
CRISC Certified in Risk and Information Systems Control Questions and Answers

Questions 4

Which of the following would MOST effectively reduce risk associated with an increase of online transactions on a retailer website?

Options:

A.

Scalable infrastructure

B.

A hot backup site

C.

Transaction limits

D.

Website activity monitoring

Questions 5

Which of the following is MOST effective in continuous risk management process improvement?

Options:

A.

Periodic assessments

B.

Change management

C.

Awareness training

D.

Policy updates

Questions 6

Which of the following is the MOST important document regarding the treatment of sensitive data?

Options:

A.

Encryption policy

B.

Organization risk profile

C.

Digital rights management policy

D.

Information classification policy

Questions 7

Which of the following provides the BEST measurement of an organization's risk management maturity level?

Options:

A.

Level of residual risk

B.

The results of a gap analysis

C.

IT alignment to business objectives

D.

Key risk indicators (KRIs)

Questions 8

Before assigning sensitivity levels to information it is MOST important to:

Options:

A.

define recovery time objectives (RTOs).

B.

define the information classification policy.

C.

conduct a sensitivity analysis.

D.

identify information custodians.

Questions 9

Which of the following is MOST important to sustainable development of secure IT services?

Options:

A.

Security training for systems development staff

B.

Well-documented business cases

C.

Security architecture principles

D.

Secure coding practices

Questions 10

Which of the following controls would BEST reduce the risk of account compromise?

Options:

A.

Enforce password changes.

B.

Enforce multi-factor authentication (MFA).

C.

Enforce role-based authentication.

D.

Enforce password encryption.

Questions 11

Which of the following is the PRIMARY role of the board of directors in corporate risk governance?

Options:

A.

Approving operational strategies and objectives

B.

Monitoring the results of actions taken to mitigate risk

C.

Ensuring the effectiveness of the risk management program

D.

Ensuring risk scenarios are identified and recorded in the risk register

Questions 12

Which of the following BEST enables detection of ethical violations committed by employees?

Options:

A.

Transaction log monitoring

B.

Access control attestation

C.

Periodic job rotation

D.

Whistleblower program

Questions 13

Which of the following is the GREATEST concern associated with redundant data in an organization's inventory system?

Options:

A.

Poor access control

B.

Unnecessary data storage usage

C.

Data inconsistency

D.

Unnecessary costs of program changes

Questions 14

An organization has recently been experiencing frequent data corruption incidents. Implementing a file corruption detection tool as a risk response strategy will help to:

Options:

A.

reduce the likelihood of future events

B.

restore availability

C.

reduce the impact of future events

D.

address the root cause

Questions 15

Which of the following is necessary to enable an IT risk register to be consolidated with the rest of the organization’s risk register?

Options:

A.

Risk taxonomy

B.

Risk response

C.

Risk appetite

D.

Risk ranking

Questions 16

A risk practitioner is concerned with potential data loss in the event of a breach at a hosted third-party provider. Which of the following is the BEST way to mitigate this risk?

Options:

A.

Include an indemnification clause in the provider's contract.

B.

Monitor provider performance against service level agreements (SLAs).

C.

Purchase cyber insurance to protect against data breaches.

D.

Ensure appropriate security controls are in place through independent audits.

Questions 17

Which of the following would be the BEST recommendation if the level of risk in the IT risk profile has decreased and is now below management's risk appetite?

Options:

A.

Optimize the control environment.

B.

Realign risk appetite to the current risk level.

C.

Decrease the number of related risk scenarios.

D.

Reduce the risk management budget.

Questions 18

Which of the following would be the GREATEST concern related to data privacy when implementing an Internet of Things (IoT) solution that collects personally identifiable information (PII)?

Options:

A.

A privacy impact assessment has not been completed.

B.

Data encryption methods apply to a subset of PII obtained.

C.

The data privacy officer was not consulted.

D.

Insufficient access controls are used on the IoT devices.

Questions 19

Which of the following is MOST important for senior management to review during an acquisition?

Options:

A.

Risk appetite and tolerance

B.

Risk framework and methodology

C.

Key risk indicator (KRI) thresholds

D.

Risk communication plan

Questions 20

A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:

Options:

A.

updating the risk register

B.

documenting the risk scenarios.

C.

validating the risk scenarios

D.

identifying risk mitigation controls.

Questions 21

Which of the following is the BEST approach for selecting controls to minimize risk?

Options:

A.

Industry best practice review

B.

Risk assessment

C.

Cost-benefit analysis

D.

Control-effectiveness evaluation

Questions 22

Which of the following is MOST useful when communicating risk to management?

Options:

A.

Risk policy

B.

Audit report

C.

Risk map

D.

Maturity model

Questions 23

Which of the following is the GREATEST concern when establishing key risk indicators (KRIs)?

Options:

A.

High percentage of lagging indicators

B.

Nonexistent benchmark analysis

C.

Incomplete documentation for KRI monitoring

D.

Ineffective methods to assess risk

Questions 24

Which of the following is the BEST approach to mitigate the risk associated with outsourcing network management to an external vendor who will have access to sensitive information assets?

Options:

A.

Prepare a skills matrix to illustrate tasks and required expertise.

B.

Require periodic security assessments of the vendor within the contract.

C.

Perform due diligence to enable holistic assessment of the vendor.

D.

Plan a phased approach for the transition of processes to the vendor.

Questions 25

Which of the following is the PRIMARY purpose of periodically reviewing an organization's risk profile?

Options:

A.

Align business objectives with risk appetite.

B.

Enable risk-based decision making.

C.

Design and implement risk response action plans.

D.

Update risk responses in the risk register

Questions 26

When reviewing a report on the performance of control processes, it is MOST important to verify whether the:

Options:

A.

business process objectives have been met.

B.

control adheres to regulatory standards.

C.

residual risk objectives have been achieved.

D.

control process is designed effectively.

Questions 27

"Read" rights to application files in a controlled server environment should be approved by the:

Options:

A.

business process owner.

B.

database administrator.

C.

chief information officer.

D.

systems administrator.

Questions 28

What is the PRIMARY purpose of a business impact analysis (BIA)?

Options:

A.

To determine the likelihood and impact of threats to business operations

B.

To identify important business processes in the organization

C.

To estimate resource requirements for related business processes

D.

To evaluate the priority of business operations in case of disruption

Questions 29

Which of the following is MOST helpful to review when identifying risk scenarios associated with the adoption of Internet of Things (IoT) technology in an organization?

Options:

A.

The business case for the use of IoT

B.

The IoT threat landscape

C.

Policy development for IoT

D.

The network that IoT devices can access

Questions 30

Which of the following would be of GREATEST concern to a risk practitioner reviewing current key risk indicators (KRIs)?

Options:

A.

The KRIs' source data lacks integrity.

B.

The KRIs are not automated.

C.

The KRIs are not quantitative.

D.

The KRIs do not allow for trend analysis.

Questions 31

Which of the following is MOST important to determine when assessing the potential risk exposure of a loss event involving personal data?

Options:

A.

The cost associated with incident response activities

B.

The composition and number of records in the information asset

C.

The maximum levels of applicable regulatory fines

D.

The length of time between identification and containment of the incident

Questions 32

When developing a risk awareness training program, which of the following training topics would BEST facilitate a thorough understanding of risk scenarios?

Options:

A.

Mapping threats to organizational objectives

B.

Reviewing past audits

C.

Analyzing key risk indicators (KRIs)

D.

Identifying potential sources of risk

Questions 33

Which of the following would BEST provide early warning of a high-risk condition?

Options:

A.

Risk register

B.

Risk assessment

C.

Key risk indicator (KRI)

D.

Key performance indicator (KPI)

Questions 34

During an organization's simulated phishing email campaign, which of the following is the BEST indicator of a mature security awareness program?

Options:

A.

A high number of participants reporting the email

B.

A high number of participants deleting the email

C.

A low number of participants with questions for the help desk

D.

A low number of participants opening the email

Questions 35

Which of the following requirements is MOST important to include in an outsourcing contract to help ensure sensitive data stored with a service provider is secure?

Options:

A.

A third-party assessment report of control environment effectiveness must be provided at least annually.

B.

Incidents related to data loss must be reported to the organization immediately after they occur.

C.

Risk assessment results must be provided to the organization at least annually.

D.

A cyber insurance policy must be purchased to cover data loss events.

Questions 36

The risk appetite for an organization could be derived from which of the following?

Options:

A.

Cost of controls

B.

Annual loss expectancy (ALE)

C.

Inherent risk

D.

Residual risk

Questions 37

An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?

Options:

A.

Invoke the disaster recovery plan during an incident.

B.

Prepare a cost-benefit analysis of alternatives available

C.

Implement redundant infrastructure for the application.

D.

Reduce the recovery time by strengthening the response team.

Questions 38

When formulating a social media policy to address information leakage, which of the following is the MOST important concern to address?

Options:

A.

Sharing company information on social media

B.

Sharing personal information on social media

C.

Using social media to maintain contact with business associates

D.

Using social media for personal purposes during working hours

Questions 39

Which of the following is MOST helpful in preventing risk events from materializing?

Options:

A.

Prioritizing and tracking issues

B.

Establishing key risk indicators (KRIs)

C.

Reviewing and analyzing security incidents

D.

Maintaining the risk register

Questions 40

An organization is developing a risk universe to create a holistic view of its overall risk profile. Which of the following is the GREATEST barrier to achieving the initiative's objectives?

Options:

A.

Lack of cross-functional risk assessment workshops within the organization

B.

Lack of common understanding of the organization's risk culture

C.

Lack of quantitative methods to aggregate the total risk exposure

D.

Lack of an integrated risk management system to aggregate risk scenarios

Questions 41

Who should be accountable for ensuring effective cybersecurity controls are established?

Options:

A.

Risk owner

B.

Security management function

C.

IT management

D.

Enterprise risk function

Questions 42

Which of the following should be an element of the risk appetite of an organization?

Options:

A.

The effectiveness of compensating controls

B.

The enterprise's capacity to absorb loss

C.

The residual risk affected by preventive controls

D.

The amount of inherent risk considered appropriate

Questions 43

An organization recently received an independent security audit report of its cloud service provider that indicates significant control weaknesses. What should be done NEXT in response to this report?

Options:

A.

Migrate all data to another compliant service provider.

B.

Analyze the impact of the provider's control weaknesses to the business.

C.

Conduct a follow-up audit to verify the provider's control weaknesses.

D.

Review the contract to determine if penalties should be levied against the provider.

Questions 44

An organization is considering outsourcing user administration controls for a critical system. The potential vendor has offered to perform quarterly self-audits of its controls instead of having annual independent audits. Which of the following should be of GREATEST concern to the risk practitioner?

Options:

A.

The controls may not be properly tested

B.

The vendor will not ensure against control failure

C.

The vendor will not achieve best practices

D.

Lack of a risk-based approach to access control

Questions 45

The PRIMARY benefit of selecting an appropriate set of key risk indicators (KRIs) is that they:

Options:

A.

serve as a basis for measuring risk appetite.

B.

align with the organization's risk profile.

C.

provide a warning of emerging high-risk conditions.

D.

provide data for updating the risk register.

Questions 46

During which phase of the system development life cycle (SDLC) should information security requirements for the implementation of a new IT system be defined?

Options:

A.

Monitoring

B.

Development

C.

Implementation

D.

Initiation

Questions 47

An organization is implementing Zero Trust architecture to improve its security posture. Which of the following is the MOST important input to develop the architecture?

Options:

A.

Cloud services risk assessments

B.

The organization's threat model

C.

Access control logs

D.

Multi-factor authentication (MFA) architecture

Questions 48

Which of the following is the MOST comprehensive input to the risk assessment process specific to the effects of system downtime?

Options:

A.

Business continuity plan (BCP) testing results

B.

Recovery time objective (RTO)

C.

Business impact analysis (BIA) results

D.

Recovery point objective (RPO)

Questions 49

Which of the following should be the FIRST consideration when a business unit wants to use personal information for a purpose other than for which it was originally collected?

Options:

A.

Informed consent

B.

Cross border controls

C.

Business impact analysis (BIA)

D.

Data breach protection

Questions 50

When prioritizing risk response, management should FIRST:

Options:

A.

evaluate the organization's ability and expertise to implement the solution.

B.

evaluate the risk response of similar organizations.

C.

address high risk factors that have efficient and effective solutions.

D.

determine which risk factors have high remediation costs.

Questions 51

An organization's decision to remain noncompliant with certain laws or regulations is MOST likely influenced by:

Options:

A.

The region in which the organization operates.

B.

Established business culture.

C.

Risk appetite set by senior management.

D.

Identified business process controls.

Questions 52

A violation of segregation of duties is when the same:

Options:

A.

user requests and tests the change prior to production.

B.

user authorizes and monitors the change post-implementation.

C.

programmer requests and tests the change prior to production.

D.

programmer writes and promotes code into production.

Questions 53

When an organization’s disaster recovery plan (DRP) has a reciprocal agreement, which of the following risk treatment options is being applied?

Options:

A.

Acceptance

B.

Mitigation

C.

Transfer

D.

Avoidance

Questions 54

Who is BEST suited to determine whether a new control properly mitigates data loss risk within a system?

Options:

A.

Data owner

B.

Control owner

C.

Risk owner

D.

System owner

Questions 55

Which of the following is MOST important for an organization to consider when developing its IT strategy?

Options:

A.

IT goals and objectives

B.

Organizational goals and objectives

C.

The organization's risk appetite statement

D.

Legal and regulatory requirements

Questions 56

Which of the following is the MOST effective way to mitigate identified risk scenarios?

Options:

A.

Assign ownership of the risk response plan.

B.

Provide awareness in early detection of risk.

C.

Perform periodic audits on identified risk areas.

D.

Document the risk tolerance of the organization.

Questions 57

A service organization is preparing to adopt an IT control framework to comply with the contractual requirements of a new client. Which of the following would be MOST helpful to the risk practitioner?

Options:

A.

Negotiating terms of adoption

B.

Understanding the timeframe to implement

C.

Completing a gap analysis

D.

Initiating the conversion

Questions 58

Which of the following is the BEST key control indicator (KCI) for measuring the security of a blockchain network?

Options:

A.

Number of active nodes

B.

Blockchain size in gigabytes

C.

Average transaction speed

D.

Number of validated transactions

Questions 59

A risk practitioner is performing a risk assessment of recent external advancements in quantum computing. Which of the following would pose the GREATEST concern for the risk practitioner?

Options:

A.

The organization has incorporated blockchain technology in its operations.

B.

The organization has not reviewed its encryption standards.

C.

The organization has implemented heuristics on its network firewall.

D.

The organization has not adopted Infrastructure as a Service (IaaS) for its operations.

Questions 60

Which of the following is the MOST effective way to incorporate stakeholder concerns when developing risk scenarios?

Options:

A.

Evaluating risk impact

B.

Establishing key performance indicators (KPIs)

C.

Conducting internal audits

D.

Creating quarterly risk reports

Questions 61

After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:

Options:

A.

recommend a program that minimizes the concerns of that production system.

B.

inform the process owner of the concerns and propose measures to reduce them.

C.

inform the IT manager of the concerns and propose measures to reduce them.

D.

inform the development team of the concerns and together formulate risk reduction measures.

Questions 62

Upon learning that the number of failed back-up attempts continually exceeds the current risk threshold, the risk practitioner should:

Options:

A.

inquire about the status of any planned corrective actions

B.

keep monitoring the situation as there is evidence that this is normal

C.

adjust the risk threshold to better reflect actual performance

D.

initiate corrective action to address the known deficiency

Questions 63

Real-time monitoring of security cameras implemented within a retail store is an example of which type of control?

Options:

A.

Preventive

B.

Deterrent

C.

Compensating

D.

Detective

Questions 64

Which of the following represents a vulnerability?

Options:

A.

An identity thief seeking to acquire personal financial data from an organization

B.

Media recognition of an organization's market leadership in its industry

C.

A standard procedure for applying software patches two weeks after release

D.

An employee recently fired for insubordination

Questions 65

A risk practitioner has been asked to assess the risk associated with a new critical application used by a financial process team that the risk practitioner was a member of two years ago. Which of the following is the GREATEST concern with this request?

Options:

A.

The risk assessment team may be overly confident of its ability to identify issues.

B.

The risk practitioner may be unfamiliar with recent application and process changes.

C.

The risk practitioner may still have access rights to the financial system.

D.

Participation in the risk assessment may constitute a conflict of interest.

Questions 66

Which of the following is the MOST important responsibility of a risk owner?

Options:

A.

Testing control design

B.

Accepting residual risk

C.

Establishing business information criteria

D.

Establishing the risk register

Questions 67

Which of the following should be included in a risk assessment report to BEST facilitate senior management's understanding of the results?

Options:

A.

Benchmarking parameters likely to affect the results

B.

Tools and techniques used by risk owners to perform the assessments

C.

A risk heat map with a summary of risk identified and assessed

D.

The possible impact of internal and external risk factors on the assessment results

Questions 68

Which of the following is a risk practitioner's BEST recommendation to address an organization's need to secure multiple systems with limited IT resources?

Options:

A.

Apply available security patches.

B.

Schedule a penetration test.

C.

Conduct a business impact analysis (BIA)

D.

Perform a vulnerability analysis.

Questions 69

Which of the following BEST supports the management of identified risk scenarios?

Options:

A.

Collecting risk event data

B.

Maintaining a risk register

C.

Using key risk indicators (KRIs)

D.

Defining risk parameters

Questions 70

Which of the following information is MOST useful to a risk practitioner for developing IT risk scenarios?

Options:

A.

Published vulnerabilities relevant to the business

B.

Threat actors that can trigger events

C.

Events that could potentially impact the business

D.

IT assets requiring the greatest investment

Questions 71

The BEST criteria when selecting a risk response is the:

Options:

A.

capability to implement the response

B.

importance of IT risk within the enterprise

C.

effectiveness of risk response options

D.

alignment of response to industry standards

Questions 72

Which of the following should be of GREATEST concern to a risk practitioner reviewing the implementation of an emerging technology?

Options:

A.

Lack of alignment to best practices

B.

Lack of risk assessment

C.

Lack of risk and control procedures

D.

Lack of management approval

Questions 73

Which of the following is the BEST indication of a mature organizational risk culture?

Options:

A.

Corporate risk appetite is communicated to staff members.

B.

Risk owners understand and accept accountability for risk.

C.

Risk policy has been published and acknowledged by employees.

D.

Management encourages the reporting of policy breaches.

Questions 74

Which of the following BEST facilitates the process of documenting risk tolerance?

Options:

A.

Creating a risk register

B.

Interviewing management

C.

Conducting a risk assessment

D.

Researching industry standards

Questions 75

A threat intelligence team has identified an indicator of compromise related to an advanced persistent threat (APT) actor. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Review the most recent vulnerability scanning report.

B.

Determine the business criticality of the asset.

C.

Determine the adequacy of existing security controls.

D.

Review prior security incidents related to the asset.

Questions 76

What is the MOST important consideration when selecting key performance indicators (KPIs) for control monitoring?

Options:

A.

Source information is acquired at stable cost.

B.

Source information is tailored by removing outliers.

C.

Source information is readily quantifiable.

D.

Source information is consistently available.

Questions 77

Which of the following is MOST important for a risk practitioner to confirm once a risk action plan has been completed?

Options:

A.

The risk register has been updated.

B.

The risk tolerance has been recalibrated.

C.

The risk has been mitigated to the intended level.

D.

The risk owner has reviewed the outcomes.

Questions 78

An organization’s board of directors is concerned about recent data breaches in the news and wants to assess its exposure to similar scenarios. Which of the following is the BEST course of action?

Options:

A.

Evaluate the organization's existing data protection controls.

B.

Reassess the risk appetite and tolerance levels of the business.

C.

Evaluate the sensitivity of data that the business needs to handle.

D.

Review the organization’s data retention policy and regulatory requirements.

Questions 79

Well-developed, data-driven risk measurements should be:

Options:

A.

reflective of the lowest organizational level.

B.

a data feed taken directly from operational production systems.

C.

reported to management the same day data is collected.

D.

focused on providing a forward-looking view.

Questions 80

A large organization needs to report risk at all levels for a new centralized visualization project to reduce cost and improve performance. Which of the following would MOST effectively represent the overall risk of the project to senior management?

Options:

A.

Aggregated key performance indicators (KPIs)

B.

Key risk indicators (KRIs)

C.

Centralized risk register

D.

Risk heat map

Questions 81

Which of the following will BEST help to ensure implementation of corrective action plans?

Options:

A.

Establishing employee awareness training

B.

Assigning accountability to risk owners

C.

Setting target dates to complete actions

D.

Contracting to third parties

Questions 82

The MAIN reason for prioritizing IT risk responses is to enable an organization to:

Options:

A.

determine the risk appetite.

B.

determine the budget.

C.

define key performance indicators (KPIs).

D.

optimize resource utilization.

Questions 83

Which of the following is MOST helpful in verifying that the implementation of a risk mitigation control has been completed as intended?

Options:

A.

An updated risk register

B.

Risk assessment results

C.

Technical control validation

D.

Control testing results

Questions 84

Upon learning that the number of failed backup attempts continually exceeds the current risk threshold, the risk practitioner should:

Options:

A.

initiate corrective action to address the known deficiency.

B.

adjust the risk threshold to better reflect actual performance.

C.

inquire about the status of any planned corrective actions.

D.

keep monitoring the situation as there is evidence that this is normal.

Questions 85

Which of the following provides the BEST evidence that a selected risk treatment plan is effective?

Options:

A.

Identifying key risk indicators (KRIs)

B.

Evaluating the return on investment (ROI)

C.

Evaluating the residual risk level

D.

Performing a cost-benefit analysis

Questions 86

To minimize risk in a software development project, when is the BEST time to conduct a risk analysis?

Options:

A.

During the business requirement definitions phase

B.

Before periodic steering committee meetings

C.

At each stage of the development life cycle

D.

During the business case development

Questions 87

Which of the following resources is MOST helpful to a risk practitioner when updating the likelihood rating in the risk register?

Options:

A.

Risk control assessment

B.

Audit reports with risk ratings

C.

Penetration test results

D.

Business impact analysis (BIA)

Questions 88

Who should have the authority to approve an exception to a control?

Options:

A.

Information security manager

B.

Control owner

C.

Risk owner

D.

Risk manager

Questions 89

The PRIMARY reason to implement a formalized risk taxonomy is to:

Options:

A.

reduce subjectivity in risk management.

B.

comply with regulatory requirements.

C.

demonstrate best industry practice.

D.

improve visibility of overall risk exposure.

Questions 90

An organization has been notified that a disgruntled, terminated IT administrator has tried to break into the corporate network. Which of the following discoveries should be of GREATEST concern to the organization?

Options:

A.

Authentication logs have been disabled.

B.

An external vulnerability scan has been detected.

C.

A brute force attack has been detected.

D.

An increase in support requests has been observed.

Questions 91

Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?

Options:

A.

Customer database manager

B.

Customer data custodian

C.

Data privacy officer

D.

Audit committee

Questions 92

A segregation of duties control was found to be ineffective because it did not account for all applicable functions when evaluating access. Who is responsible for ensuring the control is designed to effectively address risk?

Options:

A.

Risk manager

B.

Control owner

C.

Control tester

D.

Risk owner

Questions 93

Which of the following BEST provides an early warning that network access of terminated employees is not being revoked in accordance with the service level agreement (SLA)?

Options:

A.

Updating multi-factor authentication

B.

Monitoring key access control performance indicators

C.

Analyzing access control logs for suspicious activity

D.

Revising the service level agreement (SLA)

Questions 94

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of IT policies? The number of:

Options:

A.

IT policy exceptions granted.

B.

Senior management approvals.

C.

Key technology controls covered by IT policies.

D.

Processes covered by IT policies.

Questions 95

What is the MOST important consideration when aligning IT risk management with the enterprise risk management (ERM) framework?

Options:

A.

Risk and control ownership

B.

Senior management participation

C.

Business unit support

D.

Risk nomenclature and taxonomy

Questions 96

An organization uses a biometric access control system for authentication and access to its server room. Which control type has been implemented?

Options:

A.

Detective

B.

Deterrent

C.

Preventive

D.

Corrective

Questions 97

Which of the following is a risk practitioner's BEST course of action upon learning that regulatory authorities have concerns with an emerging technology the organization is considering?

Options:

A.

Redesign key risk indicators (KRIs).

B.

Update risk responses.

C.

Conduct a SWOT analysis.

D.

Perform a threat assessment.

Questions 98

Which of the following is the ULTIMATE goal of conducting a privacy impact analysis (PIA)?

Options:

A.

To identify gaps in data protection controls

B.

To develop a customer notification plan

C.

To identify personally identifiable information (PII)

D.

To determine gaps in data identification processes

Questions 99

Who is accountable for risk treatment?

Options:

A.

Enterprise risk management team

B.

Risk mitigation manager

C.

Business process owner

D.

Risk owner

Questions 100

What is a risk practitioner's BEST approach to monitor and measure how quickly an exposure to a specific risk can affect the organization?

Options:

A.

Create an asset valuation report.

B.

Create key performance indicators (KPIs).

C.

Create key risk indicators (KRIs).

D.

Create a risk volatility report.

Questions 101

Which of the following would be the result of a significant increase in the motivation of a malicious threat actor?

Options:

A.

Increase in mitigating control costs

B.

Increase in risk event impact

C.

Increase in risk event likelihood

D.

Increase in cybersecurity premium

Questions 102

When collecting information to identify IT-related risk, a risk practitioner should FIRST focus on IT:

Options:

A.

risk appetite.

B.

security policies

C.

process maps.

D.

risk tolerance level

Questions 103

Which of the following is the MOST effective way to promote organization-wide awareness of data security in response to an increase in regulatory penalties for data leakage?

Options:

A.

Enforce sanctions for noncompliance with security procedures.

B.

Conduct organization-wide phishing simulations.

C.

Require training on the data handling policy.

D.

Require regular testing of the data breach response plan.

Questions 104

An organization must make a choice among multiple options to respond to a risk. The stakeholders cannot agree and decide to postpone the decision. Which of the following risk responses has the organization adopted?

Options:

A.

Transfer

B.

Mitigation

C.

Avoidance

D.

Acceptance

Questions 105

What are the MOST important criteria to consider when developing a data classification scheme to facilitate risk assessment and the prioritization of risk mitigation activities?

Options:

A.

Mitigation and control value

B.

Volume and scope of data generated daily

C.

Business criticality and sensitivity

D.

Recovery point objective (RPO) and recovery time objective (RTO)

Questions 106

An organization has allowed its cyber risk insurance to lapse while seeking a new insurance provider. The risk practitioner should report to management that the risk has been:

Options:

A.

transferred

B.

mitigated.

C.

accepted

D.

avoided

Questions 107

An external security audit has reported multiple findings related to control noncompliance. Which of the following would be MOST important for the risk practitioner to communicate to senior management?

Options:

A.

A recommendation for internal audit validation

B.

Plans for mitigating the associated risk

C.

Suggestions for improving risk awareness training

D.

The impact to the organization’s risk profile

Questions 108

Which of the following would cause the GREATEST concern for a risk practitioner reviewing the IT risk scenarios recorded in an organization’s IT risk register?

Options:

A.

Some IT risk scenarios have multi-year risk action plans.

B.

Several IT risk scenarios are missing assigned owners.

C.

Numerous IT risk scenarios have been granted risk acceptances.

D.

Many IT risk scenarios are categorized as avoided.

Questions 109

Which of the following is the GREATEST risk associated with the transition of a sensitive data backup solution from on-premise to a cloud service provider?

Options:

A.

More complex test restores

B.

Inadequate service level agreement (SLA) with the provider

C.

More complex incident response procedures

D.

Inadequate data encryption

Questions 110

Which of the following BEST facilitates the alignment of IT risk management with enterprise risk management (ERM)?

Options:

A.

Adopting qualitative enterprise risk assessment methods

B.

Linking IT risk scenarios to technology objectives

C.

Linking IT risk scenarios to enterprise strategy

D.

Adopting quantitative enterprise risk assessment methods

Questions 111

Which of the following BEST reduces the risk associated with the theft of a laptop containing sensitive information?

Options:

A.

Cable lock

B.

Data encryption

C.

Periodic backup

D.

Biometrics access control

Questions 112

Which of the following methods is an example of risk mitigation?

Options:

A.

Not providing capability for employees to work remotely

B.

Outsourcing the IT activities and infrastructure

C.

Enforcing change and configuration management processes

D.

Taking out insurance coverage for IT-related incidents

Questions 113

Which of the following is MOST important information to review when developing plans for using emerging technologies?

Options:

A.

Existing IT environment

B.

IT strategic plan

C.

Risk register

D.

Organizational strategic plan

Questions 114

Which of the following issues should be of GREATEST concern when evaluating existing controls during a risk assessment?

Options:

A.

A high number of approved exceptions exist with compensating controls.

B.

Successive assessments have the same recurring vulnerabilities.

C.

Redundant compensating controls are in place.

D.

Asset custodians are responsible for defining controls instead of asset owners.

Questions 115

An application runs a scheduled job that compiles financial data from multiple business systems and updates the financial reporting system. If this job runs too long, it can delay financial reporting. Which of the following is the risk practitioner's BEST recommendation?

Options:

A.

Implement database activity and capacity monitoring.

B.

Ensure the business is aware of the risk.

C.

Ensure the enterprise has a process to detect such situations.

D.

Consider providing additional system resources to this job.

Questions 116

A control for mitigating risk in a key business area cannot be implemented immediately. Which of the following is the risk practitioner's BEST course of action when a compensating control needs to be applied?

Options:

A.

Obtain the risk owner's approval.

B.

Record the risk as accepted in the risk register.

C.

Inform senior management.

D.

Update the risk response plan.

Questions 117

After conducting a risk assessment for regulatory compliance, an organization has identified only one possible mitigating control. The cost of the control has been determined to be higher than the penalty of noncompliance. Which of the following would be the risk practitioner's BEST recommendation?

Options:

A.

Accept the risk with management sign-off.

B.

Ignore the risk until the regulatory body conducts a compliance check.

C.

Mitigate the risk with the identified control.

D.

Transfer the risk by buying insurance.

Questions 118

Which of the following tasks should be completed prior to creating a disaster recovery plan (DRP)?

Options:

A.

Conducting a business impact analysis (BIA)

B.

Identifying the recovery response team

C.

Procuring a recovery site

D.

Assigning sensitivity levels to data

Questions 119

Recovery time objectives (RTOs) should be based on:

Options:

A.

minimum tolerable downtime

B.

minimum tolerable loss of data.

C.

maximum tolerable downtime.

D.

maximum tolerable loss of data

Questions 120

Which of the following is the BEST approach when a risk practitioner has been asked by a business unit manager to exclude an in-scope system from a risk assessment?

Options:

A.

Postpone the risk assessment.

B.

Facilitate the exception process.

C.

Accept the manager's request.

D.

Reject the manager's request.

Questions 121

Which of the following is the MOST important consideration when determining the appropriate data retention period throughout the data management life cycle?

Options:

A.

Data storage and collection methods

B.

Data owner preferences

C.

Legal and regulatory requirements

D.

Choice of encryption algorithms

Questions 122

An organization has used generic risk scenarios to populate its risk register. Which of the following presents the GREATEST challenge to assigning the associated risk entries?

Options:

A.

The volume of risk scenarios is too large

B.

Risk aggregation has not been completed

C.

Risk scenarios are not applicable

D.

The risk analysis for each scenario is incomplete

Questions 123

Which of the following is the PRIMARY reason to have the risk management process reviewed by a third party?

Options:

A.

Obtain objective assessment of the control environment.

B.

Ensure the risk profile is defined and communicated.

C.

Validate the threat management process.

D.

Obtain an objective view of process gaps and systemic errors.

Questions 124

Which of the following would be a risk practitioner's BEST course of action when a project team has accepted a risk outside the established risk appetite?

Options:

A.

Reject the risk acceptance and require mitigating controls.

B.

Monitor the residual risk level of the accepted risk.

C.

Escalate the risk decision to the project sponsor for review.

D.

Document the risk decision in the project risk register.

Questions 125

Which of the following is a PRIMARY benefit of engaging the risk owner during the risk assessment process?

Options:

A.

Identification of controls gaps that may lead to noncompliance

B.

Prioritization of risk action plans across departments

C.

Early detection of emerging threats

D.

Accurate measurement of loss impact

Questions 126

Which of the following is the BEST approach for obtaining management buy-in to implement additional IT controls?

Options:

A.

List requirements based on a commonly accepted IT risk management framework.

B.

Provide information on new governance, risk, and compliance (GRC) platform functionalities.

C.

Describe IT risk impact on organizational processes in monetary terms.

D.

Present new key risk indicators (KRIs) based on industry benchmarks.

Questions 127

A zero-day vulnerability has been discovered in a globally used brand of hardware server that allows hackers to gain access to affected IT systems. Which of the following is MOST likely to change as a result of this situation?

Options:

A.

Control effectiveness

B.

Risk appetite

C.

Risk likelihood

D.

Key risk indicator (KRI)

Questions 128

Which of the following should be the MOST important consideration when performing a vendor risk assessment?

Options:

A.

Results of the last risk assessment of the vendor

B.

Inherent risk of the business process supported by the vendor

C.

Risk tolerance of the vendor

D.

Length of time since the last risk assessment of the vendor

Questions 129

Which of the following BEST enables a proactive approach to minimizing the potential impact of unauthorized data disclosure?

Options:

A.

Cyber insurance

B.

Data backups

C.

Incident response plan

D.

Key risk indicators (KRIs)

Questions 130

Which of the following should be the starting point when performing a risk analysis for an asset?

Options:

A.

Assess risk scenarios.

B.

Update the risk register.

C.

Evaluate threats.

D.

Assess controls.

Questions 131

Which of the following would be MOST helpful in assessing the risk associated with data loss due to human vulnerabilities?

Options:

A.

Reviewing password change history

B.

Performing periodic access recertification

C.

Conducting social engineering exercises

D.

Reviewing the results of security awareness surveys

Questions 132

An organization has completed a project to implement encryption on all databases that host customer data. Which of the following elements of the risk register should be updated to reflect this change?

Options:

A.

Risk likelihood

B.

Inherent risk

C.

Risk appetite

D.

Risk tolerance

Questions 133

Once a risk owner has decided to implement a control to mitigate risk, it is MOST important to develop:

Options:

A.

a process for measuring and reporting control performance.

B.

an alternate control design in case of failure of the identified control.

C.

a process for bypassing control procedures in case of exceptions.

D.

procedures to ensure the effectiveness of the control.

Questions 134

A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner's NEXT step?

Options:

A.

Develop a mechanism for monitoring residual risk.

B.

Update the risk register with the results.

C.

Prepare a business case for the response options.

D.

Identify resources for implementing responses.

Questions 135

An organization has identified the need to implement an asset tiering model to establish the appropriate level of impact. Which of the following is the MOST effective risk assessment methodology for a risk practitioner to use for this initiative?

Options:

A.

Qualitative method

B.

Industry calibration method

C.

Threat-based method

D.

Quantitative method

Questions 136

Which of the following is the MOST important reason to communicate risk assessments to senior management?

Options:

A.

To ensure actions can be taken to align assessment results to risk appetite

B.

To ensure key risk indicator (KRI) thresholds can be adjusted for tolerance

C.

To ensure awareness of risk and controls is shared with key decision makers

D.

To ensure the maturity of the assessment program can be validated

Questions 137

Which of the following outcomes of disaster recovery planning is MOST important to enable the initiation of necessary actions during a disaster?

Options:

A.

Definition of disaster recovery plan (DRP) scope and key stakeholders

B.

Recovery time and maximum acceptable data loss thresholds

C.

A checklist including equipment, location of data backups, and backup sites

D.

A list of business areas and critical functions subject to risk analysis

Questions 138

When preparing a risk status report for periodic review by senior management, it is MOST important to ensure the report includes:

Options:

A.

risk exposure in business terms.

B.

a detailed view of individual risk exposures.

C.

a summary of incidents that have impacted the organization.

D.

recommendations by an independent risk assessor.

Questions 139

Which of the following provides the MOST helpful information in identifying risk in an organization?

Options:

A.

Risk registers

B.

Risk analysis

C.

Risk scenarios

D.

Risk responses

Questions 140

Reviewing which of the following would provide the MOST useful information when preparing to evaluate the effectiveness of existing controls?

Options:

A.

Previous audit reports

B.

Control objectives

C.

Risk responses in the risk register

D.

Changes in risk profiles

Questions 141

Which of the following is the MOST important factor when deciding on a control to mitigate risk exposure?

Options:

A.

Relevance to the business process

B.

Regulatory compliance requirements

C.

Cost-benefit analysis

D.

Comparison against best practice

Questions 142

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability management process?

Options:

A.

Percentage of vulnerabilities remediated within the agreed service level

B.

Number of vulnerabilities identified during the period

C.

Number of vulnerabilities re-opened during the period

D.

Percentage of vulnerabilities escalated to senior management

Questions 143

A global organization is planning to collect customer behavior data through social media advertising. Which of the following is the MOST important business risk to be considered?

Options:

A.

Regulatory requirements may differ in each country.

B.

Data sampling may be impacted by various industry restrictions.

C.

Business advertising will need to be tailored by country.

D.

The data analysis may be ineffective in achieving objectives.

Questions 144

Which of the following is MOST important for an organization to have in place when developing a risk management framework?

Options:

A.

A strategic approach to risk including an established risk appetite

B.

A risk-based internal audit plan for the organization

C.

A control function within the risk management team

D.

An organization-wide risk awareness training program

Questions 145

Which of the following is MOST helpful when prioritizing action plans for identified risk?

Options:

A.

Comparing risk rating against appetite

B.

Obtaining input from business units

C.

Determining cost of controls to mitigate risk

D.

Ranking the risk based on likelihood of occurrence

Questions 146

Which of the following BEST indicates that additional or improved controls are needed in the environment?

Options:

A.

Management has decreased organizational risk appetite

B.

The risk register and portfolio do not include all risk scenarios

C.

Emerging risk scenarios have been identified

D.

Risk events and losses exceed risk tolerance

Questions 147

Which of the following is the MOST important element of a successful risk awareness training program?

Options:

A.

Customizing content for the audience

B.

Providing incentives to participants

C.

Mapping to a recognized standard

D.

Providing metrics for measurement

Questions 148

The risk associated with inadvertent disclosure of database records from a public cloud service provider (CSP) would MOST effectively be reduced by:

Options:

A.

encrypting the data

B.

including a nondisclosure clause in the CSP contract

C.

assessing the data classification scheme

D.

reviewing CSP access privileges

Questions 149

The PRIMARY objective for requiring an independent review of an organization's IT risk management process should be to:

Options:

A.

assess gaps in IT risk management operations and strategic focus.

B.

confirm that IT risk assessment results are expressed as business impact.

C.

verify implemented controls to reduce the likelihood of threat materialization.

D.

ensure IT risk management is focused on mitigating potential risk.

Questions 150

Mitigating technology risk to acceptable levels should be based PRIMARILY upon:

Options:

A.

organizational risk appetite.

B.

business sector best practices.

C.

business process requirements.

D.

availability of automated solutions

Questions 151

When developing risk scenarios using a list of generic scenarios based on industry best practices, it is MOST important to:

Options:

A.

Assess generic risk scenarios with business users.

B.

Validate the generic risk scenarios for relevance.

C.

Select the maximum possible risk scenarios from the list.

D.

Identify common threats causing generic risk scenarios.

Questions 152

Which of the following is the MOST important requirement when implementing a data loss prevention (DLP) system?

Options:

A.

Identifying users who have access

B.

Selecting an encryption solution

C.

Defining the data retention period

D.

Determining the value of data

Questions 153

The GREATEST benefit of including low-probability, high-impact events in a risk assessment is the ability to:

Options:

A.

develop a comprehensive risk mitigation strategy

B.

develop understandable and realistic risk scenarios

C.

identify root causes for relevant events

D.

perform an aggregated cost-benefit analysis

Questions 154

A core data center went offline abruptly for several hours, affecting many transactions across multiple locations. Which of the following would provide the MOST useful information to determine mitigating controls?

Options:

A.

Forensic analysis

B.

Risk assessment

C.

Root cause analysis

D.

Business impact analysis (BIA)

Questions 155

Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?

Options:

A.

Maintain and review the classified data inventory.

B.

Implement mandatory encryption on data.

C.

Conduct an awareness program for data owners and users.

D.

Define and implement a data classification policy.

Questions 156

During the creation of an organization's IT risk management program, the BEST time to identify key risk indicators (KRIs) is while:

Options:

A.

Interviewing data owners

B.

Reviewing risk response plans with internal audit

C.

Developing a risk monitoring process

D.

Reviewing an external risk assessment

Questions 157

Which of the following BEST enables the development of a successful IT strategy focused on business risk mitigation?

Options:

A.

Providing risk awareness training for business units

B.

Obtaining input from business management

C.

Understanding the business controls currently in place

D.

Conducting a business impact analysis (BIA)

Questions 158

An organization has recently hired a large number of part-time employees. During the annual audit, it was discovered that many user IDs and passwords were documented in procedure manuals for use by the part-time employees. Which of the following BEST describes this situation?

Options:

A.

Threat

B.

Risk

C.

Vulnerability

D.

Policy violation

Questions 159

Which of the following is MOST important for a risk practitioner to ensure once a risk action plan has been completed?

Options:

A.

The risk owner has validated outcomes.

B.

The risk register has been updated.

C.

The control objectives are mapped to risk objectives.

D.

The requirements have been achieved.

Questions 160

Which of the following BEST supports the integration of IT risk management into an organization's strategic planning?

Options:

A.

Clearly defined organizational goals and objectives

B.

Incentive plans that reward employees based on IT risk metrics

C.

Regular organization-wide risk awareness training

D.

A comprehensive and documented IT risk management plan

Questions 161

The MAIN goal of the risk analysis process is to determine the:

Options:

A.

potential severity of impact

B.

frequency and magnitude of loss

C.

control deficiencies

D.

threats and vulnerabilities

Questions 162

Which of the following should be a risk practitioner's NEXT action after identifying a high probability of data loss in a system?

Options:

A.

Enhance the security awareness program.

B.

Increase the frequency of incident reporting.

C.

Purchase cyber insurance from a third party.

D.

Conduct a control assessment.

Questions 163

Which of the following roles would provide the MOST important input when identifying IT risk scenarios?

Options:

A.

Information security managers

B.

Internal auditors

C.

Business process owners

D.

Operational risk managers

Questions 164

Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:

Options:

A.

a gap analysis.

B.

a root cause analysis.

C.

an impact assessment.

D.

a vulnerability assessment.

Questions 165

A risk practitioner is collaborating with key stakeholders to prioritize a large number of IT risk scenarios. Which scenarios should receive the PRIMARY focus?

Options:

A.

Scenarios with the highest number of open audit issues

B.

Scenarios with the highest frequency of incidents

C.

Scenarios with the largest budget allocation for risk mitigation

D.

Scenarios with the highest risk impact to the business

Questions 166

A global company's business continuity plan (BCP) requires the transfer of its customer information….

event of a disaster. Which of the following should be the MOST important risk consideration?

Options:

A.

The difference in the management practices between each company

B.

The cloud computing environment is shared with another company

C.

The lack of a service level agreement (SLA) in the vendor contract

D.

The organizational culture differences between each country

Questions 167

Which of the following BEST supports the communication of risk assessment results to stakeholders?

Options:

A.

Monitoring of high-risk areas

B.

Classification of risk profiles

C.

Periodic review of the risk register

D.

Assignment of risk ownership

Questions 168

An internal audit report reveals that not all IT application databases have encryption in place. Which of the following information would be MOST important for assessing the risk impact?

Options:

A.

The number of users who can access sensitive data

B.

A list of unencrypted databases which contain sensitive data

C.

The reason some databases have not been encrypted

D.

The cost required to enforce encryption

Questions 169

An organization recently configured a new business division. Which of the following is MOST likely to be affected?

Options:

A.

Risk profile

B.

Risk culture

C.

Risk appetite

D.

Risk tolerance

Questions 170

A risk practitioner identifies an increasing trend of employees copying company information unrelated to their job functions to USB drives. Which of the following elements of the risk register should be updated to reflect this observation?

Options:

A.

Risk impact

B.

Key risk indicator (KRI)

C.

Risk appetite

D.

Risk likelihood

Questions 171

Which of the following should management consider when selecting a risk mitigation option?

Options:

A.

Maturity of the enterprise architecture

B.

Cost of control implementation

C.

Reliability of key performance indicators (KPIs)

D.

Reliability of key risk indicators (KRIs)

Questions 172

Which of the following would BEST help an enterprise prioritize risk scenarios?

Options:

A.

Industry best practices

B.

Placement on the risk map

C.

Degree of variances in the risk

D.

Cost of risk mitigation

Questions 173

Which of the following BEST enables the integration of IT risk management across an organization?

Options:

A.

Enterprise risk management (ERM) framework

B.

Enterprise-wide risk awareness training

C.

Robust risk reporting practices

D.

Risk management policies

Questions 174

Which of the following is the BEST key performance indicator (KPI) for determining how well an IT policy is aligned to business requirements?

Options:

A.

Total cost to support the policy

B.

Number of exceptions to the policy

C.

Total cost of policy breaches

D.

Number of inquiries regarding the policy

Questions 175

Which of the following provides the BEST evidence that risk responses have been executed according to their risk action plans?

Options:

A.

Risk policy review

B.

Business impact analysis (BIA)

C.

Control catalog

D.

Risk register

Questions 176

Which element of an organization's risk register is MOST important to update following the commissioning of a new financial reporting system?

Options:

A.

Key risk indicators (KRIs)

B.

The owner of the financial reporting process

C.

The risk rating of affected financial processes

D.

The list of relevant financial controls

Questions 177

An effective control environment is BEST indicated by controls that:

Options:

A.

minimize senior management's risk tolerance.

B.

manage risk within the organization's risk appetite.

C.

reduce the thresholds of key risk indicators (KRIs).

D.

are cost-effective to implement.

Questions 178

Which of the following is the BEST indication that key risk indicators (KRIs) should be revised?

Options:

A.

A decrease in the number of critical assets covered by risk thresholds

B.

An increase in the number of risk threshold exceptions

C.

An increase in the number of change events pending management review

D.

A decrease in the number of key performance indicators (KPIs)

Questions 179

Which of the following will BEST help to ensure key risk indicators (KRIs) provide value to risk owners?

Options:

A.

Ongoing training

B.

Timely notification

C.

Return on investment (ROI)

D.

Cost minimization

Questions 180

Which of the following will BEST help an organization select a recovery strategy for critical systems?

Options:

A.

Review the business impact analysis.

B.

Create a business continuity plan.

C.

Analyze previous disaster recovery reports.

D.

Conduct a root cause analysis.

Questions 181

Which of the following presents the GREATEST challenge to managing an organization's end-user devices?

Options:

A.

Incomplete end-user device inventory

B.

Unsupported end-user applications

C.

Incompatible end-user devices

D.

Multiple end-user device models

Questions 182

Which of the following is the BEST recommendation of a risk practitioner for an organization that recently changed its organizational structure?

Options:

A.

Communicate the new risk profile.

B.

Implement a new risk assessment process.

C.

Revalidate the corporate risk appetite.

D.

Review and adjust key risk indicators (KRIs).

Questions 183

Which of the following would be of MOST concern to a risk practitioner reviewing risk action plans for documented IT risk scenarios?

Options:

A.

Individuals outside IT are managing action plans for the risk scenarios.

B.

Target dates for completion are missing from some action plans.

C.

Senior management approved multiple changes to several action plans.

D.

Many action plans were discontinued after senior management accepted the risk.

Questions 184

Which of the following is the MOST important topic to cover in a risk awareness training program for all staff?

Options:

A.

Internal and external information security incidents

B.

The risk department's roles and responsibilities

C.

Policy compliance requirements and exceptions process

D.

The organization's information security risk profile

Questions 185

Which of the following is MOST important for effective communication of a risk profile to relevant stakeholders?

Options:

A.

Emphasizing risk in the risk profile that is related to critical business activities

B.

Customizing the presentation of the risk profile to the intended audience

C.

Including details of risk with high deviation from the risk appetite

D.

Providing information on the efficiency of controls for risk mitigation

Questions 186

Which of the following is the MOST significant exposure when an application uses individual user accounts to access the underlying database?

Options:

A.

Users may share accounts with business system analysts.

B.

Application may not capture a complete audit trail.

C.

Users may be able to circumvent application controls.

D.

Multiple connections to the database are used and slow the process.

Questions 187

Which of the following is the PRIMARY factor in determining a recovery time objective (RTO)?

Options:

A.

Cost of offsite backup premises

B.

Cost of downtime due to a disaster

C.

Cost of testing the business continuity plan

D.

Response time of the emergency action plan

Questions 188

Which of the following is the PRIMARY responsibility of the first line of defense related to computer-enabled fraud?

Options:

A.

Providing oversight of risk management processes

B.

Implementing processes to detect and deter fraud

C.

Ensuring that risk and control assessments consider fraud

D.

Monitoring the results of actions taken to mitigate fraud

Questions 189

An organization is measuring the effectiveness of its change management program to reduce the number of unplanned production changes. Which of the following would be the BEST metric to determine if the program is performing as expected?

Options:

A.

Decrease in the time to move changes to production

B.

Ratio of emergency fixes to total changes

C.

Ratio of system changes to total changes

D.

Decrease in number of changes without a fallback plan

Questions 190

Which of the following is MOST important to consider when developing an organization's risk management strategy?

Options:

A.

Complexity of technology architecture

B.

Disaster recovery strategy

C.

Business operational requirements

D.

Criteria for assessing risk

Questions 191

A bank wants to send a critical payment order via email to one of its offshore branches. Which of the following is the BEST way to ensure the message reaches the intended recipient without alteration?

Options:

A.

Add a digital certificate

B.

Apply multi-factor authentication

C.

Add a hash to the message

D.

Add a secret key

Questions 192

An organization allows programmers to change production systems in emergency situations. Which of the following is the BEST control?

Options:

A.

Implementing an emergency change authorization process

B.

Periodically reviewing operator logs

C.

Limiting the number of super users

D.

Reviewing the programmers' emergency change reports

Questions 193

Which of the following BEST enables a risk practitioner to enhance understanding of risk among stakeholders?

Options:

A.

Key risk indicators (KRIs)

B.

Risk scenarios

C.

Business impact analysis (BIA)

D.

Threat analysis

Questions 194

An organization recently invested in an identity and access management (IAM) solution to manage user activities across corporate mobile devices. Which of the following is MOST important to update in the risk register?

Options:

A.

Inherent risk

B.

Risk appetite

C.

Risk tolerance

D.

Residual risk

Questions 195

Which of the following would be a risk practitioner’s GREATEST concern related to the monitoring of key risk indicators (KRIs)?

Options:

A.

Logs are retained for longer than required.

B.

Logs are reviewed annually.

C.

Logs are stored in a multi-tenant cloud environment.

D.

Logs are modified before analysis is conducted.

Questions 196

Which of the following offers the SIMPLEST overview of changes in an organization's risk profile?

Options:

A.

A risk roadmap

B.

A balanced scorecard

C.

A heat map

D.

The risk register

Questions 197

Which of the following would MOST likely cause a risk practitioner to change the likelihood rating in the risk register?

Options:

A.

Risk appetite

B.

Control cost

C.

Control effectiveness

D.

Risk tolerance

Questions 198

The BEST use of key risk indicators (KRIs) is to provide:

Options:

A.

Early indication of increasing exposure to a specific risk.

B.

Lagging indication of major information security incidents.

C.

Early indication of changes to required risk response.

D.

Insight into the performance of a monitored process.

Questions 199

A risk assessment has identified that departments have installed their own WiFi access points on the enterprise network. Which of the following would be MOST important to include in a report to senior management?

Options:

A.

The network security policy

B.

Potential business impact

C.

The WiFi access point configuration

D.

Planned remediation actions

Questions 200

The MAJOR reason to classify information assets is to:

Options:

A.

maintain a current inventory and catalog of information assets

B.

determine their sensitivity and criticality

C.

establish recovery time objectives (RTOs)

D.

categorize data into groups

Questions 201

The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for:

Options:

A.

data logging and monitoring

B.

data mining and analytics

C.

data classification and labeling

D.

data retention and destruction

Questions 202

Which of the following BEST mitigates the risk of sensitive personal data leakage from a software development environment?

Options:

A.

Tokenized personal data only in test environments

B.

Data loss prevention tools (DLP) installed in passive mode

C.

Anonymized personal data in non-production environments

D.

Multi-factor authentication for access to non-production environments

Questions 203

Which of the following would require updates to an organization's IT risk register?

Options:

A.

Discovery of an ineffectively designed key IT control

B.

Management review of key risk indicators (KRIs)

C.

Changes to the team responsible for maintaining the register

D.

Completion of the latest internal audit

Questions 204

An IT operations team implements disaster recovery controls based on decisions from application owners regarding the level of resiliency needed. Who is the risk owner in this scenario?

Options:

A.

Business resilience manager

B.

Disaster recovery team lead

C.

Application owner

D.

IT operations manager

Questions 205

Which of the following is MOST important to understand when determining an appropriate risk assessment approach?

Options:

A.

Complexity of the IT infrastructure

B.

Value of information assets

C.

Management culture

D.

Threats and vulnerabilities

Questions 206

A risk practitioner implemented a process to notify management of emergency changes that may not be approved. Which of the following is the BEST way to provide this information to management?

Options:

A.

Change logs

B.

Change management meeting minutes

C.

Key control indicators (KCIs)

D.

Key risk indicators (KRIs)

Questions 207

The BEST key performance indicator (KPI) to measure the effectiveness of the security patching process is the percentage of patches installed:

Options:

A.

by the security administration team.

B.

successfully within the expected time frame.

C.

successfully during the first attempt.

D.

without causing an unplanned system outage.

Questions 208

An organization operates in a jurisdiction where heavy fines are imposed for leakage of customer data. Which of the following provides the BEST input to assess the inherent risk impact?

Options:

A.

Number of customer records held

B.

Number of databases that host customer data

C.

Number of encrypted customer databases

D.

Number of staff members having access to customer data

Questions 209

Which of the following is MOST important to promoting a risk-aware culture?

Options:

A.

Regular testing of risk controls

B.

Communication of audit findings

C.

Procedures for security monitoring

D.

Open communication of risk reporting

Questions 210

A risk practitioner is defining metrics for security threats that were not identified by antivirus software. Which type of metric is being developed?

Options:

A.

Key control indicator (KCI)

B.

Key risk indicator (KRI)

C.

Operational level agreement (OLA)

D.

Service level agreement (SLA)

Questions 211

Which of the following is the BEST method of creating risk awareness in an organization?

Options:

A.

Making the risk register available to project stakeholders

B.

Ensuring senior management commitment to risk training

C.

Providing regular communication to risk managers

D.

Appointing the risk manager from the business units

Questions 212

Which of the following is the MOST important foundational element of an effective three lines of defense model for an organization?

Options:

A.

A robust risk aggregation tool set

B.

Clearly defined roles and responsibilities

C.

A well-established risk management committee

D.

Well-documented and communicated escalation procedures

Questions 213

Which of the following is the PRIMARY reason to use administrative controls in conjunction with technical controls?

Options:

A.

To gain stakeholder support for the implementation of controls

B.

To comply with industry best practices by balancing multiple types of controls

C.

To improve the effectiveness of controls that mitigate risk

D.

To address multiple risk scenarios mitigated by technical controls

Questions 214

After several security incidents resulting in significant financial losses, IT management has decided to outsource the security function to a third party that provides 24/7 security operation services. Which risk response option has management implemented?

Options:

A.

Risk mitigation

B.

Risk avoidance

C.

Risk acceptance

D.

Risk transfer

Questions 215

Which of the following controls BEST helps to ensure that transaction data reaches its destination?

Options:

A.

Securing the network from attacks

B.

Providing acknowledgments from receiver to sender

C.

Digitally signing individual messages

D.

Encrypting data-in-transit

Questions 216

Which of the following is the PRIMARY reason to engage business unit managers in risk management processes?

Options:

A.

Improved alignment with technical risk

B.

Better-informed business decisions

C.

Enhanced understanding of enterprise architecture (EA)

D.

Improved business operations efficiency

Questions 217

Which of the following risk management practices BEST facilitates the incorporation of IT risk scenarios into the enterprise-wide risk register?

Options:

A.

Key risk indicators (KRIs) are developed for key IT risk scenarios.

B.

IT risk scenarios are assessed by the enterprise risk management team.

C.

Risk appetites for IT risk scenarios are approved by key business stakeholders.

D.

IT risk scenarios are developed in the context of organizational objectives.

Questions 218

An organization has outsourced its backup and recovery procedures to a third-party cloud provider. Which of the following should be the risk practitioner's NEXT course of action?

Options:

A.

Remove the associated risk from the register.

B.

Validate control effectiveness and update the risk register.

C.

Review the contract and service level agreements (SLAs).

D.

Obtain an assurance report from the third-party provider.

Questions 219

Which of the following roles is BEST suited to help a risk practitioner understand the impact of IT-related events on business objectives?

Options:

A.

IT management

B.

Internal audit

C.

Process owners

D.

Senior management

Questions 220

The percentage of unpatched systems is a:

Options:

A.

threat vector.

B.

critical success factor (CSF).

C.

key performance indicator (KPI).

D.

key risk indicator (KRI).

Questions 221

Which type of indicators should be developed to measure the effectiveness of an organization's firewall rule set?

Options:

A.

Key risk indicators (KRIs)

B.

Key management indicators (KMIs)

C.

Key performance indicators (KPIs)

D.

Key control indicators (KCIs)

Questions 222

Which of the following BEST mitigates reputational risk associated with disinformation campaigns against an organization?

Options:

A.

Monitoring digital platforms that disseminate inaccurate or misleading news stories

B.

Engaging public relations personnel to debunk false stories and publications

C.

Restricting the use of social media on corporate networks during specific hours

D.

Providing awareness training to understand and manage these types of attacks

Questions 223

An organization has established a policy prohibiting ransom payments if subjected to a ransomware attack. Which of the following is the MOST effective control to support this policy?

Options:

A.

Conducting periodic vulnerability scanning

B.

Creating immutable backups

C.

Performing required patching

D.

Implementing continuous intrusion detection monitoring

Questions 224

The results of a risk assessment reveal risk scenarios with high impact and low likelihood of occurrence. Which of the following would be the BEST action to address these scenarios?

Options:

A.

Assemble an incident response team.

B.

Create a disaster recovery plan (DRP).

C.

Develop a risk response plan.

D.

Initiate a business impact analysis (BIA).

Questions 225

Which of the following should be of MOST concern to a risk practitioner reviewing the system development life cycle (SDLC)?

Options:

A.

Testing is completed in phases, with user testing scheduled as the final phase.

B.

Segregation of duties controls are overridden during user testing phases.

C.

Data anonymization is used during all cycles of end-user testing.

D.

Testing is completed by IT support users without input from end users.

Questions 226

When testing the security of an IT system, it is MOST important to ensure that:

Options:

A.

tests are conducted after business hours.

B.

operators are unaware of the test.

C.

external experts execute the test.

D.

agreement is obtained from stakeholders.

Questions 227

Which of the following risk register elements is MOST likely to be updated if the attack surface or exposure of an asset is reduced?

Options:

A.

Likelihood rating

B.

Control effectiveness

C.

Assessment approach

D.

Impact rating

Questions 228

Which of the following should be the PRIMARY consideration for a startup organization that has decided to adopt externally-sourced security policies?

Options:

A.

Availability of policy updates and support

B.

Stakeholder buy-in of policies

C.

Applicability to business operations

D.

Compliance with local regulations

Questions 229

After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:

Options:

A.

recommend a program that minimizes the concerns of that production system.

B.

inform the development team of the concerns, and together formulate risk reduction measures.

C.

inform the process owner of the concerns and propose measures to reduce them

D.

inform the IT manager of the concerns and propose measures to reduce them.

Questions 230

Which of the following is the PRIMARY purpose of a risk register?

Options:

A.

To assign control ownership of risk

B.

To provide a centralized view of risk

C.

To identify opportunities to transfer risk

D.

To mitigate organizational risk

Questions 231

When outsourcing a business process to a cloud service provider, it is MOST important to understand that:

Options:

A.

insurance could be acquired for the risk associated with the outsourced process.

B.

service accountability remains with the cloud service provider.

C.

a risk owner must be designated within the cloud service provider.

D.

accountability for the risk will remain with the organization.

Questions 232

An internal audit report reveals that a legacy system is no longer supported. Which of the following is the risk practitioner's MOST important action before recommending a risk response?

Options:

A.

Review historical application downtime and frequency

B.

Assess the potential impact and cost of mitigation

C.

Identify other legacy systems within the organization

D.

Explore the feasibility of replacing the legacy system

Questions 233

Which of the following activities should only be performed by the third line of defense?

Options:

A.

Operating controls for risk mitigation

B.

Testing the effectiveness and efficiency of internal controls

C.

Providing assurance on risk management processes

D.

Recommending risk treatment options

Questions 234

When determining the accuracy of a key risk indicator (KRI), it is MOST important that the indicator:

Options:

A.

is correlated to risk and tracks variances in the risk.

B.

is assigned to IT processes and projects with a low level of risk.

C.

has a high correlation with the process outcome.

D.

triggers response based on risk thresholds.

Questions 235

Which of the following BEST indicates that an organization's disaster recovery plan (DRP) will mitigate the risk of the organization failing to recover from a major service disruption?

Options:

A.

A defined recovery point objective (RPO)

B.

An experienced and certified disaster recovery team

C.

A comprehensive list of critical applications

D.

A record of quarterly disaster recovery tests

Questions 236

A multinational organization is considering implementing standard background checks for all new employees. A KEY concern regarding this approach is that it may:

Options:

A.

fail to identify all relevant issues.

B.

be too costly.

C.

violate laws in other countries.

D.

be too time consuming.

Questions 237

Which of the following is PRIMARILY responsible for providing assurance to the board of directors and senior management during the evaluation of a risk management program implementation?

Options:

A.

Risk management

B.

Business units

C.

External audit

D.

Internal audit

Questions 238

Which of the following should be the PRIMARY focus of an IT risk awareness program?

Options:

A.

Ensure compliance with the organization's internal policies.

B.

Cultivate long-term behavioral change.

C.

Communicate IT risk policy to the participants.

D.

Demonstrate regulatory compliance.

Questions 239

Which of the following activities would BEST contribute to promoting an organization-wide risk-aware culture?

Options:

A.

Performing a benchmark analysis and evaluating gaps

B.

Conducting risk assessments and implementing controls

C.

Communicating components of risk and their acceptable levels

D.

Participating in peer reviews and implementing best practices

Questions 240

A risk assessment has identified increased losses associated with an IT risk scenario. It is MOST important for the risk practitioner to:

Options:

A.

update the risk rating.

B.

reevaluate inherent risk.

C.

develop new risk scenarios.

D.

implement additional controls.

Questions 241

A hospital recently implemented a new technology to allow virtual patient appointments. Which of the following should be the risk practitioner's FIRST course of action?

Options:

A.

Reassess the risk profile.

B.

Modify the risk taxonomy.

C.

Increase the risk tolerance.

D.

Review the risk culture.

Questions 242

Which of the following BEST facilitates the identification of emerging risk?

Options:

A.

Performing scenario-based assessments

B.

Reviewing audit reports annually

C.

Conducting root cause analyses

D.

Engaging a risk-focused audit team

Questions 243

Which of the following would be a risk practitioner's GREATEST concern with the use of a vulnerability scanning tool?

Options:

A.

Increased time to remediate vulnerabilities

B.

Inaccurate reporting of results

C.

Increased number of vulnerabilities

D.

Network performance degradation

Questions 244

Which of the following activities is a responsibility of the second line of defense?

Options:

A.

Challenging risk decision making

B.

Developing controls to manage risk scenarios

C.

Implementing risk response plans

D.

Establishing organizational risk appetite

Questions 245

Which of the following is MOST important to update when an organization's risk appetite changes?

Options:

A.

Key risk indicators (KRIs)

B.

Risk reporting methodology

C.

Key performance indicators (KPIs)

D.

Risk taxonomy

Questions 246

Which of the following techniques would be used during a risk assessment to demonstrate to stakeholders that all known alternatives were evaluated?

Options:

A.

Control chart

B.

Sensitivity analysis

C.

Trend analysis

D.

Decision tree

Questions 247

Establishing an organizational code of conduct is an example of which type of control?

Options:

A.

Preventive

B.

Directive

C.

Detective

D.

Compensating

Questions 248

When updating a risk register with the results of an IT risk assessment, the risk practitioner should log:

Options:

A.

high impact scenarios.

B.

high likelihood scenarios.

C.

treated risk scenarios.

D.

known risk scenarios.

Questions 249

Which of the following is the BEST way to help ensure risk will be managed properly after a business process has been re-engineered?

Options:

A.

Reassessing control effectiveness of the process

B.

Conducting a post-implementation review to determine lessons learned

C.

Reporting key performance indicators (KPIs) for core processes

D.

Establishing escalation procedures for anomaly events

Questions 250

Which of the following would be a risk practitioner's MOST important action upon learning that an IT control has failed?

Options:

A.

Implement a replacement control.

B.

Adjust residual risk rating.

C.

Escalate to senior management.

D.

Review compensating controls.

Questions 251

Which of the following BEST helps to identify significant events that could impact an organization?

Options:

A.

Control analysis

B.

Vulnerability analysis

C.

Scenario analysis

D.

Heat map analysis

Questions 252

A MAJOR advantage of using key risk indicators (KRIs) is that they:

Options:

A.

Identify scenarios that exceed defined risk appetite.

B.

Help with internal control assessments concerning risk appetite.

C.

Assess risk scenarios that exceed defined thresholds.

D.

Identify when risk exceeds defined thresholds.

Questions 253

Which of the following is the BEST key control indicator (KCI) to monitor the effectiveness of patch management?

Options:

A.

Percentage of legacy servers out of support

B.

Percentage of servers receiving automated patches

C.

Number of unremediated vulnerabilities

D.

Number of intrusion attempts

Questions 254

Which of the following is the MOST important characteristic of an effective risk management program?

Options:

A.

Risk response plans are documented.

B.

Controls are mapped to key risk scenarios.

C.

Key risk indicators are defined.

D.

Risk ownership is assigned.

Questions 255

Which of the following is the BEST indicator of an effective IT security awareness program?

Options:

A.

Decreased success rate of internal phishing tests

B.

Decreased number of reported security incidents

C.

Number of disciplinary actions issued for security violations

D.

Number of employees that complete security training

Questions 256

Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?

Options:

A.

Align business objectives to the risk profile.

B.

Assess risk against business objectives.

C.

Implement an organization-specific risk taxonomy.

D.

Explain risk details to management.

Questions 257

Which of the following is the MOST important success factor when introducing risk management in an organization?

Options:

A.

Implementing a risk register

B.

Defining a risk mitigation strategy and plan

C.

Assigning risk ownership

D.

Establishing executive management support

Questions 258

Which of the following should be the FIRST step when a company is made aware of new regulatory requirements impacting IT?

Options:

A.

Perform a gap analysis.

B.

Prioritize impact to the business units.

C.

Perform a risk assessment.

D.

Review the risk tolerance and appetite.

Questions 259

Which of the following would provide the MOST helpful input to develop risk scenarios associated with hosting an organization's key IT applications in a cloud environment?

Options:

A.

Reviewing the results of independent audits

B.

Performing a site visit to the cloud provider's data center

C.

Performing a due diligence review

D.

Conducting a risk workshop with key stakeholders

Questions 260

After identifying new risk events during a project, the project manager's NEXT step should be to:

Options:

A.

determine if the scenarios need to be accepted or responded to.

B.

record the scenarios into the risk register.

C.

continue with a qualitative risk analysis.

D.

continue with a quantitative risk analysis.

Questions 261

Which of the following should be the PRIMARY consideration when assessing the automation of control monitoring?

Options:

A.

Impact due to failure of control

B.

Frequency of failure of control

C.

Contingency plan for residual risk

D.

Cost-benefit analysis of automation

Questions 262

An organization recently experienced a cyber attack that resulted in the loss of confidential customer data. Which of the following is the risk practitioner's BEST recommendation after recovery steps have been completed?

Options:

A.

Develop new key risk indicators (KRIs).

B.

Perform a root cause analysis.

C.

Recommend the purchase of cyber insurance.

D.

Review the incident response plan.

Questions 263

A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?

Options:

A.

Document the finding in the risk register.

B.

Invoke the incident response plan.

C.

Re-evaluate key risk indicators.

D.

Modify the design of the control.

Questions 264

Which of the following is a KEY outcome of risk ownership?

Options:

A.

Risk responsibilities are addressed.

B.

Risk-related information is communicated.

C.

Risk-oriented tasks are defined.

D.

Business process risk is analyzed.

Questions 265

An organization has provided legal text explaining the rights and expected behavior of users accessing a system from geographic locations that have strong privacy regulations. Which of the following control types has been applied?

Options:

A.

Detective

B.

Directive

C.

Preventive

D.

Compensating

Questions 266

From a business perspective, which of the following is the MOST important objective of a disaster recovery test?

Options:

A.

The organization gains assurance it can recover from a disaster.

B.

Errors are discovered in the disaster recovery process.

C.

All business-critical systems are successfully tested.

D.

All critical data is recovered within recovery time objectives (RTOs).

Questions 267

Which organizational role should be accountable for ensuring information assets are appropriately classified?

Options:

A.

Data protection officer

B.

Chief information officer (CIO)

C.

Information asset custodian

D.

Information asset owner

Questions 268

Which of the following is the PRIMARY reason to update a risk register with risk assessment results?

Options:

A.

To communicate the level and priority of assessed risk to management

B.

To provide a comprehensive inventory of risk across the organization

C.

To assign a risk owner to manage the risk

D.

To enable the creation of action plans to address risk

Questions 269

Which of the following situations would BEST justify escalation to senior management?

Options:

A.

Residual risk exceeds acceptable limits.

B.

Residual risk is inadequately recorded.

C.

Residual risk remains after controls have been applied.

D.

Residual risk equals current risk.

Questions 270

Reviewing results from which of the following is the BEST way to identify information systems control deficiencies?

Options:

A.

Vulnerability and threat analysis

B.

Control remediation planning

C.

User acceptance testing (UAT)

D.

Control self-assessment (CSA)

Questions 271

Reviewing which of the following provides the BEST indication of an organization's risk tolerance?

Options:

A.

Risk sharing strategy

B.

Risk transfer agreements

C.

Risk policies

D.

Risk assessments

Questions 272

Which of the following BEST helps to identify significant events that could impact an organization?

Options:

A.

Control analysis

B.

Vulnerability analysis

C.

Scenario analysis

D.

Heat map analysis

Questions 273

Which of the following would be the BEST way for a risk practitioner to validate the effectiveness of a patching program?

Options:

A.

Conduct penetration testing.

B.

Interview IT operations personnel.

C.

Conduct vulnerability scans.

D.

Review change control board documentation.

Questions 274

Which of the following would BEST help an enterprise define and communicate its risk appetite?

Options:

A.

Gap analysis

B.

Risk assessment

C.

Heat map

D.

Risk register

Questions 275

The PRIMARY objective of testing the effectiveness of a new control before implementation is to:

Options:

A.

ensure that risk is mitigated by the control.

B.

measure efficiency of the control process.

C.

confirm control alignment with business objectives.

D.

comply with the organization's policy.

Questions 276

Which of the following is the BEST way to protect sensitive data from administrators within a public cloud?

Options:

A.

Use an encrypted tunnel to connect to the cloud.

B.

Encrypt the data in the cloud database.

C.

Encrypt physical hard drives within the cloud.

D.

Encrypt data before it leaves the organization.

Questions 277

Which of the following would MOST likely cause a risk practitioner to reassess risk scenarios?

Options:

A.

A change in the risk management policy

B.

A major security incident

C.

A change in the regulatory environment

D.

An increase in intrusion attempts

Questions 278

The MOST essential content to include in an IT risk awareness program is how to:

Options:

A.

populate risk register entries and build a risk profile for management reporting.

B.

prioritize IT-related actions by considering risk appetite and risk tolerance.

C.

define the IT risk framework for the organization.

D.

comply with the organization's IT risk and information security policies.

Questions 279

Which of the following is the GREATEST risk associated with inappropriate classification of data?

Options:

A.

Inaccurate record management data

B.

Inaccurate recovery time objectives (RTOs)

C.

Lack of accountability for data ownership

D.

Users having unauthorized access to data

Questions 280

An organization is concerned that its employees may be unintentionally disclosing data through the use of social media sites. Which of the following will MOST effectively mitigate this risk?

Options:

A.

Requiring the use of virtual private networks (VPNs)

B.

Establishing a data classification policy

C.

Conducting user awareness training

D.

Requiring employee agreement of the acceptable use policy

Questions 281

Which of the following BEST facilitates the development of effective IT risk scenarios?

Options:

A.

Utilization of a cross-functional team

B.

Participation by IT subject matter experts

C.

Integration of contingency planning

D.

Validation by senior management

Questions 282

An information system for a key business operation is being moved from an in-house application to a Software as a Service (SaaS) vendor. Which of the following will have the GREATEST impact on the ability to monitor risk?

Options:

A.

Reduced ability to evaluate key risk indicators (KRIs)

B.

Reduced access to internal audit reports

C.

Dependency on the vendor's key performance indicators (KPIs)

D.

Dependency on service level agreements (SLAs)

Questions 283

Which of the following is the BEST criterion to determine whether higher residual risk ratings in the risk register should be accepted?

Options:

A.

Risk maturity

B.

Risk policy

C.

Risk appetite

D.

Risk culture

Questions 284

Which of the following is the MOST important component in a risk treatment plan?

Options:

A.

Technical details

B.

Target completion date

C.

Treatment plan ownership

D.

Treatment plan justification

Questions 285

The PRIMARY objective of a risk identification process is to:

Options:

A.

evaluate how risk conditions are managed.

B.

determine threats and vulnerabilities.

C.

estimate anticipated financial impact of risk conditions.

D.

establish risk response options.

Questions 286

Which of the following criteria is MOST important when developing a response to an attack that would compromise data?

Options:

A.

The recovery time objective (RTO)

B.

The likelihood of a recurring attack

C.

The organization's risk tolerance

D.

The business significance of the information

Questions 287

Which of the following will be MOST effective to mitigate the risk associated with the loss of company data stored on personal devices?

Options:

A.

An acceptable use policy for personal devices

B.

Required user log-on before synchronizing data

C.

Enforced authentication and data encryption

D.

Security awareness training and testing

Questions 288

Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?

Options:

A.

Identify the potential risk.

B.

Monitor employee usage.

C.

Assess the potential risk.

D.

Develop risk awareness training.

Questions 289

Which of the following BEST helps to ensure disaster recovery staff members are able to complete their assigned tasks effectively during a disaster?

Options:

A.

Performing parallel disaster recovery testing

B.

Documenting the order of system and application restoration

C.

Involving disaster recovery staff members in risk assessments

D.

Conducting regular tabletop exercises and scenario analysis

Questions 290

Reviewing which of the following BEST helps an organization gain insight into its overall risk profile?

Options:

A.

Risk register

B.

Risk appetite

C.

Threat landscape

D.

Risk metrics

Questions 291

An organization maintains independent departmental risk registers that are not automatically aggregated. Which of the following is the GREATEST concern?

Options:

A.

Management may be unable to accurately evaluate the risk profile.

B.

Resources may be inefficiently allocated.

C.

The same risk factor may be identified in multiple areas.

D.

Multiple risk treatment efforts may be initiated to treat a given risk.

Questions 292

A legacy application used for a critical business function relies on software that has reached the end of extended support. Which of the following is the MOST effective control to manage this application?

Options:

A.

Subscribe to threat intelligence to monitor external attacks.

B.

Apply patches for a newer version of the application.

C.

Segment the application within the existing network.

D.

Increase the frequency of regular system and data backups.

Questions 293

The risk associated with an asset before controls are applied can be expressed as:

Options:

A.

a function of the likelihood and impact

B.

the magnitude of an impact

C.

a function of the cost and effectiveness of control.

D.

the likelihood of a given threat

Questions 294

Which of the following findings of a security awareness program assessment would cause the GREATEST concern to a risk practitioner?

Options:

A.

The program has not decreased threat counts.

B.

The program has not considered business impact.

C.

The program has been significantly revised.

D.

The program uses non-customized training modules.

Questions 295

An organization planning to transfer and store its customer data with an offshore cloud service provider should be PRIMARILY concerned with:

Options:

A.

data aggregation

B.

data privacy

C.

data quality

D.

data validation

Questions 296

Following the implementation of an Internet of Things (IoT) solution, a risk practitioner identifies new risk factors with impact to existing controls. Which of the following is MOST important to include in a report to stakeholders?

Options:

A.

Identified vulnerabilities

B.

Business managers' concerns

C.

Changes to residual risk

D.

Risk strategies of peer organizations

Questions 297

A newly incorporated enterprise needs to secure its information assets. From a governance perspective, which of the following should be done FIRST?

Options:

A.

Define information retention requirements and policies

B.

Provide information security awareness training

C.

Establish security management processes and procedures

D.

Establish an inventory of information assets

Questions 298

An IT risk practitioner has been asked to regularly report on the overall status and effectiveness of the IT risk management program. Which of the following is MOST useful for this purpose?

Options:

A.

Balanced scorecard

B.

Capability maturity level

C.

Internal audit plan

D.

Control self-assessment (CSA)

Questions 299

Which of the following should be the PRIMARY focus of a risk owner once a decision is made to mitigate a risk?

Options:

A.

Updating the risk register to include the risk mitigation plan

B.

Determining processes for monitoring the effectiveness of the controls

C.

Ensuring that control design reduces risk to an acceptable level

D.

Confirming to management the controls reduce the likelihood of the risk

Questions 300

Which of the following is the MAIN reason for analyzing risk scenarios?

Options:

A.

Identifying additional risk scenarios

B.

Updating the heat map

C.

Assessing loss expectancy

D.

Establishing a risk appetite

Questions 301

Which of the following is the MOST significant indicator of the need to perform a penetration test?

Options:

A.

An increase in the number of high-risk audit findings

B.

An increase in the number of security incidents

C.

An increase in the percentage of turnover in IT personnel

D.

An increase in the number of infrastructure changes

Questions 302

An organization has initiated a project to launch an IT-based service to customers and take advantage of being the first to market. Which of the following should be of GREATEST concern to senior management?

Options:

A.

More time has been allotted for testing.

B.

The project is likely to deliver the product late.

C.

A new project manager is handling the project.

D.

The cost of the project will exceed the allotted budget.

Questions 303

Which of the following is MOST important to the successful development of IT risk scenarios?

Options:

A.

Cost-benefit analysis

B.

Internal and external audit reports

C.

Threat and vulnerability analysis

D.

Control effectiveness assessment

Questions 304

Which of the following approaches BEST identifies information systems control deficiencies?

Options:

A.

Countermeasures analysis

B.

Best practice assessment

C.

Gap analysis

D.

Risk assessment

Questions 305

An organization is moving its critical assets to the cloud. Which of the following is the MOST important key performance indicator (KPI) to include in the service level agreement (SLA)?

Options:

A.

Percentage of standard supplier uptime

B.

Average time to respond to incidents

C.

Number of assets included in recovery processes

D.

Number of key applications hosted

Questions 306

Which of the following is MOST important for mitigating ethical risk when establishing accountability for control ownership?

Options:

A.

Ensuring processes are documented to enable effective control execution

B.

Ensuring regular risk messaging is included in business communications from leadership

C.

Ensuring schedules and deadlines for control-related deliverables are strictly monitored

D.

Ensuring performance metrics balance business goals with risk appetite

Questions 307

Which of the following is the GREATEST benefit of a three lines of defense structure?

Options:

A.

An effective risk culture that empowers employees to report risk

B.

Effective segregation of duties to prevent internal fraud

C.

Clear accountability for risk management processes

D.

Improved effectiveness and efficiency of business operations

Questions 308

Which of the following BEST represents a critical threshold value for a key control indicator (KCI)?

Options:

A.

The value at which control effectiveness would fail

B.

Thresholds benchmarked to peer organizations

C.

A typical operational value

D.

A value that represents the intended control state

Questions 309

Which of the following is the BEST way to quantify the likelihood of risk materialization?

Options:

A.

Balanced scorecard

B.

Threat and vulnerability assessment

C.

Compliance assessments

D.

Business impact analysis (BIA)

Questions 310

Which of the following is MOST helpful in identifying loss magnitude during risk analysis of a new system?

Options:

A.

Recovery time objective (RTO)

B.

Cost-benefit analysis

C.

Business impact analysis (BIA)

D.

Cyber insurance coverage

Questions 311

An organization is planning to outsource its payroll function to an external service provider. Which of the following should be the MOST important consideration when selecting the provider?

Options:

A.

Disaster recovery plan (DRP) of the system

B.

Right to audit the provider

C.

Internal controls to ensure data privacy

D.

Transparency of key performance indicators (KPIs)

Questions 312

Which of the following BEST contributes to the implementation of an effective risk response action plan?

Options:

A.

An IT tactical plan

B.

Disaster recovery and continuity testing

C.

Assigned roles and responsibilities

D.

A business impact analysis

Questions 313

A business is conducting a proof of concept on a vendor’s AI technology. Which of the following is the MOST important consideration for managing risk?

Options:

A.

Use of a non-production environment

B.

Regular security updates

C.

Third-party management plan

D.

Adequate vendor support

Questions 314

Risk management strategies are PRIMARILY adopted to:

Options:

A.

take necessary precautions for claims and losses.

B.

achieve acceptable residual risk levels.

C.

avoid risk for business and IT assets.

D.

achieve compliance with legal requirements.

Questions 315

Which of the following is the PRIMARY risk management responsibility of the second line of defense?

Options:

A.

Monitoring risk responses

B.

Applying risk treatments

C.

Providing assurance of control effectiveness

D.

Implementing internal controls

Questions 316

Which of the following is the MOST effective way to validate organizational awareness of cybersecurity risk?

Options:

A.

Conducting security awareness training

B.

Updating the information security policy

C.

Implementing mock phishing exercises

D.

Requiring two-factor authentication

Questions 317

Which of the following statements describes the relationship between key risk indicators (KRIs) and key control indicators (KCIs)?

Options:

A.

KRI design must precede definition of KCIs.

B.

KCIs and KRIs are independent indicators and do not impact each other.

C.

A decreasing trend of KRI readings will lead to changes to KCIs.

D.

Both KRIs and KCIs provide insight to potential changes in the level of risk.

Questions 318

Which of the following scenarios presents the GREATEST risk of noncompliance with data privacy best practices?

Options:

A.

Making data available to a larger audience of customers

B.

Data not being disposed according to the retention policy

C.

Personal data not being de-identified properly

D.

Data being used for purposes the data subjects have not opted into

Questions 319

An organization uses a web application hosted by a cloud service that is populated by data sent to the vendor via email on a monthly basis. Which of the following should be the FIRST consideration when analyzing the risk associated with the application?

Options:

A.

Whether the service provider's data center is located in the same country

B.

Whether the data sent by email has been encrypted

C.

Whether the data has been appropriately classified

D.

Whether the service provider contract allows right of onsite audit

Questions 320

When presenting risk, the BEST method to ensure that the risk is measurable against the organization's risk appetite is through the use of a:

Options:

A.

risk map

B.

cause-and-effect diagram

C.

maturity model

D.

technology strategy plan.

Questions 321

Which of the following presents the GREATEST security risk associated with Internet of Things (IoT) technology?

Options:

A.

The inability to monitor via network management solutions

B.

The lack of relevant IoT security frameworks to guide the risk assessment process

C.

The heightened level of IoT threats via the widespread use of smart devices

D.

The lack of updates for vulnerable firmware

Questions 322

Which of the following contributes MOST to the effective implementation of risk responses?

Options:

A.

Clear understanding of the risk

B.

Comparable industry risk trends

C.

Appropriate resources

D.

Detailed standards and procedures

Questions 323

The MOST effective way to increase the likelihood that risk responses will be implemented is to:

Options:

A.

create an action plan

B.

assign ownership

C.

review progress reports

D.

perform regular audits.

Questions 324

Which of the following is the MOST important criteria for selecting key risk indicators (KRIs)?

Options:

A.

Historical data availability

B.

Implementation and reporting effort

C.

Ability to display trends

D.

Sensitivity and reliability

Questions 325

Which of the following IT key risk indicators (KRIs) provides management with the BEST feedback on IT capacity?

Options:

A.

Trends in IT resource usage

B.

Trends in IT maintenance costs

C.

Increased resource availability

D.

Increased number of incidents

Questions 326

The purpose of requiring source code escrow in a contractual agreement is to:

Options:

A.

ensure that the source code is valid and exists.

B.

ensure that the source code is available if the vendor ceases to exist.

C.

review the source code for adequacy of controls.

D.

ensure the source code is available when bugs occur.

Questions 327

Which of the following is the MOST effective way to reduce potential losses due to ongoing expense fraud?

Options:

A.

Implement user access controls

B.

Perform regular internal audits

C.

Develop and communicate fraud prevention policies

D.

Conduct fraud prevention awareness training.

Questions 328

Which of the following is a risk practitioner's BEST recommendation regarding disaster recovery management (DRM) for Software as a Service (SaaS) providers?

Options:

A.

Conduct incremental backups of data in the SaaS environment to a local data center.

B.

Implement segregation of duties between multiple SaaS solution providers.

C.

Codify availability requirements in the SaaS provider's contract.

D.

Conduct performance benchmarking against other SaaS service providers.

Questions 329

Which of the following is the GREATEST risk associated with the misclassification of data?

Options:

A.

Inadequate resource allocation

B.

Data disruption

C.

Unauthorized access

D.

Inadequate retention schedules

Questions 330

Which of the following would provide the MOST reliable evidence of the effectiveness of security controls implemented for a web application?

Options:

A.

Penetration testing

B.

IT general controls audit

C.

Vulnerability assessment

D.

Fault tree analysis

Questions 331

After a risk has been identified, who is in the BEST position to select the appropriate risk treatment option?

Options:

A.

The risk practitioner

B.

The business process owner

C.

The risk owner

D.

The control owner

Questions 332

Which of the following is MOST important to the effective monitoring of key risk indicators (KRIs)?

Options:

A.

Updating the threat inventory with new threats

B.

Automating log data analysis

C.

Preventing the generation of false alerts

D.

Determining threshold levels

Questions 333

Which of the following would be MOST beneficial as a key risk indicator (KRI)?

Options:

A.

Current capital allocation reserves

B.

Negative security return on investment (ROI)

C.

Project cost variances

D.

Annualized loss projections

Questions 334

An organization has raised the risk appetite for technology risk. The MOST likely result would be:

Options:

A.

increased inherent risk.

B.

higher risk management cost

C.

decreased residual risk.

D.

lower risk management cost.

Questions 335

Which of the following describes the relationship between key risk indicators (KRIs) and key control indicators (KCIs)?

Options:

A.

KCIs are independent from KRIs.

B.

KCIs and KRIs help in determining risk appetite.

C.

KCIs are defined using data from KRIs.

D.

KCIs provide input for KRIs.

Questions 336

Which of the following provides the MOST reliable evidence to support conclusions after completing an information systems controls assessment?

Options:

A.

Risk and control self-assessment (CSA) reports

B.

Information generated by the systems

C.

Control environment narratives

D.

Confirmation from industry peers

Questions 337

A risk action plan has been changed during the risk mitigation effort. Which of the following is MOST important for the risk practitioner to verify?

Options:

A.

Impact of the change on inherent risk

B.

Approval for the change by the risk owner

C.

Business rationale for the change

D.

Risk to the mitigation effort due to the change

Questions 338

Which of the following is MOST helpful in providing a high-level overview of current IT risk severity?

Options:

A.

Risk mitigation plans

B.

Heat map

C.

Risk appetite statement

D.

Key risk indicators (KRIs)

Questions 339

A payroll manager discovers that fields in certain payroll reports have been modified without authorization. Which of the following control weaknesses could have contributed MOST to this problem?

Options:

A.

The user requirements were not documented.

B.

Payroll files were not under the control of a librarian.

C.

The programmer had access to the production programs.

D.

The programmer did not involve the user in testing.

Questions 340

Which of the following would present the GREATEST challenge for a risk practitioner during a merger of two organizations?

Options:

A.

Variances between organizational risk appetites

B.

Different taxonomies to categorize risk scenarios

C.

Disparate platforms for governance, risk, and compliance (GRC) systems

D.

Dissimilar organizational risk acceptance protocols

Questions 341

Which of the following is MOST important to include in a Software as a Service (SaaS) vendor agreement?

Options:

A.

An annual contract review

B.

A service level agreement (SLA)

C.

A requirement to adopt an established risk management framework

D.

A requirement to provide an independent audit report

Questions 342

Which of the following should a risk practitioner review FIRST when evaluating risk events associated with the organization's data flow model?

Options:

A.

Results of data classification activities

B.

Recent changes to enterprise architecture (EA)

C.

High-level network diagrams

D.

Notes from interviews with the data owners

Questions 343

Which of the following is MOST important for management to consider when deciding whether to invest in an IT initiative that exceeds management's risk appetite?

Options:

A.

Risk management budget

B.

Risk management industry trends

C.

Risk tolerance

D.

Risk capacity

Questions 344

An organization's chief technology officer (CTO) has decided to accept the risk associated with the potential loss from a denial-of-service (DoS) attack. In this situation, the risk practitioner's BEST course of action is to:

Options:

A.

identify key risk indicators (KRIs) for ongoing monitoring.

B.

validate the CTO's decision with the business process owner.

C.

update the risk register with the selected risk response.

D.

recommend that the CTO revisit the risk acceptance decision.

Questions 345

Which of the following BEST enables an organization to address risk associated with technical complexity?

Options:

A.

Documenting system hardening requirements

B.

Minimizing dependency on technology

C.

Aligning with a security architecture

D.

Establishing configuration guidelines

Questions 346

Which of the following is a risk practitioner's BEST course of action after identifying risk scenarios related to noncompliance with new industry regulations?

Options:

A.

Escalate to senior management.

B.

Transfer the risk.

C.

Implement monitoring controls.

D.

Recalculate the risk.

Questions 347

A risk practitioner is performing a risk assessment of recent external advancements in quantum computing. Which of the following would pose the GREATEST concern for the risk practitioner?

Options:

A.

The organization has not adopted Infrastructure as a Service (IaaS) for its operations

B.

The organization has incorporated blockchain technology in its operations

C.

The organization has implemented heuristics on its network firewall

D.

The organization has not reviewed its encryption standards

Questions 348

A highly regulated enterprise is developing a new risk management plan to specifically address legal and regulatory risk scenarios. What should be done FIRST by IT governance to support this effort?

Options:

A.

Request a regulatory risk reporting methodology.

B.

Require critical success factors (CSFs) for IT risks.

C.

Establish IT-specific compliance objectives.

D.

Communicate IT key risk indicators (KRIs) and triggers.

Questions 349

What should be the PRIMARY objective for a risk practitioner performing a post-implementation review of an IT risk mitigation project?

Options:

A.

Documenting project lessons learned

B.

Validating the risk mitigation project has been completed

C.

Confirming that the project budget was not exceeded

D.

Verifying that the risk level has been lowered

Questions 350

Which of the following is the BEST evidence that a user account has been properly authorized?

Options:

A.

An email from the user accepting the account

B.

Notification from human resources that the account is active

C.

User privileges matching the request form

D.

Formal approval of the account by the user's manager

Questions 351

Which of the following is the MOST critical consideration when awarding a project to a third-party service provider whose servers are located offshore?

Options:

A.

Difficulty of monitoring compliance due to geographical distance

B.

Cost implications due to installation of network intrusion detection systems (IDSs)

C.

Delays in incident communication

D.

Potential impact on data governance

Questions 352

Which of the following presents the GREATEST concern associated with the use of artificial intelligence (AI) systems?

Options:

A.

AI systems need to be available continuously.

B.

AI systems can be affected by bias.

C.

AI systems are expensive to maintain.

D.

AI systems can provide false positives.

Questions 353

A penetration testing team discovered an ineffectively designed access control. Who is responsible for ensuring the control design gap is remediated?

Options:

A.

Control owner

B.

Risk owner

C.

IT security manager

D.

Control operator

Questions 354

Which of the following is MOST important when identifying an organization's risk exposure associated with Internet of Things (IoT) devices?

Options:

A.

Defined remediation plans

B.

Management sign-off on the scope

C.

Manual testing of device vulnerabilities

D.

Visibility into all networked devices

Questions 355

Which of the following BEST indicates that security requirements have been incorporated into the system development life cycle (SDLC)?

Options:

A.

Comprehensive security training of developers

B.

Validated security requirements and design documents

C.

Completed user acceptance testing (UAT)

D.

Compliance with laws and regulatory requirements

Questions 356

To communicate the risk associated with IT in business terms, which of the following MUST be defined?

Options:

A.

Compliance objectives

B.

Risk appetite of the organization

C.

Organizational objectives

D.

Inherent and residual risk

Questions 357

Which of the following would be of GREATEST assistance when justifying investment in risk response strategies?

Options:

A.

Total cost of ownership

B.

Resource dependency analysis

C.

Cost-benefit analysis

D.

Business impact analysis

Questions 358

Which of the following is the GREATEST concern when using a generic set of IT risk scenarios for risk analysis?

Options:

A.

Quantitative analysis might not be possible.

B.

Risk factors might not be relevant to the organization

C.

Implementation costs might increase.

D.

Inherent risk might not be considered.

Questions 359

Which of the following is MOST helpful to ensure effective security controls for a cloud service provider?

Options:

A.

A control self-assessment

B.

A third-party security assessment report

C.

Internal audit reports from the vendor

D.

Service level agreement monitoring

Questions 360

Which of the following provides the MOST helpful reference point when communicating the results of a risk assessment to stakeholders?

Options:

A.

Risk tolerance

B.

Risk appetite

C.

Risk awareness

D.

Risk policy

Questions 361

Risk aggregation in a complex organization will be MOST successful when:

Options:

A.

using the same scales in assessing risk.

B.

utilizing industry benchmarks.

C.

using reliable qualitative data for risk items.

D.

including primarily low-level risk factors.

Questions 362

When evaluating enterprise IT risk management, it is MOST important to:

Options:

A.

create new control processes to reduce identified IT risk scenarios

B.

confirm the organization’s risk appetite and tolerance

C.

report identified IT risk scenarios to senior management

D.

review alignment with the organization's investment plan

Questions 363

The number of tickets to rework application code has significantly exceeded the established threshold. Which of the following would be the risk practitioner's BEST recommendation?

Options:

A.

Perform a root cause analysis

B.

Perform a code review

C.

Implement version control software.

D.

Implement training on coding best practices

Questions 364

Continuous monitoring of key risk indicators (KRIs) will:

Options:

A.

ensure that risk will not exceed the defined risk appetite of the organization.

B.

provide an early warning so that proactive action can be taken.

C.

provide a snapshot of the risk profile.

D.

ensure that risk tolerance and risk appetite are aligned.

Questions 365

Which of the following is the GREATEST benefit to an organization when updates to the risk register are made promptly after the completion of a risk assessment?

Options:

A.

Improved senior management communication

B.

Optimized risk treatment decisions

C.

Enhanced awareness of risk management

D.

Improved collaboration among risk professionals

Questions 366

An identified high probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy. Which of the following is the BEST risk response?

Options:

A.

Mitigate

B.

Accept

C.

Transfer

D.

Avoid

Questions 367

A risk practitioner discovers that an IT operations team manager bypassed web filtering controls by using a mobile device, in violation of the network security policy. Which of the following should the risk practitioner do FIRST?

Options:

A.

Report the incident.

B.

Plan a security awareness session.

C.

Assess the new risk.

D.

Update the risk register.

Questions 368

Concerned about system load capabilities during the month-end close process, management requires monitoring of the average time to complete tasks and monthly reporting of the findings. What type of measure has been established?

Options:

A.

Service level agreement (SLA)

B.

Critical success factor (CSF)

C.

Key risk indicator (KRI)

D.

Key performance indicator (KPI)

Questions 369

Which of the following is the MOST important consideration when sharing risk management updates with executive management?

Options:

A.

Including trend analysis of risk metrics

B.

Using an aggregated view of organizational risk

C.

Relying on key risk indicator (KRI) data

D.

Ensuring relevance to organizational goals

Questions 370

Which of the following is the MOST important information to be communicated during security awareness training?

Options:

A.

Management's expectations

B.

Corporate risk profile

C.

Recent security incidents

D.

The current risk management capability

Questions 371

A risk practitioner is reporting on an increasing trend of ransomware attacks in the industry. Which of the following information is MOST important to include to enable an informed response decision by key stakeholders?

Options:

A.

Methods of attack progression

B.

Losses incurred by industry peers

C.

Most recent antivirus scan reports

D.

Potential impact of events

Questions 372

A risk assessment has been completed on an application and reported to the application owner. The report includes validated vulnerability findings that require mitigation. Which of the following should be the NEXT step?

Options:

A.

Report the findings to executive management to enable treatment decisions.

B.

Reassess each vulnerability to evaluate the risk profile of the application.

C.

Conduct a penetration test to determine how to mitigate the vulnerabilities.

D.

Prepare a risk response that is aligned to the organization's risk tolerance.

Questions 373

Which of the following is MOST helpful to management when determining the resources needed to mitigate a risk?

Options:

A.

An internal audit

B.

A heat map

C.

A business impact analysis (BIA)

D.

A vulnerability report

Questions 374

Key risk indicators (KRIs) are MOST useful during which of the following risk management phases?

Options:

A.

Monitoring

B.

Analysis

C.

Identification

D.

Response selection

Questions 375

Which of the following is the BEST approach when a risk treatment plan cannot be completed on time?

Options:

A.

Replace the action owner with a more experienced individual.

B.

Implement compensating controls until the preferred action can be completed.

C.

Change the risk response strategy of the relevant risk to risk avoidance.

D.

Develop additional key risk indicators (KRIs) until the preferred action can be completed.

Questions 376

Which of the following is the BEST approach for an organization in a heavily regulated industry to comprehensively test application functionality?

Options:

A.

Use production data in a non-production environment

B.

Use masked data in a non-production environment

C.

Use test data in a production environment

D.

Use anonymized data in a non-production environment

Questions 377

What is the PRIMARY benefit of risk monitoring?

Options:

A.

It reduces the number of audit findings.

B.

It provides statistical evidence of control efficiency.

C.

It facilitates risk-aware decision making.

D.

It facilitates communication of threat levels.

Questions 378

Which of the following is the BEST way for a risk practitioner to present an annual risk management update to the board?

Options:

A.

A summary of risk response plans with validation results

B.

A report with control environment assessment results

C.

A dashboard summarizing key risk indicators (KRIs)

D.

A summary of IT risk scenarios with business cases

Questions 379

The BEST way to obtain senior management support for investment in a control implementation would be to articulate the reduction in:

Options:

A.

detected incidents.

B.

residual risk.

C.

vulnerabilities.

D.

inherent risk.

Questions 380

A business delegates its application data management to the internal IT team. Which of the following is the role of the internal IT team in this situation?

Options:

A.

Data controllers

B.

Data custodians

C.

Data analysts

D.

Data owners

Questions 381

The BEST way for an organization to ensure that servers are compliant with security policy is to review:

Options:

A.

change logs.

B.

configuration settings.

C.

server access logs.

D.

anti-malware compliance.

Questions 382

A risk practitioner finds that data has been misclassified. Which of the following is the GREATEST concern?

Options:

A.

Unauthorized access

B.

Data corruption

C.

Inadequate retention schedules

D.

Data disruption

Questions 383

An information security audit identified a risk resulting from the failure of an automated control. Who is responsible for ensuring the risk register is updated accordingly?

Options:

A.

The risk practitioner

B.

The risk owner

C.

The control owner

D.

The audit manager

Questions 384

Which of the following is the PRIMARY reason for an organization to ensure the risk register is updated regularly?

Options:

A.

Risk assessment results are accessible to senior management and stakeholders.

B.

Risk mitigation activities are managed and coordinated.

C.

Key risk indicators (KRIs) are evaluated to validate they are still within the risk threshold.

D.

Risk information is available to enable risk-based decisions.

Questions 385

A maturity model is MOST useful to an organization when it:

Options:

A.

benchmarks against other organizations.

B.

defines a qualitative measure of risk.

C.

provides a reference for progress.

D.

provides risk metrics.

Questions 386

Following a review of a third-party vendor, it is MOST important for an organization to ensure:

Options:

A.

results of the review are accurately reported to management.

B.

identified findings are reviewed by the organization.

C.

results of the review are validated by internal audit.

D.

identified findings are approved by the vendor.

Questions 387

Which of the following will BEST ensure that controls adequately support business goals and objectives?

Options:

A.

Using the risk management process

B.

Enforcing strict disciplinary procedures in case of noncompliance

C.

Reviewing results of the annual company external audit

D.

Adopting internationally accepted controls

Questions 388

Because of a potential data breach, an organization has decided to temporarily shut down its online sales order system until sufficient controls can be implemented. Which risk treatment has been selected?

Options:

A.

Avoidance

B.

Acceptance

C.

Mitigation

D.

Transfer

Questions 389

Which of the following is the BEST way for an organization to enable risk treatment decisions?

Options:

A.

Allocate sufficient funds for risk remediation.

B.

Promote risk and security awareness.

C.

Establish clear accountability for risk.

D.

Develop comprehensive policies and standards.

Questions 390

A review of an organization's controls has determined its data loss prevention (DLP) system is currently failing to detect outgoing emails containing credit card data. Which of the following would be MOST impacted?

Options:

A.

Key risk indicators (KRIs)

B.

Inherent risk

C.

Residual risk

D.

Risk appetite

Questions 391

A risk practitioner has been notified of a social engineering attack using artificial intelligence (AI) technology to impersonate senior management personnel. Which of the following would BEST mitigate the impact of such attacks?

Options:

A.

Training and awareness of employees for increased vigilance

B.

Increased monitoring of executive accounts

C.

Subscription to data breach monitoring sites

D.

Suspension and takedown of malicious domains or accounts

Questions 392

Which of the following is the MOST useful input when developing risk scenarios?

Options:

A.

Common attacks in other industries

B.

Identification of risk events

C.

Impact on critical assets

D.

Probability of disruptive risk events

Questions 393

The BEST way to determine the likelihood of a system availability risk scenario is by assessing the:

Options:

A.

availability of fault tolerant software.

B.

strategic plan for business growth.

C.

vulnerability scan results of critical systems.

D.

redundancy of technical infrastructure.

Questions 394

A vendor’s planned maintenance schedule will cause a critical application to temporarily lose failover capabilities. Of the following, who should approve this proposed schedule?

Options:

A.

Business application owner

B.

Business continuity manager

C.

Chief risk officer (CRO)

D.

IT infrastructure manager

Questions 395

A global organization has implemented an application that does not address all privacy requirements across multiple jurisdictions. Which of the following risk responses has the organization adopted with regard to privacy requirements?

Options:

A.

Risk avoidance

B.

Risk transfer

C.

Risk mitigation

D.

Risk acceptance

Questions 396

Which of the following would BEST facilitate the maintenance of data classification requirements?

Options:

A.

Scheduling periodic audits

B.

Assigning a data custodian

C.

Implementing technical controls over the assets

D.

Establishing a data loss prevention (DLP) solution

Questions 397

Which of the following resources is MOST helpful when creating a manageable set of IT risk scenarios?

Options:

A.

Results of current and past risk assessments

B.

Organizational strategy and objectives

C.

Lessons learned from materialized risk scenarios

D.

Internal and external audit findings

Questions 398

Which of the following is the BEST reason to use qualitative measures to express residual risk levels related to emerging threats?

Options:

A.

Qualitative measures require less ongoing monitoring.

B.

Qualitative measures are better aligned to regulatory requirements.

C.

Qualitative measures are better able to incorporate expert judgment.

D.

Qualitative measures are easier to update.

Questions 399

Which of the following is a detective control?

Options:

A.

Limit check

B.

Periodic access review

C.

Access control software

D.

Rerun procedures

Questions 400

An organization has decided to commit to a business activity with the knowledge that the risk exposure is higher than the risk appetite. Which of the following is the risk practitioner's MOST important action related to this decision?

Options:

A.

Recommend risk remediation

B.

Change the level of risk appetite

C.

Document formal acceptance of the risk

D.

Reject the business initiative

Questions 401

A third-party vendor has offered to perform user access provisioning and termination. Which of the following control accountabilities is BEST retained within the organization?

Options:

A.

Reviewing access control lists

B.

Authorizing user access requests

C.

Performing user access recertification

D.

Terminating inactive user access

Questions 402

Which of the following BEST helps to mitigate risk associated with excessive access by authorized users?

Options:

A.

Monitoring user activity using security logs

B.

Revoking access for users changing roles

C.

Granting access based on least privilege

D.

Conducting periodic reviews of authorizations granted

Questions 403

When an organization's business continuity plan (BCP) states that it cannot afford to lose more than three hours of a critical application's data, the three hours is considered the application’s:

Options:

A.

Maximum tolerable outage (MTO).

B.

Recovery point objective (RPO).

C.

Mean time to restore (MTTR).

D.

Recovery time objective (RTO).

Questions 404

Who should be responsible for evaluating the residual risk after a compensating control has been

Options:

A.

Compliance manager

B.

Risk owner

C.

Control owner

D.

Risk practitioner

Questions 405

Which of the following BEST promotes commitment to controls?

Options:

A.

Assigning control ownership

B.

Assigning appropriate resources

C.

Assigning a quality control review

D.

Performing regular independent control reviews

Questions 406

During a risk treatment plan review, a risk practitioner finds the approved risk action plan has not been completed. However, other risk mitigation actions were implemented. Which of the following is the BEST course of action?

Options:

A.

Review the cost-benefit of mitigating controls

B.

Mark the risk status as unresolved within the risk register

C.

Verify the sufficiency of mitigating controls with the risk owner

D.

Update the risk register with implemented mitigating actions

Questions 407

An enterprise has taken delivery of software patches that address vulnerabilities in its core business software. Prior to implementation, which of the following is the MOST important task to be performed?

Options:

A.

Assess the impact of applying the patches on the production environment.

B.

Survey other enterprises regarding their experiences with applying these patches.

C.

Seek information from the software vendor to enable effective application of the patches.

D.

Determine in advance an off-peak period to apply the patches.

Questions 408

Which of the following management actions will MOST likely change the likelihood rating of a risk scenario related to remote network access?

Options:

A.

Creating metrics to track remote connections

B.

Updating the organizational policy for remote access

C.

Updating remote desktop software

D.

Implementing multi-factor authentication

Questions 409

A migration from an in-house developed system to an external cloud-based solution is affecting a previously rated key risk scenario related to payroll processing. Which part of the risk register should be updated FIRST?

Options:

A.

Payroll system risk factors

B.

Payroll system risk mitigation plans

C.

Payroll process owner

D.

Payroll administrative controls

Questions 410

Implementing which of the following controls would BEST reduce the impact of a vulnerability that has been exploited?

Options:

A.

Detective control

B.

Deterrent control

C.

Preventive control

D.

Corrective control

Questions 411

While reviewing a contract of a cloud services vendor, it was discovered that the vendor refuses to accept liability for a sensitive data breach. Which of the following controls will BEST reduce the risk associated with such a data breach?

Options:

A.

Ensuring the vendor does not know the encryption key

B.

Engaging a third party to validate operational controls

C.

Using the same cloud vendor as a competitor

D.

Using field-level encryption with a vendor supplied key

Questions 412

Which of the following is MOST helpful in providing an overview of an organization's risk management program?

Options:

A.

Risk management treatment plan

B.

Risk assessment results

C.

Risk management framework

D.

Risk register

Questions 413

Which of the following is the BEST way to determine whether system settings are in alignment with control baselines?

Options:

A.

Configuration validation

B.

Control attestation

C.

Penetration testing

D.

Internal audit review

Questions 414

A risk practitioner is organizing a training session to communicate risk assessment methodologies to ensure a consistent risk view within the organization. Which of the following is the MOST important topic to cover in this training?

Options:

A.

Applying risk appetite

B.

Applying risk factors

C.

Referencing risk event data

D.

Understanding risk culture

Questions 415

Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities?

Options:

A.

Temporarily mitigate the OS vulnerabilities

B.

Document and implement a patching process

C.

Evaluate permanent fixes such as patches and upgrades

D.

Identify the vulnerabilities and applicable OS patches

Questions 416

Which of the following BEST enforces access control for an organization that uses multiple cloud technologies?

Options:

A.

Senior management support of cloud adoption strategies

B.

Creation of a cloud access risk management policy

C.

Adoption of a cloud access security broker (CASB) solution

D.

Expansion of security information and event management (SIEM) to cloud services

Questions 417

Which of the following activities should be performed FIRST when establishing IT risk management processes?

Options:

A.

Collect data of past incidents and lessons learned.

B.

Conduct a high-level risk assessment based on the nature of business.

C.

Identify the risk appetite of the organization.

D.

Assess the goals and culture of the organization.

Questions 418

Which of the following controls will BEST detect unauthorized modification of data by a database administrator?

Options:

A.

Reviewing database access rights

B.

Reviewing database activity logs

C.

Comparing data to input records

D.

Reviewing changes to edit checks

Questions 419

Which of the following is MOST important when developing risk scenarios?

Options:

A.

Reviewing business impact analysis (BIA)

B.

Collaborating with IT audit

C.

Conducting vulnerability assessments

D.

Obtaining input from key stakeholders

Questions 420

Which of the following is the MAIN benefit to an organization using key risk indicators (KRIs)?

Options:

A.

KRIs assist in the preparation of the organization's risk profile.

B.

KRIs signal that a change in the control environment has occurred.

C.

KRIs provide a basis to set the risk appetite for an organization.

D.

KRIs provide an early warning that a risk threshold is about to be reached.

Questions 421

Which of the following is the BEST key control indicator (KCI) for risk related to IT infrastructure failure?

Options:

A.

Number of times the recovery plan is reviewed

B.

Number of successful recovery plan tests

C.

Percentage of systems with outdated virus protection

D.

Percentage of employees who can work remotely

Questions 422

Which of the following provides the BEST evidence that robust risk management practices are in place within an organization?

Options:

A.

A management-approved risk dashboard

B.

A current control framework

C.

A regularly updated risk register

D.

Regularly updated risk management procedures

Questions 423

A risk practitioner observes that the fraud detection controls in an online payment system do not perform as expected. Which of the following will MOST likely change as a result?

Options:

A.

Impact

B.

Residual risk

C.

Inherent risk

D.

Risk appetite

Questions 424

Who is BEST suited to provide objective input when updating residual risk to reflect the results of control effectiveness?

Options:

A.

Control owner

B.

Risk owner

C.

Internal auditor

D.

Compliance manager

Questions 425

Which of the following is MOST important for a risk practitioner to consider when evaluating plans for changes to IT services?

Options:

A.

Change testing schedule

B.

Impact assessment of the change

C.

Change communication plan

D.

User acceptance testing (UAT)

Questions 426

When implementing an IT risk management program, which of the following is the BEST time to evaluate current control effectiveness?

Options:

A.

Before defining a framework

B.

During the risk assessment

C.

When evaluating risk response

D.

When updating the risk register

Questions 427

Which of the following factors will have the GREATEST impact on the implementation of a risk mitigation strategy for an organization?

Options:

A.

Cost-benefit analysis

B.

Risk tolerance

C.

Known vulnerabilities

D.

Cyber insurance

Questions 428

Which of the following could BEST detect an in-house developer inserting malicious functions into a web-based application?

Options:

A.

Segregation of duties

B.

Code review

C.

Change management

D.

Audit modules

Questions 429

Which of the following is the BEST indicator of the effectiveness of a control monitoring program?

Options:

A.

Time between control failure and failure detection

B.

Number of key controls as a percentage of total control count

C.

Time spent on internal control assessment reviews

D.

Number of internal control failures within the measurement period

Questions 430

A penetration test reveals several vulnerabilities in a web-facing application. Which of the following should be the FIRST step in selecting a risk response?

Options:

A.

Correct the vulnerabilities to mitigate potential risk exposure.

B.

Develop a risk response action plan with key stakeholders.

C.

Assess the level of risk associated with the vulnerabilities.

D.

Communicate the vulnerabilities to the risk owner.

Questions 431

Which of the following should be a risk practitioner's PRIMARY focus when tasked with ensuring organization records are being retained for a sufficient period of time to meet legal obligations?

Options:

A.

Data duplication processes

B.

Data archival processes

C.

Data anonymization processes

D.

Data protection processes

Questions 432

An organization has decided to postpone the assessment and treatment of several risk scenarios because stakeholders are unavailable. As a result of this decision, the risk associated with these new entries has been:

Options:

A.

mitigated.

B.

deferred.

C.

accepted.

D.

transferred.

Questions 433

Which of the following BEST enables a risk practitioner to understand management's approach to organizational risk?

Options:

A.

Organizational structure and job descriptions

B.

Risk appetite and risk tolerance

C.

Industry best practices for risk management

D.

Prior year's risk assessment results

Questions 434

Who is MOST important to include in the assessment of existing IT risk scenarios?

Options:

A.

Technology subject matter experts

B.

Business process owners

C.

Business users of IT systems

D.

Risk management consultants

Questions 435

Which of the following scenarios presents the GREATEST risk for a global organization when implementing a data classification policy?

Options:

A.

Data encryption has not been applied to all sensitive data across the organization.

B.

There are many data assets across the organization that need to be classified.

C.

Changes to information handling procedures are not documented.

D.

Changes to data sensitivity during the data life cycle have not been considered.

Questions 436

Legal and regulatory risk associated with business conducted over the Internet is driven by:

Options:

A.

the jurisdiction in which an organization has its principal headquarters.

B.

international law and a uniform set of regulations.

C.

the laws and regulations of each individual country.

D.

international standard-setting bodies.

Questions 437

The PRIMARY benefit associated with key risk indicators (KRIs) is that they:

Options:

A.

help an organization identify emerging threats.

B.

benchmark the organization's risk profile.

C.

identify trends in the organization's vulnerabilities.

D.

enable ongoing monitoring of emerging risk.

Questions 438

Which of the following should be initiated when a high number of noncompliant conditions are observed during review of a control procedure?

Options:

A.

Disciplinary action

B.

A control self-assessment

C.

A review of the awareness program

D.

Root cause analysis

Questions 439

An organization automatically approves exceptions to security policies on a recurring basis. This practice is MOST likely the result of:

Options:

A.

a lack of mitigating actions for identified risk.

B.

decreased threat levels.

C.

ineffective service delivery.

D.

ineffective IT governance.

Questions 440

Which of the following is the BEST evidence of an effective risk treatment plan?

Options:

A.

The inherent risk is below the asset residual risk.

B.

Remediation cost is below the asset business value.

C.

The risk tolerance threshold is above the asset residual risk.

D.

Remediation is completed within the asset recovery time objective (RTO).

Questions 441

During the control evaluation phase of a risk assessment, it is noted that multiple controls are ineffective. Which of the following should be the risk practitioner's FIRST course of action?

Options:

A.

Compare the residual risk to the current risk appetite.

B.

Recommend risk remediation of the ineffective controls.

C.

Implement key control indicators (KCIs).

D.

Escalate the control failures to senior management.

Questions 442

What is the PRIMARY role of the application owner when changes are being introduced into an existing environment?

Options:

A.

Determining possible losses due to downtime during the changes

B.

Updating control procedures and documentation

C.

Approving the proposed changes based on impact analysis

D.

Notifying owners of affected systems after the changes are implemented

Questions 443

Which stakeholders are PRIMARILY responsible for determining enterprise IT risk appetite?

Options:

A.

Audit and compliance management

B.

The chief information officer (CIO) and the chief financial officer (CFO)

C.

Enterprise risk management and business process owners

D.

Executive management and the board of directors

Questions 444

The BEST key performance indicator (KPI) to measure the effectiveness of a vendor risk management program is the percentage of:

Options:

A.

vendors providing risk assessments on time.

B.

vendor contracts reviewed in the past year.

C.

vendor risk mitigation action items completed on time.

D.

vendors that have reported control-related incidents.

Questions 445

Which of the following should be of MOST concern to a risk practitioner reviewing an organization's risk register after the completion of a series of risk assessments?

Options:

A.

Several risk action plans have missed target completion dates.

B.

Senior management has accepted more risk than usual.

C.

Risk associated with many assets is only expressed in qualitative terms.

D.

Many risk scenarios are owned by the same senior manager.

Questions 446

Which of the following is the BEST method to mitigate the risk of an unauthorized employee viewing confidential data in a database?

Options:

A.

Implement role-based access control

B.

Implement a data masking process

C.

Include sanctions in nondisclosure agreements (NDAs)

D.

Install a data loss prevention (DLP) tool

Questions 447

It is MOST appropriate for changes to be promoted to production after they are:

Options:

A.

communicated to business management.

B.

tested by business owners.

C.

approved by the business owner.

D.

initiated by business users.

Questions 448

A risk practitioner has been asked to propose a risk acceptance framework for an organization. Which of the following is the MOST important consideration for the risk practitioner to address in the framework?

Options:

A.

Consistent forms to document risk acceptance rationales

B.

Acceptable scenarios to override risk appetite or tolerance thresholds

C.

Individuals or roles authorized to approve risk acceptance

D.

Communication protocols when a risk is accepted

Questions 449

Which of the following is the GREATEST benefit of updating the risk register to include outcomes from a risk assessment?

Options:

A.

It maintains evidence of compliance with risk policy.

B.

It facilitates timely risk-based decisions.

C.

It validates the organization's risk appetite.

D.

It helps to mitigate internal and external risk factors.

Questions 450

Who should be responsible for implementing and maintaining security controls?

Options:

A.

End user

B.

Internal auditor

C.

Data owner

D.

Data custodian

Questions 451

Who is responsible for IT security controls that are outsourced to an external service provider?

Options:

A.

Organization's information security manager

B.

Organization's risk function

C.

Service provider's IT management

D.

Service provider's information security manager

Questions 452

A risk practitioner has discovered a deficiency in a critical system that cannot be patched. Which of the following should be the risk practitioner's FIRST course of action?

Options:

A.

Report the issue to internal audit.

B.

Submit a request to change management.

C.

Conduct a risk assessment.

D.

Review the business impact assessment.

Questions 453

Which of the following will BEST help ensure that risk factors identified during an information systems review are addressed?

Options:

A.

Informing business process owners of the risk

B.

Reviewing and updating the risk register

C.

Assigning action items and deadlines to specific individuals

D.

Implementing new control technologies

Questions 454

During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT. Which of the following is the BEST way for the risk practitioner to address these concerns?

Options:

A.

Describe IT risk scenarios in terms of business risk.

B.

Recommend the formation of an executive risk council to oversee IT risk.

C.

Provide an estimate of IT system downtime if IT risk materializes.

D.

Educate business executives on IT risk concepts.

Questions 455

A PRIMARY function of the risk register is to provide supporting information for the development of an organization's risk:

Options:

A.

strategy.

B.

profile.

C.

process.

D.

map.

Questions 456

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery plan (DRP)?

Options:

A.

Number of users that participated in the DRP testing

B.

Number of issues identified during DRP testing

C.

Percentage of applications that met the RTO during DRP testing

D.

Percentage of issues resolved as a result of DRP testing

Questions 457

An organization is preparing to transfer a large number of customer service representatives to the sales department. Of the following, who is responsible for mitigating the risk associated with residual system access?

Options:

A.

IT service desk manager

B.

Sales manager

C.

Customer service manager

D.

Access control manager

Questions 458

Which of the following is a KEY responsibility of the second line of defense?

Options:

A.

Implementing control activities

B.

Monitoring control effectiveness

C.

Conducting control self-assessments

D.

Owning risk scenarios

Questions 459

Which of the following is the BEST response when a potential IT control deficiency has been identified?

Options:

A.

Remediate and report the deficiency to the enterprise risk committee.

B.

Verify the deficiency and then notify the business process owner.

C.

Verify the deficiency and then notify internal audit.

D.

Remediate and report the deficiency to senior executive management.

Questions 460

Which of the following would present the MOST significant risk to an organization when updating the incident response plan?

Options:

A.

Obsolete response documentation

B.

Increased stakeholder turnover

C.

Failure to audit third-party providers

D.

Undefined assignment of responsibility

Questions 461

A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:

Options:

A.

updating the risk register.

B.

validating the risk scenarios.

C.

documenting the risk scenarios.

D.

identifying risk mitigation controls.

Questions 462

Which of the following should be included in a risk scenario to be used for risk analysis?

Options:

A.

Risk appetite

B.

Threat type

C.

Risk tolerance

D.

Residual risk

Questions 463

Which of the following provides the MOST useful information for developing key risk indicators (KRIs)?

Options:

A.

Business impact analysis (BIA) results

B.

Risk scenario ownership

C.

Risk thresholds

D.

Possible causes of materialized risk

Questions 464

Which of the following is the BEST indicator of the effectiveness of IT risk management processes?

Options:

A.

Percentage of business users completing risk training

B.

Percentage of high-risk scenarios for which risk action plans have been developed

C.

Number of key risk indicators (KRIs) defined

D.

Time between when IT risk scenarios are identified and the enterprise's response

Questions 465

During a risk assessment of a financial institution, a risk practitioner discovers that tellers can initiate and approve transactions of significant value. This team is also responsible for ensuring transactions are recorded and balances are reconciled by the end of the day. Which of the following is the risk practitioner's BEST recommendation to mitigate the associated risk?

Options:

A.

Implement continuous monitoring.

B.

Require a second level of approval.

C.

Implement separation of duties.

D.

Require a code of ethics.

Questions 466

When is the BEST time to identify risk associated with a major project in order to determine a mitigation plan?

Options:

A.

Project execution phase

B.

Project initiation phase

C.

Project closing phase

D.

Project planning phase

Questions 467

The effectiveness of a control has decreased. What is the MOST likely effect on the associated risk?

Options:

A.

The risk impact changes.

B.

The risk classification changes.

C.

The inherent risk changes.

D.

The residual risk changes.

Questions 468

Which of the following would BEST ensure that identified risk scenarios are addressed?

Options:

A.

Reviewing the implementation of the risk response

B.

Creating a separate risk register for key business units

C.

Performing real-time monitoring of threats

D.

Performing regular risk control self-assessments

Questions 469

Which of the following will help ensure the effective decision-making of an IT risk management committee?

Options:

A.

Key stakeholders are enrolled as members.

B.

Approved minutes are forwarded to senior management.

C.

Committee meets at least quarterly.

D.

Functional overlap across the business is minimized.

Questions 470

When a high number of approved exceptions are observed during a review of a control procedure, an organization should FIRST initiate a review of the:

Options:

A.

relevant policies.

B.

threat landscape.

C.

awareness program.

D.

risk heat map.

Questions 471

Which of the following is MOST helpful in determining the effectiveness of an organization's IT risk mitigation efforts?

Options:

A.

Assigning identification dates for risk scenarios in the risk register

B.

Updating impact assessments for risk scenarios

C.

Verifying whether risk action plans have been completed

D.

Reviewing key risk indicators (KRIs)

Questions 472

The PRIMARY reason for prioritizing risk scenarios is to:

Options:

A.

provide an enterprise-wide view of risk.

B.

support risk response tracking.

C.

assign risk ownership.

D.

facilitate risk response decisions.

Questions 473

An organization's risk register contains a large volume of risk scenarios that senior management considers overwhelming. Which of the following would BEST help to improve the risk register?

Options:

A.

Analyzing the residual risk components

B.

Performing risk prioritization

C.

Validating the risk appetite level

D.

Conducting a risk assessment

Questions 474

Which of the following is the MOST important consideration when multiple risk practitioners capture risk scenarios in a single risk register?

Options:

A.

Aligning risk ownership and control ownership

B.

Developing risk escalation and reporting procedures

C.

Maintaining up-to-date risk treatment plans

D.

Using a consistent method for risk assessment

Questions 475

Which of the following will MOST likely change as a result of the decrease in risk appetite due to a new privacy regulation?

Options:

A.

Key risk indicator (KRI) thresholds

B.

Risk trends

C.

Key performance indicators (KPIs)

D.

Risk objectives

Questions 476

Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?

Options:

A.

Perform an in-depth code review with an expert.

B.

Validate functionality by running in a test environment.

C.

Implement a service level agreement.

D.

Utilize the change management process.

Questions 477

Which of the following is a specific concern related to machine learning algorithms?

Options:

A.

Low software quality

B.

Lack of access controls

C.

Data breaches

D.

Data bias

Questions 478

When defining thresholds for control key performance indicators (KPIs), it is MOST helpful to align:

Options:

A.

information risk assessments with enterprise risk assessments.

B.

key risk indicators (KRIs) with risk appetite of the business.

C.

the control key performance indicators (KPIs) with audit findings.

D.

control performance with risk tolerance of business owners.

Questions 479

A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable?

Options:

A.

Business continuity manager (BCM)

B.

Human resources manager (HRM)

C.

Chief risk officer (CRO)

D.

Chief information officer (CIO)

Questions 480

Which of the following would provide the MOST useful information to a risk owner when reviewing the progress of risk mitigation?

Options:

A.

Key audit findings

B.

Treatment plan status

C.

Performance indicators

D.

Risk scenario results

Questions 481

Which of the following roles is PRIMARILY accountable for risk associated with business information protection?

Options:

A.

Control owner

B.

Data owner

C.

System owner

D.

Application owner

Questions 482

An organization has established workflows in its service desk to support employee reports of security-related concerns. Which of the following is the MOST efficient approach to analyze these concerns?

Options:

A.

Map concerns to organizational assets.

B.

Sort concerns by likelihood.

C.

Align concerns to key vendors.

D.

Prioritize concerns based on frequency of reports.

Questions 483

Which of the following is a risk practitioner's BEST course of action upon learning that a control under internal review may no longer be necessary?

Options:

A.

Obtain approval to retire the control.

B.

Update the status of the control as obsolete.

C.

Consult the internal auditor for a second opinion.

D.

Verify the effectiveness of the original mitigation plan.

Questions 484

Which of the following is MOST important to consider when determining the value of an asset during the risk identification process?

Options:

A.

The criticality of the asset

B.

The monetary value of the asset

C.

The vulnerability profile of the asset

D.

The size of the asset's user base

Questions 485

The MAIN purpose of reviewing a control after implementation is to validate that the control:

Options:

A.

operates as intended.

B.

is being monitored.

C.

meets regulatory requirements.

D.

operates efficiently.

Questions 486

An organization has just started accepting credit card payments from customers via the corporate website. Which of the following is MOST likely to increase as a result of this new initiative?

Options:

A.

Risk tolerance

B.

Risk appetite

C.

Inherent risk

D.

Residual risk

Questions 487

A risk practitioner notices that a risk scenario associated with data loss at the organization's cloud provider is assigned to the provider. To whom should the risk scenario be reassigned?

Options:

A.

Senior management

B.

Chief risk officer (CRO)

C.

Vendor manager

D.

Data owner

Questions 488

Which of the following key risk indicators (KRIs) provides the BEST insight into the risk associated with IT systems being unable to meet the required availability service level in the future?

Options:

A.

Percentage of IT systems having defined incident management service levels

B.

Percentage of IT systems having met the availability service level

C.

Percentage of IT outsourced systems having met the availability service level

D.

Percentage of IT systems routinely running at peak utilization

Questions 489

When creating a separate IT risk register for a large organization, which of the following is MOST important to consider with regard to the existing corporate risk register?

Options:

A.

Leveraging business risk professionals

B.

Relying on generic IT risk scenarios

C.

Describing IT risk in business terms

D.

Using a common risk taxonomy

Questions 490

Which of the following sources is MOST relevant to reference when updating security awareness training materials?

Options:

A.

Risk management framework

B.

Risk register

C.

Global security standards

D.

Recent security incidents reported by competitors

Questions 491

Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?

Options:

A.

Risk appetite is decreased.

B.

Inherent risk is increased.

C.

Risk tolerance is decreased.

D.

Residual risk is increased.

Questions 492

Which of the following BEST indicates the risk appetite and tolerance level for the risk associated with business interruption caused by IT system failures?

Options:

A.

Mean time to recover (MTTR)

B.

IT system criticality classification

C.

Incident management service level agreement (SLA)

D.

Recovery time objective (RTO)

Exam Code: CRISC
Exam Name: Certified in Risk and Information Systems Control
Last Update: Jun 24, 2025
Questions: 1727