March Special Sale Limited Time 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 713PS592

CRISC Certified in Risk and Information Systems Control Questions and Answers

Questions 4

The objective of aligning mitigating controls to risk appetite is to ensure that:

Options:

A.

exposures are reduced to the fullest extent

B.

exposures are reduced only for critical business systems

C.

insurance costs are minimized

D.

the cost of controls does not exceed the expected loss.

Buy Now
Questions 5

Which of the following is MOST important for successful incident response?

Options:

A.

The quantity of data logged by the attack control tools

B.

Blocking the attack route immediately

C.

The ability to trace the source of the attack

D.

The timeliness of attack recognition

Buy Now
Questions 6

Which of the following is the GREATEST benefit of centralizing IT systems?

Options:

A.

Risk reporting

B.

Risk classification

C.

Risk monitoring

D.

Risk identification

Buy Now
Questions 7

Which of the following is the MOST important key performance indicator (KPI) to monitor the effectiveness of disaster recovery processes?

Options:

A.

Percentage of IT systems recovered within the mean time to restore (MTTR) during the disaster recovery test

B.

Percentage of issues arising from the disaster recovery test resolved on time

C.

Percentage of IT systems included in the disaster recovery test scope

D.

Percentage of IT systems meeting the recovery time objective (RTO) during the disaster recovery test

Buy Now
Questions 8

An organization has experienced a cyber attack that exposed customer personally identifiable information (Pll) and caused extended outages of network services. Which of the following stakeholders are MOST important to include in the cyber response team to determine response actions?

Options:

A.

Security control owners based on control failures

B.

Cyber risk remediation plan owners

C.

Risk owners based on risk impact

D.

Enterprise risk management (ERM) team

Buy Now
Questions 9

The PRIMARY goal of conducting a business impact analysis (BIA) as part of an overall continuity planning process is to:

Options:

A.

obtain the support of executive management.

B.

map the business processes to supporting IT and other corporate resources.

C.

identify critical business processes and the degree of reliance on support services.

D.

document the disaster recovery process.

Buy Now
Questions 10

Which of the following would present the GREATEST challenge for a risk practitioner during a merger of two organizations?

Options:

A.

Variances between organizational risk appetites

B.

Different taxonomies to categorize risk scenarios

C.

Disparate platforms for governance, risk, and compliance (GRC) systems

D.

Dissimilar organizational risk acceptance protocols

Buy Now
Questions 11

It is MOST important that security controls for a new system be documented in:

Options:

A.

testing requirements

B.

the implementation plan.

C.

System requirements

D.

The security policy

Buy Now
Questions 12

Which of the following will BEST help to ensure key risk indicators (KRIs) provide value to risk owners?

Options:

A.

Ongoing training

B.

Timely notification

C.

Return on investment (ROI)

D.

Cost minimization

Buy Now
Questions 13

What is the MAIN benefit of using a top-down approach to develop risk scenarios?

Options:

A.

It describes risk events specific to technology used by the enterprise.

B.

It establishes the relationship between risk events and organizational objectives.

C.

It uses hypothetical and generic risk events specific to the enterprise.

D.

It helps management and the risk practitioner to refine risk scenarios.

Buy Now
Questions 14

A recent vulnerability assessment of a web-facing application revealed several weaknesses. Which of the following should be done NEXT to determine the risk exposure?

Options:

A.

Code review

B.

Penetration test

C.

Gap assessment

D.

Business impact analysis (BIA)

Buy Now
Questions 15

As pan of business continuity planning, which of the following is MOST important to include m a business impact analysis (BlA)?

Options:

A.

An assessment of threats to the organization

B.

An assessment of recovery scenarios

C.

industry standard framework

D.

Documentation of testing procedures

Buy Now
Questions 16

Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities?

Options:

A.

Temporarily mitigate the OS vulnerabilities

B.

Document and implement a patching process

C.

Evaluate permanent fixes such as patches and upgrades

D.

Identify the vulnerabilities and applicable OS patches

Buy Now
Questions 17

Which of me following is MOST helpful to mitigate the risk associated with an application under development not meeting business objectives?

Options:

A.

Identifying tweets that may compromise enterprise architecture (EA)

B.

Including diverse Business scenarios in user acceptance testing (UAT)

C.

Performing risk assessments during the business case development stage

D.

Including key stakeholders in review of user requirements

Buy Now
Questions 18

An organization's recovery team is attempting to recover critical data backups following a major flood in its data center. However, key team members do not know exactly what steps should be taken to address this crisis. Which of the following is the MOST likely cause of this situation?

Options:

A.

Failure to test the disaster recovery plan (DRP)

B.

Lack of well-documented business impact analysis (BIA)

C.

Lack of annual updates to the disaster recovery plan (DRP)

D.

Significant changes in management personnel

Buy Now
Questions 19

Which of The following should be of GREATEST concern for an organization considering the adoption of a bring your own device (BYOD) initiative?

Options:

A.

Device corruption

B.

Data loss

C.

Malicious users

D.

User support

Buy Now
Questions 20

A risk practitioner has been asked to advise management on developing a log collection and correlation strategy. Which of the following should be the MOST important consideration when developing this strategy?

Options:

A.

Ensuring time synchronization of log sources.

B.

Ensuring the inclusion of external threat intelligence log sources.

C.

Ensuring the inclusion of all computing resources as log sources.

D.

Ensuring read-write access to all log sources

Buy Now
Questions 21

An organization has initiated a project to launch an IT-based service to customers and take advantage of being the first to market. Which of the following should be of GREATEST concern to senior management?

Options:

A.

More time has been allotted for testing.

B.

The project is likely to deliver the product late.

C.

A new project manager is handling the project.

D.

The cost of the project will exceed the allotted budget.

Buy Now
Questions 22

Which of the following is the MOST important factor when deciding on a control to mitigate risk exposure?

Options:

A.

Relevance to the business process

B.

Regulatory compliance requirements

C.

Cost-benefit analysis

D.

Comparison against best practice

Buy Now
Questions 23

The BEST way to obtain senior management support for investment in a control implementation would be to articulate the reduction in:

Options:

A.

detected incidents.

B.

residual risk.

C.

vulnerabilities.

D.

inherent risk.

Buy Now
Questions 24

Which of the following BEST assists in justifying an investment in automated controls?

Options:

A.

Cost-benefit analysis

B.

Alignment of investment with risk appetite

C.

Elimination of compensating controls

D.

Reduction in personnel costs

Buy Now
Questions 25

Several network user accounts were recently created without the required management approvals. Which of the following would be the risk practitioner's BEST recommendation to address this situation?

Options:

A.

Conduct a comprehensive compliance review.

B.

Develop incident response procedures for noncompliance.

C.

Investigate the root cause of noncompliance.

D.

Declare a security breach and Inform management.

Buy Now
Questions 26

Which of the following scenarios presents the GREATEST risk for a global organization when implementing a data classification policy?

Options:

A.

Data encryption has not been applied to all sensitive data across the organization.

B.

There are many data assets across the organization that need to be classified.

C.

Changes to information handling procedures are not documented.

D.

Changes to data sensitivity during the data life cycle have not been considered.

Buy Now
Questions 27

To minimize the risk of a potential acquisition being exposed externally, an organization has selected a few key employees to be engaged in the due diligence process. A member of the due diligence team realizes a close acquaintance is a high-ranking IT professional at a subsidiary of the company about to be acquired. What is the BEST course of action for this team member?

Options:

A.

Enforce segregation of duties.

B.

Disclose potential conflicts of interest.

C.

Delegate responsibilities involving the acquaintance.

D.

Notify the subsidiary's legal team.

Buy Now
Questions 28

The BEST way to determine the likelihood of a system availability risk scenario is by assessing the:

Options:

A.

availability of fault tolerant software.

B.

strategic plan for business growth.

C.

vulnerability scan results of critical systems.

D.

redundancy of technical infrastructure.

Buy Now
Questions 29

The design of procedures to prevent fraudulent transactions within an enterprise resource planning (ERP) system should be based on:

Options:

A.

stakeholder risk tolerance.

B.

benchmarking criteria.

C.

suppliers used by the organization.

D.

the control environment.

Buy Now
Questions 30

A peer review of a risk assessment finds that a relevant threat community was not included. Mitigation of the risk will require substantial changes to a software application. Which of the following is the BEST course of action?

Options:

A.

Ask the business to make a budget request to remediate the problem.

B.

Build a business case to remediate the fix.

C.

Research the types of attacks the threat can present.

D.

Determine the impact of the missing threat.

Buy Now
Questions 31

During a risk treatment plan review, a risk practitioner finds the approved risk action plan has not been completed However, there were other risk mitigation actions implemented. Which of the fallowing is the BEST course of action?

Options:

A.

Review the cost-benefit of mitigating controls

B.

Mark the risk status as unresolved within the risk register

C.

Verify the sufficiency of mitigating controls with the risk owner

D.

Update the risk register with implemented mitigating actions

Buy Now
Questions 32

A department allows multiple users to perform maintenance on a system using a single set of credentials. A risk practitioner determined this practice to be high-risk. Which of the following is the MOST effective way to mitigate this risk?

Options:

A.

Single sign-on

B.

Audit trail review

C.

Multi-factor authentication

D.

Data encryption at rest

Buy Now
Questions 33

An organization must make a choice among multiple options to respond to a risk. The stakeholders cannot agree and decide to postpone the decision. Which of the following risk responses has the organization adopted?

Options:

A.

Transfer

B.

Mitigation

C.

Avoidance

D.

Acceptance

Buy Now
Questions 34

Which of the following is the MOST important objective of establishing an enterprise risk management (ERM) function within an organization?

Options:

A.

To have a unified approach to risk management across the organization

B.

To have a standard risk management process for complying with regulations

C.

To optimize risk management resources across the organization

D.

To ensure risk profiles are presented in a consistent format within the organization

Buy Now
Questions 35

Which of the following is a risk practitioner's BEST recommendation to address an organization's need to secure multiple systems with limited IT resources?

Options:

A.

Apply available security patches.

B.

Schedule a penetration test.

C.

Conduct a business impact analysis (BIA)

D.

Perform a vulnerability analysis.

Buy Now
Questions 36

Which of the following is the BEST course of action to help reduce the probability of an incident recurring?

Options:

A.

Perform a risk assessment.

B.

Perform root cause analysis.

C.

Initiate disciplinary action.

D.

Update the incident response plan.

Buy Now
Questions 37

A risk practitioner has been notified that an employee sent an email in error containing customers' personally identifiable information (Pll). Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Report it to the chief risk officer.

B.

Advise the employee to forward the email to the phishing team.

C.

follow incident reporting procedures.

D.

Advise the employee to permanently delete the email.

Buy Now
Questions 38

An organization has initiated a project to implement an IT risk management program for the first time. The BEST time for the risk practitioner to start populating the risk register is when:

Options:

A.

identifying risk scenarios.

B.

determining the risk strategy.

C.

calculating impact and likelihood.

D.

completing the controls catalog.

Buy Now
Questions 39

The PRIMARY purpose of vulnerability assessments is to:

Options:

A.

provide clear evidence that the system is sufficiently secure.

B.

determine the impact of potential threats.

C.

test intrusion detection systems (IDS) and response procedures.

D.

detect weaknesses that could lead to system compromise.

Buy Now
Questions 40

Which of the following is a detective control?

Options:

A.

Limit check

B.

Periodic access review

C.

Access control software

D.

Rerun procedures

Buy Now
Questions 41

Which of the following provides the BEST measurement of an organization's risk management maturity level?

Options:

A.

Level of residual risk

B.

The results of a gap analysis

C.

IT alignment to business objectives

D.

Key risk indicators (KRIs)

Buy Now
Questions 42

A newly hired risk practitioner finds that the risk register has not been updated in the past year. What is the risk practitioner's BEST course of action?

Options:

A.

Identify changes in risk factors and initiate risk reviews.

B.

Engage an external consultant to redesign the risk management process.

C.

Outsource the process for updating the risk register.

D.

Implement a process improvement and replace the old risk register.

Buy Now
Questions 43

Which of the following is the BEST way to assess the effectiveness of an access management process?

Options:

A.

Comparing the actual process with the documented process

B.

Reviewing access logs for user activity

C.

Reconciling a list of accounts belonging to terminated employees

D.

Reviewing for compliance with acceptable use policy

Buy Now
Questions 44

An organization outsources the processing of us payroll data A risk practitioner identifies a control weakness at the third party trial exposes the payroll data. Who should own this risk?

Options:

A.

The third party's IT operations manager

B.

The organization's process owner

C.

The third party's chief risk officer (CRO)

D.

The organization's risk practitioner

Buy Now
Questions 45

Which of the following practices MOST effectively safeguards the processing of personal data?

Options:

A.

Personal data attributed to a specific data subject is tokenized.

B.

Data protection impact assessments are performed on a regular basis.

C.

Personal data certifications are performed to prevent excessive data collection.

D.

Data retention guidelines are documented, established, and enforced.

Buy Now
Questions 46

To reduce costs, an organization is combining the second and third tines of defense in a new department that reports to a recently appointed C-level executive. Which of the following is the GREATEST concern with this situation?

Options:

A.

The risk governance approach of the second and third lines of defense may differ.

B.

The independence of the internal third line of defense may be compromised.

C.

Cost reductions may negatively impact the productivity of other departments.

D.

The new structure is not aligned to the organization's internal control framework.

Buy Now
Questions 47

Winch of the following is the BEST evidence of an effective risk treatment plan?

Options:

A.

The inherent risk is below the asset residual risk.

B.

Remediation cost is below the asset business value

C.

The risk tolerance threshold s above the asset residual

D.

Remediation is completed within the asset recovery time objective (RTO)

Buy Now
Questions 48

Winch of the following key control indicators (KCIs) BEST indicates whether security requirements are identified and managed throughout a project He cycle?

Options:

A.

Number of projects going live without a security review

B.

Number of employees completing project-specific security training

C.

Number of security projects started in core departments

D.

Number of security-related status reports submitted by project managers

Buy Now
Questions 49

When presenting risk, the BEST method to ensure that the risk is measurable against the organization's risk appetite is through the use of a:

Options:

A.

risk map

B.

cause-and-effect diagram

C.

maturity model

D.

technology strategy plan.

Buy Now
Questions 50

A risk practitioner notices that a particular key risk indicator (KRI) has remained below its established trigger point for an extended period of time. Which of the following should be done FIRST?

Options:

A.

Recommend a re-evaluation of the current threshold of the KRI.

B.

Notify management that KRIs are being effectively managed.

C.

Update the risk rating associated with the KRI In the risk register.

D.

Update the risk tolerance and risk appetite to better align to the KRI.

Buy Now
Questions 51

Which of the following is MOST useful when communicating risk to management?

Options:

A.

Risk policy

B.

Audit report

C.

Risk map

D.

Maturity model

Buy Now
Questions 52

Which of the following will BEST support management repotting on risk?

Options:

A.

Risk policy requirements

B.

A risk register

C.

Control self-assessment

D.

Key performance Indicators

Buy Now
Questions 53

Which of the following is MOST commonly compared against the risk appetite?

Options:

A.

IT risk

B.

Inherent risk

C.

Financial risk

D.

Residual risk

Buy Now
Questions 54

Which of the following is the BEST way to identify changes in the risk profile of an organization?

Options:

A.

Monitor key risk indicators (KRIs).

B.

Monitor key performance indicators (KPIs).

C.

Interview the risk owner.

D.

Conduct a gap analysis

Buy Now
Questions 55

Which of the following BEST indicates that an organizations risk management program is effective?

Options:

A.

Fewer security incidents have been reported.

B.

The number of audit findings has decreased.

C.

Residual risk is reduced.

D.

inherent risk Is unchanged.

Buy Now
Questions 56

Which of the following BEST indicates the risk appetite and tolerance level (or the risk associated with business interruption caused by IT system failures?

Options:

A.

Mean time to recover (MTTR)

B.

IT system criticality classification

C.

Incident management service level agreement (SLA)

D.

Recovery time objective (RTO)

Buy Now
Questions 57

Which of the following scenarios represents a threat?

Options:

A.

Connecting a laptop to a free, open, wireless access point (hotspot)

B.

Visitors not signing in as per policy

C.

Storing corporate data in unencrypted form on a laptop

D.

A virus transmitted on a USB thumb drive

Buy Now
Questions 58

An organization is implementing encryption for data at rest to reduce the risk associated with unauthorized access. Which of the following MUST be considered to assess the residual risk?

Options:

A.

Data retention requirements

B.

Data destruction requirements

C.

Cloud storage architecture

D.

Key management

Buy Now
Questions 59

Which of the following is the PRIMARY reason to adopt key control indicators (KCIs) in the risk monitoring and reporting process?

Options:

A.

To provide data for establishing the risk profile

B.

To provide assurance of adherence to risk management policies

C.

To provide measurements on the potential for risk to occur

D.

To provide assessments of mitigation effectiveness

Buy Now
Questions 60

The PRIMARY reason for tracking the status of risk mitigation plans is to ensure:

Options:

A.

the proposed controls are implemented as scheduled.

B.

security controls are tested prior to implementation.

C.

compliance with corporate policies.

D.

the risk response strategy has been decided.

Buy Now
Questions 61

Which of the following is the GREATEST risk associated with the misclassification of data?

Options:

A.

inadequate resource allocation

B.

Data disruption

C.

Unauthorized access

D.

Inadequate retention schedules

Buy Now
Questions 62

An IT department originally planned to outsource the hosting of its data center at an overseas location to reduce operational expenses. After a risk assessment, the department has decided to keep the data center in-house. How should the risk treatment response be reflected in the risk register?

Options:

A.

Risk mitigation

B.

Risk avoidance

C.

Risk acceptance

D.

Risk transfer

Buy Now
Questions 63

An organization practices the principle of least privilege. To ensure access remains appropriate, application owners should be required to review user access rights on a regular basis by obtaining:

Options:

A.

business purpose documentation and software license counts

B.

an access control matrix and approval from the user's manager

C.

documentation indicating the intended users of the application

D.

security logs to determine the cause of invalid login attempts

Buy Now
Questions 64

Which of the following can be interpreted from a single data point on a risk heat map?

Options:

A.

Risk tolerance

B.

Risk magnitude

C.

Risk response

D.

Risk appetite

Buy Now
Questions 65

The effectiveness of a control has decreased. What is the MOST likely effect on the associated risk?

Options:

A.

The risk impact changes.

B.

The risk classification changes.

C.

The inherent risk changes.

D.

The residual risk changes.

Buy Now
Questions 66

Which of the following BEST indicates effective information security incident management?

Options:

A.

Monthly trend of information security-related incidents

B.

Average time to identify critical information security incidents

C.

Frequency of information security incident response plan testing

D.

Percentage of high risk security incidents

Buy Now
Questions 67

A risk practitioner observes that the fraud detection controls in an online payment system do not perform as expected. Which of the following will MOST likely change as a result?

Options:

A.

Impact

B.

Residual risk

C.

Inherent risk

D.

Risk appetite

Buy Now
Questions 68

Which of the following is MOST helpful in determining the effectiveness of an organization's IT risk mitigation efforts?

Options:

A.

Assigning identification dates for risk scenarios in the risk register

B.

Updating impact assessments for risk scenario

C.

Verifying whether risk action plans have been completed

D.

Reviewing key risk indicators (KRIS)

Buy Now
Questions 69

Which of the following is MOST influential when management makes risk response decisions?

Options:

A.

Risk appetite

B.

Audit risk

C.

Residual risk

D.

Detection risk

Buy Now
Questions 70

Which stakeholders are PRIMARILY responsible for determining enterprise IT risk appetite?

Options:

A.

Audit and compliance management

B.

The chief information officer (CIO) and the chief financial officer (CFO)

C.

Enterprise risk management and business process owners

D.

Executive management and the board of directors

Buy Now
Questions 71

An organization is making significant changes to an application. At what point should the application risk profile be updated?

Options:

A.

After user acceptance testing (UAT)

B.

Upon release to production

C.

During backlog scheduling

D.

When reviewing functional requirements

Buy Now
Questions 72

IT stakeholders have asked a risk practitioner for IT risk profile reports associated with specific departments to allocate resources for risk mitigation. The BEST way to address this request would be to use:

Options:

A.

the cost associated with each control.

B.

historical risk assessments.

C.

key risk indicators (KRls).

D.

information from the risk register.

Buy Now
Questions 73

Which of the following BEST protects an organization against breaches when using a software as a service (SaaS) application?

Options:

A.

Control self-assessment (CSA)

B.

Security information and event management (SIEM) solutions

C.

Data privacy impact assessment (DPIA)

D.

Data loss prevention (DLP) tools

Buy Now
Questions 74

Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds?

Options:

A.

Occurrences of specific events

B.

A performance measurement

C.

The risk tolerance level

D.

Risk scenarios

Buy Now
Questions 75

Which of the following BEST indicates the effectiveness of anti-malware software?

Options:

A.

Number of staff hours lost due to malware attacks

B.

Number of downtime hours in business critical servers

C.

Number of patches made to anti-malware software

D.

Number of successful attacks by malicious software

Buy Now
Questions 76

Which of the following provides the MOST useful information when developing a risk profile for management approval?

Options:

A.

Residual risk and risk appetite

B.

Strength of detective and preventative controls

C.

Effectiveness and efficiency of controls

D.

Inherent risk and risk tolerance

Buy Now
Questions 77

Who is BEST suited to determine whether a new control properly mitigates data loss risk within a system?

Options:

A.

Data owner

B.

Control owner

C.

Risk owner

D.

System owner

Buy Now
Questions 78

Which of the following is MOST important for an organization to update following a change in legislation requiring notification to individuals impacted by data breaches?

Options:

A.

Insurance coverage

B.

Security awareness training

C.

Policies and standards

D.

Risk appetite and tolerance

Buy Now
Questions 79

Which of the following should be the risk practitioner's FIRST course of action when an organization plans to adopt a cloud computing strategy?

Options:

A.

Request a budget for implementation

B.

Conduct a threat analysis.

C.

Create a cloud computing policy.

D.

Perform a controls assessment.

Buy Now
Questions 80

Which of the following is the PRIMARY reason for an organization to ensure the risk register is updated regularly?

Options:

A.

Risk assessment results are accessible to senior management and stakeholders.

B.

Risk mitigation activities are managed and coordinated.

C.

Key risk indicators (KRIs) are evaluated to validate they are still within the risk threshold.

D.

Risk information is available to enable risk-based decisions.

Buy Now
Questions 81

Who is PRIMARILY accountable for risk treatment decisions?

Options:

A.

Risk owner

B.

Business manager

C.

Data owner

D.

Risk manager

Buy Now
Questions 82

An organization has engaged a third party to provide an Internet gateway encryption service that protects sensitive data uploaded to a cloud service. This is an example of risk:

Options:

A.

mitigation.

B.

avoidance.

C.

transfer.

D.

acceptance.

Buy Now
Questions 83

Risk aggregation in a complex organization will be MOST successful when:

Options:

A.

using the same scales in assessing risk

B.

utilizing industry benchmarks

C.

using reliable qualitative data for risk Hems

D.

including primarily low level risk factors

Buy Now
Questions 84

Before implementing instant messaging within an organization using a public solution, which of the following should be in place to mitigate data leakage risk?

Options:

A.

A data extraction tool

B.

An access control list

C.

An intrusion detection system (IDS)

D.

An acceptable usage policy

Buy Now
Questions 85

Implementing which of the following will BEST help ensure that systems comply with an established baseline before deployment?

Options:

A.

Vulnerability scanning

B.

Continuous monitoring and alerting

C.

Configuration management

D.

Access controls and active logging

Buy Now
Questions 86

What should a risk practitioner do FIRST upon learning a risk treatment owner has implemented a different control than what was specified in the IT risk action plan?

Options:

A.

Seek approval from the control owner.

B.

Update the action plan in the risk register.

C.

Reassess the risk level associated with the new control.

D.

Validate that the control has an established testing method.

Buy Now
Questions 87

Which of the following would provide executive management with the BEST information to make risk decisions as a result of a risk assessment?

Options:

A.

A companion of risk assessment results to the desired state

B.

A quantitative presentation of risk assessment results

C.

An assessment of organizational maturity levels and readiness

D.

A qualitative presentation of risk assessment results

Buy Now
Questions 88

An organization's risk tolerance should be defined and approved by which of the following?

Options:

A.

The chief risk officer (CRO)

B.

The board of directors

C.

The chief executive officer (CEO)

D.

The chief information officer (CIO)

Buy Now
Questions 89

A bank has outsourced its statement printing function to an external service provider. Which of the following is the MOST critical requirement to include in the contract?

Options:

A.

Monitoring of service costs

B.

Provision of internal audit reports

C.

Notification of sub-contracting arrangements

D.

Confidentiality of customer data

Buy Now
Questions 90

An identified high probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy. Which of the following is the BEST risk response?

Options:

A.

Mitigate

B.

Accept

C.

Transfer

D.

Avoid

Buy Now
Questions 91

What is the GREATEST concern with maintaining decentralized risk registers instead of a consolidated risk register?

Options:

A.

Aggregated risk may exceed the enterprise's risk appetite and tolerance.

B.

Duplicate resources may be used to manage risk registers.

C.

Standardization of risk management practices may be difficult to enforce.

D.

Risk analysis may be inconsistent due to non-uniform impact and likelihood scales.

Buy Now
Questions 92

Business areas within an organization have engaged various cloud service providers directly without assistance from the IT department. What should the risk practitioner do?

Options:

A.

Recommend the IT department remove access to the cloud services.

B.

Engage with the business area managers to review controls applied.

C.

Escalate to the risk committee.

D.

Recommend a risk assessment be conducted.

Buy Now
Questions 93

A control owner responsible for the access management process has developed a machine learning model to automatically identify excessive access privileges. What is the risk practitioner's BEST course of action?

Options:

A.

Review the design of the machine learning model against control objectives.

B.

Adopt the machine learning model as a replacement for current manual access reviews.

C.

Ensure the model assists in meeting regulatory requirements for access controls.

D.

Discourage the use of emerging technologies in key processes.

Buy Now
Questions 94

Which of the following statements BEST describes risk appetite?

Options:

A.

The amount of risk an organization is willing to accept

B.

The effective management of risk and internal control environments

C.

Acceptable variation between risk thresholds and business objectives

D.

The acceptable variation relative to the achievement of objectives

Buy Now
Questions 95

As part of an overall IT risk management plan, an IT risk register BEST helps management:

Options:

A.

align IT processes with business objectives.

B.

communicate the enterprise risk management policy.

C.

stay current with existing control status.

D.

understand the organizational risk profile.

Buy Now
Questions 96

Which of the following is MOST important to sustainable development of secure IT services?

Options:

A.

Security training for systems development staff

B.

\Well-documented business cases

C.

Security architecture principles

D.

Secure coding practices

Buy Now
Questions 97

Which of the following is the BEST key performance indicator (KPI) for determining how well an IT policy is aligned to business requirements?

Options:

A.

Total cost to support the policy

B.

Number of exceptions to the policy

C.

Total cost of policy breaches

D.

Number of inquiries regarding the policy

Buy Now
Questions 98

Controls should be defined during the design phase of system development because:

Options:

A.

it is more cost-effective to determine controls in the early design phase.

B.

structured analysis techniques exclude identification of controls.

C.

structured programming techniques require that controls be designed before coding begins.

D.

technical specifications are defined during this phase.

Buy Now
Questions 99

The annualized loss expectancy (ALE) method of risk analysis:

Options:

A.

helps in calculating the expected cost of controls

B.

uses qualitative risk rankings such as low. medium and high.

C.

can be used m a cost-benefit analysts

D.

can be used to determine the indirect business impact.

Buy Now
Questions 100

The risk associated with data loss from a website which contains sensitive customer information is BEST owned by:

Options:

A.

the third-party website manager

B.

the business process owner

C.

IT security

D.

the compliance manager

Buy Now
Questions 101

Which of the following would MOST likely cause a risk practitioner to reassess risk scenarios?

Options:

A.

A change in the risk management policy

B.

A major security incident

C.

A change in the regulatory environment

D.

An increase in intrusion attempts

Buy Now
Questions 102

A risk owner should be the person accountable for:

Options:

A.

the risk management process

B.

managing controls.

C.

implementing actions.

D.

the business process.

Buy Now
Questions 103

Which of the following risk register elements is MOST likely to be updated if the attack surface or exposure of an asset is reduced?

Options:

A.

Likelihood rating

B.

Control effectiveness

C.

Assessment approach

D.

Impact rating

Buy Now
Questions 104

Which of the following is the MAIN reason for documenting the performance of controls?

Options:

A.

Obtaining management sign-off

B.

Demonstrating effective risk mitigation

C.

Justifying return on investment

D.

Providing accurate risk reporting

Buy Now
Questions 105

Which of the following helps ensure compliance with a nonrepudiation policy requirement for electronic transactions?

Options:

A.

Digital signatures

B.

Encrypted passwords

C.

One-time passwords

D.

Digital certificates

Buy Now
Questions 106

Which of the following is the PRIMARY role of the board of directors in corporate risk governance?

Options:

A.

Approving operational strategies and objectives

B.

Monitoring the results of actions taken to mitigate risk

C.

Ensuring the effectiveness of the risk management program

D.

Ensuring risk scenarios are identified and recorded in the risk register

Buy Now
Questions 107

Which of the following is the BEST measure of the effectiveness of an employee deprovisioning process?

Options:

A.

Number of days taken to remove access after staff separation dates

B.

Number of days taken for IT to remove access after receipt of HR instructions

C.

Number of termination requests processed per reporting period

D.

Number of days taken for HR to provide instructions to IT after staff separation dates

Buy Now
Questions 108

Which of the following would be- MOST helpful to understand the impact of a new technology system on an organization's current risk profile?

Options:

A.

Hire consultants specializing m the new technology.

B.

Review existing risk mitigation controls.

C.

Conduct a gap analysis.

D.

Perform a risk assessment.

Buy Now
Questions 109

Which of the following would BEST help to ensure that identified risk is efficiently managed?

Options:

A.

Reviewing the maturity of the control environment

B.

Regularly monitoring the project plan

C.

Maintaining a key risk indicator for each asset in the risk register

D.

Periodically reviewing controls per the risk treatment plan

Buy Now
Questions 110

Which of the following would BEST ensure that identified risk scenarios are addressed?

Options:

A.

Reviewing the implementation of the risk response

B.

Creating a separate risk register for key business units

C.

Performing real-time monitoring of threats

D.

Performing regular risk control self-assessments

Buy Now
Questions 111

Which of the following is the PRIMARY factor in determining a recovery time objective (RTO)?

Options:

A.

Cost of offsite backup premises

B.

Cost of downtime due to a disaster

C.

Cost of testing the business continuity plan

D.

Response time of the emergency action plan

Buy Now
Questions 112

Which of the following would be MOST helpful when estimating the likelihood of negative events?

Options:

A.

Business impact analysis

B.

Threat analysis

C.

Risk response analysis

D.

Cost-benefit analysis

Buy Now
Questions 113

When implementing an IT risk management program, which of the following is the BEST time to evaluate current control effectiveness?

Options:

A.

Before defining a framework

B.

During the risk assessment

C.

When evaluating risk response

D.

When updating the risk register

Buy Now
Questions 114

Which of the following is the PRIMARY reason to perform ongoing risk assessments?

Options:

A.

Emerging risk must be continuously reported to management.

B.

New system vulnerabilities emerge at frequent intervals.

C.

The risk environment is subject to change.

D.

The information security budget must be justified.

Buy Now
Questions 115

Which of the following is the MOST important benefit of key risk indicators (KRIs)'

Options:

A.

Assisting in continually optimizing risk governance

B.

Enabling the documentation and analysis of trends

C.

Ensuring compliance with regulatory requirements

D.

Providing an early warning to take proactive actions

Buy Now
Questions 116

Which of the following would be considered a vulnerability?

Options:

A.

Delayed removal of employee access

B.

Authorized administrative access to HR files

C.

Corruption of files due to malware

D.

Server downtime due to a denial of service (DoS) attack

Buy Now
Questions 117

An organization is planning to engage a cloud-based service provider for some of its data-intensive business processes. Which of the following is MOST important to help define the IT risk associated with this outsourcing activity?

Options:

A.

Service level agreement

B.

Customer service reviews

C.

Scope of services provided

D.

Right to audit the provider

Buy Now
Questions 118

Which of the following should be the HIGHEST priority when developing a risk response?

Options:

A.

The risk response addresses the risk with a holistic view.

B.

The risk response is based on a cost-benefit analysis.

C.

The risk response is accounted for in the budget.

D.

The risk response aligns with the organization's risk appetite.

Buy Now
Questions 119

An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?

Options:

A.

Invoke the disaster recovery plan during an incident.

B.

Prepare a cost-benefit analysis of alternatives available

C.

Implement redundant infrastructure for the application.

D.

Reduce the recovery time by strengthening the response team.

Buy Now
Questions 120

Improvements in the design and implementation of a control will MOST likely result in an update to:

Options:

A.

inherent risk.

B.

residual risk.

C.

risk appetite

D.

risk tolerance

Buy Now
Questions 121

Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?

Options:

A.

Maintain and review the classified data inventor.

B.

Implement mandatory encryption on data

C.

Conduct an awareness program for data owners and users.

D.

Define and implement a data classification policy

Buy Now
Questions 122

Which of the following is the BEST indication of an effective risk management program?

Options:

A.

Risk action plans are approved by senior management.

B.

Residual risk is within the organizational risk appetite

C.

Mitigating controls are designed and implemented.

D.

Risk is recorded and tracked in the risk register

Buy Now
Questions 123

During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT. Which of the following is the BEST way for the risk practitioner to address these concerns?

Options:

A.

Describe IT risk scenarios in terms of business risk.

B.

Recommend the formation of an executive risk council to oversee IT risk.

C.

Provide an estimate of IT system downtime if IT risk materializes.

D.

Educate business executives on IT risk concepts.

Buy Now
Questions 124

Which of the following is MOST important when developing key performance indicators (KPIs)?

Options:

A.

Alignment to risk responses

B.

Alignment to management reports

C.

Alerts when risk thresholds are reached

D.

Identification of trends

Buy Now
Questions 125

It is MOST appropriate for changes to be promoted to production after they are:

Options:

A.

communicated to business management

B.

tested by business owners.

C.

approved by the business owner.

D.

initiated by business users.

Buy Now
Questions 126

A risk practitioner has observed that there is an increasing trend of users sending sensitive information by email without using encryption. Which of the following would be the MOST effective approach to mitigate the risk associated with data loss?

Options:

A.

Implement a tool to create and distribute violation reports

B.

Raise awareness of encryption requirements for sensitive data.

C.

Block unencrypted outgoing emails which contain sensitive data.

D.

Implement a progressive disciplinary process for email violations.

Buy Now
Questions 127

Which of the following is the MOST important element of a successful risk awareness training program?

Options:

A.

Customizing content for the audience

B.

Providing incentives to participants

C.

Mapping to a recognized standard

D.

Providing metrics for measurement

Buy Now
Questions 128

When determining which control deficiencies are most significant, which of the following would provide the MOST useful information?

Options:

A.

Risk analysis results

B.

Exception handling policy

C.

Vulnerability assessment results

D.

Benchmarking assessments

Buy Now
Questions 129

A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable?

Options:

A.

Business continuity manager (BCM)

B.

Human resources manager (HRM)

C.

Chief risk officer (CRO)

D.

Chief information officer (CIO)

Buy Now
Questions 130

The risk associated with an asset before controls are applied can be expressed as:

Options:

A.

a function of the likelihood and impact

B.

the magnitude of an impact

C.

a function of the cost and effectiveness of control.

D.

the likelihood of a given threat

Buy Now
Questions 131

The BEST way to justify the risk mitigation actions recommended in a risk assessment would be to:

Options:

A.

align with audit results.

B.

benchmark with competitor s actions.

C.

reference best practice.

D.

focus on the business drivers

Buy Now
Questions 132

Which of the following would BEST help an enterprise prioritize risk scenarios?

Options:

A.

Industry best practices

B.

Placement on the risk map

C.

Degree of variances in the risk

D.

Cost of risk mitigation

Buy Now
Questions 133

Management has noticed storage costs have increased exponentially over the last 10 years because most users do not delete their emails. Which of the following can BEST alleviate this issue while not sacrificing security?

Options:

A.

Implementing record retention tools and techniques

B.

Establishing e-discovery and data loss prevention (DLP)

C.

Sending notifications when near storage quota

D.

Implementing a bring your own device 1BVOD) policy

Buy Now
Questions 134

Which of the following is the BEST way to identify changes to the risk landscape?

Options:

A.

Internal audit reports

B.

Access reviews

C.

Threat modeling

D.

Root cause analysis

Buy Now
Questions 135

A global organization is considering the acquisition of a competitor. Senior management has requested a review of the overall risk profile from the targeted organization. Which of the following components of this review would provide the MOST useful information?

Options:

A.

Risk appetite statement

B.

Enterprise risk management framework

C.

Risk management policies

D.

Risk register

Buy Now
Questions 136

The number of tickets to rework application code has significantly exceeded the established threshold. Which of the following would be the risk practitioner s BEST recommendation?

Options:

A.

Perform a root cause analysis

B.

Perform a code review

C.

Implement version control software.

D.

Implement training on coding best practices

Buy Now
Questions 137

Who is the MOST appropriate owner for newly identified IT risk?

Options:

A.

The manager responsible for IT operations that will support the risk mitigation efforts

B.

The individual with authority to commit organizational resources to mitigate the risk

C.

A project manager capable of prioritizing the risk remediation efforts

D.

The individual with the most IT risk-related subject matter knowledge

Buy Now
Questions 138

A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?

Options:

A.

The team that performed the risk assessment

B.

An assigned risk manager to provide oversight

C.

Action plans to address risk scenarios requiring treatment

D.

The methodology used to perform the risk assessment

Buy Now
Questions 139

The acceptance of control costs that exceed risk exposure MOST likely demonstrates:

Options:

A.

corporate culture alignment

B.

low risk tolerance

C.

high risk tolerance

D.

corporate culture misalignment.

Buy Now
Questions 140

In addition to the risk register, what should a risk practitioner review to develop an understanding of the organization's risk profile?

Options:

A.

The control catalog

B.

The asset profile

C.

Business objectives

D.

Key risk indicators (KRls)

Buy Now
Questions 141

Which of the following should be the PRIMARY consideration when assessing the automation of control monitoring?

Options:

A.

impact due to failure of control

B.

Frequency of failure of control

C.

Contingency plan for residual risk

D.

Cost-benefit analysis of automation

Buy Now
Questions 142

Which of the following is the MOST important consideration when sharing risk management updates with executive management?

Options:

A.

Using an aggregated view of organizational risk

B.

Ensuring relevance to organizational goals

C.

Relying on key risk indicator (KRI) data Including

D.

Trend analysis of risk metrics

Buy Now
Questions 143

An effective control environment is BEST indicated by controls that:

Options:

A.

minimize senior management's risk tolerance.

B.

manage risk within the organization's risk appetite.

C.

reduce the thresholds of key risk indicators (KRIs).

D.

are cost-effective to implement

Buy Now
Questions 144

An audit reveals that several terminated employee accounts maintain access. Which of the following should be the FIRST step to address the risk?

Options:

A.

Perform a risk assessment

B.

Disable user access.

C.

Develop an access control policy.

D.

Perform root cause analysis.

Buy Now
Questions 145

Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?

Options:

A.

Risk tolerance is decreased.

B.

Residual risk is increased.

C.

Inherent risk is increased.

D.

Risk appetite is decreased

Buy Now
Questions 146

Which of the following is the BEST method for assessing control effectiveness?

Options:

A.

Ad hoc control reporting

B.

Control self-assessment

C.

Continuous monitoring

D.

Predictive analytics

Buy Now
Questions 147

An organization has identified a risk exposure due to weak technical controls in a newly implemented HR system. The risk practitioner is documenting the risk in the risk register. The risk should be owned by the:

Options:

A.

chief risk officer.

B.

project manager.

C.

chief information officer.

D.

business process owner.

Buy Now
Questions 148

A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:

Options:

A.

identification.

B.

treatment.

C.

communication.

D.

assessment

Buy Now
Questions 149

Which of the following is the BEST metric to demonstrate the effectiveness of an organization's change management process?

Options:

A.

Increase in the frequency of changes

B.

Percent of unauthorized changes

C.

Increase in the number of emergency changes

D.

Average time to complete changes

Buy Now
Questions 150

The PRIMARY objective for selecting risk response options is to:

Options:

A.

reduce risk 10 an acceptable level.

B.

identify compensating controls.

C.

minimize residual risk.

D.

reduce risk factors.

Buy Now
Questions 151

Which of the following is the BEST approach to use when creating a comprehensive set of IT risk scenarios?

Options:

A.

Derive scenarios from IT risk policies and standards.

B.

Map scenarios to a recognized risk management framework.

C.

Gather scenarios from senior management.

D.

Benchmark scenarios against industry peers.

Buy Now
Questions 152

Which of the following is the MOST effective way to help ensure accountability for managing risk?

Options:

A.

Assign process owners to key risk areas.

B.

Obtain independent risk assessments.

C.

Assign incident response action plan responsibilities.

D.

Create accurate process narratives.

Buy Now
Questions 153

Which of the following is the PRIMARY purpose of creating and documenting control procedures?

Options:

A.

To facilitate ongoing audit and control testing

B.

To help manage risk to acceptable tolerance levels

C.

To establish and maintain a control inventory

D.

To increase the likelihood of effective control operation

Buy Now
Questions 154

Which of the following is the PRIMARY reason for a risk practitioner to review an organization's IT asset inventory?

Options:

A.

To plan for the replacement of assets at the end of their life cycles

B.

To assess requirements for reducing duplicate assets

C.

To understand vulnerabilities associated with the use of the assets

D.

To calculate mean time between failures (MTBF) for the assets

Buy Now
Questions 155

When developing risk scenario using a list of generic scenarios based on industry best practices, it is MOST imported to:

Options:

A.

Assess generic risk scenarios with business users.

B.

Validate the generic risk scenarios for relevance.

C.

Select the maximum possible risk scenarios from the list.

D.

Identify common threats causing generic risk scenarios

Buy Now
Questions 156

Which of the following is MOST helpful in identifying loss magnitude during risk analysis of a new system?

Options:

A.

Recovery time objective (RTO)

B.

Cost-benefit analysis

C.

Business impact analysis (BIA)

D.

Cyber insurance coverage

Buy Now
Questions 157

When classifying and prioritizing risk responses, the areas to address FIRST are those with:

Options:

A.

low cost effectiveness ratios and high risk levels

B.

high cost effectiveness ratios and low risk levels.

C.

high cost effectiveness ratios and high risk levels

D.

low cost effectiveness ratios and low risk levels.

Buy Now
Questions 158

Which of the following BEST balances the costs and benefits of managing IT risk*?

Options:

A.

Prioritizing and addressing risk in line with risk appetite

. Eliminating risk through preventive and detective controls

B.

Considering risk that can be shared with a third party

C.

Evaluating the probability and impact of risk scenarios

Buy Now
Questions 159

Which of the following would provide the MOST reliable evidence of the effectiveness of security controls implemented for a web application?

Options:

A.

Penetration testing

B.

IT general controls audit

C.

Vulnerability assessment

D.

Fault tree analysis

Buy Now
Questions 160

A risk practitioner is reviewing accountability assignments for data risk in the risk register. Which of the following would pose the GREATEST concern?

Options:

A.

The risk owner is not the control owner for associated data controls.

B.

The risk owner is in a business unit and does not report through the IT department.

C.

The risk owner is listed as the department responsible for decision making.

D.

The risk owner is a staff member rather than a department manager.

Buy Now
Questions 161

A penetration test reveals several vulnerabilities in a web-facing application. Which of the following should be the FIRST step in selecting a risk response?

Options:

A.

Correct the vulnerabilities to mitigate potential risk exposure.

B.

Develop a risk response action plan with key stakeholders.

C.

Assess the level of risk associated with the vulnerabilities.

D.

Communicate the vulnerabilities to the risk owner.

Buy Now
Questions 162

Which of the following BEST enables a risk practitioner to understand management's approach to organizational risk?

Options:

A.

Organizational structure and job descriptions

B.

Risk appetite and risk tolerance

C.

Industry best practices for risk management

D.

Prior year's risk assessment results

Buy Now
Questions 163

A segregation of duties control was found to be ineffective because it did not account for all applicable functions when evaluating access. Who is responsible for ensuring the control is designed to effectively address risk?

Options:

A.

Risk manager

B.

Control owner

C.

Control tester

D.

Risk owner

Buy Now
Questions 164

A MAJOR advantage of using key risk indicators (KRis) is that (hey

Options:

A.

identify when risk exceeds defined thresholds

B.

assess risk scenarios that exceed defined thresholds

C.

identify scenarios that exceed defined risk appetite

D.

help with internal control assessments concerning risk appellate

Buy Now
Questions 165

Which of the following is the PRIMARY objective of establishing an organization's risk tolerance and appetite?

Options:

A.

To align with board reporting requirements

B.

To assist management in decision making

C.

To create organization-wide risk awareness

D.

To minimize risk mitigation efforts

Buy Now
Questions 166

Which of the blowing is MOST important when implementing an organization s security policy?

Options:

A.

Obtaining management support

B.

Benchmarking against industry standards

C.

Assessing compliance requirements

D.

Identifying threats and vulnerabilities

Buy Now
Questions 167

Which of the following is the BEST recommendation to address recent IT risk trends that indicate social engineering attempts are increasing in the organization?

Options:

A.

Conduct a simulated phishing attack.

B.

Update spam filters

C.

Revise the acceptable use policy

D.

Strengthen disciplinary procedures

Buy Now
Questions 168

A risk practitioner recently discovered that personal information from the production environment is required for testing purposes in non-production environments. Which of the following is the BEST recommendation to address this situation?

Options:

A.

Enable data encryption in the test environment.

B.

Prevent the use of production data in the test environment

C.

De-identify data before being transferred to the test environment.

D.

Enforce multi-factor authentication within the test environment.

Buy Now
Questions 169

Which of the following is MOST important when determining risk appetite?

Options:

A.

Assessing regulatory requirements

B.

Benchmarking against industry standards

C.

Gaining management consensus

D.

Identifying risk tolerance

Buy Now
Questions 170

Which of the following is a risk practitioner's BEST course of action after identifying risk scenarios related to noncompliance with new industry regulations?

Options:

A.

Escalate to senior management.

B.

Transfer the risk.

C.

Implement monitoring controls.

D.

Recalculate the risk.

Buy Now
Questions 171

Which of the following is the MOST important reason to validate that risk responses have been executed as outlined in the risk response plan''

Options:

A.

To ensure completion of the risk assessment cycle

B.

To ensure controls arc operating effectively

C.

To ensure residual risk Is at an acceptable level

D.

To ensure control costs do not exceed benefits

Buy Now
Questions 172

Which of the following practices would be MOST effective in protecting personality identifiable information (Ptl) from unauthorized access m a cloud environment?

Options:

A.

Apply data classification policy

B.

Utilize encryption with logical access controls

C.

Require logical separation of company data

D.

Obtain the right to audit

Buy Now
Questions 173

Which of the following is the MOST important concern when assigning multiple risk owners for an identified risk?

Options:

A.

Accountability may not be clearly defined.

B.

Risk ratings may be inconsistently applied.

C.

Different risk taxonomies may be used.

D.

Mitigation efforts may be duplicated.

Buy Now
Questions 174

Which component of a software inventory BEST enables the identification and mitigation of known vulnerabilities?

Options:

A.

Software version

B.

Assigned software manager

C.

Software support contract expiration

D.

Software licensing information

Buy Now
Questions 175

After the implementation of internal of Things (IoT) devices, new risk scenarios were identified. What is the PRIMARY reason to report this information to risk owners?

Options:

A.

To reevaluate continued use to IoT devices

B.

The add new controls to mitigate the risk

C.

The recommend changes to the IoT policy

D.

To confirm the impact to the risk profile

Buy Now
Questions 176

Which stakeholder is MOST important to include when defining a risk profile during me selection process for a new third party application'?

Options:

A.

The third-party risk manager

B.

The application vendor

C.

The business process owner

D.

The information security manager

Buy Now
Questions 177

Which of the following is the BEST course of action when an organization wants to reduce likelihood in order to reduce a risk level?

Options:

A.

Monitor risk controls.

B.

Implement preventive measures.

C.

Implement detective controls.

D.

Transfer the risk.

Buy Now
Questions 178

A multinational organization is considering implementing standard background checks to' all new employees A KEY concern regarding this approach

Options:

A.

fail to identity all relevant issues.

B.

be too costly

C.

violate laws in other countries

D.

be too line consuming

Buy Now
Questions 179

A control process has been implemented in response to a new regulatory requirement, but has significantly reduced productivity. Which of the following is the BEST way to resolve this concern?

Options:

A.

Absorb the loss in productivity.

B.

Request a waiver to the requirements.

C.

Escalate the issue to senior management

D.

Remove the control to accommodate business objectives.

Buy Now
Exam Code: CRISC
Exam Name: Certified in Risk and Information Systems Control
Last Update: Mar 28, 2024
Questions: 1197

PDF + Testing Engine

$66.4  $165.99

Testing Engine

$46  $114.99
buy now CRISC testing engine

PDF (Q&A)

$42  $104.99
buy now CRISC pdf