CRISC Exam Question 321
An organization automatically approves exceptions to security policies on a recurring basis. This practice is MOST likely the result of:
Correct Answer: D
IT governance is the process of ensuring that IT supports the organization's objectives and strategies, and that IT risks are managed appropriately. IT governance involves defining the roles, responsibilities, and accountabilities of the IT stakeholders, establishing the IT policies, standards, and procedures, and monitoring and evaluating the IT performance and outcomes1.
An organization that automatically approves exceptions to security policies on a recurring basis is most likely the result of ineffective IT governance, because it indicates that the organization:
* Lacks a clear and consistent IT strategy and direction, and does not align IT with the business goals and needs
* Fails to implement and enforce the IT policies, standards, and procedures, and does not ensure the compliance and accountability of the IT users and providers
* Neglects to identify and assess the IT risks, and does not implement the appropriate risk responses and controls
* Does not monitor and measure the IT performance and outcomes, and does not review and improve the IT processes and practices23 The other options are not the most likely results of ineffective IT governance, but rather some of the possible causes or consequences of it. A lack of mitigating actions for identified risk is a possible consequence of ineffective IT governance, as it implies that the organization does not have a systematic and proactive approach to IT risk management, and does not address the IT risks in a timely and effective manner.
Decreased threat levels is a possible cause of ineffective IT governance, as it may create a false sense of security and complacency, and reduce the motivation and urgency to implement and follow the IT policies, standards, and procedures. Ineffective service delivery is a possible consequence of ineffective IT governance, as it means that the organization does not deliver the IT services that meet the expectations and requirements of the customers and stakeholders, and does not ensure the quality and reliability of the IT services. References
=
* IT Governance - ISACA
* IT Governance: What It Is and Why You Need It
* IT Governance: The Benefits of an Effective Enterprise IT Governance Framework
* [CRISC Review Manual, 7th Edition]
An organization that automatically approves exceptions to security policies on a recurring basis is most likely the result of ineffective IT governance, because it indicates that the organization:
* Lacks a clear and consistent IT strategy and direction, and does not align IT with the business goals and needs
* Fails to implement and enforce the IT policies, standards, and procedures, and does not ensure the compliance and accountability of the IT users and providers
* Neglects to identify and assess the IT risks, and does not implement the appropriate risk responses and controls
* Does not monitor and measure the IT performance and outcomes, and does not review and improve the IT processes and practices23 The other options are not the most likely results of ineffective IT governance, but rather some of the possible causes or consequences of it. A lack of mitigating actions for identified risk is a possible consequence of ineffective IT governance, as it implies that the organization does not have a systematic and proactive approach to IT risk management, and does not address the IT risks in a timely and effective manner.
Decreased threat levels is a possible cause of ineffective IT governance, as it may create a false sense of security and complacency, and reduce the motivation and urgency to implement and follow the IT policies, standards, and procedures. Ineffective service delivery is a possible consequence of ineffective IT governance, as it means that the organization does not deliver the IT services that meet the expectations and requirements of the customers and stakeholders, and does not ensure the quality and reliability of the IT services. References
=
* IT Governance - ISACA
* IT Governance: What It Is and Why You Need It
* IT Governance: The Benefits of an Effective Enterprise IT Governance Framework
* [CRISC Review Manual, 7th Edition]
CRISC Exam Question 322
Which of the following is the BEST method to ensure a terminated employee's access to IT systems is revoked upon departure from the organization?
Correct Answer: D
* The best method to ensure a terminated employee's access to IT systems is revoked upon departure from the organization is to have the human resources (HR) system automatically revoke system access, which is a process that involves integrating the HR system with the IT system, and triggering the removal of access rights for the employee as soon as the termination is recorded in the HR system12.
* This method is the best because it provides the most timely, accurate, and consistent way of revoking access, and reduces the risk of human error, oversight, or delay that may occur in manual or semi- automated processes12.
* This method is also the best because it enhances the security and compliance of the organization, and prevents the terminated employee from accessing or compromising the IT systems or data after departure12.
* The other options are not the best methods, but rather alternative or supplementary methods that may have some limitations or drawbacks. For example:
* Login attempts are reconciled to a list of terminated employees is a method that involves monitoring and verifying the login activities of the IT systems, and comparing them with a list of terminated employees to identify and block any unauthorized access attempts34. However, this method is not the best because it is reactive rather than proactive, and may not prevent the terminated employee from accessing the IT systems before the reconciliation is done34.
* A list of terminated employees is generated for reconciliation against current IT access is a method that involves creating and maintaining a list of terminated employees, and checking it against the current IT access rights to identify and remove any access that is no longer needed34. However, this method is not the best because it is manual and labor-intensive, and may introduce errors or inconsistencies in the list or the access rights34.
* A process to remove employee access during the exit interview is implemented is a method that involves conducting an exit interview with the terminated employee, and revoking the employee' s access to the IT systems during or immediately after the interview34. However, this method is not the best because it depends on the availability and cooperation of the terminated employee, and may not cover all the IT systems or access rights that the employee had34. References =
* 1: IT Involvement in Employee Termination, A Checklist3
* 2: Best Practices to Ensure Departing Employees Retain No Access5
* 3: User Termination Best Practices - IT Security - Spiceworks2
* 4: IT Security for Employee Termination - Policies, Checklists, Templates - Endsight1
* This method is the best because it provides the most timely, accurate, and consistent way of revoking access, and reduces the risk of human error, oversight, or delay that may occur in manual or semi- automated processes12.
* This method is also the best because it enhances the security and compliance of the organization, and prevents the terminated employee from accessing or compromising the IT systems or data after departure12.
* The other options are not the best methods, but rather alternative or supplementary methods that may have some limitations or drawbacks. For example:
* Login attempts are reconciled to a list of terminated employees is a method that involves monitoring and verifying the login activities of the IT systems, and comparing them with a list of terminated employees to identify and block any unauthorized access attempts34. However, this method is not the best because it is reactive rather than proactive, and may not prevent the terminated employee from accessing the IT systems before the reconciliation is done34.
* A list of terminated employees is generated for reconciliation against current IT access is a method that involves creating and maintaining a list of terminated employees, and checking it against the current IT access rights to identify and remove any access that is no longer needed34. However, this method is not the best because it is manual and labor-intensive, and may introduce errors or inconsistencies in the list or the access rights34.
* A process to remove employee access during the exit interview is implemented is a method that involves conducting an exit interview with the terminated employee, and revoking the employee' s access to the IT systems during or immediately after the interview34. However, this method is not the best because it depends on the availability and cooperation of the terminated employee, and may not cover all the IT systems or access rights that the employee had34. References =
* 1: IT Involvement in Employee Termination, A Checklist3
* 2: Best Practices to Ensure Departing Employees Retain No Access5
* 3: User Termination Best Practices - IT Security - Spiceworks2
* 4: IT Security for Employee Termination - Policies, Checklists, Templates - Endsight1
CRISC Exam Question 323
Which of the following is MOST important for management to consider when deciding whether to invest in an IT initiative that exceeds management's risk appetite?
Correct Answer: C
The most important factor for management to consider when deciding whether to invest in an IT initiative that exceeds management's risk appetite is C. Risk tolerance1 According to the CRISC Review Manual, risk tolerance is the acceptable level of variation that management is willing to allow for any specific risk as the enterprise pursues its objectives. Risk tolerance reflects the degree of uncertainty that an organization is prepared to accept in relation to achieving its goals2 When an IT initiative exceeds management's risk appetite, it means that the potential benefits of the initiative are outweighed by the potential negative consequences or losses that could result from the initiative.
However, management may still decide to invest in the initiative if the level of uncertainty or variation is within the organization's risk tolerance. For example, management may accept a higher level of risk for a strategic or innovative initiative that could provide a competitive advantage or a significant return on investment3
However, management may still decide to invest in the initiative if the level of uncertainty or variation is within the organization's risk tolerance. For example, management may accept a higher level of risk for a strategic or innovative initiative that could provide a competitive advantage or a significant return on investment3
CRISC Exam Question 324
During a risk assessment, the risk practitioner finds a new risk scenario without controls has been entered into the risk register. Which of the following is the MOST appropriate action?
Correct Answer: A
A new risk scenario without controls means that there is a potential threat or event that could adversely affect the organization's objectives, and there are no existing measures to prevent or reduce the impact or likelihood of the risk. Therefore, the most appropriate action is to include the new risk scenario in the current risk assessment, so that the risk practitioner can analyze the risk, evaluate its severity and priority, and recommend suitable controls to mitigate the risk. By including the new risk scenario in the current risk assessment, the risk practitioner can ensure that the risk register is updated and reflects the current risk profile of the organization. The other options are not appropriate because they either ignore the new risk scenario, delay the risk assessment process, or remove valuable information from the risk register. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.4.1, page 95.
CRISC Exam Question 325
Which of the following is MOST important to communicate to senior management during the initial implementation of a risk management program?
Correct Answer: D
The most important factor to communicate to senior management during the initial implementation of a risk management program is the desired risk level, which is the level of risk that the organization aims to achieve in order to fulfill its objectives and strategy1. The desired risk level can help to:
* Define and communicate the risk appetite and tolerance, which are the amount and type of risk that the organization is willing to accept or pursue in order to achieve its objectives2.
* Guide and align the risk identification, analysis, evaluation, and treatment processes, and ensure that the risks are consistent and proportional to the desired risk level3.
* Measure and monitor the risk performance and outcome, and ensure that the actual risk level is within the desired risk level, or take corrective actions if needed4.
The other factors are not the most important to communicate to senior management, because:
* Regulatory compliance is a necessary but not sufficient factor to communicate to senior management, as it ensures that the risk management program complies with the applicable laws, rules, or standards that govern the organization's activities and operations5. However, regulatory compliance does not guarantee that the risk management program is relevant and useful for the organization's specific objectives and strategy.
* Risk ownership is a desirable but not essential factor to communicate to senior management, as it assigns the roles and responsibilities for managing the risks and implementing the risk responses to the appropriate individuals or entities within the organization. However, risk ownership does not ensure that the risk management program is effective and efficient in achieving the desired risk level.
* Best practices are a useful but not critical factor to communicate to senior management, as they provide the guidelines and standards for designing and implementing the risk management program, based on the experience and knowledge of the industry or the profession. However, best practices do not ensure that the risk management program is suitable and feasible for the organization's specific context and capabilities.
References =
* Desired Risk Level - CIO Wiki
* Risk Appetite and Tolerance - CIO Wiki
* Risk Management Process - CIO Wiki
* Risk Monitoring - CIO Wiki
* Regulatory Compliance - CIO Wiki
* [Risk Ownership - CIO Wiki]
* [Best Practice - CIO Wiki]
* [Risk Management - CIO Wiki]
* Define and communicate the risk appetite and tolerance, which are the amount and type of risk that the organization is willing to accept or pursue in order to achieve its objectives2.
* Guide and align the risk identification, analysis, evaluation, and treatment processes, and ensure that the risks are consistent and proportional to the desired risk level3.
* Measure and monitor the risk performance and outcome, and ensure that the actual risk level is within the desired risk level, or take corrective actions if needed4.
The other factors are not the most important to communicate to senior management, because:
* Regulatory compliance is a necessary but not sufficient factor to communicate to senior management, as it ensures that the risk management program complies with the applicable laws, rules, or standards that govern the organization's activities and operations5. However, regulatory compliance does not guarantee that the risk management program is relevant and useful for the organization's specific objectives and strategy.
* Risk ownership is a desirable but not essential factor to communicate to senior management, as it assigns the roles and responsibilities for managing the risks and implementing the risk responses to the appropriate individuals or entities within the organization. However, risk ownership does not ensure that the risk management program is effective and efficient in achieving the desired risk level.
* Best practices are a useful but not critical factor to communicate to senior management, as they provide the guidelines and standards for designing and implementing the risk management program, based on the experience and knowledge of the industry or the profession. However, best practices do not ensure that the risk management program is suitable and feasible for the organization's specific context and capabilities.
References =
* Desired Risk Level - CIO Wiki
* Risk Appetite and Tolerance - CIO Wiki
* Risk Management Process - CIO Wiki
* Risk Monitoring - CIO Wiki
* Regulatory Compliance - CIO Wiki
* [Risk Ownership - CIO Wiki]
* [Best Practice - CIO Wiki]
* [Risk Management - CIO Wiki]
- Other Version
- 3199ISACA.CRISC.v2025-01-04.q999
- 1501ISACA.CRISC.v2024-06-13.q683
- 2185ISACA.CRISC.v2024-04-02.q999
- 2752ISACA.CRISC.v2023-07-10.q544
- 5436ISACA.CRISC.v2022-05-25.q338
- 76ISACA.Actual4dump.CRISC.v2022-04-12.by.newman.349q.pdf
- 5245ISACA.CRISC.v2022-02-22.q349
- 5070ISACA.CRISC.v2021-10-27.q295
- 42ISACA.Updatedumps.CRISC.v2021-09-05.by.bonnie.114q.pdf
- Latest Upload
- 147Microsoft.SC-400.v2025-09-20.q290
- 375ISACA.CGEIT.v2025-09-19.q537
- 160Fortinet.FCP_FWF_AD-7.4.v2025-09-18.q62
- 161Scrum.SAFe-Practitioner.v2025-09-18.q63
- 155Workday.Workday-Prism-Analytics.v2025-09-17.q17
- 135Oracle.1Z0-1055-24.v2025-09-17.q28
- 131Oracle.1Z1-182.v2025-09-17.q32
- 261Nutanix.NCP-US-6.5.v2025-09-16.q73
- 282Oracle.1z0-071.v2025-09-16.q232
- 205Oracle.1Z1-922.v2025-09-16.q125
[×]
Download PDF File
Enter your email address to download ISACA.CRISC.v2025-08-27.q675 Practice Test