rating of IT-related risks
When documenting a risk response, which of the following provides the STRONGEST evidence to support the decision?
List of compensating controls
-When documenting a risk response, having a detailed, objective list of compensating controls provides strong evidence that the decision was based on a thorough evaluation of how the risk could be mitigated.
-offers verifiable, tangible evidence that supports the chosen risk response and demonstrates due diligence in risk management
Which of the following is the MOST important consideration when communicating the risk associated with technology end-of-life to business owners?
Security and availability
- End-of-life (EOL) technology no longer receives vendor support, security patches, or updates, making it highly vulnerable to cyber threats and operational failures.
Which of the following would be the GREATEST challenge when implementing a corporate risk framework for a global organization?
Management support
-The greatest challenge in this process is obtaining and sustaining strong management support as it requires uniform adoption and integration across all business units and regions
Which of the following represents a vulnerability?
A standard procedure for applying software patches two weeks after release
-A standard procedure for applying software patches two weeks after release is a vulnerability because it creates a window during which attackers can exploit weaknesses that are already public but not yet patched. The delay is a weakness in the organization's own process; it is not a threat (the attacker) or a risk (the combination of threat, vulnerability, and impact).
Which of the following is the FIRST consideration to reduce risk associated with the storage of personal data?
Minimize the collection of data
-This follows the data minimization principle: organizations should collect only the minimum amount of personal data required for a specific purpose. Data that is never collected cannot be lost or breached, so reducing collection lowers exposure before any storage control is considered.
Which of the following is the BEST recommendation when a key risk indicator (KRI) is generating an excessive volume of events?
Reevaluate the design of the KRIs
-By reevaluating the design of the KRIs, the organization can:
1. Adjust the thresholds to reduce noise and focus on high-risk events.
2. Ensure alignment with business risk tolerance.
3. Improve the efficiency of risk monitoring.
Which of the following is the BEST way to ensure controls are maintained consistently across the environment?
Conducting annual control assessments
-Regular control assessments (sometimes part of internal audits or self-assessments) provide objective evidence that controls are functioning consistently across all units, locations, or systems.
In addition to the risk exposure, which of the following is MOST important for senior management to understand prior to approving the use of artificial intelligence (AI) solutions?
Potential benefits from use of AI solutions
- This is critical because risk must be evaluated in the context of business value—if AI solutions provide substantial strategic or operational advantages, the risk may be justifiable
Which of the following metrics would be MOST helpful to management in understanding the effectiveness of the organization's security awareness controls?
Number of employees who have not completed training
-Awareness control effectiveness is best measured by how well employees are informed and trained in security protocols; employees who have not completed training are the population the control has not yet reached.
Which of the following key control indicators (KCIs) BEST indicates whether security requirements are identified and managed throughout a project life cycle?
Number of projects going live without a security review
-This is a direct measure of how well security is being integrated into the project management process. If projects are being launched without a formal security review, it indicates a breakdown in the control process, showing that security requirements were either missed or not properly managed during the project lifecycle.
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an organization's patch management process?
Percentage of systems with the latest patches
-Directly measures the success of patch deployment
-Indicates compliance with security policies and standards
-Tracks how large the population of systems exposed to known vulnerabilities still is
Which of the following is MOST important to ensure when continuously monitoring the performance of a client-facing application?
Objectives are confirmed with the business owner.
-For continuous performance monitoring to be effective, it must align with business objectives. Confirming those objectives with the business owner ensures that monitoring detects the performance issues that actually affect users and that remediation is prioritized accordingly.
Which of the following BEST enables the development of a successful IT strategy focused on business risk mitigation?
Obtaining input from business management
-Obtaining input from business management ensures that IT risk management efforts are focused on actual business risks
Within the three lines of defense model, the responsibility for managing risk and controls resides with:
operational management
-First line of defense (operational management):
- Owns and manages risk
- Implements and executes internal controls
- Ensures compliance with policies and procedures
Which of the following would be MOST helpful when communicating roles associated with the IT risk management process?
RACI (Responsible, Accountable, Consulted, and Informed) chart
-A RACI chart is a widely used tool for clearly communicating roles and responsibilities within a process, including IT risk management
An organization has implemented a system capable of comprehensive employee monitoring. Which of the following should direct how the system is used?
Organizational policy
-the specific directives for how a comprehensive employee monitoring system should be used are outlined in the organization's policies
Static code analysis has been consistently finding a significant number of critical security issues throughout an organization's internally developed applications. The risk practitioner's BEST recommendation would be to:
provide training on secure programming practices
-If static code analysis is consistently finding significant security issues, this suggests that developers are either unaware of secure coding practices or lack the skills to implement them effectively. Training addresses the root cause rather than fixing each finding after the fact.
Which of the following is the PRIMARY accountability for a control owner?
Ensure the control operates effectively
-The PRIMARY accountability of a control owner is to ensure the control operates effectively. The control owner is the individual responsible for designing, implementing, maintaining, and monitoring the control.
Which of the following BEST supports the effective adoption of risk management across the enterprise?
Participation by functions responsible for the risk
- Most effective way to drive enterprise-wide adoption of risk management is ensuring that the functions responsible for managing the risk are actively involved in the risk management process.
Due to budget constraints, an organization cannot implement encryption to all databases. Which of the following is the MOST useful information to identify high- risk databases where encryption should be applied?
Data classification scheme
-A data classification scheme allows the organization to prioritize databases based on the sensitivity and criticality of the data they contain. It links data protection efforts directly to business and regulatory requirements, ensuring that limited resources
Which of the following is the MOST important metric to monitor the performance of the change management process?
Percentage of changes having completed post-implementation verification
- Without post-implementation verification, changes could introduce security vulnerabilities, system instability, or operational inefficiencies.
A cloud service provider has completed upgrades to its cloud infrastructure to enhance service availability. Which of the following is the MOST important key risk indicator (KRI) for management to monitor?
Number of incidents with downtime exceeding contract threshold
- primary objective of the cloud infrastructure upgrade is to enhance service availability. Therefore, the best measure of success and risk is whether downtime still occurs beyond acceptable limits defined in service level agreements (SLAs)
An organization is moving its critical assets to the cloud. Which of the following is the MOST important key performance indicator (KPI) to include in the service level agreement (SLA)?
Percentage of standard supplier uptime
-When moving critical assets to the cloud, the most important KPI to include in the service level agreement (SLA) is the percentage of standard supplier uptime.
-Uptime is the primary measure of cloud service reliability, and the availability of the critical assets now depends on it.
An organization is required to comply with updates to an existing data protection regulation. Which of the following should the risk practitioner recommend be done FIRST?
Perform a gap analysis to determine if additional controls are required
-The first step is to understand the difference between the old and new requirements. This is the purpose of a gap analysis: to identify what has changed and assess whether existing controls adequately cover the new requirements, or whether new controls are needed.
Which of the following is the MOST effective way to reduce potential losses due to ongoing expense fraud?
Perform regular internal audits
-Regular internal audits directly provide both detection and deterrence.
-Auditors actively review expense reports, reimbursement claims, and supporting documents to identify fraudulent patterns or suspicious transactions.
Which of the following would provide the MOST helpful input to develop risk scenarios associated with hosting an organization's key IT applications in a cloud environment?
Conducting a risk workshop with key stakeholders
- risk scenarios need to reflect realistic situations that could impact the business objectives tied to those applications. Key stakeholders — including business process owners, IT leadership, compliance, legal, and security teams — have first-hand knowledge. This aligns directly with ISACA's top-down and bottom-up approaches to risk scenario development
Which of the following controls BEST enables an organization to ensure a complete and accurate IT asset inventory?
Performing network scanning for unknown devices
-Network scanning automates the discovery of IT assets, so that all devices, whether officially recorded or not, are identified and reconciled with the asset inventory.
-Because it observes what is actually connected rather than what was declared, automated network scanning is the most reliable method for maintaining an accurate inventory.
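As an added example (not part of the original study set), the script below reconciles a discovery scan against an asset register: devices seen on the network but missing from the register are flagged as unknown, and registered assets the scan did not find are flagged as unseen. The scan results and CMDB entries are constructed sample data; the matching key (MAC address) and field names are assumptions.

```python
"""Reconcile a network scan against the IT asset inventory (added example).

Constructed data: SCAN_RESULTS stands in for the output of a discovery scan
(for example an ARP sweep or nmap host discovery); CMDB_INVENTORY stands in
for the asset register. Neither is real data.
"""
import re
from typing import Dict, List, Tuple

MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonical form: lowercase hex, no separators ('00:1A-2b.3C:4d:5E' -> '001a2b3c4d5e')."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not MAC_RE.match(cleaned):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return cleaned


# Constructed scan output: what the discovery scan saw on the wire.
SCAN_RESULTS: List[Dict[str, str]] = [
    {"ip": "10.0.1.10", "mac": "00:1A:2B:3C:4D:5E", "hostname": "fs01"},
    {"ip": "10.0.1.11", "mac": "00-1a-2b-3c-4d-5f", "hostname": "db02"},
    {"ip": "10.0.1.57", "mac": "DE:AD:BE:EF:00:01", "hostname": ""},            # not in CMDB
    {"ip": "10.0.1.58", "mac": "de:ad:be:ef:00:02", "hostname": "raspberrypi"},  # not in CMDB
]

# Constructed asset register (CMDB) entries.
CMDB_INVENTORY: List[Dict[str, str]] = [
    {"asset_id": "A-1001", "mac": "001a2b3c4d5e", "owner": "infra"},
    {"asset_id": "A-1002", "mac": "00:1A:2B:3C:4D:5F", "owner": "dba"},
    {"asset_id": "A-1003", "mac": "00:1A:2B:3C:4D:60", "owner": "infra"},  # not seen by scan
]


def reconcile(scan, inventory) -> Tuple[List[dict], List[dict], List[Tuple[dict, dict]]]:
    """Return (unknown_devices, unseen_assets, matched).

    unknown_devices: on the network but absent from the register -> shadow IT,
                     rogue device, or an onboarding record that was never created.
    unseen_assets:   in the register but not found by the scan -> decommissioned
                     without updating the register, offline, or on an unscanned segment.
    """
    by_mac = {normalize_mac(a["mac"]): a for a in inventory}
    seen = set()
    unknown, matched = [], []
    for host in scan:
        key = normalize_mac(host["mac"])
        seen.add(key)
        if key in by_mac:
            matched.append((host, by_mac[key]))
        else:
            unknown.append(host)
    unseen = [a for mac, a in by_mac.items() if mac not in seen]
    return unknown, unseen, matched


def inventory_coverage(scan, inventory) -> float:
    """Share of scanned devices that are in the register; 1.0 means the register is complete."""
    unknown, _, matched = reconcile(scan, inventory)
    total = len(unknown) + len(matched)
    return len(matched) / total if total else 1.0


if __name__ == "__main__":
    unknown, unseen, matched = reconcile(SCAN_RESULTS, CMDB_INVENTORY)
    print(f"matched: {len(matched)}, unknown on network: {len(unknown)}, "
          f"in CMDB but not seen: {len(unseen)}")
    for h in unknown:
        print("  UNKNOWN", h["ip"], h["mac"], h["hostname"] or "(no hostname)")
    for a in unseen:
        print("  UNSEEN ", a["asset_id"], a["mac"])
    print(f"inventory coverage: {inventory_coverage(SCAN_RESULTS, CMDB_INVENTORY):.0%}")
```

Two caveats a practitioner would add: a scan only sees the segments it is run against, so an "unseen" asset may simply live behind a router that does not forward ARP, and the MAC address is only visible from the same layer-2 segment, so a scan run across routed networks needs another key (IP plus hostname, or an agent-reported identifier).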
Which of the following would BEST mitigate an identified risk scenario?
Executing a risk response plan
-Once a risk scenario has been identified, the primary goal is to reduce its likelihood or impact. This is achieved by executing a risk response plan: a set of pre-determined actions tailored to mitigate, transfer, avoid, or accept the risk in a controlled manner.
Which of the following BEST reduces the risk associated with the theft of a laptop containing sensitive information?
Data encryption
-Data encryption is the most effective control to reduce the risk associated with the theft of a laptop containing sensitive information.
-The primary risk is exposure of the sensitive data stored on the device; full-disk encryption renders that data unreadable without the key even though the thief has physical possession of the hardware.
Which of the following practices MOST effectively safeguards the processing of personal data?
Personal data attributed to a specific data subject is tokenized.
-Tokenization is one of the most effective techniques for safeguarding personal data processing because it replaces sensitive data with non-sensitive placeholders (tokens) that have no exploitable value if breached. The mapping from token back to the original value is held separately in a protected vault, so systems that only need to process or join records never hold the personal data itself.
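Added example, not code from the original study set: a minimal token vault that replaces personal data fields with random tokens, keeps the reverse mapping in a separately protected store, and gates detokenization behind an authorization check. The customer records are constructed, the `pii-reader` role is a hypothetical stand-in for real authorization, and the vault is in-memory for illustration.

```python
"""Tokenizing personal data with a vault (added example).

Application records hold only tokens. The token -> value mapping lives in a
vault that is protected and audited separately. Tokens are random, so a stolen
copy of the application database reveals nothing about the data subjects.
Records below are constructed; the role check stands in for real authorization.
"""
import secrets
from typing import Dict, List, Optional

PII_FIELDS = ("national_id", "email")


class TokenVault:
    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        # Deterministic mapping: the same value always gets the same token, so
        # joins and de-duplication still work on the tokenized data.
        self._value_to_token: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        token = self._value_to_token.get(value)
        if token is None:
            token = "tok_" + secrets.token_urlsafe(16)  # 128 bits of randomness, no relation to value
            self._token_to_value[token] = value
            self._value_to_token[value] = token
        return token

    def detokenize(self, token: str, roles: List[str]) -> Optional[str]:
        """Reverse a token. Only callers holding the (hypothetical) pii-reader role may do so."""
        if "pii-reader" not in roles:
            raise PermissionError("caller is not authorized to detokenize")
        return self._token_to_value.get(token)


def tokenize_record(vault: TokenVault, record: Dict[str, str]) -> Dict[str, str]:
    return {k: (vault.tokenize(v) if k in PII_FIELDS else v) for k, v in record.items()}


def tokenize_records(vault: TokenVault, records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [tokenize_record(vault, r) for r in records]


def contains_pii(tokenized: List[Dict[str, str]], originals: List[Dict[str, str]]) -> bool:
    """True if any original personal value (or a fragment such as an e-mail domain) leaked through."""
    fragments = set()
    for r in originals:
        for f in PII_FIELDS:
            fragments.add(r[f])
            fragments.update(part for part in r[f].replace("@", " ").split() if len(part) > 3)
    return any(frag in v for r in tokenized for v in r.values() for frag in fragments)


# Constructed sample records; two accounts share one data subject's e-mail.
CUSTOMERS: List[Dict[str, str]] = [
    {"account": "C-1", "national_id": "123-45-6789", "email": "alice@example.com", "plan": "gold"},
    {"account": "C-2", "national_id": "987-65-4321", "email": "bob@example.com", "plan": "basic"},
    {"account": "C-3", "national_id": "123-45-6789", "email": "alice@example.com", "plan": "trial"},
]

if __name__ == "__main__":
    vault = TokenVault()
    safe = tokenize_records(vault, CUSTOMERS)
    for r in safe:
        print(r)
    print("PII present in tokenized set:", contains_pii(safe, CUSTOMERS))
    print("detokenized:", vault.detokenize(safe[0]["email"], roles=["pii-reader"]))
```

The design point is the contrast with hashing: a hash of an e-mail address is reversible by a dictionary attack because the input space is small, while a random token is not. The deterministic mapping used here keeps records linkable, which is convenient but also means an attacker who obtains the tokenized data can still count how often a token recurs; if that linkability is itself a concern, issue a fresh token per use and let the vault hold the grouping.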
Which of the following MOST effectively enables senior management to communicate risk appetite?
Policies and procedures
- most effectively through policies and procedures, as these establish formal guidelines for acceptable risk levels across the organization.
Which of the following provides the MOST useful information for developing key risk indicators (KRIs)?
Business impact analysis (BIA) results
- because a BIA identifies critical processes, assets, and dependencies—all of which are essential inputs for defining meaningful KRIs
An organization has detected unauthorized logins to its client database servers. Which of the following should be of GREATEST concern?
Potential theft of personal information
- The primary risk is that intruders could steal, modify, or misuse this personal information, leading to significant confidentiality breaches and impacting both clients and the organization
An organization has operations in a location that regularly experiences severe weather events. Which of the following would BEST help to mitigate the risk to operations?
Develop a business continuity plan (BCP)
- A BCP is a proactive plan that ensures critical business processes continue during and after a disruption — including natural disasters like severe weather.
- ISACA emphasizes that the BCP is the key document that ensures operational resilience in the face of various types of disruptions, including severe weather events
Which of the following is the MOST important objective from a cost perspective for considering aggregated risk responses in an organization?
Address more than one risk response
-MOST important cost-related objective for considering aggregated risk responses is to find responses that address multiple risks at once, thereby achieving economies of scale and reducing the overall cost of risk treatment
When is the BEST time to identify risk associated with major projects to determine a mitigation plan?
Project initiation phase
-Risk identification and mitigation planning should begin as early as possible, ideally in the project initiation phase.
A risk practitioner identifies a database application that has been developed and implemented by the business independently of IT. Which of the following is the BEST course of action?
Include the application in IT risk assessments
-In this situation, it is critical for the organization to understand and manage the potential risks associated with that application.
In response to recent security incidents, the IT risk management team is promoting a global security plan that defines controls to be implemented in multiple regions. Which of the following BEST enables the successful deployment of this plan?
Allow each region to adapt the plan to its local requirements
-When deploying a global security plan, ISACA strongly emphasizes the need for flexibility to accommodate local laws, regulatory requirements, and cultural differences; a plan that cannot be adapted locally risks conflicting with regional obligations and being bypassed.
Which of the following activities should only be performed by the third line of defense?
Providing assurance on risk management processes
-The third line of defense in the Three Lines of Defense model is internal audit, which is responsible for providing independent assurance on the effectiveness of risk management, governance, and internal controls. Independence is what distinguishes this activity from the monitoring done by the second line.
Which of the following is the BEST reason to use qualitative measures to express residual risk levels related to emerging threats?
Qualitative measures are better able to incorporate expert judgment.
- Emerging threats are often unpredictable, lack historical data, and evolve rapidly, making it difficult to quantify them using precise numerical values. Qualitative risk assessment allows organizations to leverage expert judgment, industry insights, and scenario analysis to assess risk levels effectively
An information security manager has advocated for the purchase of a data loss prevention (DLP) system to reduce the impact of a potential data breach. Which of the following is the BEST way for the risk practitioner to support this recommendation?
Quantify the costs of the risk mitigation effort
-By presenting quantifiable financial data in a cost-benefit analysis, the risk practitioner can justify the investment in a DLP system to senior management and stakeholders, making it easier to secure funding and approval. The analysis compares the cost of the DLP system with the expected reduction in breach impact.
An operations manager has requested risk acceptance after the execution of a mitigation plan has failed. Which of the following is the risk practitioner's BEST response?
Reassess the risk scenario associated with the action plan.
-A reassessment ensures that the risk is properly evaluated (current likelihood, impact, and why the mitigation failed) before acceptance is considered.
Which of the following is the MOST effective control to maintain the integrity of system configuration files?
Monitoring against the configuration standard
-To maintain system configuration integrity, it is essential to continuously monitor and compare configurations against a baseline or standard. This helps:
1. Detect unauthorized or unintended changes that may introduce vulnerabilities.
2. Ensure compliance with security policies and best practices.
3. Reduce misconfigurations that could lead to system failures or security breaches.
4. Provide real-time alerts for immediate remediation.
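Added example, not part of the original study set: a small file-integrity check that records a SHA-256 baseline of configuration files and then reports which files were modified, added, or removed relative to it. It runs against a temporary directory with constructed config contents; the file names and the drift introduced in `demo()` are illustrative assumptions, and in practice the baseline would be built from the approved configuration standard and stored where the monitored host cannot alter it.

```python
"""Configuration file integrity check against a recorded baseline (added example).

Uses a temporary directory with constructed config files so it runs stand-alone.
The baseline is a map of relative path -> SHA-256 digest; drift is any difference
between that map and the live tree.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def check_drift(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the live tree with the baseline.

    modified: digest differs        -> unauthorized or unrecorded change
    added:    file not in baseline  -> e.g. a dropped-in include that overrides policy
    removed:  baseline file missing -> the control it enforced may no longer apply
    """
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def is_compliant(report: Dict[str, List[str]]) -> bool:
    return not any(report.values())


def demo() -> Dict[str, List[str]]:
    """Build a baseline, then introduce the three kinds of drift and report them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed configuration standard.
        (root / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (root / "sudoers").write_text("%admin ALL=(ALL) ALL\n")
        (root / "conf.d").mkdir()
        (root / "conf.d" / "tls.conf").write_text("ssl_protocols TLSv1.2 TLSv1.3;\n")

        baseline = build_baseline(root)
        if not is_compliant(check_drift(root, baseline)):
            raise RuntimeError("fresh baseline must show no drift")

        # Constructed drift: weaken sshd, drop in an override, delete the TLS policy.
        (root / "sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication yes\n")
        (root / "conf.d" / "99-override.conf").write_text("ssl_protocols TLSv1;\n")
        (root / "conf.d" / "tls.conf").unlink()
        return check_drift(root, baseline)


if __name__ == "__main__":
    report = demo()
    print(json.dumps(report, indent=2))
    print("compliant:", is_compliant(report))
```

Scheduling this check and alerting on a non-empty report gives the "monitoring against the configuration standard" the card describes; the baseline itself must be protected with the same care as the standard, since an attacker who can rewrite both the file and its recorded digest defeats the control.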
What should be the PRIMARY consideration related to data privacy protection when there are plans for a business initiative to make use of personal information?
Do not collect or retain data that is not needed
-The PRIMARY consideration related to data privacy protection is to minimize data collection and retention to only what is absolutely necessary for the business purpose