2025年02月 ISACA CRISC実際にある問題と100%カバー率リアル試験問題 [Q560-Q578]

Share

2025年02月 ISACA CRISC実際にある問題と100%カバー率リアル試験問題

CRISC無料試験問題と解答PDF最新問題2025年02月


CRISC認定は、リスク管理、情報システムコントロール、およびITガバナンスに経験があるプロフェッショナルを対象としています。候補者は、これらの分野で最低3年以上の経験を持ち、リスク管理戦略の設計と実装の経験を持つ必要があります。この認定は、ヘルスケア、金融、テクノロジーなどの業界で働く個人や、リスク管理サービスを提供するコンサルティング企業で働く人々に最適です。


ISACA CRISC(Certified in Risk and Information Systems Control)試験は、情報技術(IT)分野で世界的に認められた認定資格です。この認定資格は、ITリスク管理とコントロールに関するバックグラウンドを持つ専門家が、自己の組織内でITリスクを効果的に管理し軽減するために必要なスキルと知識を開発するのに役立ちます。試験は、候補者のITリスク管理、コントロール、およびガバナンスに関する知識を総合的に評価するものです。

 

質問 # 560
Malicious code protection is which type control?

  • A. Personal security control
  • B. Media protection control
  • C. System and information integrity control
  • D. Configuration management control

正解:C

解説:
Section: Volume D
Explanation:
Malware, short for malicious software, is software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems. As malicious code protection lists steps to protect against malware, it preserves the information integrity of the enterprise.
Hence Malicious code protection is System and information integrity control. This family of controls provides information to maintain the integrity of systems and data.
Incorrect Answers:
A: Malicious code protection is not a Configuration management control.
Configuration management control is the family of controls that addresses both configuration management and change management. Change control practices prevent unauthorized changes.
C: Malicious code protection is not a Media protection control.
Media Protection includes removable digital media such as tapes, external hard drives, and USB flash drives. It also includes non-digital media such as paper and film. This family of controls covers the access, marking, storage, transport, and sanitization of media.
D: Malicious code protection is not a Personal security control.
The Personal security control is a family of controls including aspects of personnel security. It includes personnel screening, termination, and transfer.


質問 # 561
A risk practitioner is organizing risk awareness training for senior management. Which of the following is the MOST important topic to cover in the training session?

  • A. The organization's strategic risk management projects
  • B. The organizations risk appetite and tolerance
  • C. Senior management allocation of risk management resources
  • D. Senior management roles and responsibilities

正解:B


質問 # 562
Which of the following represents lack of adequate controls?

  • A. is incorrect. Threat is the potential cause of unwanted incident.
  • B. is incorrect. Impact is the measure of the financial loss that the threat event may have.
  • C. Impact
  • D. Vulnerability
  • E. Asset
  • F. Explanation:
    Vulnerability is a weakness or lack of safeguard that can be exploited by a threat, thus causing
    harm to the information systems or networks. It can exist in hardware, operating systems,
    firmware, applications, and configuration files. Hence lack of adequate controls represents
    vulnerability and would ultimately cause threat to the enterprise.
  • G. Threat

正解:D

解説:
is incorrect. Assets are economic resources that are tangible or intangible, and is
capable of being owned or controlled to produce value.


質問 # 563
You are the project manager of GHT project. Your hardware vendor left you a voicemail saying that the delivery of the equipment you have ordered would not arrive on time. She wanted to give you a heads-up and asked that you return the call. Which of the following statements is TRUE?

  • A. is incorrect. A contingency plan is a plan devised for a specific situation when things go
    wrong. Contingency plans are often devised by governments or businesses who want to be
    prepared for anything that could happen.
    Here there are no such plans.
  • B. This is a trigger.
  • C. This is a residual risk.
  • D. is incorrect. Residual risk is the risk that remains after applying controls. But here in this
    scenario, risk event has not occurred yet.
  • E. This is a secondary risk.
  • F. Explanation:
    Triggers are warning signs of an upcoming risk event. Here delay in delivery signifies that there
    may be a risk event like delay in completion of project. Hence it is referred to as a trigger.
  • G. This is a contingency plan.

正解:B

解説:
is incorrect. Secondary risks are risks that come about as a result of implementing a
risk response. But here in this scenario, risk event has not occurred yet.


質問 # 564
Which of the following is the MOST useful information for a risk practitioner when planning response activities after risk identification?

  • A. Risk heat maps
  • B. Risk priorities
  • C. Risk register
  • D. Risk appetite

正解:D


質問 # 565
Capability maturity models are the models that are used by the enterprise to rate itself in terms of the least mature level to the most mature level. Which of the following capability maturity levels shows that the enterprise does not recognize the need to consider the risk management or the business impact from IT risk?

  • A. Level 1
  • B. Level 2
  • C. Level 0
  • D. Level 3

正解:C

解説:
Section: Volume B
Explanation:
0 nonexistent: An enterprise's risk management capability maturity level is 0 when:
* The enterprise does not recognize the need to consider the risk management or the business impact from IT risk.
* Decisions involving risk lack credible information.
* Awareness of external requirements for risk management and integration with enterprise risk management (ERM) do not exists.
Incorrect Answers:
A, C, D: These all are higher levels of capability maturity model and in this enterprise is mature enough to recognize the importance of risk management.


質問 # 566
Which stakeholders are PRIMARILY responsible for determining enterprise IT risk appetite?

  • A. Audit and compliance management
  • B. The chief information officer (CIO) and the chief financial officer (CFO)
  • C. Executive management and the board of directors
  • D. Enterprise risk management and business process owners

正解:C

解説:
The stakeholders who are PRIMARILY responsible for determining enterprise IT risk appetite are the executive management and the board of directors, because they are the ones who set the strategic direction and objectives of the enterprise, and who define the acceptable level of risk exposure and tolerance for achieving those objectives. The other options are not the primary stakeholders, because:
* Option A: Audit and compliance management are responsible for providing assurance and oversight on the effectiveness of the risk management process and the compliance with internal and external requirements, but they do not determine the enterprise IT risk appetite.
* Option B: The CIO and the CFO are responsible for managing the IT resources and the financial resources of the enterprise, respectively, but they do not determine the enterprise IT risk appetite.
* Option C: Enterprise risk management and business process owners are responsible for identifying, assessing, and responding to the risks that affect their domains, but they do not determine the enterprise IT risk appetite. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 83.


質問 # 567
Which of the following BEST balances the costs and benefits of managing IT risk*?

  • A. Prioritizing and addressing risk in line with risk appetite
    . Eliminating risk through preventive and detective controls
  • B. Considering risk that can be shared with a third party
  • C. Evaluating the probability and impact of risk scenarios

正解:A

解説:
Risk appetite is the broad-based amount of risk that an organization is willing to accept in its activities. Risk appetite reflects the level of risk that the organization is prepared to take to achieve its strategic goals, and provides guidance and boundaries for the risk management activities and decisions. The best way to balance the costs and benefits of managing IT risk is to prioritize and address risk in line with risk appetite, which means that the organization should identify, assess, treat, monitor, and communicate the risks that are within or exceed the risk appetite, and allocate the resources and efforts accordingly. By doing so, the organization can optimize its risk-return trade-off, align its risk exposure with its strategic objectives, and enhance its risk culture and performance. References = 5


質問 # 568
Which of the following is the MOST important consideration when developing an organization's risk taxonomy?

  • A. Leading industry frameworks
  • B. IT strategy
  • C. Regulatory requirements
  • D. Business context

正解:D

解説:
Section: Volume D


質問 # 569
You are the project manager of GHT project. You are performing cost and benefit analysis of control. You come across the result that costs of specific controls exceed the benefits of mitigating a given risk. What is the BEST action would you choose in this scenario?

  • A. The enterprise should exploit the risk.
  • B. Explanation:
    If the costs of specific controls or countermeasures (control overhead) exceed the benefits of
    mitigating a given risk the enterprise may choose to accept the risk rather than incur the cost of
    mitigation. This is done according to the principle of proportionality described in:
    Generally accepted security systems principles (GASSP)
    Generally accepted information security principles (GAISP)
  • C. The enterprise may apply the appropriate control anyway.
  • D. is incorrect. When the cost of specific controls exceed the benefits of mitigating a given
    risk, then controls are not applied, rather risk is being accepted.
  • E. The enterprise should adopt corrective control.
  • F. The enterprise may choose to accept the risk rather than incur the cost of mitigation.
  • G. is incorrect. The risk is being exploited when there is an opportunity, i.e., the risk is
    positive. But here in this case, negative risk exists as it needs mitigation. So, exploitation cannot
    be done.

正解:F

解説:
is incorrect. As the cost of control exceeds the benefits of mitigating a given risk, hence
no control should be applied.
Corrective control is a type of control and hence it should not be adopted.


質問 # 570
A large organization recently restructured the IT department and has decided to outsource certain functions.
What action should the control owners in the IT department take?

  • A. Perform vulnerability and threat assessments.
  • B. Analyze and update IT control assessments.
  • C. Conduct risk classification for associated IT controls.
  • D. Determine whether risk responses still effectively address risk.

正解:D

解説:
According to the ISACA Risk and Information Systems Control study guide and handbook, the control owners in the IT department should determine whether risk responses still effectively address risk after a restructuring and outsourcing of certain functions. This is because the restructuring and outsourcing may have changed the risk profile, the control environment, and the control activities of the IT department. The control owners should review the existing risk responses and evaluate if they are still appropriate, adequate, and efficient in mitigating the risks associated with the outsourced functions. The control owners should also monitor the performance and compliance of the service providers and ensure that the contractual obligations and service level agreements are met12
1: ISACA Risk and Information Systems Control Study Guide, 4th Edition, page 33 2: ISACA Risk and Information Systems Control Handbook, 1st Edition, page 25


質問 # 571
Days before the realization of an acquisition, a data breach is discovered at the company to be acquired. For the accruing organization, this situation represents which of the following?

  • A. Threat event
  • B. Security incident
  • C. Risk event
  • D. Inherent risk

正解:C

解説:
A risk event is an occurrence or situation that has a negative impact on the objectives, operations, or resources of an enterprise. A data breach at the company to be acquired is a risk event for the acquiring organization, because it can affect the value, reputation, or performance of the acquisition. A risk event can also trigger other risks or consequences that may require further actions or responses. The other options are not the correct answers, because they do not describe the situation accurately. A threat event is an occurrence or situation that exploits a vulnerability or causes harm to an asset or process. An inherent risk is the risk that exists before applying any controls or treatments. A security incident is an event that violates the security policies or procedures of an enterprise. References = CRISC: Certified in Risk & Information Systems Control Sample Questions


質問 # 572
What are the functions of audit and accountability control?
Each correct answer represents a complete solution. Choose all that apply.

  • A. Implement effective access control
  • B. Provides details on how to protect the audit logs
  • C. Implement an effective audit program
  • D. Provides details on how to determine what to audit

正解:B、C、D

解説:
Explanation/Reference:
Explanation:
Audit and accountability family of controls helps an organization implement an effective audit program. It provides details on how to determine what to audit. It provides details on how to protect the audit logs. It also includes information on using audit logs for non-repudiation.
Incorrect Answers:
B: Access Control is the family of controls that helps an organization implement effective access control.
They ensure that users have the rights and permissions they need to perform their jobs, and no more. It includes principles such as least privilege and separation of duties.
Audit and accountability family of controls do not help in implementing effective access control.


質問 # 573
Which of the following provides the MOST useful information to assess the magnitude of identified deficiencies in the IT control environment?

  • A. Threat analysis results
  • B. Peer benchmarks
  • C. Business impact analysis (BIA) results
  • D. Internal audit reports

正解:D

解説:
Internal audit reports provide the most useful information to assess the magnitude of identified deficiencies in the IT control environment. Internal audit reports are independent and objective evaluations of the design and operating effectiveness of the IT controls, as well as the compliance with policies, standards, and regulations.
Internal audit reports also provide recommendations for improvement and follow-up actions for the control deficiencies. Internal audit reports can help measure the impact and severity of the control deficiencies, and prioritize the remediation efforts. Peer benchmarks, business impact analysis (BIA) results, and threat analysis results are not as directly related to the assessment of the control deficiencies, although they may provide some contextual or comparative information. References = Risk and Information Systems Control Study Manual, Chapter 1, Section 1.4.1, page 1-19.


質問 # 574
IT disaster recovery point objectives (RPOs) should be based on the:

  • A. type of business.
  • B. maximum tolerable loss of data.
  • C. need of each business unit.
  • D. maximum tolerable downtime.

正解:B

解説:
IT disaster recovery point objectives (RPOs) should be based on the:
B: maximum tolerable loss of data.
RPOs are determined by how much data loss an organization can withstand in the event of a disaster. It's a measure of the maximum age of files that an organization must recover from backup storage for normal operations to resume after a disaster. Therefore, RPOs are directly related to the maximum tolerable loss of data.


質問 # 575
Which of the following is the BEST risk management approach for the strategic IT planning process?

  • A. Key performance indicators (KPIs) are established to track IT strategic initiatives.
  • B. The IT strategic plan is reviewed by the chief information security officer (CISO) and enterprise risk management (ERM).
  • C. The IT strategic plan is developed from the organization-wide risk management plan.
  • D. Risk scenarios associated with IT strategic initiatives are identified and assessed.

正解:D

解説:
Identifying and assessing the risk scenarios associated with IT strategic initiatives is the best risk management approach for the strategic IT planning process, because it helps to understand and evaluate the potential or actual threats or opportunities that may affect the achievement or implementation of the IT strategic initiatives, and to determine the appropriate risk responses and controls. A risk scenario is a hypothetical situation or event that describes the source, cause, consequence, and impact of a risk. A risk scenario can be positive or negative, depending on whether it represents an opportunity or a threat. An IT strategic initiative is a project or program that supports or enables the IT strategy, which is a plan that defines how IT supports and aligns with the organization's vision, mission, and strategy. The strategic IT planning process is a process of developing, implementing, and monitoring the IT strategy and its associated IT strategic initiatives. Identifying and assessing the risk scenarios is the best risk management approach, as it helps to anticipate and prepare for the potential or actual outcomes of the IT strategic initiatives, and to optimize the risk-reward balance and the value delivery of IT. Establishing key performance indicators (KPIs) to track IT strategic initiatives, reviewing the IT strategic plan by the chief information security officer (CISO) and enterprise risk management (ERM), and developing the IT strategic plan from the organization-wide risk management plan are all possible risk management approaches for the strategic IT planning process, but they are not the best approach, as they do not directly address the identification and assessment of the risk scenarios associated with IT strategic initiatives. References = Risk and Information Systems Control Study Manual, Chapter 2, Section 2.1.1, page
37


質問 # 576
You are the project manager for GHT project. You need to perform the Qualitative risk analysis process.
When you have completed this process, you will produce all of the following as part of the risk register update output except which one?

  • A. Probability of achieving time and cost estimates
  • B. Watch list of low-priority risks
  • C. Priority list of risks
  • D. Risks grouped by categories

正解:A

解説:
Explanation/Reference:
Explanation:
Probability of achieving time and cost estimates is an update that is produced from the Quantitative risk analysis process. In Qualitative risk analysis probability of occurrence of a specific risk is identified but not of achieving time and cost estimates.


質問 # 577
You are working with a vendor on your project. A stakeholder has requested a change for the project, which will add value to the project deliverables. The vendor that you're working with on the project will be affected by the change. What system can help you introduce and execute the stakeholder change request with the vendor?

  • A. Cost change control system
  • B. Contract change control system
  • C. Scope change control system
  • D. Schedule change control system

正解:B

解説:
Explanation/Reference:
Explanation:
The contract change control system is part of the project's change control system. It addresses changes with the vendor that may affect the project contract. Change control system, a part of the configuration management system, is a collection of formal documented procedures that define how project deliverables and documentation will be controlled, changed, and approved.
Incorrect Answers:
B: The scope may change because of the stakeholder change request.
Vendor's relationship to the project, hence this choice is not the best answer.
C: The cost change control system manages changes to costs in the project.
D: There is no indication that the change could affect the project schedule.


質問 # 578
......

ISACA CRISCリアル2025年最新のブレーン問題集模擬試験問題集:https://jp.fast2test.com/CRISC-premium-file.html

最新CRISC試験問題集で最近更新された1519問題:https://drive.google.com/open?id=1p_OjPRaWkElIj0hf8XPmaUFRJFrGZqPn


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어