
[2024年10月21日] 365日更新、有効なCRISC知能問題集
ベスト品質のCRISC試験問題集でISACAテスト高得点を目指そう
質問 # 277
You work as a project manager for BlueWell Inc. You are involved with the project team on the different risk issues in your project. You are using the applications of IRGC model to facilitate the understanding and managing the rising of the overall risks that have impacts on the economy and society. One of your team members wants to know that what the need to use the IRGC is. What will be your reply?
- A. Explanation:
IRGC is aimed at building robust, integrative inter-disciplinary governance models for emerging and existing risks. The International Risk Governance Council (IRGC) is a self-governing organization whose principle is to facilitate the understanding and managing the rising overall risks that have impacts on the economy and society, human health and safety, the environment at large. IRGC's effort is to build and develop concepts of risk governance, predict main risk issues and present risk governance policy recommendations for the chief decision makers. IRGC mainly emphasizes on rising, universal risks for which governance deficits exist. Its goal is to present recommendations for how policy makers can correct them. IRGC models at constructing strong, integrative interdisciplinary governance models for up-coming and existing risks. - B. IRGC is both a concept and a tool.
- C. IRGC models aim at building robust, integrative inter-disciplinary governance models for emerging and existing risks.
- D. IRGC addresses the development of resilience and the capacity of organizations and people to face unavoidable risks.
- E. IRGC addresses understanding of the secondary impacts of a risk.
正解:C
解説:
is incorrect. As IRGC is aimed at building robust, integrative inter-disciplinary governance models for emerging and existing risks, so it is the best answer for this options D and C are incorrect. Risk governance addresses understanding of the secondary impacts of a risk, the development of resilience and the capacity of organizations and people to face unavoidable risks.
質問 # 278
Which of the following is the BEST course of action when an organization wants to reduce likelihood in order to reduce a risk level?
- A. Transfer the risk.
- B. Monitor risk controls.
- C. Implement preventive measures.
- D. Implement detective controls.
正解:C
解説:
The best course of action when an organization wants to reduce likelihood in order to reduce a risk level is to implement preventive measures. Likelihood is the probability or chance of a risk occurring, and risk level is the combination of likelihood and impact of a risk. Preventive measures are controls that are designed to prevent or deter the occurrence of a risk, such as policies, standards, procedures, guidelines, etc. Implementing preventive measures is the best course of action, because it helps to reduce the likelihood of a risk, and consequently, the risk level. Implementing preventive measures also helps to protect and enhance the organization's objectives, performance, and improvement. The other options are not the best course of action, although they may be related to the risk management process. Monitoring risk controls, implementing detective controls, and transferring the risk are all activities that can help to manage or mitigate the risks, but they do not necessarily reduce the likelihood or the risk level. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.1, page 4-21.
質問 # 279
Which of the following should be a risk practitioner's GREATEST concern upon learning of failures in a data migration activity?
- A. Integrity of data
- B. System performance
- C. Cost overruns
- D. Availability of test data
正解:A
解説:
The integrity of data should be the greatest concern for a risk practitioner upon learning of failures in a data migration activity, because it affects the accuracy, completeness, and consistency of the data that are transferred from one system or format to another. Data integrity is a property of data that ensures that the data are valid, reliable, and trustworthy, and that they have not been altered or corrupted by unauthorized or accidental means. Data migration is a process of moving or copying data from one system or format to another, usually as part of a system upgrade, consolidation, or transformation. Data migration can pose risks to the integrity of data, such as data loss, duplication, inconsistency, or corruption, due to factors such as incompatible formats, human errors, technical glitches, or malicious attacks. Therefore, the integrity of data should be the greatest concern, as it impacts the quality and usability of the data, and the performance and functionality of the system. The availability of test data, the cost overruns, and the system performance are all possible concerns for a risk practitioner, but they are not the greatest concern, as they do not directly affect the integrity of data. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.2, page 158
質問 # 280
Which of the following is the MOST important consideration when selecting either a qualitative or quantitative risk analysis?
- A. Resources available for data analysis
- B. Time available for risk analysis
- C. Expertise in both methodologies
- D. Maturity of the risk management program
正解:B
解説:
The most important consideration when selecting either a qualitative or quantitative risk analysis is the time available for risk analysis, as this affects the level of detail and accuracy that can be achieved in the risk assessment process. Qualitative risk analysis is a method that uses subjective judgments and ratings to measure and prioritize the risks based on their likelihood and impact, as well as other factors such as urgency, velocity, and persistence. Qualitative risk analysis is usually faster and simpler than quantitative risk analysis, but it may also be less precise and consistent. Quantitative risk analysis is a method that uses numerical data and mathematical models to measure and prioritize the risks based on their probability and magnitude, as well as other factors such as frequency, duration, and correlation. Quantitative risk analysis is usually more complex and time-consuming than qualitative risk analysis, but it may also provide more objective and reliable results.
The other options are not the most important considerations when selecting either a qualitative or quantitative risk analysis, although they may have some influence or relevance. Expertise in both methodologies is desirable, but it does not determine the choice of the risk analysis method, as it depends on the availability and suitability of the experts for the specific risk context and objectives. Maturity of the risk management program is important, but it does not dictate the choice of the risk analysis method, as it depends on the level of integration and alignment of the risk management activities with the enterprise's strategy and goals. Resources available for data analysis are relevant, but they do not decide the choice of the risk analysis method, as they depend on the quality and availability of the data sources and tools for the risk assessment process. References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Assessment, page 81.ST
質問 # 281
Which of the following will BEST support management reporting on risk?
- A. Risk policy requirements
- B. A risk register
- C. Control self-assessment (CSA)
- D. Key performance indicators (KPIs)
正解:D
質問 # 282
Which of the following is the MOST important consideration when identifying stakeholders to review risk scenarios developed by a risk analyst? The reviewers are:
- A. independent from the business operations.
- B. members of senior management.
- C. accountable for the affected processes.
- D. authorized to select risk mitigation options.
正解:A
解説:
Section: Volume D
質問 # 283
An organization is considering outsourcing user administration controls for a critical system. The potential vendor has offered to perform quarterly self-audits of its controls instead of having annual independent audits.
Which of the following should be of GREATEST concern to the risk practitioner?
- A. The vendor will not achieve best practices
- B. The controls may not be properly tested
- C. The vendor will not ensure against control failure
- D. Lack of a risk-based approach to access control
正解:C
解説:
Section: Volume D
Explanation/Reference:
質問 # 284
Which of the following is the most accurate definition of a project risk?
- A. It is an uncertain event or condition within the project execution.
- B. It is an uncertain event that can affect at least one project objective.
- C. It is an unknown event that can affect the project scope.
- D. It is an uncertain event that can affect the project costs.
正解:B
解説:
Section: Volume B
Explanation:
Risk is an uncertain event or condition that, if it occurs, has an effect on at least one project objective.
Project risk is concerned with the expected value of one or more results of one or more future events in a project. It is an uncertain condition that, if it occurs, has an effect on at least one project objective. Objectives can be scope, schedule, cost, and quality. Project risk is always in the future.
Incorrect Answers:
A: Risk is not unknown, it is uncertain; in addition, the event can affect at least one project objective - not just the project scope.
B: This statement is almost true, but the event does not have to happen within project execution.
C: Risks can affect time, costs, or scope, rather affecting only cost.
質問 # 285
Which of the following would BEST facilitate the maintenance of data classification requirements?
- A. Assigning a data custodian
- B. Establishing a data loss prevention (DLP) solution
- C. Scheduling periodic audits
- D. Implementing technical controls over the assets
正解:C
解説:
Scheduling periodic audits is the best way to facilitate the maintenance of data classification requirements, because it helps to verify and validate that the data are classified and handled according to the established policies, standards, and guidelines, and that the data classification requirements are updated and aligned with the changes in the data environment or regulations. Data classification is a process of categorizing data according to their sensitivity, confidentiality, and value to the organization, and specifying the appropriate handling and protection measures for each category. Data classification requirements are the rules or criteria that define how data should be classified and treated. Scheduling periodic audits is the best way to ensure that the data classification requirements are followed and maintained, and that any issues or gaps are identified and addressed. Assigning a data custodian, implementing technical controls over the assets, and establishing a data loss prevention (DLP) solution are all useful ways to facilitate the maintenance of data classification requirements, but they are not the best way, as they do not provide a comprehensive and independent review and assessment of the data classification process and outcomes. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.2, page 158
質問 # 286
Which of the following is the MOST important reason to revisit a previously accepted risk?
- A. To review the risk acceptance with new stakeholders
- B. To ensure risk levels have not changed
- C. To ensure controls are still operating effectively
- D. To update risk ownership
正解:B
解説:
The most important reason to revisit a previously accepted risk is to ensure that the risk levels have not changed. A previously accepted risk is a risk that the organization has decided to tolerate or retain without taking any further action, because the risk is either low or unavoidable, or the cost or effort of mitigation outweighs the potential benefit. However, risk acceptance is not a static or permanent decision, as the risk levels may change over time due to various factors, such as new threats, vulnerabilities, impacts, or opportunities. Therefore, it is essential to revisit a previously accepted risk periodically or when there is a significant change in the internal or external environment, to verify that the risk is still within the acceptable range and that the risk acceptance rationale is still valid. If the risk levels have increased or decreased, the organization may need to revise the risk acceptance decision and consider other risk response options, such as avoidance, reduction, sharing, or exploitation. The other options are not the most important reason to revisit a previously accepted risk, although they may be relevant or necessary depending on the context and nature of the risk. Updating risk ownership is a part of the risk governance process, which ensures that the roles and responsibilities for managing the risk are clearly defined and assigned, but it does not affect the risk levels or the risk acceptance decision. Reviewing the risk acceptance with new stakeholders is a part of the risk communication process, which ensures that the risk information and the risk acceptance rationale are shared and understood by the relevant parties, but it does not change the risk levels or the risk acceptance decision.
Ensuring that the controls are still operating effectively is a part of the risk monitoring and review process, which ensures that the risk response actions are implemented and maintained properly, but it does not apply to the accepted risks, as they do not have any additional controls. References = Understanding Accepted Risk - SC Dashboard | Tenable, Risk Acceptance - ENISA, Accepting Risk - Overview, Advantages, Disadvantages, Alternatives
質問 # 287
Which of the following is MOST important to communicate to senior management during the initial implementation of a risk management program?
- A. Regulatory compliance
- B. Desired risk level
- C. Best practices
- D. Risk ownership
正解:B
質問 # 288
Which of the following should be an element of the risk appetite of an organization?
- A. The residual risk affected be preventive controls
- B. The effectiveness of compensating controls
- C. The amount of inherent risk considered appropriate
- D. The enterprise's capacity to absorb loss
正解:D
解説:
Section: Volume D
質問 # 289
Your project spans the entire organization. You would like to assess the risk of your project but worried about that some of the managers involved in the project could affect the outcome of any risk identification meeting. Your consideration is based on the fact that some employees would not want to publicly identify risk events that could declare their supervision as poor. You would like a method that would allow participants to anonymously identify risk events. What risk identification method could you use?
- A. Delphi technique
- B. Root cause analysis
- C. Isolated pilot groups
- D. SWOT analysis
正解:A
解説:
Explanation/Reference:
Explanation:
The Delphi technique uses rounds of anonymous surveys to build consensus on project risks. Delphi is a technique to identify potential risk. In this technique, the responses are gathered via a question and their inputs are organized according to their contents. The collected responses are sent back to these experts for further input, addition, and comments. The final list of risks in the project is prepared after that. The participants in this technique are anonymous and therefore it helps prevent a person from unduly influencing the others in the group. The Delphi technique helps in reaching the consensus quickly.
Incorrect Answers:
B: Root cause analysis is not an anonymous approach to risk identification.
C: Isolated pilot groups is not a valid risk identification activity.
D: SWOT analysis evaluates the strengths, weaknesses, opportunities, and threats of the project.
質問 # 290
Whose risk tolerance matters MOST when making a risk decision?
- A. Auditors, regulators and standards organizations
- B. The information security manager
- C. The business process owner of the exposed assets
- D. Customers who would be affected by a breach
正解:A
質問 # 291
Who is at the BEST authority to develop the priorities and identify what risks and impacts would occur if there were loss of the organization's private information?
- A. Explanation:
Business process owners are in best position to judge the risks and impact, as they are most knowledgeable concerning their systems. Hence they are most suitable for developing and identifying risks on business. - B. External regulatory agencies
- C. Security management
- D. Business process owners
- E. Internal auditor
正解:D
解説:
D, and A are incorrect. Internal auditors, security managers, external regulators would not understand the impact on business to the extent that business owners could. Hence business owner is the best authority.
質問 # 292
Walter is the project manager of a large construction project. He'll be working with several vendors on the project. Vendors will be providing materials and labor for several parts of the project. Some of the works in the project are very dangerous so Walter has implemented safety requirements for all of the vendors and his own project team. Stakeholders for the project have added new requirements, which have caused new risks in the project. A vendor has identified a new risk that could affect the project if it comes into fruition. Walter agrees with the vendor and has updated the risk register and created potential risk responses to mitigate the risk. What should Walter also update in this scenario considering the risk event?
- A. Project contractual relationship with the vendor
- B. is incorrect. The project scope statement is changed as part of the scope approval that
has already happened. - C. Project management plan
- D. is incorrect. The contractual relationship won't change with the vendor as far as project
risks are concerned. - E. Project scope statement
- F. Project communications plan
- G. Explanation:
When new risks are identified as part of the scope additions, Walter should update the risk register
and the project management plan to reflect the responses to the risk event.
正解:C
解説:
is incorrect. The project communications management plan may be updated if there's a
communication need but the related to the risk event, not the communication of the risks.
質問 # 293
Which of the following are risk components of the COSO ERM framework?
Each correct answer represents a complete solution. Choose three.
- A. Risk response
- B. Internal environment
- C. Business continuity
- D. Control activities
正解:A、B、D
解説:
Explanation/Reference:
Explanation:
The risk components defined by the COSO ERM are internal environment, objective settings, event identification, risk assessment, risk response, control objectives, information and communication, and monitoring.
Incorrect Answers:
C: Business continuity is not considered as risk component within the ERM framework.
質問 # 294
......
CRISC 資格認定は、IT 業界で非常に尊敬され、IT リスクおよび情報システムの管理を担当する専門家にとって有益な資格として多くの雇用主から認められています。この資格は、リスク管理、情報セキュリティ、IT 監査、およびコンプライアンスに従事する IT 専門家に最適です。
注目すべき時短になるCRISCオールインワン試験ガイド:https://jp.fast2test.com/CRISC-premium-file.html
検証された材料は決まってこれ!CRISC:https://drive.google.com/open?id=1cdAu8ZCLuGSBt39VnP1nUP0KTII4hDbS