Isaca Certified in Risk and Information Systems Control CRISC Question # 418 Topic 42 Discussion

CRISC Exam Topic 42 Question 418 Discussion:

Question #: 418

Topic #: 42

An organization automatically approves exceptions to security policies on a recurring basis. This practice is MOST likely the result of:

a lack of mitigating actions for identified risk

decreased threat levels

ineffective service delivery

ineffective IT governance

Get Premium CRISC Questions

Explanation

IT governance is the process of ensuring that IT supports the organization’s objectives and strategies, and that IT risks are managed appropriately. IT governance involves defining the roles, responsibilities, and accountabilities of the IT stakeholders, establishing the IT policies, standards, and procedures, and monitoring and evaluating the IT performance and outcomes1.

An organization that automatically approves exceptions to security policies on a recurring basis is most likely the result of ineffective IT governance, because it indicates that the organization:

Lacks a clear and consistent IT strategy and direction, and does not align IT with the business goals and needs

Fails to implement and enforce the IT policies, standards, and procedures, and does not ensure the compliance and accountability of the IT users and providers

Neglects to identify and assess the IT risks, and does not implement the appropriate risk responses and controls

Does not monitor and measure the IT performance and outcomes, and does not review and improve the IT processes and practices23

The other options are not the most likely results of ineffective IT governance, but rather some of the possible causes or consequences of it. A lack of mitigating actions for identified risk is a possible consequence of ineffective IT governance, as it implies that the organization does not have a systematic and proactiveapproach to IT risk management, and does not address the IT risks in a timely and effective manner. Decreased threat levels is a possible cause of ineffective IT governance, as it may create a false sense of security and complacency, and reduce the motivation and urgency to implement and follow the IT policies, standards, and procedures. Ineffective service delivery is a possible consequence of ineffective IT governance, as it means that the organization does not deliver the IT services that meet the expectations and requirements of the customers and stakeholders, and does not ensure the quality and reliability of the IT services. References =

IT Governance - ISACA

IT Governance: What It Is and Why You Need It

IT Governance: The Benefits of an Effective Enterprise IT Governance Framework

[CRISC Review Manual, 7th Edition]

Actual exam question for Isaca CRISC exam by Xander7011 at Aug 3, 2025, 11:27:20 AM

Contribute your Thoughts:

Chosen Answer: A B C D
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.

Isaca Certified in Risk and Information Systems Control CRISC Question # 418 Topic 42 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 418 Topic 42 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Isaca Certified in Risk and Information Systems Control CRISC Question # 418 Topic 42 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 418 Topic 42 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Awaiting moderator approval