[2024年08月13日] 最新更新されたのはCRISC試験問題2024年更新
無料更新されたISACA CRISCテストエンジン問題には1426問題と解答
CRISC 資格認定を取得するには、候補者は少なくとも 3 年間の IT リスク管理および情報システムの制御に関する経験が必要であり、さらに認定試験に合格する必要があります。試験は 150 問の多肢選択問題から構成され、グローバルな IT 専門家のための協会である ISACA によって実施されます。
質問 # 799
Calculation of the recovery time objective (RTO) is necessary to determine the:
- A. annual loss expectancy (ALE).
- B. time required to restore files.
- C. point of synchronization
- D. priority of restoration.
正解:B
質問 # 800
Fred is the project manager of a large project in his organization. Fred needs to begin planning the risk management plan with the project team and key stakeholders. Which plan risk management process tool and technique should Fred use to plan risk management?
- A. Planning meetings and analysis
- B. Information gathering techniques
- C. Variance and trend analysis
- D. Data gathering and representation techniques
正解:A
解説:
Section: Volume B
Explanation:
There is only one tool and technique available for Fred to plan risk management: planning meetings and analysis. Planning Meeting and Analysis is a tool and technique in the Plan Risk Management process.
Planning meetings are organized by the project teams to develop the risk management plan. Attendees at these meetings include the following:
* Project manager
* Selected project team members
* Stakeholders
* Anybody in the organization with the task to manage risk planning
Sophisticated plans for conducting the risk management activities are defined in these meetings, responsibilities related to risk management are assigned, and risk contingency reserve application approaches are established and reviewed.
Incorrect Answers:
A, B, D: These are not plan risk management tools and techniques.
質問 # 801
The PRIMARY goal of a risk management program is to:
- A. facilitate resource availability.
- B. help prevent operational losses.
- C. safeguard corporate assets.
- D. help ensure objectives are met.
正解:D
解説:
According to the What Is Risk Management & Why Is It Important? article, risk management is the systematic process of identifying, assessing, and mitigating threats or uncertainties that can affect your organization. The primary goal of a risk management program is to help ensure objectives are met, by aligning the risk management process with the organization's strategy, vision, mission, values, and objectives. By having a risk management program, an organization can identify potential problems before they occur and have a plan for addressing them, as well as monitor and report on the effectiveness of the risk responses. This can help the organization to achieve its desired outcomes and create value for its stakeholders. References = What Is Risk Management & Why Is It Important?
質問 # 802
The PRIMARY objective for requiring an independent review of an organization's IT risk management process should be to:
- A. confirm that IT risk assessment results are expressed as business impact.
- B. verify implemented controls to reduce the likelihood of threat materialization.
- C. ensure IT risk management is focused on mitigating potential risk.
- D. assess gaps in IT risk management operations and strategic focus.
正解:D
質問 # 803
Which of the following are risk components of the COSO ERM framework?
Each correct answer represents a complete solution. Choose three.
- A. Risk response
- B. Control activities
- C. Internal environment
- D. Business continuity
正解:A、B、C
解説:
Section: Volume A
Explanation
Explanation:
The risk components defined by the COSO ERM are internal environment, objective settings, event identification, risk assessment, risk response, control objectives, information and communication, and monitoring.
Incorrect Answers:
C: Business continuity is not considered as risk component within the ERM framework.
質問 # 804
A global organization is planning to collect customer behavior data through social media advertising. Which of the following is the MOST important business risk to be considered?
- A. The data analysis may be ineffective in achieving objectives.
- B. Data sampling may be impacted by various industry restrictions.
- C. Business advertising will need to be tailored by country.
- D. Regulatory requirements may differ in each country.
正解:D
解説:
Section: Volume D
質問 # 805
Which of the following is the BEST method for assessing control effectiveness?
- A. Continuous monitoring
- B. Control self-assessment
- C. Predictive analytics
- D. Ad hoc control reporting
正解:A
質問 # 806
Tom works as a project manager for BlueWell Inc. He is determining which risks can affect the project. Which of the following inputs of the identify risks process is useful in identifying risks, and provides a quantitative assessment of the likely cost to complete the scheduled activities?
- A. Cost management plan
- B. Activity duration estimates
- C. Activity cost estimates
- D. Risk management plan
正解:C
解説:
Section: Volume C
Explanation:
The activity cost estimates review is valuable in identifying risks as it provides a quantitative assessment of the expected cost to complete the scheduled activities and is expressed as a range, with a width of the range indicating the degrees of risk.
Incorrect Answers:
A: The activity duration estimates review is valuable in identifying risks associated to the time allowances for the activities or projects as a whole, with a width of the range indicating the degrees of risk.
B: This is the output of plan risk management process. A Risk management plan is a document arranged by a project manager to estimate the effectiveness, predict risks, and build response plans to mitigate them. It also consists of the risk assessment matrix.
C: The cost management plan sets how the costs on a project are managed during the project's lifecycle. It defines the format and principles by which the project costs are measured, reported, and controlled. The cost management plan identifies the person responsible for managing costs, those who have the authority to approve changes to the project or its budget, and how cost performance is quantitatively calculated and reported upon.
質問 # 807
Which of the following should be the MOST important consideration when determining controls necessary for a highly critical information system?
- A. The number of vulnerabilities to the system
- B. The level of acceptable risk to the organization
- C. The number of threats to the system
- D. The organization's available budget
正解:A
質問 # 808
Which of the following should be the MAIN consideration when validating an organization's risk appetite?
- A. Comparison against regulations.
- B. Capacity to withstand loss.
- C. Cost of risk mitigation options.
- D. Maturity of the risk culture.
正解:D
解説:
Section: Volume D
質問 # 809
Which of the following is MOST important to the successful development of IT risk scenarios?
- A. Internal and external audit reports
- B. Control effectiveness assessment
- C. Threat and vulnerability analysis
- D. Cost-benefit analysis
正解:C
質問 # 810
When performing a risk assessment of a new service to support a core business process, which of the following should be done FIRST to ensure continuity of operations?
- A. Define metrics for restoring availability.
- B. Identify conditions that may cause disruptions.
- C. Review incident response procedures.
- D. Evaluate the probability of risk events.
正解:B
解説:
When performing a risk assessment of a new service to support a core business process, the first step is to identify the conditions that may cause disruptions to the service or the process. This involves identifying the sources and causes of potential risk events, such as natural disasters, cyberattacks, human errors, equipment failures, power outages, etc. that may affect the availability, integrity, or confidentiality of the service or the process. By identifying the conditions that may cause disruptions, the risk practitioner can then analyze the probability and impact of the risk events, evaluate the risk exposure, and determine the appropriate risk responses to ensure the continuity of operations. References = CRISC Review Manual, 7th Edition, page 66.
質問 # 811
When implementing an IT risk management program, which of the following is the BEST time to evaluate current control effectiveness?
- A. During the risk assessment
- B. When evaluating risk response
- C. Before defining a framework
- D. When updating the risk register
正解:A
質問 # 812
Which of the following is the BEST indication that an organization's risk management program has not reached the desired maturity level?
- A. A steady increase in the time to recover from incidents
- B. A large number of control exceptions
- C. Significant increases in risk mitigation budgets
- D. Large fluctuations in risk ratings between assessments
正解:D
質問 # 813
FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization?
- A. Never
- B. Every three years
- C. Annually
- D. Quarterly
正解:C
解説:
Explanation/Reference:
Explanation:
Inspection of FISMA is required to be done annually. Each year, agencies must have an independent evaluation of their program. The objective is to determine the effectiveness of the program. These evaluations include:
Testing for effectiveness: Policies, procedures, and practices are to be tested. This evaluation does not
test every policy, procedure, and practice. Instead, a representative sample is tested.
An assessment or report: This report identifies the agency's compliance as well as lists compliance with
FISMA. It also lists compliance with other standards and guidelines.
Incorrect Answers:
B, C, D: Auditing of compliance by external organization is done annually, not quarterly or every three year.
質問 # 814
Which of the following is the MOST important foundational element of an effective three lines of defense model for an organization?
- A. A robust risk aggregation tool set
- B. A well-established risk management committee
- C. Clearly defined roles and responsibilities
- D. Well-documented and communicated escalation procedures
正解:C
解説:
The most important foundational element of an effective three lines of defense model for an organization is clearly defined roles and responsibilities. The three lines of defense model is a framework that outlines the roles and responsibilities of different functions or groups within the organization in relation to risk management and internal control1. The three lines of defense are:
* The first line of defense, which consists of the operational management and staff who own and manage the risks associated with their activities and processes. They are responsible for identifying, assessing, and mitigating the risks, as well as designing, implementing, and operating the controls.
* The second line of defense, which consists of the specialized functions or units that provide oversight, guidance, and support to the first line of defense in managing the risks and controls. They are responsible for developing and maintaining the risk management framework, policies, and standards, as well as monitoring and reporting on the risk and control performance.
* The third line of defense, which consists of the internal audit function that provides independent and objective assurance on the effectiveness and efficiency of the risk management and internal control system. They are responsible for evaluating and testing the design and operation of the risks and controls, as well as reporting and recommending improvements to the senior management and the board.
Clearly defined roles and responsibilities are essential for ensuring that the three lines of defense model works effectively and efficiently. They help to avoid confusion, duplication, or gaps in the risk management and internal control activities, as well as to ensure accountability, coordination, and communication among the different functions or groups. They also help to establish the appropriate level of independence, authority, and competence for each line of defense, as well as to align the risk management and internal control objectives and strategies with the organization's goals and values2.
The other options are not the most important foundational element of an effective three lines of defense model for an organization, as they are either less relevant or less specific than clearly defined roles and responsibilities. A robust risk aggregation tool set is a set of methods or techniques that enable the organization to collect, consolidate, and analyze the risk data and information from different sources, levels, or perspectives. A robust risk aggregation tool set can help to enhance the risk identification, assessment, and reporting processes, as well as to support the risk decision making and prioritization.
However, a robust risk aggregation tool set is not the most important foundational element of an effective three lines of defense model for an organization, as it does not address the roles and responsibilities of the different functions or groups in relation to risk management and internal control.
A well-established risk management committee is a group of senior executives or managers who are responsible for overseeing and directing the risk management activities and performance of the organization. A well-established risk management committee can help to ensure the alignment and integration of the risk management objectives and strategies with the organization's goals and values, as well as to provide guidance and support to the different functions or groups involved in risk management and internal control. However, a well-established risk management committee is not the most important foundational element of an effective three lines of defense model for an organization, as it does not cover the roles and responsibilities of the operational management and staff, the specialized functions or units, or the internal audit function. Well-documented and communicated escalation
* procedures are the steps or actions that are taken to report and resolve any issues or incidents that may affect the risk management and internal control activities or performance of the organization.
Well-documented and communicated escalation procedures can help to ensure the timely and appropriate response and resolution of the issues or incidents, as well as to inform and involve the relevant stakeholders and authorities. However, well-documented and communicated escalation procedures are not the most important foundational element of an effective three lines of defense model for an organization, as they do not define the roles and responsibilities of the different functions or groups in relation to risk management and internal control. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 3, Section 3.1.1, Page 85.
質問 # 815
Which of the following is the MOST effective method for indicating that the risk level is approaching a high or unacceptable level of risk?
- A. Risk register
- B. Cause and effect diagram
- C. Return on investment
- D. Risk indicator
正解:D
解説:
Explanation/Reference:
Explanation:
Risk indicators are metrics used to indicate risk thresholds, i.e., it gives indication when a risk level is approaching a high or unacceptable level of risk. The main objective of a risk indicator is to ensure tracking and reporting mechanisms that alert staff about the potential risks.
Incorrect Answers:
A: A risk register is an inventory of risks and exposure associated with those risks. Risks are commonly found in project management practices, and provide information to identify, analyze, and manage risks.
Typically a risk register contains:
A description of the risk
The impact should this event actually occur
The probability of its occurrence
Risk Score (the multiplication of Probability and Impact)
A summary of the planned response should the event occur
A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact of the
event)
Ranking of risks by Risk Score so as to highlight the highest priority risks to all involved.
D: Return On Investment (ROI) is a performance measure used to evaluate the efficiency of an investment or to compare the efficiency of a number of different investments. To calculate ROI, the benefit (return) of an investment is divided by the cost of the investment; the result is expressed as a percentage or a ratio.
The return on investment formula:
ROI= (Gain from investment - Cost of investment) / Cost of investment
In the above formula "gains from investment", refers to the proceeds obtained from selling the investment of interest.
質問 # 816
Which of the following should be the FIRST consideration when establishing a new risk governance program?
- A. Embedding risk management into the organization
- B. Completing annual risk assessments on critical resources
- C. Developing an ongoing awareness and training program
- D. Creating policies and standards that are easy to comprehend
正解:A
解説:
The first consideration when establishing a new risk governance program is embedding risk management into the organization. Embedding risk management means integrating risk management principles and practices into the organization's culture, values, processes, and decision-making. Embedding risk management helps to ensure that risk management is not seen as a separate or isolated activity, but as a part of the organization's normal operations and strategic objectives. Embedding risk management also helps to create a risk-aware and risk-responsive organization, where risk management is shared and supported by all stakeholders. The other options are not the first consideration, although they may be important steps or components of the risk governance program. Developing an ongoing awareness and training program, creating policies and standards that are easy to comprehend, and completing annual risk assessments on critical resources are all activities that can help to embed risk management into the organization, but they are not the initial or primary consideration. References = Risk and Information Systems Control Study Manual, Chapter 1, Section 1.2.1, page 1-8.
質問 # 817
What are the responsibilities of the CRO?
Each correct answer represents a complete solution. Choose three.
- A. Implement corrective actions
- B. Managing the risk assessment process
- C. Managing the supporting risk management function
- D. Advising Board of Directors
正解:A、B、C
解説:
Explanation/Reference:
Explanation:
Chief Risk Officer is the executive-level manager in an organization. They provide corporate, guidance, governance, and oversight over the enterprise's risk management activities. The main priority for the CRO is to ensure that the organization is in full compliance with applicable regulations. They may also deal with areas regarding insurance, internal auditing, corporate investigations, fraud, and information security.
CRO's responsibilities include:
Managing the risk assessment process
Implementation of corrective actions
Communicate risk management issues
Supporting the risk management functions
質問 # 818
Which of the following is the MOST important element of a successful risk awareness training program?
- A. Customizing content for the audience
- B. Providing incentives to participants
- C. Providing metrics for measurement
- D. Mapping to a recognized standard
正解:A
質問 # 819
Which of the following would BEST enable mitigation of newly identified risk factors related to internet of Things (loT)?
- A. Performing secure code reviews
- B. Performing periodic risk assessments of loT
- C. Implementing loT device software monitoring
- D. Introducing control procedures early in the life cycle
正解:D
質問 # 820
......
100%の合格率を試そう!更新されたのはCRISC試験問題 [2024年更新]:https://jp.fast2test.com/CRISC-premium-file.html
ベストな問題集を使おうIsaca Certificaton CRISC専門試験問題:https://drive.google.com/open?id=1cdAu8ZCLuGSBt39VnP1nUP0KTII4hDbS