あなたを必ず合格させるCRISC問題集PDF 2025年最新のに更新されたのは1519問あります
ISACA CRISCリアル試験問題と解答を無料で提供いたします
質問 # 175
When prioritizing risk response, management should FIRST:
- A. determine which risk factors have high remediation costs
- B. evaluate the risk response of similar organizations.
- C. evaluate the organization s ability and expertise to implement the solution.
- D. address high risk factors that have efficient and effective solutions.
正解:D
解説:
According to the Risk and Information Systems Control Study Manual, the first step in prioritizing risk response is to address the high risk factors that have efficient and effective solutions. This means that management should focus on the risks that have the most impact on the organization's objectives and can be mitigated with the least amount of resources and effort. This approach helps to optimize the risk response process and achieve the best results in terms of risk reduction and value creation. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 5, Section 5.3.2, Page 223.
質問 # 176
Marie has identified a risk event in her project that needs a mitigation response. Her response actually creates a new risk event that must now be analyzed and planned for. What term is given to this newly created risk event?
- A. Residual risk
- B. Populated risk
- C. Infinitive risk
- D. Secondary risk
正解:D
解説:
Section: Volume B
Explanation:
Secondary risks are the risks that come about as a result of implementing a risk response. This new risk event must be recorded, analyzed, and planned for management.
Incorrect Answers:
A: A residual risk event is similar to a secondary risk, but is often small in probability and impact, so it may just be accepted.
C: Infinitive risk is not a valid project management term.
D: Populated risk event is not a valid project management term.
質問 # 177
A risk owner has identified a risk with high impact and very low likelihood. The potential loss is covered by insurance. Which of the following should the risk practitioner do NEXT?
- A. Update the risk register.
- B. Evaluate outsourcing the process.
- C. Recommend avoiding the risk.
- D. Validate the risk response with internal audit.
正解:D
質問 # 178
Which of the following provides the BEST evidence that risk mitigation plans have been implemented effectively?
- A. Mitigation plan progress reports
- B. Self-assessments by process owners
- C. Change in the level of residual risk
- D. Risk owner attestation
正解:C
質問 # 179
You are the project manager of the NGQQ Project for your company. To help you communicate project status to your stakeholders, you are going to create a stakeholder register. All of the following information should be included in the stakeholder register except for which one?
- A. Identification information for each stakeholder
- B. Assessment information of the stakeholders' major requirements, expectations, and potential influence
- C. Stakeholder classification of their role in the project
- D. Stakeholder management strategy
正解:D
解説:
Explanation/Reference:
Explanation:
The stakeholder management strategy is generally not included in the stakeholder registry because it may contain sensitive information that should not be shared with project team members or certain other individuals that could see the stakeholder register. The stakeholder register is a project management document that contains a list of the stakeholders associated with the project. It assesses how they are involved in the project and identifies what role they play in the organization. The information in this document can be very perceptive and is meant for limited exchange only. It also contains relevant information about the stakeholders, such as their requirements, expectations, and influence on the project.
Incorrect Answers:
B, C, D: Stakeholder identification, Assessment information, and Stakeholder classification should be included in the stakeholder register.
質問 # 180
Which of the following is the PRIMARY reason for a risk practitioner to use global standards related to risk management?
- A. To build an organizational risk-aware culture
- B. To comply with legal and regulatory requirements
- C. To continuously improve risk management processes
- D. To identify gaps in risk management practices
正解:C
解説:
Section: Volume D
Explanation
質問 # 181
Which of the following events refer to loss of integrity?
Each correct answer represents a complete solution. Choose three.
- A. Someone makes unauthorized changes to a Web site
- B. Someone sees company's secret formula
- C. A virus infects a file
- D. An e-mail message is modified in transit
正解:A、C、D
解説:
Section: Volume C
Explanation:
Loss of integrity refers to the following types of losses:
* An e-mail message is modified in transit A virus infects a file
* Someone makes unauthorized changes to a Web site
Incorrect Answers:
A: Someone sees company's secret formula or password comes under loss of confidentiality.
質問 # 182
Which of the following would BEST enable mitigation of newly identified risk factors related to internet of Things (loT)?
- A. Performing secure code reviews
- B. Introducing control procedures early in the life cycle
- C. Performing periodic risk assessments of loT
- D. Implementing loT device software monitoring
正解:B
質問 # 183
The risk associated with an asset before controls are applied can be expressed as:
- A. the magnitude of an impact
- B. a function of the likelihood and impact
- C. a function of the cost and effectiveness of control.
- D. the likelihood of a given threat
正解:C
質問 # 184
An organization wants to grant remote access to a system containing sensitive data to an overseas third party. Which of the following should be of GREATEST concern to management?
- A. Transborder data transfer restrictions
- B. Lack of after-hours incident management support
- C. Differences in regional standards
- D. Lack of monitoring over vendor activities
正解:D
質問 # 185
Which of the following is the best reason for performing risk assessment?
- A. is incorrect. Budgeting appropriately is one the results of risk assessment but is not the
reason for performing the risk assessment. - B. To analyze the effect on the business
- C. To budget appropriately for the application of various controls
- D. To determine the present state of risk
- E. is incorrect. Analyzing the effect of risk on an enterprise is the part of the process while
performing risk assessment, but is not the reason for doing it. - F. Explanation:
Risk assessment is a process of analyzing the identified risk, both quantitatively and qualitatively. Quantitative risk assessment requires calculations of two components of risk, the magnitude of the potential loss, and the probability that the loss will occur. While qualitatively risk assessment
checks the severity of risk. Hence risk assessment helps in determining the present state of the
risk. - G. To satisfy regulatory requirements
正解:D
解説:
is incorrect. Performing risk assessment may satisfy the regulatory requirements, but is
not the reason to perform risk assessment.
質問 # 186
Which of the following controls is an example of non-technical controls?
- A. Encryption
- B. Access control
- C. Intrusion detection system
- D. Physical security
正解:D
解説:
Section: Volume A
Explanation:
Physical security is an example of non-technical control. It comes under the family of operational controls.
Incorrect Answers:
A, C, D: Intrusion detection system, access control, and encryption are the safeguards that are incorporated into computer hardware, software or firmware, hence they refer to as technical controls.
質問 # 187
Which of the following MOST effectively limits the impact of a ransomware attack?
- A. Data backups
- B. Cyber insurance
- C. End user training
- D. Cryptocurrency reserve
正解:A
解説:
The most effective way to limit the impact of a ransomware attack is to have data backups. Data backups are copies of the data that are stored in a separate location or device, and can be used to restore the data in case of a loss or corruption. Data backups can help to recover the data that is encrypted or deleted by the ransomware, and to avoid paying the ransom to the attackers. Data backups also help to reduce the downtime and disruption caused by the ransomware attack, and to maintain the business continuity and availability of the data. Cyber insurance, cryptocurrency reserve, and end user training are not the most effective ways to limit the impact of a ransomware attack, as they may not prevent or recover the data loss, and may incur additional costs or risks for the enterprise. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 5, Section 5.1.1.1, page 2281
1: ISACA Certified in Risk and Information Systems Control (CRISC) Exam Guide, Answer to Question
657.
質問 # 188
Adrian is a project manager for a new project using a technology that has recently been released and there's relatively little information about the technology. Initial testing of the technology makes the use of it look promising, but there's still uncertainty as to the longevity and reliability of the technology. Adrian wants to consider the technology factors a risk for her project. Where should she document the risks associated with this technology so she can track the risk status and responses?
- A. Risk low-level watch list
- B. Project scope statement
- C. Risk register
- D. Project charter
正解:C
解説:
Explanation/Reference:
Explanation:
A risk register is an inventory of risks and exposure associated with those risks. Risks are commonly found in project management practices, and provide information to identify, analyze, and manage risks. Typically a risk register contains:
A description of the risk
The impact should this event actually occur
The probability of its occurrence
Risk Score (the multiplication of Probability and Impact)
A summary of the planned response should the event occur
A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact of the
event)
Ranking of risks by Risk Score so as to highlight the highest priority risks to all involved.
It records the initial risks, the potential responses, and tracks the status of each identified risk in the
project.
Incorrect Answers:
A: The project scope statement does document initially defined risks but it is not a place that will record risks responses and status of risks.
B: The project charter does not define risks.
C: The risk low-level watch list is for identified risks that have low impact and low probability in the project.
質問 # 189
A recent regulatory requirement has the potential to affect an organization's use of a third party to supply outsourced business services. Which of the following is the BEST course of action?
- A. Identify compensating controls.
- B. Conduct a gap analysis.
- C. Terminate the outsourcing agreement.
- D. Transfer risk to the third party.
正解:B
質問 # 190
An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?
- A. Invoke the disaster recovery plan during an incident.
- B. Prepare a cost-benefit analysis of alternatives available
- C. Implement redundant infrastructure for the application.
- D. Reduce the recovery time by strengthening the response team.
正解:B
質問 # 191
Which of the following is the MAIN reason for documenting the performance of controls?
- A. Obtaining management sign-off
- B. Demonstrating effective risk mitigation
- C. Justifying return on investment
- D. Providing accurate risk reporting
正解:D
解説:
The main reason for documenting the performance of controls is to provide accurate risk reporting. Risk reporting is a process that communicates and discloses the relevant and reliable information about the risks and their management to the stakeholders and decision makers. Risk reporting is an essential component of the risk management process, as it helps to monitor and evaluate the effectiveness and efficiency of the risk identification, assessment, response, and monitoring activities, as well as to support and inform the risk governance and oversight functions. Documenting the performance of controls is a technique that records and tracks the results and outcomes of the controls that are implemented to address the risks, such as the control objectives,
質問 # 192
An enterprise has taken delivery of software patches that address vulnerabilities in its core business software.
Prior to implementation, which of the following is the MOST important task to be performed?
- A. Determine in advance an off-peak period to apply the patches.
- B. Seek information from the software vendor to enable effective application of the patches.
- C. Survey other enterprises regarding their experiences with applying these patches.
- D. Assess the impact of applying the patches on the production environment.
正解:D
解説:
Assessing the impact of applying the patches on the production environment is the most important task to be performed prior to implementation, because it helps to identify and mitigate any potential risks or issues that may arise from the patching process. Patching is a process of applying updates or fixes to software or hardware to address vulnerabilities, bugs, or performance issues. Patching is essential for maintaining the security and functionality of IT systems, but it also introduces the risk of introducing new problems or breaking existing features. Therefore, before applying patches, the organization should assess the impact of the patches on the production environment, such as compatibility, performance, availability, functionality, and security. Surveying other enterprises regarding their experiences with applying these patches, seeking information from the software vendor to enable effective application of the patches, and determining in advance an off-peak period to apply the patches are all helpful tasks to be performed prior to implementation, but they are not the most important task, as they do not directly address the impact of the patches on the production environment. References = Risk and Information Systems Control Study Manual, Chapter 5, Section 5.4.2, page 211
質問 # 193
You are the risk official at Bluewell Inc. There are some risks that are posing threat on your enterprise. You are measuring exposure of those risk factors, which has the highest potential, by examining the extent to which the uncertainty of each element affects the object under consideration when all other uncertain elements are held at their baseline values. Which type of analysis you are performing?
- A. Explanation:
Sensitivity analysis is the quantitative risk analysis technique that: Assist in determination of risk factors that have the most potential impact Examines the extent to which the uncertainty of each element affects the object under consideration when all other uncertain elements are held at their baseline values - B. Sensitivity analysis
- C. Cause-and-effect analysis
- D. Scenario analysis
- E. Fault tree analysis
正解:B
解説:
is incorrect. Fault tree analysis provides a systematic description of the combination of possible undesirable occurrences in a system. It does not measure the extent of uncertainty. Answer:C is incorrect. Cause-and-effect analysis involves the use of predictive or diagnostic analytical tool for exploring the root causes or factors that contribute to positive or negative effects or outcomes, and not the extent of uncertainty. Answer:D is incorrect. Scenario analysis provides ability to see a range of values across several scenarios to identify risk in specific situation. It provides ability to identify those inputs which will provide the greatest level of uncertainty. But it plays no role in determining the extent of uncertainty.
質問 # 194
Which of tie following is We MOST important consideration when implementing ethical remote work monitoring?
- A. Reporting on nonproductive employees is sent to management on a scheduled basis
- B. Multiple data monitoring sources are integrated into security incident response procedures
- C. Monitoring is only conducted between official hours of business
- D. Employees are informed of how they are bong monitored
正解:D
質問 # 195
You are the product manager in your enterprise. You have identified that new technologies, products and services are introduced in your enterprise time-to-time. What should be done to prevent the efficiency and effectiveness of controls due to these changes?
- A. Nothing, efficiency and effectiveness of controls are not affected by these changes
- B. Perform Business Impact Analysis (BIA)
- C. Add more controls
- D. Receive timely feedback from risk assessments and through key risk indicators, and update controls
正解:D
解説:
Explanation/Reference:
Explanation:
As new technologies, products and services are introduced, compliance requirements become more complex and strict; business processes and related information flows change over time. These changes can often affect the efficiency and effectiveness of controls. Formerly effective controls become inefficient, redundant or obsolete and have to be removed or replaced.
Therefore, the monitoring process has to receive timely feedback from risk assessments and through key risk indicators (KRIs) to ensure an effective control life cycle.
Incorrect Answers:
B: Most of the time, the addition of controls results in degradation of the efficiency and profitability of a process without adding an equitable level of corresponding risk mitigation, hence better controls are adopted in place of adding more controls.
C: A BIA is a discovery process meant to uncover the inner workings of any process. It helps to identify about actual procedures, shortcuts, workarounds and the types of failure that may occur. It involves determining the purpose of the process, who performs the process and its output. It also involves determining the value of the process output to the enterprise.
D: Efficiency and effectiveness of controls are not affected by the changes in technology or product, so some measure should be taken.
質問 # 196
......
CRISC試験に備えるには、受験者はISACAのトレーニングと認定資源を活用することができます。これらには、学習教材、オンラインコース、試験準備ワークショップが含まれます。試験は挑戦的であり、受験者は試験を受ける前に数ヶ月間勉強する必要があります。しかし、献身と努力により、受験者はCRISC試験に合格し、ITリスク管理とコントロールの分野で高く尊敬される認定を取得することができます。
合格できるISACA CRISC試験情報と無料練習テスト:https://jp.fast2test.com/CRISC-premium-file.html
2025年最新のの問題CRISC問題集を試そう!更新されたISACA試験が合格できます:https://drive.google.com/open?id=1p_OjPRaWkElIj0hf8XPmaUFRJFrGZqPn