[Q265-Q288] 合格させるCRISC試験一発合格保証100%カバー率でリアル試験問題 [2025年03月]

Share

合格させるCRISC試験一発合格保証100%カバー率でリアル試験問題 [2025年03月]

有効なCRISCテスト解答ISACA CRISC試験PDF問題を試そう

質問 # 265
An organization uses a vendor to destroy hard drives. Which of the following would BEST reduce the risk of data leakage?

  • A. Require the vendor to degauss the hard drives
  • B. Require confirmation of destruction from the IT manager.
  • C. Use an accredited vendor to dispose of the hard drives.
  • D. Implement an encryption policy for the hard drives.

正解:C

解説:
Data leakage is the unauthorized or accidental disclosure of sensitive or confidential data to unauthorized parties. Data leakage can cause serious damages or losses to the organization, such as data breaches, fines, lawsuits, reputational harm, or loss of customer trust. Data leakage can occur due to various reasons, such as human errors, malicious attacks, or inadequate controls1.
An organization that uses a vendor to destroy hard drives faces a risk of data leakage, as the vendor may not properly or securely destroy the hard drives, or may access or misuse the data stored on them. The best way to reduce this risk is to use an accredited vendor to dispose of the hard drives, because it means that the vendor:
* Has been certified or verified by a reputable or recognized authority or organization, such as ISACA, NAID, or R2, to provide hard drive destruction services
* Follows the industry standards and best practices for hard drive destruction, such as NIST 800-88 or DoD 5220.22-M, and ensures the compliance with the legal and regulatory requirements, such as HIPAA, PCI DSS, or GDPR
* Provides a secure and transparent process for hard drive destruction, such as using a specialized shredder, issuing a certificate of destruction, or allowing the customer to witness the destruction
* Maintains a high level of professionalism and integrity, and does not compromise the confidentiality or security of the customer's data234 The other options are not the best ways to reduce the risk of data leakage, but rather some of the steps or aspects of hard drive destruction. Require the vendor to degauss the hard drives is a step that can help to erase the data on the hard drives by using a strong magnetic field. However, degaussing may not be effective or reliable for some types of hard drives, such as solid state drives (SSDs), and it may not prevent the vendor from accessing or misusing the data before degaussing5. Implement an encryption policy for the hard drives is an aspect that can help to protect the data on the hard drives by using a cryptographic algorithm to make it unreadable without a key. However, encryption may not be sufficient or applicable for some types of data, such as metadata, and it may not prevent the vendor from accessing or misusing the key or the encrypted data6. Require confirmation of destruction from the IT manager is a step that can help to verify that the hard drives have been destroyed by the vendor, and to document the process and the outcome. However, confirmation of destruction may not be accurate or authentic, and it may not prevent the vendor from accessing or misusing the data before destruction7. References =
* Data Leakage - ISACA
* Hard Drive Shredding Services | Hard Drive Destruction & Disposal
* Hard Drive Shredding and Destruction Service | CompuCycle
* Electronic Destruction & Recycling | Shred Nations
* Degaussing - ISACA
* Encryption - ISACA
* Certificate of Destruction - ISACA
* [CRISC Review Manual, 7th Edition]


質問 # 266
What type of policy would an organization use to forbid its employees from using organizational e-mail for personal use?

  • A. Privacy policy
  • B. Anti-harassment policy
  • C. Acceptable use policy
  • D. Intellectual property policy

正解:C

解説:
Section: Volume C
Explanation
Explanation:
An acceptable use policy is a set of rules applied by the owner/manager of a network, website or large computer system that restrict the ways in which the network site or system may be used. Acceptable Use Policies are an integral part of the framework of information security policies.
Incorrect Answers:
A, C: These two policies are not related to Information system security.
D: Privacy policy is a statement or a legal document (privacy law) that discloses some or all of the ways a party gathers, uses, discloses and manages a customer or client's data.


質問 # 267
The PRIMARY advantage of implementing an IT risk management framework is the:

  • A. establishment of a reliable basis for risk-aware decision making
  • B. alignment of business goals with IT objectives
  • C. compliance with relevant legal and regulatory requirements
  • D. improvement of controls within the organization and minimized losses

正解:D

解説:
Section: Volume D


質問 # 268
Which of the following should be the PRIMARY focus of an IT risk awareness program?

  • A. Communicate IT risk policy to the participants.
  • B. Ensure compliance with the organization's internal policies
  • C. Cultivate long-term behavioral change.
  • D. Demonstrate regulatory compliance.

正解:C

解説:
The primary focus of an IT risk awareness program is to cultivate long-term behavioral change. An IT risk awareness program is a program that educates and informs the stakeholders, such as the employees, managers, customers, or partners, about the IT risks and the IT risk management activities. An IT risk awareness program helps to increase the knowledge and understanding of the IT risks and the IT risk management objectives, strategies, and processes, and to promote the participation and collaboration of the stakeholders in the IT risk management activities. The primary focus of an IT risk awareness program is to cultivate long-term behavioral change, which is the change in the attitudes, beliefs, values, and actions of the stakeholders regarding the IT risks and the IT risk management activities. Cultivating long-term behavioral change helps to create and sustain a risk-aware culture, which is a culture that recognizes, respects, and supports the IT risk management activities, and that encourages the stakeholders to take responsibility and ownership of the IT risks and the IT risk management activities. Cultivating long-term behavioral change also helps to improve the effectiveness and efficiency of the IT risk management activities, and to align the IT risk management activities with the business goals and values. Ensuring compliance with the organization's internal policies, communicating IT risk policy to the participants, and demonstrating regulatory compliance are not the primary focus of an IT risk awareness program, as they are either the benefits or the objectives of the IT risk awareness program, and they do not address the primary need of changing the behavior of the stakeholders. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 36.


質問 # 269
Which of the following is the BEST course of action when an organization wants to reduce likelihood in order to reduce a risk level?

  • A. Monitor risk controls.
  • B. Implement detective controls.
  • C. Transfer the risk.
  • D. Implement preventive measures.

正解:D

解説:
The best course of action when an organization wants to reduce likelihood in order to reduce a risk level is to implement preventive measures. Likelihood is the probability or chance of a risk occurring, and risk level is the combination of likelihood and impact of a risk. Preventive measures are controls that are designed to prevent or deter the occurrence of a risk, such as policies, standards, procedures, guidelines, etc.
Implementing preventive measures is the best course of action, because it helps to reduce the likelihood of a risk, and consequently, the risk level. Implementing preventive measures also helps to protect and enhance the organization's objectives, performance, and improvement. The other options are not the best course of action, although they may be related to the risk management process. Monitoring risk controls, implementing detective controls, and transferring the risk are all activities that can help to manage or mitigate the risks, but they do not necessarily reduce the likelihood or the risk level. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.1, page 4-21.


質問 # 270
Which of the following is the GREATEST benefit of analyzing logs collected from different systems?

  • A. Security violations can be identified.
  • B. Developing threats are detected earlier.
  • C. Forensic investigations are facilitated.
  • D. A record of incidents is maintained.

正解:B

解説:
According to the CRISC Review Manual, the greatest benefit of analyzing logs collected from different systems is to detect developing threats earlier, because it helps to identify and correlate the patterns, trends, and anomalies that may indicate a potential attack or compromise. Log analysis is the process of examining and interpreting the log data generated by various systems, such as firewalls, servers, routers, and applications.
Log analysis can provide valuable insights into the activities and events that occur on the systems, and can enable the timely detection and response to the emerging threats. The other options are not the greatest benefits of analyzing logs, as they are less proactive or less strategic than detecting developing threats earlier.
Maintaining a record of incidents is a benefit of logging, but not of analyzing logs, as it involves storing and preserving the log data for future reference. Facilitating forensic investigations is a benefit of analyzing logs, but it is a reactive and tactical activity that occurs after an incident has happened. Identifying security violations is a benefit of analyzing logs, but it is a specific and operational activity that focuses on the compliance and enforcement of the security policies and standards. References = CRISC Review Manual, 7th Edition, Chapter 5, Section 5.3.2, page 263.


質問 # 271
The BEST metric to demonstrate that servers are configured securely is the total number of servers:

  • A. experiencing hardware failures
  • B. meeting the baseline for hardening.
  • C. exceeding availability thresholds
  • D. exceeding current patching standards.

正解:B


質問 # 272
Implementing which of the following will BEST help ensure that systems comply with an established baseline before deployment?

  • A. Access controls and active logging
  • B. Continuous monitoring and alerting
  • C. Configuration management
  • D. Vulnerability scanning

正解:C

解説:
Configuration management is a process that establishes and maintains the consistency and integrity of the IT systems and applications throughout their lifecycle. Configuration management involves identifying, documenting, controlling, and auditing the configuration items, such as hardware, software, data, or services, that comprise the IT systems and applications. Configuration management also involves establishing and enforcing the configuration baselines, which are the approved and authorized states of the configuration items.
Implementing configuration management will best help ensure that systems comply with an established baseline before deployment, as it will enable the enterprise to verify that the systems meet the specified requirements, standards, and policies, and to detect and correct any deviations or discrepancies. The other options are not as effective as configuration management, as they involve different aspects or outcomes of the IT systems and applications:
* Vulnerability scanning is a process that identifies and analyzes the weaknesses or gaps in the IT systems and applications that could be exploited by threats. Vulnerability scanning helps to assess the security and compliance of the systems, but it does not ensure that the systems comply with an established baseline before deployment, as it may not cover all the aspects or components of the systems, or may not reflect the latest changes or updates of the systems.
* Continuous monitoring and alerting is a process that tracks and reports the performance and status of the IT systems and applications on an ongoing basis. Continuous monitoring and alerting helps to identify and respond to any issues or incidents that affect the availability, integrity, or confidentiality of the systems, but it does not ensure that the systems comply with an established baseline before deployment, as it may not prevent or detect the unauthorized or unintended changes or modifications of the systems, or may not provide sufficient information or evidence to verify the compliance of the systems.
* Access controls and active logging are processes that restrict and record the access and activities of the users or entities on the IT systems and applications. Access controls and active logging help to protect and audit the IT systems and applications, but they do not ensure that the systems comply with an established baseline before deployment, as they may not address the configuration or quality issues of the systems, or may not be consistent or comprehensive across the systems. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.2.1.1, pp. 156-157.


質問 # 273
Which of the following BEST enables detection of ethical violations committed by employees?

  • A. Periodic job rotation
  • B. Access control attestation
  • C. Whistleblower program
  • D. Transaction log monitoring

正解:C

解説:
Whistleblower Program:
* A whistleblower program provides a confidential and anonymous channel for employees to report
* unethical behavior, violations of laws, regulations, or company policies.
* It is a proactive approach to uncover ethical violations that might not be detected through regular monitoring and controls.
Enabling Detection:
* Encourages employees to come forward without fear of retaliation.
* Provides management with early warning signs of potential ethical issues, allowing them to address problems before they escalate.
Comparing Other Methods:
* Transaction Log Monitoring: While useful for detecting anomalies, it may not specifically identify ethical violations.
* Access Control Attestation: Ensures that users have appropriate access but does not directly address ethical behavior.
* Periodic Job Rotation: Helps prevent fraud by reducing opportunities for unethical behavior but may not actively detect violations.
References:
* The CRISC Review Manual discusses the role of whistleblower programs in managing ethical risks and detecting violations (CRISC Review Manual, Chapter 4: Risk Monitoring and Reporting, Section 4.4.4 Reporting Mechanisms) .


質問 # 274
Which of the following should be the risk practitioner's PRIMARY focus when determining whether controls are adequate to mitigate risk?

  • A. Level of residual risk
  • B. Risk appetite
  • C. Cost-benefit analysis
  • D. Sensitivity analysis

正解:B

解説:
Section: Volume D


質問 # 275
You are working in an enterprise. You enterprise is willing to accept a certain amount of risk. What is this risk called?

  • A. Explanation:
    Risk appetite considers the qualitative and quantitative aspects of accepting risks in an organization. The term refers to the type of risks the organization is willing to pursue, as well as amount of risk and the level of risk. Risk appetite is the amount of risk a company or other entity is willing to accept in pursuit of its mission. This is the responsibility of the board to decide risk appetite of an enterprise. When considering the risk appetite levels for the enterprise, the following two major factors should be taken into account: The enterprise's objective capacity to absorb loss, e.g., financial loss, reputation damage, etc. The culture towards risk taking-cautious or aggressive. In other words, the amount of loss the enterprise wants to accept in pursue of its objective fulfillment.
  • B. Hedging
  • C. Appetite
  • D. Tolerance
  • E. Aversion

正解:C

解説:
and A are incorrect. Aversion and hedging are related to each other and represents the avoidance of risk within the organization. Answer:D is incorrect. The acceptable variation relative to the achievement of an objective is termed as risk tolerance. In other words, risk tolerance is the acceptable deviation from the level set by the risk appetite and business objectives. Risk tolerance is defined at the enterprise level by the board and clearly communicated to all stakeholders. A process should be in place to review and approve any exceptions to such standards.


質問 # 276
Which of the following should be the FIRST course of action if the risk associated with a new technology is found to be increasing?

  • A. Implement additional controls.
  • B. Revise the current risk action plan.
  • C. Escalate the risk to senior management.
  • D. Re-evaluate current controls.

正解:B

解説:
A risk action plan is a document that outlines the actions to be taken to mitigate or avoid a risk. A risk action plan should be revised when the risk associated with a new technology is found to be increasing, as this indicates that the current plan is not effective or sufficient. Revising the risk action plan can help identify the root causes of the risk increase, evaluate the effectiveness of current controls, and implement additional or alternative controls as needed. Re-evaluating current controls, escalating the risk to senior management, and implementing additional controls are possible steps in the revision process, but they are not the first course of action. The first course of action should be to update the risk action plan to reflect the current risk situation and the appropriate risk response.


質問 # 277
Which of the following is the MOST important reason to validate that risk responses have been executed as outlined in the risk response plan''

  • A. To ensure completion of the risk assessment cycle
  • B. To ensure controls arc operating effectively
  • C. To ensure control costs do not exceed benefits
  • D. To ensure residual risk Is at an acceptable level

正解:A


質問 # 278
You are the project manager of GHT project. Your project utilizes a machine for production of goods. This machine has the specification that if its temperature would rise above 450 degree Fahrenheit then it may result in burning of windings. So, there is an alarm which blows when machine's temperature reaches 430 degree Fahrenheit and the machine is shut off for 1 hour.
What role does alarm contribute here?

  • A. Explanation:
    Here in this scenario alarm indicates the potential risk that the rising temperature of machine can cause, hence it is enacting as a risk indicator. Risk indicators are metrics used to indicate risk thresholds, i.e., it gives indication when a risk level is approaching a high or unacceptable level of risk. The main objective of a risk indicator is to ensure tracking and reporting mechanisms that alert staff about the potential risks.
  • B. Of risk trigger
  • C. Of risk response
  • D. Of risk identification
  • E. Of risk indicator

正解:E

解説:
is incorrect. The temperature 430 degree in scenario is the risk trigger. A risk trigger is a warning sign or condition that a risk event is about to happen. As in this scenario the 430 degree temperature is the indication of upcoming risks, hence 430 degree temperature is a risk trigger. Answer:D is incorrect. Risk response is the action taken to reduce the risk event occurrence. Hence here risk response is shutting off of machine. Answer:B is incorrect. The first thing we must do in risk management is to identify the areas of the project where the risks can occur. This is termed as risk identification. Listing all the possible risks is proved to be very productive for the enterprise as we can cure them before it can occur. In risk identification both threats and opportunities are considered, as both carry some level of risk with them.


質問 # 279
What should be the PRIMARY objective for a risk practitioner performing a post-implementation review of an IT risk mitigation project?

  • A. Verifying that the risk level has been lowered
  • B. Confirming that the project budget was not exceeded
  • C. Validating the risk mitigation project has been completed
  • D. Documenting project lessons learned

正解:A


質問 # 280
Which of the following should be the PRIMARY consideration when implementing controls for monitoring user activity logs?

  • A. Implementing log analysis tools to automate controls
  • B. Building correlations between logs collected from different sources
  • C. Ensuring availability of resources for log analysis
  • D. Ensuring the control is proportional to the risk

正解:D

解説:
The primary consideration when implementing controls for monitoring user activity logs is ensuring that the control is proportional to the risk, because this helps to optimize the balance between the benefits and costs of the control, and to avoid over- or under-controlling the risk. User activity logs are records of the actions or events performed by users on IT systems, networks, or resources, such as accessing, modifying, or transferring data or files. Monitoring user activity logs can help to detect and prevent potential threats, such as unauthorized access, data leakage, or malicious activity, and to support the investigation and remediation of incidents. However, monitoring user activity logs also involves certain costs and challenges, such as collecting, storing, analyzing, and reporting large amounts of log data, ensuring the accuracy, completeness, and timeliness of the log data, protecting the privacy and security of the log data, and complying with the relevant laws and regulations. Therefore, when implementing controls for monitoring user activity logs, the organization should consider the level and impact of the risk that the control is intended to address, and the value and effectiveness of the control in reducing the risk exposure and impact. The organization should also consider the costs and feasibility of implementing and maintaining the control, and the potential negative consequences or side effects of the control, such as performance degradation, user dissatisfaction, or legal liability. By ensuring that the control is proportional to the risk, the organization can achieve the optimal level of risk management, and avoid wasting resources or creating new risks. References = Risk IT Framework, ISACA, 2022, p. 151


質問 # 281
Which of the following criteria is MOST important when developing a response to an attack that would compromise data?

  • A. The recovery time objective (RTO)
  • B. The likelihood of a recurring attack
  • C. The business significance of the information
  • D. The organization's risk tolerance

正解:C

解説:
According to the CRISC Review Manual (Digital Version), the business significance of the information is the most important criterion when developing a response to an attack that would compromise data, as it determines the impact and severity of the attack on the organization's objectives and performance. The business significance of the information helps to:
* Assess the value and sensitivity of the data that is compromised or at risk of compromise
* Evaluate the potential losses or damages that the organization may incur due to the data compromise
* Prioritize the data recovery and restoration activities based on the criticality and urgency of the data
* Communicate and coordinate the data breach response and notification with the relevant stakeholders, such as the data owners, the customers, the regulators, and the media
* Enhance the data protection and security measures to prevent or mitigate future data compromise incidents References = CRISC Review Manual (Digital Version), Chapter 3: IT Risk Response, Section 3.3: Risk Response Options, pp. 174-1751


質問 # 282
The head of a business operations department asks to review the entire IT risk register. Which of the following would be the risk manager's BEST approach to this request before sharing the register?

  • A. Sanitize portions of the register.
  • B. Determine the purpose of the request.
  • C. Require a nondisclosure agreement.
  • D. Escalate to senior management.

正解:B

解説:
Section: Volume D


質問 # 283
You are the risk control professional of your enterprise. You have implemented a tool that correlates information from multiple sources. To which of the following do this monitoring tool focuses?

  • A. Explanation:
    Monitoring tools that focuses on transaction data generally correlate information from one system to another, such as employee data from the human resources (HR) system with spending information from the expense system or the payroll system.
  • B. Transaction data
  • C. System changes
  • D. Process integrity
  • E. Configuration settings

正解:B

解説:
is incorrect. Process integrity is confirmed within the system, it dose not need monitoring. Answer: D is incorrect. System changes are compared from a previous state to the current state, it dose not correlate information from multiple sources. Answer: C is incorrect. Configuration settings are generally compared against predefined values and not based on the correlation between multiple souces.


質問 # 284
The BEST way to demonstrate alignment of the risk profile with business objectives is through:

  • A. risk policy.
  • B. risk scenarios.
  • C. risk tolerance.
  • D. risk appetite.

正解:C


質問 # 285
Which of the following should be included in a risk scenario to be used for risk analysis?

  • A. Risk tolerance
  • B. Risk appetite
  • C. Residual risk
  • D. Threat type

正解:D

解説:
A risk scenario is a hypothetical situation that describes how a risk event could adversely affect an organization's objectives, assets, or operations. A risk scenario can be used for risk analysis, which is the process of estimating the likelihood and impact of the risk event, and evaluating the effectiveness and efficiency of the risk response1.
One of the essential components of a risk scenario is the threat type, which is the source or cause of the risk event. The threat type can be classified into various categories, such as natural, human, technical, environmental, or legal. The threat type can help to define the characteristics, motivations, capabilities, and methods of the risk event, and to identify the potential vulnerabilities and exposures of the organization. The threat type can also help to determine the frequency and severity of the risk event, and to select the appropriate risk response strategies and controls23.
The other options are not the components of a risk scenario, but rather the outcomes or inputs of risk analysis.
Risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives. Risk appetite can help to guide the risk analysis by providing a high-level statement of the desired level of risk taking and tolerance4. Risk tolerance is the acceptable variation in the outcomes related to specific objectives or risks. Risk tolerance can help to measure the risk analysis by providing quantitative or qualitative indicators of the acceptable range of risk exposure and performance4. Residual risk is the remaining risk after the risk response has been implemented. Residual risk can help to monitor the risk analysis by providing feedback on the effectiveness and efficiency of the risk response and the need for further action. References =
* Risk Analysis - ISACA
* Threat - ISACA
* Threat Modeling - ISACA
* Risk Appetite and Risk Tolerance - ISACA
* [Residual Risk - ISACA]
* [CRISC Review Manual, 7th Edition]


質問 # 286
Which of the following are risk components of the COSO ERM framework?
Each correct answer represents a complete solution. Choose three.

  • A. Risk response
  • B. Business continuity
  • C. Internal environment
  • D. Control activities

正解:A、C、D

解説:
Explanation/Reference:
Explanation:
The risk components defined by the COSO ERM are internal environment, objective settings, event identification, risk assessment, risk response, control objectives, information and communication, and monitoring.
Incorrect Answers:
C: Business continuity is not considered as risk component within the ERM framework.


質問 # 287
Which of me following is MOST helpful to mitigate the risk associated with an application under development not meeting business objectives?

  • A. Identifying tweets that may compromise enterprise architecture (EA)
  • B. Performing risk assessments during the business case development stage
  • C. Including diverse Business scenarios in user acceptance testing (UAT)
  • D. Including key stakeholders in review of user requirements

正解:D

解説:
The most helpful way to mitigate the risk associated with an application under development not meeting business objectives is to include key stakeholders in the review of user requirements, because this ensures that the application is designed and developed according to the needs and expectations of the end users and the business owners. Including key stakeholders in the review of user requirements also helps to avoid scope creep, requirement changes, or miscommunication that may affect the quality, functionality, or usability of the application. The other options are not the most helpful ways to mitigate the risk, although they may also be useful in reducing the likelihood or impact of the risk. Identifying threats that may compromise enterprise architecture (EA), including diverse business scenarios in user acceptance testing (UAT), and performing risk assessments during the business case development stage are examples of preventive or detective controls that aim to identify and address the potential issues or problems that may arise during the application development process, but they do not address the alignment of the application with the business objectives. References
= CRISC: Certified in Risk & Information Systems Control Sample Questions


質問 # 288
......

CRISC試験問題にて有効なCRISC問題集PDF:https://jp.fast2test.com/CRISC-premium-file.html

検証済みCRISC問題集と解答で合格保証:https://drive.google.com/open?id=1cdAu8ZCLuGSBt39VnP1nUP0KTII4hDbS


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어