Which of the following is the MOST useful information for a risk practitioner when planning response activities after risk identification?
Correct Answer: C
The most useful information for a risk practitioner when planning response activities after risk identification is the risk priorities. Risk priorities are the order or ranking of the risks based on their level of importance or urgency. Risk priorities help the risk practitioner to focus on the most critical risks, and allocate the resources and efforts accordingly. Risk priorities are usually determined by using a combination of factors, such as the likelihood and impact of the risks, the risk appetite and tolerance of the organization, and the cost and benefit of the risk responses. The other options are not as useful as the risk priorities, although they may provide some input or context for the risk response planning. The risk register is the document that records the details of all identified risks, but it does not necessarily indicate the risk priorities. The risk appetite is the amount and type of risk that the organization is willing to pursue, retain, or take, but it does not specify the risk priorities. The risk heat maps are graphical tools that display the risk level of each risk based on the likelihood and impact, but they do not show the risk priorities. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.1, page 4-23.
CRISC Exam Question 32
An organization has outsourced its customer management database to an external service provider. Of the following, who should be accountable for ensuring customer data privacy?
Correct Answer: A
CRISC Exam Question 33
Which of the following is the BEST way to validate privileged access to database accounts?
Correct Answer: A
Regular reviewshelp detect inappropriate, outdated, or excessive access rights. This is a fundamental part of access control governance and supports the principle of least privilege. Reference:CRISC Manual - Domain 1, Slide 230-232
CRISC Exam Question 34
While reviewing an organization's monthly change management metrics, a risk practitioner notes that the number of emergency changes has increased substantially Which of the following would be the BEST approach for the risk practitioner to take?
Correct Answer: C
According to the CRISC Review Manual, a root cause analysis is a technique that identifies the underlying causes of an event or a problem. It helps to determine the most effective actions to prevent or mitigate the recurrence of the event or problem. A root cause analysis is the best approach for the risk practitioner to take in this scenario, because it will help to understand why the number of emergency changes has increased substantially and what can be done to address the issue. The other options are not the best approaches, because they do not address the underlying causes of the problem. Temporarily suspending emergency changes may disrupt the business operations and create more risks. Documenting the control deficiency in the risk register is a passive action that does not resolve the problem. Continuing monitoring change management metrics is an ongoing activity that does not provide any insight into the problem. References = CRISC Review Manual, 7th Edition, Chapter 3, Section 3.2.4, page 130.
CRISC Exam Question 35
The PRIMARY reason to implement a formalized risk taxonomy is to:
Correct Answer: D
The primary reason to implement a formalized risk taxonomy is to reduce subjectivity in risk management, as it provides a common and consistent language and structure for identifying, classifying, and reporting risks, and facilitates the comparison and aggregation of risks across the organization. The other options are not the primary reasons, as they are more related to the outcomes, benefits, or drivers of risk management, respectively, rather than the reason for risk management. References = CRISC Review Manual, 7th Edition, page 100.