ISACA CRISC問題集で必ず試験合格させる [Q653-Q670]

Share

ISACA CRISC問題集で必ず試験合格させる

CRISC試験問題(更新されたのは2025年)100%リアル問題解答


CRISC認定を取得することは、情報システムとセキュリティの分野の専門家にとって貴重な資産になります。リスク管理における高レベルの専門知識を示しており、キャリアの進歩と収益の可能性の増加につながる可能性があります。ただし、重要な研究と準備、および分野での知識とスキルを維持するための継続的なコミットメントが必要です。


ISACA CRISC(Certified in Risk and Information Systems Control)試験は、情報システムに関連するリスクを特定し、評価、軽減する責任を持つ専門家の知識とスキルを検証する認定資格です。 CRISC資格は、リスク管理の原則と実践に深い理解を持ち、さまざまなコンテキストでそれを適用する能力を持つことを証明するため、情報技術の分野で世界的に認められ、高く評価されています。

 

質問 # 653
You are the project manager in your enterprise. You have identified occurrence of risk event in your enterprise. You have pre-planned risk responses. You have monitored the risks that had occurred. What is the immediate step after this monitoring process that has to be followed in response to risk events?

  • A. Communicate lessons learned from risk events
  • B. Update the risk register
  • C. Initiate incident response
  • D. Eliminate the risk completely

正解:C

解説:
Explanation/Reference:
Explanation:
When the risk events occur then following tasks have to done to react to it:
Maintain incident response plans

Monitor risk

Initiate incident response

Communicate lessons learned from risk events


質問 # 654
When a high-risk security breach occurs, which of the following would be MOST important to the person responsible for managing the incident?

  • A. A justification of corrective action taken
  • B. An analysis of the security logs that illustrate the sequence of events
  • C. A business case for implementing stronger logical access controls
  • D. An analysis of the impact of similar attacks in other organizations

正解:B

解説:
An analysis of the security logs that illustrate the sequence of events is the most important information for the person responsible for managing the incident, as it can help to identify the source, scope, and impact of the security breach, and to determine the appropriate response actions. An analysis of the security logs can also provide evidence for forensic investigation and legal action, and help to prevent or mitigate future incidents by identifying the root causes and vulnerabilities. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, Question 235. CRISC by Isaca Actual Free Exam Q&As, Question 9. CRISC: Certified in Risk & Information Systems Control Sample Questions, Question
235. CRISC Sample Questions 2024, Question 235.


質問 # 655
An organization has an approved bring your own device (BYOD) policy. Which of the following would BEST mitigate the security risk associated with the inappropriate use of enterprise applications on the devices?

  • A. Include BYOD in organizational awareness programs
  • B. Periodically review application on BYOD devices
  • C. Implement BYOD mobile device management (MDM) controls.
  • D. Enable a remote wee capability for BYOD devices

正解:C


質問 # 656
Which of the following would be MOST beneficial as a key risk indicator (KRI)?

  • A. Negative security return on investment (ROI)
  • B. Current capital allocation reserves
  • C. Project cost variances
  • D. Annualized loss projections

正解:D


質問 # 657
Which of the following should be the PRIMARY recipient of reports showing the progress of a current IT risk mitigation project?

  • A. IT risk manager
  • B. Project sponsor
  • C. Senior management
  • D. Project manager

正解:B

解説:
* A project sponsor is the person or group who provides the financial, political, or organizational support for a project, and who has the authority to approve or reject the project's objectives, scope, budget, schedule, and deliverables.
* The primary recipient of reports showing the progress of a current IT risk mitigation project should be the project sponsor, because they are ultimately responsible for the success or failure of the project, and they need to be informed of the project's status, issues, risks, and achievements on a regular basis.
* The other options are not the primary recipients of reports showing the progress of a current IT risk mitigation project. They are either secondary or not essential for project reporting.
The references for this answer are:
* Risk IT Framework, page 21
* Information Technology & Security, page 15
* Risk Scenarios Starter Pack, page 13


質問 # 658
Which of the following is MOST important when developing key risk indicators (KRIs)?

  • A. Availability of qualitative data.
  • B. Alignment with regulatory requirements.
  • C. Alignment with industry benchmarks.
  • D. Property set thresholds.

正解:B

解説:
Section: Volume D


質問 # 659
Which of the following is the BEST approach when a risk treatment plan cannot be completed on time?

  • A. Develop additional key risk indicators (KRIs) until the preferred action can be completed.
  • B. Replace the action owner with a more experienced individual.
  • C. Change the risk response strategy of the relevant risk to risk avoidance.
  • D. Implement compensating controls until the preferred action can be completed.

正解:D

解説:
Implement compensating controls until the preferred action can be completed, because it helps to reduce the residual risk to an acceptable level, while allowing the preferred action to be delayed or postponed. A risk treatment plan is a document that describes the actions and resources required to implement the chosen risk response strategy for a specific risk. A risk response strategy is a course of action that is selected to address a risk, such as avoid, transfer, mitigate, or accept. A compensating control is a control that provides an alternative or additional measure of protection or assurance, when the primary or preferred control is not feasible or effective. Implementing compensating controls is the best approach, as it helps to maintain the risk management process and objectives, and to avoid or minimize the negative consequences of the delay or postponement of the preferred action.
Developing additional key risk indicators (KRIs), replacing the action owner with a more experienced individual, and changing the risk response strategy of the relevant risk to risk avoidance are all possible approaches when a risk treatment plan cannot be completed on time, but they are not the best approach, as they may not address the residual risk level, and they may introduce new risks or issues.


質問 # 660
The PRIMARY purpose of a maturity model is to compare the:

  • A. organization to industry best practices.
  • B. actual KPIs with target KPIs.
  • C. current state of key processes to their desired state.
  • D. organization to peers.

正解:C


質問 # 661
The MAJOR reason to classify information assets is

  • A. determine their sensitivity and critical
  • B. categorize data into groups
  • C. maintain a current inventory and catalog of information assets
  • D. establish recovery time objectives (RTOs)

正解:A

解説:
Information asset classification is the process of assigning a level of sensitivity and criticality to an information asset based on its value, importance, and impact to the organization. The major reason to classify information assets is to determine their sensitivity and criticality, which are the measures of how confidential, proprietary, or sensitive the information is, and how essential, urgent, or time-sensitive the information is for the business operations. By determining the sensitivity and criticality of information assets, the organization can prioritize the protection and recovery of the information assets, implement the appropriate security controls and safeguards, comply with the regulatory and contractual requirements, and manage the information lifecycle and disposal. References = CRISC Review Manual, 7th Edition, page 74.


質問 # 662
Which of the following controls will BEST detect unauthorized modification of data by a database administrator?

  • A. Reviewing changes to edit checks
  • B. Reviewing database activity logs
  • C. Comparing data to input records
  • D. Reviewing database access rights

正解:B

解説:
* Unauthorized modification of data by a database administrator is a security risk that involves altering, deleting, or inserting data on a database without proper authorization or approval, by a person who has privileged access to the database, such as a database administrator12.
* The best control to detect unauthorized modification of data by a database administrator is to review database activity logs, which are records that capture and store the details and history of the transactions or activities that are performed on the database, such as who, what, when, where, and how34.
* Reviewing database activity logs is the best control because it provides evidence and visibility of the database operations, and enables the detection and reporting of any deviations, anomalies, or issues that may indicate unauthorized modification of data by a database administrator34.
* Reviewing database activity logs is also the best control because it supports the accountability and auditability of the database operations, and facilitates the investigation and resolution of any unauthorized modification of data by a database administrator34.
* The other options are not the best controls, but rather possible measures or techniques that may supplement or enhance the review of database activity logs. For example:
* Reviewing database access rights is a measure that involves verifying and validating the permissions and privileges that are granted or revoked to the users or roles who can access or modify the data on the database56. However, this measure is not the best control because it does not directly detect unauthorized modification of data by a database administrator, especially if the database administrator has legitimate access rights to the data56.
* Comparing data to input records is a technique that involves matching and reconciling the data on the database with the original or source data that are entered or imported into the database, and identifying and correcting any discrepancies or errors78. However, this technique is not the best control because it does not directly detect unauthorized modification of data by a database administrator, especially if the input records are also modified or compromised78.
* Reviewing changes to edit checks is a technique that involves examining and evaluating the modifications or updates to the edit checks, which are rules or validations that are applied to the data on the database to ensure their accuracy, completeness, and consistency9 . However, this technique is not the best control because it does not directly detect unauthorized modification of data by a database administrator, especially if the edit checks are bypassed or disabled9 .
References =
* 1: Database Security: Attacks and Solutions | SpringerLink2
* 2: Unauthorised Modification of Data With Intent to Cause Impairment3
* 3: Database Activity Monitoring - Wikipedia4
* 4: Database Activity Monitoring (DAM) | Imperva5
* 5: Database Access Control - Wikipedia6
* 6: Database Access Control: Best Practices for Database Security7
* 7: Data Reconciliation - Wikipedia8
* 8: Data Reconciliation and Gross Error Detection9
* 9: Edit Check - Wikipedia
* : Edit Checks: A Data Quality Tool


質問 # 663
Which of The following BEST represents the desired risk posture for an organization?

  • A. Accepted risk is higher than risk tolerance.
  • B. Residual risk is lower than risk tolerance.
  • C. Operational risk is higher than risk tolerance.
  • D. Inherent risk is lower than risk tolerance.

正解:B

解説:
The best representation of the desired risk posture for an organization is when the residual risk is lower than the risk tolerance. Residual risk is the remaining risk after the implementation of risk responses or controls.
Risk tolerance is the acceptable level of risk that the organization is willing to take or bear. The desired risk posture is when the organization has reduced the residual risk to a level that is equal to or lower than the risk tolerance, which means that the organization has achieved its risk objectives and is comfortable with the remaining risk exposure. The other options are not the best representation of the desired risk posture, as they indicate that the organization has not effectively managed its risk. Inherent risk is lower than risk tolerance means that the organization has not identified or assessed its risk properly, as inherent risk is the risk before any controls or responses are applied. Operational risk is higher than risk tolerance means that the organization has not implemented or monitored its risk responses or controls adequately, as operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems. Accepted risk is higher than risk tolerance means that the organization has not aligned its risk appetite and risk tolerance, as accepted risk is the risk that the organization chooses to retain or take without any further action. References = Risk and Information Systems Control Study Manual, Chapter 2, Section 2.3.1, page 2-
23.


質問 # 664
While reviewing an organization's monthly change management metrics, a risk practitioner notes that the number of emergency changes has increased substantially Which of the following would be the BEST approach for the risk practitioner to take?

  • A. Document the control deficiency in the risk register.
  • B. Temporarily suspend emergency changes.
  • C. Continue monitoring change management metrics.
  • D. Conduct a root cause analysis.

正解:D

解説:
According to the CRISC Review Manual, a root cause analysis is a technique that identifies the underlying causes of an event or a problem. It helps to determine the most effective actions to prevent or mitigate the recurrence of the event or problem. A root cause analysis is the best approach for the risk practitioner to take in this scenario, because it will help to understand why the number of emergency changes has increased substantially and what can be done to address the issue. The other options are not the best approaches, because they do not address the underlying causes of the problem. Temporarily suspending emergency changes may disrupt the business operations and create more risks. Documenting the control deficiency in the risk register is a passive action that does not resolve the problem. Continuing monitoring change management metrics is an ongoing activity that does not provide any insight into the problem. References = CRISC Review Manual, 7th Edition, Chapter 3, Section 3.2.4, page 130.


質問 # 665
You work as a Project Manager for Company Inc. You have to conduct the risk management activities for a project. Which of the following inputs will you use in the plan risk management process?
Each correct answer represents a complete solution. (Choose three.)

  • A. Project scope statement
  • B. Quality management plan
  • C. Schedule management plan
  • D. Cost management plan

正解:A、C、D

解説:
Section: Volume C
Explanation:
The inputs to the plan risk management process are as follows:
* Project scope statement: It provides a clear sense of the range of possibilities associated with the project and establishes the framework for how significant the risk management effort may become.
* Cost management plan: It describes how risk budgets, contingencies, and management reserves will be reported and accessed.
* Schedule management plan: It describes how the schedule contingencies will be reported and assessed.
* Communication management plan: It describes the interactions, which occurs on the project and determines who will be available to share information on various risks and responses at different times.
* Enterprise environmental factors: It include, but are not limited to, risk attitudes and tolerances that describe the degree of risk that an organization withstand.
* Organizational process assets: It includes, but are not limited to, risk categories, risk statement formats, standard templates, roles and responsibilities, authority levels for decision-making, lessons learned, and stakeholder registers.
Incorrect Answers:
A: It is not an input for Plan risk management process.


質問 # 666
Which of the following situations presents the GREATEST challenge to creating a comprehensive IT risk profile of an organization?

  • A. Inaccurate documentation of enterprise architecture (EA)
  • B. Manual vulnerability scanning processes
  • C. Organizational reliance on third-party service providers
  • D. Risk-averse organizational risk appetite

正解:A

解説:
The situation that presents the greatest challenge to creating a comprehensive IT risk profile of an organization is having inaccurate documentation of enterprise architecture (EA). EA is the blueprint that describes the structure and operation of an organization, including its business processes, information systems, technology infrastructure, and governance. EA helps to align the IT strategy and objectives with the business strategy and objectives, and to identify and manage the IT risks and opportunities. Having inaccurate documentation of EA could lead to incomplete, inconsistent, or misleading information about the organization's IT environment, which could affect the quality and reliability of the IT risk profile. The other situations are not as challenging as having inaccurate documentation of EA, although they may also pose some difficulties or limitations for the IT risk profile. References = Risk and Information Systems Control Study Manual, Chapter 2, Section 2.2.1, page 2-12.


質問 # 667
Which of the following is the BEST approach to use when creating a comprehensive set of IT risk scenarios?

  • A. Gather scenarios from senior management.
  • B. Map scenarios to a recognized risk management framework.
  • C. Benchmark scenarios against industry peers.
  • D. Derive scenarios from IT risk policies and standards.

正解:D


質問 # 668
Which of the following should be the MOST important consideration when performing a vendor risk assessment?

  • A. Length of time since the last risk assessment of the vendor
  • B. Risk tolerance of the vendor
  • C. Inherent risk of the business process supported by the vendor
  • D. Results of the last risk assessment of the vendor

正解:C

解説:
The most important consideration when performing a vendor risk assessment is the inherent risk of the business process supported by the vendor, which is the risk that exists before any controls or mitigating factors are applied. The inherent risk reflects the potential impact and likelihood of the vendor's failure or disruption on the enterprise's objectives, operations, and reputation. The higher the inherent risk, the more rigorous and frequent the vendor risk assessment should be. The results of the last risk assessment of the vendor, the risk tolerance of the vendor, and the length of time since the last risk assessment of the vendor are not the most important considerations, as they do not directly measure the level of exposure and dependency that the enterprise has on the vendor. References = CRISC Certified in Risk and Information Systems Control
- Question204; ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 204.


質問 # 669
Which of the following will BEST help in communicating strategic risk priorities?

  • A. Business impact analysis (BIA)
  • B. Balanced Scorecard
  • C. Risk register
  • D. Heat map

正解:B


質問 # 670
......

合格させるISACA CRISC試験最速合格にはFast2test:https://jp.fast2test.com/CRISC-premium-file.html

準備CRISC問題解答でCRISC試験問題集:https://drive.google.com/open?id=1PsdbKnheydKQSC62K-uGuEq-Sksz6FcY


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어