ISACA CRISC Exam Questions
181.
Privacy and data protection are increasingly important to enterprises.
Which is the MOST impactful regulation that applies to this domain?
- GDPR
- ISACA
- HIPAA
- SOX
Correct answer: GDPR
GDPR is the European Union's General Data Protection Regulation. It applies to data stored anywhere in the European Union and also puts limitations on the handling of data associated with EU citizens.
ISACA is an international professional association focused on IT governance.
The SOX Act of 2002 is a US law that mandates certain practices in financial record keeping and reporting.
HIPAA is a US law in place to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.
182.
What is the name of the model used to outline the roles and responsibilities of various stakeholders in an organization and to clearly show the relationships and interactions between the stakeholders?
- RACI
- Three Lines of Defense
- COSO
- ISO 31000
Correct answer: RACI
The RACI model helps clarify who is responsible for what within an organization for specific projects, processes, or tasks. The letters in RACI mean the following:
- R = Responsible: those who do the work.
- A = Accountable: those who are answerable for the end result.
- C = Consulted: those whose opinions or subject matter expertise are sought out.
- I = Informed: those who are kept up to date.
The Three Lines of Defense model delineates the roles and responsibilities in risk management into three distinct areas.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) model is for enterprise risk management.
The ISO 31000 standard provides guidelines for managing risk faced by organizations. It consists of principles, a framework, and a process for managing risk.
183.
What is a reason why the need for information security awareness has increased?
- People are storing more data
- People are using fewer devices
- Business and personal data are always kept separate
- All sensitive information is encrypted
Correct answer: People are storing more data
The exponential increase in the amount of data being stored is driven by the rise of cloud computing, the proliferation of digital devices, and data-intensive applications. More data storage increases the need for information security awareness to protect against data breaches, unauthorized access, and other cyber threats.
People are using more devices, not fewer; the number of people who use computers is orders of magnitude higher than it once was.
In many cases, business and personal data often overlap, especially with the adoption of Bring Your Own Device (BYOD) policies, remote work, and cloud storage.
While encryption is a critical security measure, not all sensitive information is encrypted.
184.
What is a major cause of employees inadvertently taking action and providing information that results in security breaches?
- Inadequate separation of duties
- Strong separation of duties
- Least privilege policy
- Decreased access to data
Correct answer: Inadequate separation of duties
Separation of duties means that no one individual has data access and authorization that is outside their scope of responsibility. Limiting these capabilities ensures that employees have limits to their actions and activities.
Strong separation of duties helps prevent security breaches by ensuring that no single individual has too much control or access to critical functions.
The principle of least privilege restricts users to the minimum level of access they need to perform their jobs.
Limiting access to data generally enhances security.
185.
What control reporting technique simplifies risk reporting by aggregating performance across functional areas and assigning a numerical value to each?
- Scorecard
- Scatter plot
- Bar chart
- Line diagram
Correct answer: Scorecard
Scorecards combine performance metrics into specific functional areas. Scores are assigned to each area. The scorecard provides an overview of the organization's risk environment at a summarized yet comprehensive level.
Scatter plots are used to display the relationship between two variables and do not aggregate performance data or assign numerical values.
While bar charts visualize data comparisons, they do not aggregate performance across functional areas or assign a numerical value in the same manner as a scorecard.
Line diagrams are used to show trends over time rather than aggregating and simplifying risk reporting across different functional areas.
186.
An organizational asset is something of either tangible or intangible value that is worth protecting. Data is one of an organization's most important assets. However, protecting all of it all the time using the same approach can be cost-prohibitive.
When using a security categorization process, what is the appropriate FIRST step to take to safeguard data?
- Identify information type
- Select provisional impact levels
- Adjust information impact levels
- Assign system security category
Correct answer: Identify information type
Not all data is created equal in terms of value. To ensure the proper handling, use, and safeguarding of data in the most cost-effective way, the enterprise should clearly categorize the data. The first step in this is to identify the information type.
Selecting provisional impact levels is the second step in security categorization.
Adjusting information impact levels occurs after reviewing provisional impact levels.
Assigning a system security category is the last step in the process.
187.
The key to developing effective risk scenarios is to focus on real and relevant risk events.
Which of the following is NOT an example?
- Unsubstantiated assumptions from previous events
- Natural disasters
- Changes in government regulations
- New competitors entering the marketplace
Correct answer: Unsubstantiated assumptions from previous events
Real risk events need to be specific, measurable, relevant, and time-bound. Events that do not need to be considered include such topics as extreme improbabilities/hypotheticals, overgeneralized scenarios, or scenarios based on personal biases, opinions, or unsubstantiated assumptions.
Natural disasters are significant risk events that can have a substantial impact on an organization’s operations.
Changes in government regulations are relevant risks that can affect compliance, operations, and financial performance.
New competitors entering the marketplace is a tangible risk that can impact market share and profitability.
188.
As it relates to risk response, which factor has to do with ensuring that skills exist in the organization to execute the selected risk response?
- Staff expertise
- Outsourcing options
- Resource availability
- Project timelines
Correct answer: Staff expertise
Staff expertise is essential to being able to operationalize the risk response. This requires training and risk awareness across the organization.
Outsourcing options can be considered to address skill gaps or resource needs but are not directly related to the internal expertise available to execute risk responses.
Resource availability refers to the availability of resources such as financial, physical, or technological assets needed to address risks.
Project timelines concern scheduling and deadlines rather than the skills and expertise required for managing risk responses.
189.
Which IT operations function related to risk management has to do with how system parameters are set and architected to work together?
- Configurations
- Incidents
- Policies and procedures
- Assessments
Correct answer: Configurations
Configurations establish the technical components that are in the environment. Configurations also determine the settings and parameters for those components.
Incidents refer to unexpected events that disrupt normal operations or compromise the security of IT systems.
Policies and procedures provide guidelines and rules for managing IT operations, including security measures and best practices. While policies and procedures are essential for establishing a framework for IT operations, they do not directly involve configuring system parameters or architecture.
Assessments, such as risk assessments or vulnerability assessments, involve evaluating the security posture of IT systems to identify potential risks and vulnerabilities.
190.
Which risk assessment leverages expert opinion that is gathered using questionnaires?
- Delphi method
- Decision tree
- Event register
- Cause and consequence analysis
Correct answer: Delphi method
The Delphi method uses information gathered from at least two rounds of questionnaires. The information is summarized and communicated to experts by a facilitator. The experts then build consensus using the information.
A decision tree involves creating a tree-like model of decisions and their possible consequences.
An event register tracks incidents or events but does not use expert questionnaires for risk assessment.
Cause and consequence analysis analyzes the causes and potential consequences of risks but does not involve gathering expert opinions via questionnaires.
191.
What is the biggest project risk that a push to market strategy creates?
- Unrealistic timelines
- High customer involvement
- Relaxed project deadlines
- Unlimited budget
Correct answer: Unrealistic timelines
Rushing a project completion to market often involves attempting to compress the timeline. This can create risk to the project outcome and quality.
High customer involvement can reduce risk by ensuring the product meets customer needs, not increase it.
Relaxed project deadlines typically reduce pressure, not create risk.
An unlimited budget would lower financial constraints, not increase risk.
192.
What type of changeover approach allows an organization the quickest means of rolling back if the new system does not work?
- Parallel
- Flashback
- Phased
- Staged
Correct answer: Parallel
A parallel changeover means that the new system and old system are running simultaneously. That means if there is any issue with the new system, the organization can immediately roll back to the old system because it is still running.
A flashback is a database-specific term that refers to restoring data to a previous point in time.
A phased changeover involves implementing changes gradually over time.
A staged changeover is similar to a phased changeover, involving a gradual implementation of changes.
193.
What does governance attempt to balance in an organization to meet stakeholder needs and deliver value?
- Performance and conformance
- Growth and acquisition
- Innovation and differentiation
- Services and stability
Correct answer: Performance and conformance
Performance has to do with the delivery of business results. Conformance is defined as the process of following guidelines and rules such as regulatory and compliance. Organizations are required to deliver both, and governance is the framework that helps them accomplish that.
Growth and acquisition is a strategic archetype focusing on growing revenues.
Innovation and differentiation is a strategy archetype that focuses on offering new services or products to clients.
Services and stability is a strategy archetype that focuses on stable client-oriented services.
194.
As it relates to risk response, which option is selected when it is impractical or impossible to bring the risk of an activity into line with the risk appetite and tolerance parameters?
- Risk avoidance
- Risk elimination
- Risk mitigation
- Risk transfer
Correct answer: Risk avoidance
The goal of risk management is to ensure that risks incurred fall within the parameters of an organization's risk appetite and tolerance. If this cannot be done, the best choice may be risk avoidance, which means exiting the activities or conditions that could give rise to the risk.
Risk elimination would remove the risk entirely, but that is not always possible.
Risk mitigation involves reducing the likelihood or impact of a risk and is used when avoidance is not feasible.
Risk transfer involves transferring the risk to a third party, such as through insurance.
195.
Which of the following consequences of an organization's noncompliance with the laws and regulations of the jurisdictions in which they operate is the MOST harmful?
- Loss of license
- Fines
- Increased audits
- Employee dissatisfaction
Correct answer: Loss of license
Penalties come in various forms. Losing a license to operate is often the most harmful consequence because it directly impacts the organization’s ability to conduct business.
Fines are often one-time financial penalties that, while burdensome, might not cripple an organization and are less severe than losing the ability to operate entirely.
Increased audits can be a nuisance and lead to additional scrutiny, but they do not impact the organization’s ability to operate.
Employee dissatisfaction can affect morale, productivity, and turnover rates, but it is usually an internal issue that can be managed over time.
196.
As it relates to risk control implementation, which organization provides guidelines that focus on information security?
- ISO
- FCC
- PCI DSS
- CISA
Correct answer: ISO
The International Organization for Standardization (ISO) publishes a series of standards that organizations can leverage when building risk controls. Specifically, the 27000-series standards focus on information security.
The Federal Communications Commission (FCC) regulates communications, such as radio, TV, and the Internet, but does not provide guidelines or standards focused on information security.
The Payment Card Industry Data Security Standard (PCI DSS) focuses solely on securing payment card data.
The Cybersecurity and Infrastructure Security Agency (CISA) focuses on securing U.S. critical infrastructure and offers guidance and tools for cybersecurity but does not develop formal information security standards like ISO.
197.
When migrating from one system to another, which type of risk impacts the quality of the data?
- Data integrity
- Data perpetuity
- Data availability
- Data redundancy
Correct answer: Data integrity
Data integrity has to do with the currency and accuracy of data. Data migration activities can cause data integrity to decrease. This has a significant business impact because users need accurate data to conduct business operations and make decisions.
Data perpetuity refers to the ongoing existence or durability of data over time, but it does not relate to the quality of data during migration.
Data availability refers to ensuring that data is accessible when needed, but it does not address the quality or correctness of the data itself.
Data redundancy refers to the duplication of data, which can help with backup, but does not directly relate to the quality of the data being migrated.
198.
In what phase of the Systems Development Life Cycle (SDLC) is the system purchased?
- Acquisition
- Discovery
- Initiation
- Disposal
Correct answer: Acquisition
New systems can either be developed in-house or purchased off the shelf. In either case, the acquired system meets the requirements identified in the previous phase.
Discovery is not a formal phase in the SDLC but may refer to initial research or information gathering.
Initiation is the phase where the project is first identified and the scope, objectives, and feasibility are defined.
Disposal is the final phase of the SDLC where the system is retired or decommissioned.
199.
An electronics company is implementing a new risk governance framework to enhance its risk management practices. The success of this initiative heavily depends on having strong support from the top levels of the organization to ensure adequate resources, commitment, and alignment with the company’s strategic goals.
Which of the following BEST describes the critical element that is needed to ensure the success of the risk governance framework?
- Executive sponsorship
- Policy
- Lines of defense
- Best practices
Correct answer: Executive sponsorship
Executive sponsorship refers to strong support and commitment from top management. It is the critical element that ensures the success of the risk governance framework.
Policies are important for establishing guidelines but do not specifically refer to top-level support.
The lines of defense model relates to the roles involved in managing risk but does not address the importance of executive backing for successful implementation.
Best practices refer to recommended procedures, but they do not emphasize the role of executive leadership in ensuring success.
200.
As it relates to the data lifecycle, what official guideline can mandate the data archival period?
- Regulations
- Company bylaws
- Procedures
- Policy
Correct answer: Regulations
Laws and regulations are enacted by governing bodies or institutions with authority. They mandate that required data is archived for specific periods of time before being deleted.
Company bylaws are internal rules governing the company's operations and typically do not mandate data archival periods.
Procedures outline the steps employees should take to manage tasks, but they are not legal mandates.
Policies are company-specific guidelines that define the organization’s approach to data retention.