Isaca IT-Risk-Fundamentals Exam With Confidence Using Practice Dumps

Operationelle Risiken umfassen Verluste, die durch unzureichende oder fehlgeschlagene interne Prozesse, Personen und Systeme oder durch externe Ereignisse verursacht werden. Mitarbeiterfehler und Systemausfälle sind typische Beispiele für operationelle Risiken.

Definition und Kategorien von Risiken:

Operational Risk: Betrifft Verluste aufgrund interner Prozesse oder menschlicher Fehler.

Market Risk: Verluste aufgrund von Marktschwankungen.

Strategic Risk: Verluste aufgrund von Fehlentscheidungen im Management oder strategischen Planungsfehlern.

Beispiele für operationelle Risiken:

Mitarbeiterfehler: Fehlerhafte Dateneingabe, Nichtbeachtung von Arbeitsprozessen.

Systemausfälle: IT-Systemabstürze, Hardware-Fehlfunktionen.

References:

ISA 315: Operational risks and how they are identified and managed within the IT environment​​.

ISO 27001: Information security management systems that include measures for mitigating operational risks.

The primary objective of a vulnerability assessment is to identify and document weaknesses in IT systems and applications. It aims to improve the understanding of deficient control conditions by uncovering vulnerabilities that could be exploited.

While vulnerability assessments inform the best course of action (A), that's a consequence of the assessment, not the primary objective itself. Reducing the effort to identify new vulnerabilities (C) is a desirable outcome of a good process, but not the primary goal.

An enterprise that uses a two-factor authentication login method for accessing sensitive data has implemented a preventive control. Here’s why:

Preventive Control: This type of control is designed to prevent security incidents before they occur. Two-factor authentication (2FA) enhances security by requiring two forms of verification (e.g., a password and a mobile code) to access sensitive data. This prevents unauthorized access by ensuring that even if one authentication factor (like a password) is compromised, the second factor remains a barrier to entry.

Corrective Control: These controls come into play after an incident has occurred, aiming to correct or mitigate the impact. Examples include restoring data from backups or applying patches after a vulnerability is exploited. 2FA does not correct an incident but prevents it from happening.

Detective Control: These controls are designed to detect and alert about incidents when they happen. Examples include intrusion detection systems (IDS) and audit logs. 2FA is not about detection but about prevention.

Therefore, two-factor authentication is a preventive control.