Free Access ISACA.CRISC.v2025-07-19.q999 Practice Test (Page 51)

Question 246

An organization is considering modifying its system to enable acceptance of credit card payments. To reduce the risk of data exposure, which of the following should the organization do FIRST?

A.Update the risk register.

B.Update the security strategy.

C.Conduct a risk assessment.

D.Implement additional controls.

Question 247

Which of the following is the BEST method for assessing control effectiveness?

A.Ad hoc control reporting

B.Control self-assessment

C.Continuous monitoring

D.Predictive analytics

Correct Answer: C

* Control effectiveness is the degree to which a control achieves its intended objective and mitigates the risk that it is designed to address. It is measured by comparing the actual performance and outcome of the control with the expected or desired performance and outcome.
* The best method for assessing control effectiveness is continuous monitoring, which is the process of collecting, analyzing, and reporting on the performance and outcome of the controls on an ongoing basis. Continuous monitoring provides timely and accurate information on the status and results of the controls, and enables the identification and correction of any issues or gaps in the control environment.
* Continuous monitoring can be performed using various techniques, such as automated tools, dashboards, indicators, metrics, logs, audits, reviews, etc. Continuous monitoring can also be integrated with the risk management process, and aligned with the organization's objectives and risk appetite.
* The other options are not the best methods for assessing control effectiveness, because they do not provide the same level of timeliness, accuracy, and completeness of information on the performance and outcome of the controls.
* Ad hoc control reporting is the process of collecting, analyzing, and reporting on the performance and outcome of the controls on an irregular or occasional basis. Ad hoc control reporting may be triggered by specific events, requests, or incidents, and it may not cover all the relevant or critical controls. Ad hoc control reporting may not provide sufficient or consistent information on the control effectiveness, and it may not enable the timely and proactive identification and correction of any issues or gaps in the control environment.
* Control self-assessment is the process of allowing the control owners or operators to evaluate and report on the performance and outcome of their own controls. Control self-assessment can provide useful insights and feedback from the control owners or operators, and it can enhance their awareness and accountability for the control effectiveness. However, control self-assessment may not be objective, reliable, or independent, and it may not cover all the relevant or critical controls. Control self-assessment may not provide sufficient or consistent information on the control effectiveness, and it may not enable the timely and proactive identification and correction of any issues or gaps in the control environment.
* Predictive analytics is the process of using statistical techniques and models to analyze historical and current data, and to make predictions or forecasts about future events or outcomes. Predictive analytics can provide useful insights and trends on the potential performance and outcome of the controls, and it can support the decision making and planning for the control effectiveness.
However, predictive analytics may not be accurate, valid, or reliable, and it may not reflect the actual or current performance and outcome of the controls. Predictive analytics may not provide sufficient or consistent information on the control effectiveness, and it may not enable the timely and proactive identification and correction of any issues or gaps in the control environment.
References =
* ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 40-41, 47-48, 54-55, 58-59, 62-63
* ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 150
* CRISC Practice Quiz and Exam Prep

Question 248

A peer review of a risk assessment finds that a relevant threat community was not included. Mitigation of the risk will require substantial changes to a software application. Which of the following is the BEST course of action?

A.Ask the business to make a budget request to remediate the problem.

B.Research the types of attacks the threat can present.

C.Determine the impact of the missing threat.

D.Build a business case to remediate the fix.

Question 249

Which of the following is the MOST important factor when deciding on a control to mitigate risk exposure?

A.Comparison against best practice

B.Relevance to the business process

C.Regulatory compliance requirements

D.Cost-benefit analysis

Question 250

Which of the following BEST ensures that a firewall is configured in compliance with an enterprise's security policy?

A.Interview the firewall administrator.

B.Review the actual procedures.

C.Review the device's log file for recent attacks.

D.Review the parameter settings.

Other Version: 6564ISACA.CRISC.v2024-09-11.q999; 7512ISACA.CRISC.v2022-10-10.q527; 12586ISACA.CRISC.v2022-08-23.q834; 15418ISACA.CRISC.v2022-05-05.q821; 66ISACA.Examboosts.CRISC.v2021-09-26.by.erica.460q.pdf

Latest Upload: 107Oracle.1z0-1196-25.v2025-09-12.q18; 106NetworkAppliance.NS0-162.v2025-09-12.q86; 146OCEG.GRCP.v2025-09-11.q211; 107HP.HPE0-V27.v2025-09-11.q78; 123Oracle.1Z0-1057-23.v2025-09-10.q47; 157Google.Professional-Cloud-Network-Engineer.v2025-09-09.q179; 137SAP.C-S4EWM-2023.v2025-09-08.q83; 182TheSecOpsGroup.CNSP.v2025-09-08.q20; 262CFAInstitute.ESG-Investing.v2025-09-08.q173; 250PECB.ISO-IEC-27001-Lead-Implementer.v2025-09-06.q132

Question 246

Question 247

Question 248

Question 249

Question 250

Download PDF File