
100%の合格率を試そう!更新されたのはCRISC試験問題 [2025]
合格させるCRISC試験にはリアル問題解答
CRISC認定試験は、情報システムのリスク管理と制御に関する候補者の知識と理解をテストする150の多肢選択問題から構成されています。この試験は、リスク特定、評価、評価、リスク対応、リスク監視と報告、および情報システムコントロールの設計と実装の4つのドメインをカバーしています。試験時間は4時間で、800点満点中450点以上の合格点が必要です。
質問 # 351
An IT license audit has revealed that there are several unlicensed copies of co be to:
- A. report the issue to management so appropriate action can be taken.
- B. procure the requisite licenses for the software to minimize business impact.
- C. immediately uninstall the unlicensed software from the laptops
- D. centralize administration rights on laptops so that installations are controlled
正解:A
解説:
An IT license audit is a process that verifies the compliance of the IT software and hardware assets with the licensing agreements and regulations. An IT license audit can reveal the existence of unlicensed copies of software, which can expose the enterprise to legal, financial, and reputational risks. The best course of action in such a situation is to report the issue to management so that appropriate action can be taken. Management can then decide on the most suitable risk response strategy, such as procuring the necessary licenses, uninstalling the unlicensed software, or negotiating with the software vendor. Reporting the issue to management can also help to prevent further violations, identify the root causes, and implement corrective and preventive measures. The other options are not the best course of action, as they may not address the issue effectively, efficiently, or ethically. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.2.1.1, pp. 156-157.
質問 # 352
The risk associated with an asset before controls are applied can be expressed as:
- A. a function of the likelihood and impact.
- B. the likelihood of a given threat.
- C. the magnitude of an impact.
- D. a function of the cost and effectiveness of controls.
正解:A
解説:
Section: Volume D
Explanation/Reference:
質問 # 353
Which of the following should be of GREATEST concern to a risk practitioner when determining the effectiveness of IT controls?
- A. Operational staff perform control self-assessments.
- B. Configuration updates do not follow formal change control.
- C. Controls are selected without a formal cost-benefit
- D. analysis-Management reviews security policies once every two years.
正解:B
質問 # 354
Which of the following is the MOST important consideration when identifying stakeholders to review risk scenarios developed by a risk analyst? The reviewers are:
- A. independent from the business operations.
- B. members of senior management.
- C. authorized to select risk mitigation options.
- D. accountable for the affected processes.
正解:D
質問 # 355
Which of the following is MOST appropriate method to evaluate the potential impact of legal, regulatory, and contractual requirements on business objectives?
- A. Compliance-oriented gap analysis
- B. Compliance-oriented business impact analysis
- C. Communication with business process stakeholders
- D. Mapping of compliance requirements to policies and procedures
正解:B
解説:
Explanation/Reference:
Explanation:
A compliance-oriented BIA will identify all the compliance requirements to which the enterprise has to align and their impacts on business objectives and activities. It is a discovery process meant to uncover the inner workings of any process. Hence it will also evaluate the potential impact of legal, regulatory, and contractual requirements on business objectives.
Incorrect Answers:
A: Communication with business process stakeholders is done so as to identify the business objectives, but it does not help in identifying impacts.
C: Compliance-oriented gap analysis will only identify the gaps in compliance to current requirements and will not identify impacts to business objectives.
D: Mapping of compliance requirements to policies and procedures will identify only the way the compliance is achieved but not the business impact.
質問 # 356
Stephen is the project manager of the GBB project. He has worked with two subject matter experts and his project team to complete the risk assessment technique. There are approximately 47 risks that have a low probability and a low impact on the project. Which of the following answers best describes what Stephen should do with these risk events?
- A. The low probability and low impact risks should be added to a watchlist for future monitoring.
- B. is incorrect. The risk response for these events may be to accept them, but the best
answer is to first add them to a watchlist. - C. Because they are low probability and low impact, Stephen should accept the risks.
- D. is incorrect. Risks are not dismissed; they are at least added to a watchlist for
monitoring. - E. Explanation:
The low probability and low impact risks should be added to a watchlist for future monitoring. - F. The low probability and low impact risks should be added to the risk register.
- G. Because they are low probability and low impact, the risks can be dismissed.
正解:A
解説:
is incorrect. While the risks may eventually be added to the register, the best answer is
to first add them to the watchlist for monitoring.
質問 # 357
Which of the following is the MOST important topic to cover in a risk awareness training program for all staff?
- A. Internal and external information security incidents.
- B. The organization's information security risk profile.
- C. Policy compliance requirements and exceptions process.
- D. The risk department's roles and responsibilities.
正解:C
解説:
Section: Volume D
質問 # 358
FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization?
- A. Annually
- B. Every three years
- C. Quarterly
- D. Never
正解:A
解説:
Section: Volume B
Explanation/Reference:
Explanation:
Inspection of FISMA is required to be done annually. Each year, agencies must have an independent evaluation of their program. The objective is to determine the effectiveness of the program. These evaluations include:
* Testing for effectiveness: Policies, procedures, and practices are to be tested. This evaluation does not test every policy, procedure, and practice. Instead, a representative sample is tested.
* An assessment or report: This report identifies the agency's compliance as well as lists compliance with FISMA. It also lists compliance with other standards and guidelines.
Incorrect Answers:
B, C, D: Auditing of compliance by external organization is done annually, not quarterly or every three years.
質問 # 359
Jenny is the project manager for the NBT projects. She is working with the project team and several subject matter experts to perform the quantitative risk analysis process. During this process she and the project team uncover several risks events that were not previously identified. What should Jenny do with these risk events?
- A. Explanation:
All identified risk events should be entered into the risk register.
A risk register is an inventory of risks and exposure associated with those risks. Risks are
commonly found in project management practices, and provide information to identify, analyze,
and manage risks. Typically a risk register contains:
A description of the risk
The impact should this event actually occur
The probability of its occurrence
Risk Score (the multiplication of Probability and Impact)
A summary of the planned response should the event occur
A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact
of the event)
Ranking of risks by Risk Score so as to highlight the highest priority risks to all involved. - B. The events should be determined if they need to be accepted or responded to.
- C. The events should be entered into the risk register.
- D. is incorrect. Before the risk events are analyzed they should be documented in the risk
register. - E. is incorrect. These risks should first be identified, documented, passed through
qualitative risk analysis and then it should be determined if they should pass through the
quantitative risk analysis process. - F. The events should be entered into qualitative risk analysis.
- G. The events should continue on with quantitative risk analysis.
正解:C
解説:
is incorrect. The risks should first be documented and analyzed.
質問 # 360
Which of the following is the MOST critical security consideration when an enterprise outsource its major part of IT department to a third party whose servers are in foreign company?
- A. Explanation:
Laws and regulations of the country of origin may not be enforceable in foreign country and conversely, it is also true that laws and regulations of the foreign outsourcer may also impact the enterprise. Hence violation of applicable laws may not be recognized or rectified due to lack of knowledge of the local laws. - B. Additional network intrusion detection sensors should be installed, resulting in additional cost
- C. A security breach notification may get delayed due to time difference
- D. Laws and regulations of the country of origin may not be enforceable in foreign country
- E. The enterprise could not be able to monitor the compliance with its internal security and privacy guidelines
正解:D
解説:
is incorrect. Outsourcing does not remove the enterprise's responsibility regarding internal requirements. Hence monitoring the compliance with its internal security and privacy guidelines is not a problem. Answer:A is incorrect. Security breach notification is not a problem and also time difference does not play any role in 24/7 environment. Pagers, cellular phones, telephones, etc. are there to communicate the notifications. Answer:D is incorrect. The need for additional network intrusion detection sensors is not a major problem as it can be easily managed. It only requires addition funding, but can be addressed.
質問 # 361
A risk practitioner is reviewing the status of an action plan to mitigate an emerging IT risk and finds the risk level has increased. The BEST course of action would be to:
- A. revise the action plan to include additional mitigating controls.
- B. suspend the current action plan in order to reassess the risk.
- C. evaluate whether selected controls are still appropriate.
- D. implement the planned controls and accept the remaining risk.
正解:C
質問 # 362
Which of the following will MOST improve stakeholders' understanding of the effect of a potential threat?
- A. Communicating the results of the threat impact analysis
- B. Establishing a risk management committee
- C. Updating the organization's risk register to reflect the new threat
- D. Establishing metrics to assess the effectiveness of the responses
正解:A
質問 # 363
Which organization is implementing a project to automate the purchasing process, including the modification of approval controls. Which of the following tasks is lie responsibility of the risk practitioner*?
- A. Verify that existing controls continue to properly mitigate defined risk
- B. Test approval process controls once the project is completed
- C. Update the existing controls for changes in approval processes from this project
- D. Perform a gap analysis of the impacted control processes
正解:A
解説:
A risk practitioner is a person who is responsible for performing risk management activities, such as identifying, analyzing, evaluating, treating, monitoring, and communicating risks. When an organization is implementing a project to automate the purchasing process, including the modification of approval controls, the task that is the responsibility of the risk practitioner is to verify that the existing controls continue to properly mitigate the defined risk. This means that the risk practitioner should ensure that the automation and modification of the approval controls do not introduce new risks or change the existing risk profile, and that the controls are still effective and adequate for the purchasing process. The risk practitioner should also monitor the performance and compliance of the controls, and recommend any improvements or adjustments as needed. References = CRISC Review Manual, 7th Edition, page 177.
質問 # 364
During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:
- A. risk management is effective.
- B. a control mitigation plan is in place.
- C. compensating controls are in place.
- D. residual risk is accepted.
正解:C
質問 # 365
Which of the following is MOST helpful in developing key risk indicator thresholds?
- A. IT service level agreements
- B. Loss expectancy information
- C. Remediation activity progress
- D. Control performance results
正解:B
解説:
Section: Volume D
質問 # 366
A global organization is considering the acquisition of a competitor. Senior management has requested a review of the overall risk profile from the targeted organization.
Which of the following components of this review would provide the MOST useful information?
- A. Risk register
- B. Enterprise risk management framework
- C. Risk management policies
- D. Risk appetite statement
正解:B
解説:
Section: Volume D
Explanation/Reference:
質問 # 367
The risk associated with inadvertent disclosure of database records from a public cloud service provider (CSP) would MOST effectively be reduced by:
- A. assessing the data classification scheme
- B. reviewing CSP access privileges
- C. encrypting the data
- D. including a nondisclosure clause in the CSP contract
正解:C
質問 # 368
Which of the following do NOT indirect information?
- A. Reports that show orders that were rejected for credit limitations.
- B. Information about the propriety of cutoff
- C. Reports that provide information about any unusual deviations and individual product margins.
- D. The lack of any significant differences between perpetual levels and actual levels of goods.
正解:B
解説:
Explanation/Reference:
Explanation:
Information about the propriety of cutoff is a kind of direct information.
Incorrect Answers:
B: Reports that show orders that were rejected for credit limitations provide indirect information that credit checking aspects of the system are working as intended.
C: Reports that provide information about any unusual deviations and individual product margins (whereby, the price of an item sold is compared to its standard cost) provide indirect information that controls over billing and pricing are operating.
D: The lack of any significant differences between perpetual levels and actual levels provides indirect information that its billing controls are operating.
質問 # 369
An organization has detected unauthorized logins to its client database servers. Which of the following should be of GREATEST concern?
- A. Potential increase in regulatory scrutiny
- B. Potential legal risk
- C. Potential system downtime
- D. Potential theft of personal information
正解:D
解説:
Potential theft of personal information should be of greatest concern for an organization that has detected unauthorized logins to its client database servers, as it poses a serious threat to the confidentiality, integrity, and availability of the client data and the reputation and trust of the organization. Potential theft of personal information is a scenario that involves the unauthorized access, disclosure, or use of the client data by malicious actors, such as hackers, competitors, or insiders. Potential theft of personal information can have significant impacts and consequences for the organization and its clients, such as:
* It can compromise the privacy and security of the client data, and expose the clients to identity theft, fraud, or blackmail.
* It can violate the legal and regulatory obligations and requirements of the organization, such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), or the Payment Card Industry Data Security Standard (PCI DSS), and result in fines, penalties, or lawsuits.
* It can damage the reputation and credibility of the organization, and erode the confidence and loyalty of the clients, and lead to loss of business or market share.
The other options are not the greatest concerns for an organization that has detected unauthorized logins to its client database servers. Potential increase in regulatory scrutiny is a possible consequence of the unauthorized logins, as it may trigger audits, investigations, or sanctions by the relevant authorities, but it is not the most critical or immediate concern. Potential system downtime is a possible consequence of the unauthorized logins, as it may disrupt or degrade the performance or availability of the database servers or the applications that depend on them, but it is not the most severe or lasting concern. Potential legal risk is a possible consequence of the unauthorized logins, as it may expose the organization to litigation or liability claims by the affected clients or parties, but it is not the most direct or urgent concern. References = Data Breach Response: A Guide for Business - Federal Trade Commission, IT Risk Resources | ISACA, How to Prevent Unauthorized Access to Your Database - ScaleGrid
質問 # 370
You work as a Project Manager for Company Inc. You are incorporating a risk response owner to take the job for each agreed-to and funded risk response. On which of the following processes are you working?
- A. Identify Risks
- B. Qualitative Risk Analysis
- C. Plan risk response
- D. Quantitative Risk Analysis
正解:C
解説:
Section: Volume D
Explanation/Reference:
Explanation:
The plan risk response project management process aims to reduce the threats to the project objectives and to increase opportunities. It follows the perform qualitative risk analysis process and perform quantitative risk analysis process. Plan risk response process includes the risk response owner to take the job for each agreed- to and funded risk response. This process addresses the risks by their priorities, schedules the project management plan as required, and inserts resources and activities into the budget. The inputs to the plan risk response process are as follows:
* Risk register
* Risk management plan
Incorrect Answers:
A: Quantitative analysis is the use of numerical and statistical techniques rather than the analysis of verbal material for analyzing risks. Some of the quantitative methods of risk analysis are:
* Internal loss method
* External data analysis
* Business process modeling (BPM) and simulation
* Statistical process control (SPC)
B: Identify Risks is the process of determining which risks may affect the project. It also documents risks' characteristics. The Identify Risks process is part of the Project Risk Management knowledge area. As new risks may evolve or become known as the project progresses through its life cycle, Identify Risks is an iterative process. The process should involve the project team so that they can develop and maintain a sense of ownership and responsibility for the risks and associated risk response actions. Risk Register is the only output of this process.
D: Qualitative analysis is the definition of risk factors in terms of high/medium/low or a numeric scale (1 to 10).
Hence it determines the nature of risk on a relative scale.
Some of the qualitative methods of risk analysis are:
* Scenario analysis- This is a forward-looking process that can reflect risk for a given point in time.
* Risk Control Self -assessment (RCSA) - RCSA is used by enterprises (like banks) for the identification and evaluation of operational risk exposure. It is a logical first step and assumes that business owners and managers are closest to the issues and have the most expertise as to the source of the risk. RCSA is a constructive process in compelling business owners to contemplate, and then explain, the issues at hand with the added benefit of increasing their accountability.
質問 # 371
While reviewing the risk register, a risk practitioner notices that different business units have significant variances in inherent risk for the same risk scenario. Which of the following is the BEST course of action?
- A. Request that both business units conduct another review of the risk.
- B. Review the assumptions of both risk scenarios to determine whether the variance is reasonable.
- C. Update the risk register to ensure both risk scenarios have the highest residual risk.
- D. Update the risk register with the average of residual risk for both business units.
正解:B
質問 # 372
A risk assessment has identified increased losses associated with an IT risk scenario. It is MOST important for the risk practitioner to:
- A. implement additional controls.
- B. reevaluate inherent risk.
- C. update the risk rating.
- D. develop new risk scenarios.
正解:C
解説:
The most important action for the risk practitioner to take when a risk assessment has identified increased losses associated with an IT risk scenario is to update the risk rating. A risk rating is a measure of the overall level of risk, based on the combination of the probability and impact of the risk scenario. A risk rating helps to prioritize the risks, communicate the risk exposure, and monitor the risk response. Updating the risk rating is the most important action, because it reflects the current state and magnitude of the risk, and it triggers the review and revision of the risk response plan, if needed. Updating the risk rating also ensures that the risk register and the risk profile are accurate and complete, and that the risk management process is consistent and effective. The other options are not the most important action, although they may be related or subsequent steps in the risk management process. Reevaluating inherent risk is a part of the risk analysis process, which estimates the probability and impact of the risk scenario before considering the existing controls.
Reevaluating inherent risk can help to identify the root causes and drivers of the risk, and to assess the effectiveness and efficiency of the controls, but it does not change the overall level of risk or the risk response plan. Developing new risk scenarios is a part of the risk identification process, which identifies and describes the potential events or situations that could affect the achievement of the objectives. Developing new risk scenarios can help to expand the scope and coverage of the risk management process, and to address the emerging or changing risks, but it does not update the existing risk scenarios or the risk response plan.
Implementing additional controls is a part of the risk response process, which selects and executes the appropriate actions to reduce, avoid, share, or exploit the risk. Implementing additional controls can help to mitigate the risk and achieve the desired risk level, but it is not the first or the only option, as it depends on the risk appetite, tolerance, and capacity of the organization, and the cost-benefit analysis of the controls.
References = Risk Register Template and Examples | Prioritize and Manage Risk, How to Write Strong Risk Scenarios and Statements - ISACA, IT Risk Resources | ISACA
質問 # 373
Which of the following components ensures that risks are examined for all new proposed change requests in the change control system?
- A. Scope change control
- B. Configuration management
- C. Integrated change control
- D. Risk monitoring and control
- E. Explanation:
Integrated change control is the component that is responsible for reviewing all aspects of a change's impact on a project - including risks that may be introduced by the new change. Integrated change control is a way to manage the changes incurred during a project. It is a method that manages reviewing the suggestions for changes and utilizing the tools and techniques to evaluate whether the change should be approved or rejected. Integrated change control is a primary component of the project's change control system that examines the affect of a proposed change on the entire project.
正解:C、E
解説:
is incorrect. Configuration management controls and documents changes to the features and functions of the product scope. Answer:B is incorrect. Scope change control focuses on the processes to allow changes to enter the project scope. Answer:C is incorrect. Risk monitoring and control is not part of the change control system, so this choice is not valid.
質問 # 374
......
CRISC試験問題を最新版を今すぐ試そうの[2025年最新] 正解回答付き:https://jp.fast2test.com/CRISC-premium-file.html
無料ISACA CRISCテスト練習問題試験問題集:https://drive.google.com/open?id=1PsdbKnheydKQSC62K-uGuEq-Sksz6FcY