Pass Your Next CRISC Certification Exam Easily & Hassle Free [Q520-Q539]


Free ISACA CRISC Exam Question Practice Exams


The ISACA CRISC (Certified in Risk and Information Systems Control) certification exam is designed to test an individual's knowledge of risk management and information systems control. The Certified in Risk and Information Systems Control certification is highly sought after by professionals who want to demonstrate their ability to identify, assess, and evaluate risks to their organization's information systems. The CRISC exam covers four domains: risk identification, assessment, response, and monitoring.

NEW QUESTION # 520
Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation?

  • A. Variances between planned and actual cost
  • B. Completeness of system documentation
  • C. Results of end user acceptance testing
  • D. Availability of in-house resources

Answer: C

Explanation:
End user acceptance testing is a process that verifies that a system or service meets the requirements and expectations of the end users, who are the actual or potential customers or beneficiaries of the system or service. End user acceptance testing is the final stage of testing before the system or service is deployed or released to the production environment. The results of end user acceptance testing are the most important consideration for a risk practitioner when making a system implementation go-live recommendation, as they indicate the quality, functionality, usability, and reliability of the system or service from the end user perspective. The results of end user acceptance testing can help to identify and resolve any defects, errors, or issues that may affect the performance, satisfaction, or acceptance of the system or service by the end users.
The results of end user acceptance testing can also help to evaluate the benefits, value, and risks of the system or service for the end users and the organization. The other options are not the most important consideration for a risk practitioner when making a system implementation go-live recommendation, although they may be relevant and useful. The completeness of system documentation is a factor that affects the maintainability, supportability, and auditability of the system or service, but it does not measure the end user experience or satisfaction. The variances between planned and actual cost are a measure of the efficiency and budget management of the system or service development or implementation, but they do not reflect the end user needs or expectations. The availability of in-house resources supports the system or service delivery and operation, but it does not ensure end user acceptance or approval. References = CRISC Review Manual, pages 180-181; CRISC Review Questions, Answers & Explanations Manual, page 87


NEW QUESTION # 521
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an anti-virus program?

  • A. Frequency of anti-virus software updates
  • B. Percentage of IT assets with current malware definitions
  • C. Number of alerts generated by the anti-virus software
  • D. Number of false positives detected over a period of time

Answer: B


NEW QUESTION # 522
An audit reveals that there are changes in the environment that are not reflected in the risk profile. Which of the following is the BEST course of action?

  • A. Review the risk identification process.
  • B. Update the risk register.
  • C. Create a risk awareness communication plan.
  • D. Inform the risk scenario owners.

Answer: A


NEW QUESTION # 523
What is the GREATEST concern with maintaining decentralized risk registers instead of a consolidated risk register?

  • A. Duplicate resources may be used to manage risk registers.
  • B. Risk analysis may be inconsistent due to non-uniform impact and likelihood scales.
  • C. Aggregated risk may exceed the enterprise's risk appetite and tolerance.
  • D. Standardization of risk management practices may be difficult to enforce.

Answer: D


NEW QUESTION # 524
Which of the following is the BEST evidence that a user account has been properly authorized?

  • A. Notification from human resources that the account is active
  • B. Formal approval of the account by the user's manager
  • C. An email from the user accepting the account
  • D. User privileges matching the request form

Answer: D


NEW QUESTION # 525
You are the project manager of an HGT project that has recently finished the final compilation process. The project customer has signed off on the project completion and you have a few administrative closure activities to do. In the project, there were several large risks that could have wrecked the project, but you and your project team found some new methods to resolve the risks without affecting the project costs or project completion date. What should you do with the risk responses that you identified during the project's monitoring and controlling process?

  • A. Nothing. The risk responses are included in the project's risk register already.
  • B. Include the responses in the project management plan.
  • C. Include the risk responses in the organization's lessons learned database.
  • D. Include the risk responses in the risk management plan.

Answer: C

Explanation:
Risk responses that did not previously exist should be included in the organization's lessons learned database so that other project managers can use these responses in their projects where relevant.
Incorrect Answers:
A: If the newly identified responses are only included in the project's risk register, they may not be shared with project managers working on other projects.
B: The responses do not belong in the project management plan; during the project they are in the risk response plan, and afterwards they are entered into the organization's lessons learned database.
D: The risk responses are included in the risk response plan during the project, but after completing the project they should be entered into the organization's lessons learned database.


NEW QUESTION # 526
Which of the following is the MOST effective way to integrate business risk management with IT operations?

  • A. Provide security awareness training.
  • B. Perform periodic risk assessments.
  • C. Perform periodic IT control self-assessments.
  • D. Require a risk assessment with change requests.

Answer: B


NEW QUESTION # 527
Which of the following is the BEST control to detect an advanced persistent threat (APT)?

  • A. Conducting regular penetration tests
  • B. Utilizing antivirus systems and firewalls
  • C. Implementing automated log monitoring
  • D. Monitoring social media activities

Answer: A


NEW QUESTION # 528
During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall.
Which of the following controls has MOST likely been compromised?

  • A. Identification
  • B. Data validation
  • C. Authentication
  • D. Data integrity

Answer: C


NEW QUESTION # 529
Which of the following is the MOST important consideration when multiple risk practitioners capture risk scenarios in a single risk register?

  • A. Aligning risk ownership and control ownership
  • B. Maintaining up-to-date risk treatment plans
  • C. Developing risk escalation and reporting procedures
  • D. Using a consistent method for risk assessment

Answer: D


NEW QUESTION # 530
Which of the following is the PRIMARY reason for an organization to ensure the risk register is updated regularly?

  • A. Key risk indicators (KRIs) are evaluated to validate they are still within the risk threshold.
  • B. Risk assessment results are accessible to senior management and stakeholders.
  • C. Risk mitigation activities are managed and coordinated.
  • D. Risk information is available to enable risk-based decisions.

Answer: D

Explanation:
The PRIMARY reason for an organization to ensure the risk register is updated regularly is to make sure that risk information is available to enable risk-based decisions, because the risk register is a tool that documents and tracks the identified risks, their characteristics, their status, and their responses. The risk register provides a comprehensive and current view of the risk profile and exposure of the organization, and it supports the decision-making process and the risk management activities. The other options are not the primary reason, because:
* Option A: Key risk indicators (KRIs) are evaluated to validate they are still within the risk threshold is a process that involves updating the risk register regularly, but not the primary reason. KRIs are indicators that measure and monitor the risk exposure and performance of the organization, and they should be compared with the risk threshold to determine whether the risk level is acceptable and whether any action is required, but they are not the only or the most important information in the risk register.
* Option B: Risk assessment results are accessible to senior management and stakeholders is a benefit of updating the risk register regularly, but not the primary reason. Risk assessment results are the outputs of the risk analysis process, and they should be recorded and communicated to the relevant parties, but they are not the only or the most important information in the risk register.
* Option C: Risk mitigation activities are managed and coordinated is a result of updating the risk register regularly, but not the primary reason. Risk mitigation activities are the actions taken to address the identified risks, and they should be monitored and reported in the risk register, but they are not the only or the most important information in the risk register. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 108.


NEW QUESTION # 531
Which of the following is the MOST important consideration when developing risk strategies?

  • A. Concerns of the business process owners
  • B. History of risk events
  • C. Long-term organizational goals
  • D. Organization's industry sector

Answer: C

Explanation:
Risk strategies are the plans and actions that an organization adopts to manage its risks and to achieve its objectives. Risk strategies should be aligned with the organization's vision, mission, values, and culture, as well as its internal and external environment. The most important consideration when developing risk strategies is the long-term organizational goals, meaning that the risk strategies should support and enable the organization to pursue and attain its desired future state and outcomes. The long-term organizational goals should guide the risk identification, assessment, response, and monitoring processes, as well as the risk appetite and tolerance levels. The long-term organizational goals should also be communicated and cascaded throughout the organization to ensure the risk awareness and engagement of all stakeholders. References = Risk and Information Systems Control Study Manual, Chapter 1, Section 1.3.2, pp. 27-28


NEW QUESTION # 532
Which of the following methods is the BEST way to measure the effectiveness of automated information security controls prior to going live?

  • A. Reviewing the security audit report
  • B. Performing a security control review
  • C. Conducting a risk assessment
  • D. Testing in a non-production environment

Answer: D

Explanation:
Automated information security controls are controls that are implemented or executed by software or hardware, without human intervention, to protect the confidentiality, integrity, and availability of information and systems [1]. Examples of automated information security controls include firewalls, antivirus software, encryption, authentication, and logging [2]. The effectiveness of automated information security controls refers to how well they achieve their intended objectives and outcomes, such as preventing, detecting, or responding to security threats or incidents [3]. The best way to measure the effectiveness of automated information security controls prior to going live is to test them in a non-production environment, which is an environment that simulates the production environment but does not contain real or sensitive data or systems [4]. Testing in a non-production environment allows the organization to verify the proper and consistent configuration, functionality, and performance of the automated information security controls, without affecting normal operations or risking the exposure of the data or systems [5]. Testing in a non-production environment also enables the organization to identify and resolve any issues or gaps in the automated information security controls, and to evaluate their compatibility and interoperability with other systems or controls [6]. Performing a security control review, reviewing the security audit report, and conducting a risk assessment are not the best ways to measure the effectiveness of automated information security controls prior to going live, as they do not provide direct and timely information on the configuration, functionality, and performance of the automated information security controls. Performing a security control review is a process that involves checking and verifying that the organization's security controls are up to date, relevant, and effective [7].
A security control review can help to identify and address any issues or gaps in the security controls, but it does not show the actual behavior and results of the automated information security controls in a realistic environment. Reviewing the security audit report is a process that involves reading and analyzing the findings and recommendations of an independent examination and evaluation of the organization's security controls [8].
A security audit report can help to provide assurance and advice on the adequacy and effectiveness of the security controls, but it does not show the current and dynamic status and performance of the automated information security controls in a changing environment. Conducting a risk assessment is a process that involves identifying, analyzing, and evaluating the risks and their potential impacts on the organization's objectives and performance. A risk assessment can help to anticipate and prepare for the risks that may affect the organization's security, but it does not show the actual impact and outcome of the automated information security controls in a specific scenario.
References = [1] Automation Support for Security Control Assessments - NIST; [2] Automated Security Control Assessment: When Self-Awareness Matters; [3] Technology Control Automation: Improving Efficiency, Reducing ... - ISACA; [4] What is a Non-Production Environment? | Definition and FAQs; [5] Why You Need a Non-Production Environment - Plutora; [6] Testing Automated Security Controls - SANS Institute; [7] A brief guide to assessing risks and controls | ACCA Global; [8] IT Risk Resources | ISACA; Risk and Information Systems Control Study Manual, Chapter 2: IT Risk Assessment, Section 2.1: Risk Identification, pp. 57-59.


NEW QUESTION # 533
You are the risk professional of your enterprise. You need to calculate the potential revenue loss if a certain risk occurs. Your enterprise has an electronic commerce (e-commerce) web site that produces US $1 million of revenue each day. If a denial of service (DoS) attack occurs that lasts half a day, how much loss does it create?

  • A. US $100,000 loss
  • B. US $1 million loss
  • C. US $500,000 loss
  • D. US $250,000 loss

Answer: C

Explanation:
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root name servers. The term is generally used with regard to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management. As the total revenue of the website for the day is $1 million, and due to the denial of service attack it is unavailable for half a day:
Therefore,
Revenue loss = $1,000,000/2
= $500,000
Incorrect Answers:
A, B, D: These are wrong answers.


NEW QUESTION # 534
Which of the following would require updates to an organization's IT risk register?

  • A. Completion of the latest internal audit
  • B. Management review of key risk indicators (KRIs)
  • C. Discovery of an ineffectively designed key IT control
  • D. Changes to the team responsible for maintaining the register

Answer: C


NEW QUESTION # 535
Which of the following is the BEST defense against successful phishing attacks?

  • A. Intrusion detection system
  • C. Application hardening
  • D. Spam filters
  • E. End-user awareness

Answer: E

Explanation:
Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing attacks are a type of social engineering attack and are best defended against by end-user awareness training.
Answer C is incorrect. Application hardening does not protect against phishing attacks, since phishing attacks generally use e-mail as the attack vector, with the end user as the vulnerable point, not the application.
Answer D is incorrect. Certain highly specialized spam filters can reduce the number of phishing e-mails that reach users' inboxes, but they are not as effective in addressing phishing attacks as end-user awareness.
Answer A is incorrect. An intrusion detection system does not protect against phishing attacks, since phishing attacks usually do not have a particular pattern or unique signature.


NEW QUESTION # 536
Which of the following is the PRIMARY objective for automating controls?

  • A. Facilitating continuous control monitoring
  • B. Improving control process efficiency
  • C. Reducing the need for audit reviews
  • D. Complying with functional requirements

Answer: A


NEW QUESTION # 537
Which of the following BEST measures the efficiency of an incident response process?

  • A. Average gap between actual and agreed response times
  • B. Number of incidents lacking responses
  • C. Average time between changes and updating of escalation matrix
  • D. Number of incidents escalated to management

Answer: A


NEW QUESTION # 538
You are the risk official of your enterprise. Your enterprise takes important decisions without considering credible risk information and is also unaware of external requirements for risk management and integration with enterprise risk management. In which of the following risk management capability maturity levels does your enterprise exist?

  • A. Level 4
  • B. Level 0
  • C. Level 1
  • D. Level 5

Answer: B

Explanation:
Level 0 (nonexistent): An enterprise's risk management capability maturity level is 0 when:
  • The enterprise does not recognize the need to consider risk management or the business impact from IT risk.
  • Decisions involving risk lack credible information.
  • Awareness of external requirements for risk management and of integration with enterprise risk management (ERM) does not exist.
Incorrect Answers:
A, C, D: These are all much higher levels of the risk management capability maturity model; at all of these levels the enterprise does take decisions considering credible risk information, is aware of external requirements for risk management, and integrates with ERM.

