Summer Special Sale Limited Time 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 713PS592

CRISC Certified in Risk and Information Systems Control Questions and Answers

Questions 4

A risk practitioner has identified that the agreed recovery time objective (RTO) with a Software as a Service (SaaS) provider is longer than the business expectation. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Collaborate with the risk owner to determine the risk response plan.

B.

Document the gap in the risk register and report to senior management.

C.

Include a right to audit clause in the service provider contract.

D.

Advise the risk owner to accept the risk.

Buy Now
Questions 5

Which of the following activities should be performed FIRST when establishing IT risk management processes?

Options:

A.

Collect data of past incidents and lessons learned.

B.

Conduct a high-level risk assessment based on the nature of business.

C.

Identify the risk appetite of the organization.

D.

Assess the goals and culture of the organization.

Buy Now
Questions 6

Which of the following BEST enables an organization to determine whether external emerging risk factors will impact the organization's risk profile?

Options:

A.

Control identification and mitigation

B.

Adoption of a compliance-based approach

C.

Prevention and detection techniques

D.

Scenario analysis and stress testing

Buy Now
Questions 7

Which of me following is MOST helpful to mitigate the risk associated with an application under development not meeting business objectives?

Options:

A.

Identifying tweets that may compromise enterprise architecture (EA)

B.

Including diverse Business scenarios in user acceptance testing (UAT)

C.

Performing risk assessments during the business case development stage

D.

Including key stakeholders in review of user requirements

Buy Now
Questions 8

After conducting a risk assessment for regulatory compliance, an organization has identified only one possible mitigating control. The cost of the control has been determined to be higher than the penalty of noncompliance. Which of the following would be the risk practitioner's BEST recommendation?

Options:

A.

Accept the risk with management sign-off.

B.

Ignore the risk until the regulatory body conducts a compliance check.

C.

Mitigate the risk with the identified control.

D.

Transfer the risk by buying insurance.

Buy Now
Questions 9

Which of the following is MOST important when defining controls?

Options:

A.

Identifying monitoring mechanisms

B.

Including them in the risk register

C.

Aligning them with business objectives

D.

Prototyping compensating controls

Buy Now
Questions 10

The operational risk associated with attacks on a web application should be owned by the individual in charge of:

Options:

A.

network operations.

B.

the cybersecurity function.

C.

application development.

D.

the business function.

Buy Now
Questions 11

How does an organization benefit by purchasing cyber theft insurance?

Options:

A.

It decreases the amount of organizational loss if risk events occur.

B.

It justifies the acceptance of risk associated with cyber theft events.

C.

It transfers risk ownership along with associated liabilities to a third party.

D.

It decreases the likelihood of risk events occurring.

Buy Now
Questions 12

Which of the following is the BEST reason to use qualitative measures to express residual risk levels related to emerging threats?

Options:

A.

Qualitative measures require less ongoing monitoring.

B.

Qualitative measures are better aligned to regulatory requirements.

C.

Qualitative measures are better able to incorporate expert judgment.

D.

Qualitative measures are easier to update.

Buy Now
Questions 13

Which of the following is MOST important to determine when assessing the potential risk exposure of a loss event involving personal data?

Options:

A.

The cost associated with incident response activitiesThe composition and number of records in the information asset

B.

The maximum levels of applicable regulatory fines

C.

The length of time between identification and containment of the incident

Buy Now
Questions 14

Which of the following is MOST important to consider when determining the value of an asset during the risk identification process?

Options:

A.

The criticality of the asset

B.

The monetary value of the asset

C.

The vulnerability profile of the asset

D.

The size of the asset's user base

Buy Now
Questions 15

Which of the following issues found during the review of a newly created disaster recovery plan (DRP) should be of MOST concern?

Options:

A.

Some critical business applications are not included in the plan

B.

Several recovery activities will be outsourced

C.

The plan is not based on an internationally recognized framework

D.

The chief information security officer (CISO) has not approved the plan

Buy Now
Questions 16

Which of the following is the BEST risk management approach for the strategic IT planning process?

Options:

A.

Key performance indicators (KPIs) are established to track IT strategic initiatives.

B.

The IT strategic plan is reviewed by the chief information security officer (CISO) and enterprise risk management (ERM).

C.

The IT strategic plan is developed from the organization-wide risk management plan.

D.

Risk scenarios associated with IT strategic initiatives are identified and assessed.

Buy Now
Questions 17

The MAJOR reason to classify information assets is

Options:

A.

maintain a current inventory and catalog of information assets

B.

determine their sensitivity and critical

C.

establish recovery time objectives (RTOs)

D.

categorize data into groups

Buy Now
Questions 18

Which of the following presents the GREATEST risk to change control in business application development over the complete life cycle?

Options:

A.

Emphasis on multiple application testing cycles

B.

Lack of an integrated development environment (IDE) tool

C.

Introduction of requirements that have not been approved

D.

Bypassing quality requirements before go-live

Buy Now
Questions 19

Which of the following would provide the MOST comprehensive information for communicating current levels of IT-related risk to executive management?

Options:

A.

Risk register

B.

Risk appetite

C.

Risk dashboard

D.

Risk action plans

Buy Now
Questions 20

When testing the security of an IT system, il is MOST important to ensure that;

Options:

A.

tests are conducted after business hours.

B.

operators are unaware of the test.

C.

external experts execute the test.

D.

agreement is obtained from stakeholders.

Buy Now
Questions 21

Which of the following practices BEST mitigates risk related to enterprise-wide ethical decision making in a multi-national organization?

Options:

A.

Customized regional training on local laws and regulations

B.

Policies requiring central reporting of potential procedure exceptions

C.

Ongoing awareness training to support a common risk culture

D.

Zero-tolerance policies for risk taking by middle-level managers

Buy Now
Questions 22

A key risk indicator (KRI) threshold has reached the alert level, indicating data leakage incidents are highly probable. What should be the risk practitioner's FIRST course of action?

Options:

A.

Update the KRI threshold.

B.

Recommend additional controls.

C.

Review incident handling procedures.

D.

Perform a root cause analysis.

Buy Now
Questions 23

An organization has initiated a project to launch an IT-based service to customers and take advantage of being the first to market. Which of the following should be of GREATEST concern to senior management?

Options:

A.

More time has been allotted for testing.

B.

The project is likely to deliver the product late.

C.

A new project manager is handling the project.

D.

The cost of the project will exceed the allotted budget.

Buy Now
Questions 24

Which of the following BEST prevents unauthorized access to customer personal data transmitted to third-party service providers?

Options:

A.

Reviewing and testing service providers' business continuity plans (BCPs)

B.

Ensuring service providers comply with laws and regulations

C.

Implementing and reviewing data sharing controls

D.

Requiring service providers to report privacy breaches

Buy Now
Questions 25

Which of the following risk impacts should be the PRIMARY consideration for determining recovery priorities in a disaster recovery situation?

Options:

A.

Data security

B.

Recovery costs

C.

Business disruption

D.

Recovery resource availability

Buy Now
Questions 26

Which of the following is necessary to enable an IT risk register to be consolidated with the rest of the organization’s risk register?

Options:

A.

Risk taxonomy

B.

Risk response

C.

Risk appetite

D.

Risk ranking

Buy Now
Questions 27

A risk practitioner has established that a particular control is working as desired, but the annual cost of maintenance has increased and now exceeds the expected annual loss exposure. The result is that the control is:

Options:

A.

mature

B.

ineffective.

C.

optimized.

D.

inefficient.

Buy Now
Questions 28

Within the risk management space, which of the following activities could be

delegated to a cloud service provider?

Options:

A.

Risk oversight

B.

Control implementation

C.

Incident response

D.

User access reviews

Buy Now
Questions 29

Which of the following BEST indicates the effectiveness of anti-malware software?

Options:

A.

Number of staff hours lost due to malware attacks

B.

Number of downtime hours in business critical servers

C.

Number of patches made to anti-malware software

D.

Number of successful attacks by malicious software

Buy Now
Questions 30

In an organization that allows employee use of social media accounts for work purposes, which of the following is the BEST way to protect company sensitive information from being exposed?

Options:

A.

Educating employees on what needs to be kept confidential

B.

Implementing a data loss prevention (DLP) solution

C.

Taking punitive action against employees who expose confidential data

D.

Requiring employees to sign nondisclosure agreements

Buy Now
Questions 31

Which of the following is the BEST way to ensure data is properly sanitized while in cloud storage?

Options:

A.

Deleting the data from the file system

B.

Cryptographically scrambling the data

C.

Formatting the cloud storage at the block level

D.

Degaussing the cloud storage media

Buy Now
Questions 32

The BEST way to obtain senior management support for investment in a control implementation would be to articulate the reduction in:

Options:

A.

detected incidents.

B.

residual risk.

C.

vulnerabilities.

D.

inherent risk.

Buy Now
Questions 33

Which of the following is MOST useful when performing a quantitative risk assessment?

Options:

A.

RACI matrix

B.

Financial models

C.

Management support

D.

Industry benchmarking

Buy Now
Questions 34

Which of the following is the MOST effective way 10 identify an application backdoor prior to implementation'?

Options:

A.

User acceptance testing (UAT)

B.

Database activity monitoring

C.

Source code review

D.

Vulnerability analysis

Buy Now
Questions 35

A failed IT system upgrade project has resulted in the corruption of an organization's asset inventory database. Which of the following controls BEST mitigates the impact of this incident?

Options:

A.

Encryption

B.

Authentication

C.

Configuration

D.

Backups

Buy Now
Questions 36

An organization has implemented a cloud-based backup solution to help prevent loss of transactional data from offices in an earthquake zone. This strategy demonstrates risk:

Options:

A.

Avoidance

B.

Mitigation

C.

Transfer

D.

Acceptance

Buy Now
Questions 37

Which of the following BEST indicates that an organizations risk management program is effective?

Options:

A.

Fewer security incidents have been reported.

B.

The number of audit findings has decreased.

C.

Residual risk is reduced.

D.

inherent risk Is unchanged.

Buy Now
Questions 38

Which of the following roles is PRIMARILY accountable for risk associated with business information protection?

Options:

A.

Control owner

B.

Data owner

C.

System owner

D.

Application owner

Buy Now
Questions 39

Which of the following MUST be assessed before considering risk treatment options for a scenario with significant impact?

Options:

A.

Risk magnitude

B.

Incident probability

C.

Risk appetite

D.

Cost-benefit analysis

Buy Now
Questions 40

Which of the following is MOST important for an organization to update following a change in legislation requiring notification to individuals impacted by data breaches?

Options:

A.

Insurance coverage

B.

Security awareness training

C.

Policies and standards

D.

Risk appetite and tolerance

Buy Now
Questions 41

A risk practitioner is preparing a report to communicate changes in the risk and control environment. The BEST way to engage stakeholder attention is to:

Options:

A.

include detailed deviations from industry benchmarks,

B.

include a summary linking information to stakeholder needs,

C.

include a roadmap to achieve operational excellence,

D.

publish the report on-demand for stakeholders.

Buy Now
Questions 42

An organization has an approved bring your own device (BYOD) policy. Which of the following would BEST mitigate the security risk associated with the inappropriate use of enterprise applications on the devices?

Options:

A.

Periodically review application on BYOD devices

B.

Include BYOD in organizational awareness programs

C.

Implement BYOD mobile device management (MDM) controls.

D.

Enable a remote wee capability for BYOD devices

Buy Now
Questions 43

An organization is analyzing the risk of shadow IT usage. Which of the following is the MOST important input into the assessment?

Options:

A.

Business benefits of shadow IT

B.

Application-related expresses

C.

Classification of the data

D.

Volume of data

Buy Now
Questions 44

Which of the following is the PRIMARY benefit of implementing key control indicators (KCIs)?

Options:

A.

Confirming the adequacy of recovery plans.

B.

Improving compliance with control standards.

C.

Providing early detection of control degradation.

D.

Reducing the number of incidents.

Buy Now
Questions 45

The PRIMARY reason for a risk practitioner to review business processes is to:

Options:

A.

Benchmark against peer organizations.

B.

Identify appropriate controls within business processes.

C.

Assess compliance with global standards.

D.

Identify risk owners related to business processes.

Buy Now
Questions 46

What would be the MAIN concern associated with a decentralized IT function maintaining multiple risk registers?

Options:

A.

Risk treatment efforts within the IT function may overlap one another.

B.

Duplicate IT risk scenarios may be documented across the organization.

C.

Aggregate risk within the IT function may exceed the organization's appetite.

D.

Related IT risk scenarios in the IT function may be updated at different times.

Buy Now
Questions 47

Which of the following should be the GREATEST concern to a risk practitioner when process documentation is incomplete?

Options:

A.

Inability to allocate resources efficiently

B.

Inability to identify the risk owner

C.

Inability to complete the risk register

D.

Inability to identify process experts

Buy Now
Questions 48

A risk practitioner learns of an urgent threat intelligence alert to patch a critical vulnerability identified in the organization's operating system. Which of the following should the risk practitioner do FIRST?

Options:

A.

Patch the operating system immediately

B.

Determine whether any active attacks are exploiting the vulnerability

C.

Invoke the organization's incident response plan

D.

Evaluate the threat in the context of the organization's IT environment

Buy Now
Questions 49

Which of the following is the GREATEST benefit of identifying appropriate risk owners?

Options:

A.

Accountability is established for risk treatment decisions

B.

Stakeholders are consulted about risk treatment options

C.

Risk owners are informed of risk treatment options

D.

Responsibility is established for risk treatment decisions.

Buy Now
Questions 50

In response to the threat of ransomware, an organization has implemented cybersecurity awareness activities. The risk practitioner's BEST recommendation to further reduce the impact of ransomware attacks would be to implement:

Options:

A.

two-factor authentication.

B.

continuous data backup controls.

C.

encryption for data at rest.

D.

encryption for data in motion.

Buy Now
Questions 51

A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:

Options:

A.

updating the risk register

B.

documenting the risk scenarios.

C.

validating the risk scenarios

D.

identifying risk mitigation controls.

Buy Now
Questions 52

Senior leadership has set guidelines for the integration of a new acquisition. The guidelines allow for a variation in the level of risk-taking. The variation indicates which of the following risk management concepts?

Options:

A.

Risk tolerance

B.

Risk appetite

C.

Risk sensitivity

D.

Risk velocity

Buy Now
Questions 53

Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation?

Options:

A.

Completeness of system documentation

B.

Results of end user acceptance testing

C.

Variances between planned and actual cost

D.

availability of in-house resources

Buy Now
Questions 54

The BEST metric to demonstrate that servers are configured securely is the total number of servers:

Options:

A.

exceeding availability thresholds

B.

experiencing hardware failures

C.

exceeding current patching standards.

D.

meeting the baseline for hardening.

Buy Now
Questions 55

Which of the following would be MOST helpful when communicating roles associated with the IT risk management process?

Options:

A.

Skills matrix

B.

Job descriptions

C.

RACI chart

D.

Organizational chart

Buy Now
Questions 56

An organization has opened a subsidiary in a foreign country. Which of the following would be the BEST way to measure the effectiveness of the subsidiary's IT systems controls?

Options:

A.

Implement IT systems in alignment with business objectives.

B.

Review metrics and key performance indicators (KPIs).

C.

Review design documentation of IT systems.

D.

Evaluate compliance with legal and regulatory requirements.

Buy Now
Questions 57

Which of the following BEST protects an organization against breaches when using a software as a service (SaaS) application?

Options:

A.

Control self-assessment (CSA)

B.

Security information and event management (SIEM) solutions

C.

Data privacy impact assessment (DPIA)

D.

Data loss prevention (DLP) tools

Buy Now
Questions 58

Which of the following is the BEST way to validate whether controls to reduce user device vulnerabilities have been implemented according to management's action plan?

Options:

A.

Survey device owners.

B.

Rescan the user environment.

C.

Require annual end user policy acceptance.

D.

Review awareness training assessment results

Buy Now
Questions 59

An organization plans to implement a new Software as a Service (SaaS) speech-to-text solution Which of the following is MOST important to mitigate risk associated with data privacy?

Options:

A.

Secure encryption protocols are utilized.

B.

Multi-factor authentication is set up for users.

C.

The solution architecture is approved by IT.

D.

A risk transfer clause is included in the contact

Buy Now
Questions 60

Which of the following should be the PRIMARY area of focus when reporting changes to an organization's risk profile to executive management?

Options:

A.

Risk management resources

B.

Risk tolerance

C.

Cyberattack threats

D.

Risk trends

Buy Now
Questions 61

Which of the following helps ensure compliance with a nonrepudiation policy requirement for electronic transactions?

Options:

A.

Digital signatures

B.

Encrypted passwords

C.

One-time passwords

D.

Digital certificates

Buy Now
Questions 62

Which of the following is the MOST important reason to communicate risk assessments to senior management?

Options:

A.

To ensure actions can be taken to align assessment results to risk appetite

B.

To ensure key risk indicator (KRI) thresholds can be adjusted for tolerance

C.

To ensure awareness of risk and controls is shared with key decision makers

D.

To ensure the maturity of the assessment program can be validated

Buy Now
Questions 63

An organization has implemented a preventive control to lock user accounts after three unsuccessful login attempts. This practice has been proven to be unproductive, and a change in the control threshold value has been recommended. Who should authorize changing this threshold?

Options:

A.

Risk owner

B.

IT security manager

C.

IT system owner

D.

Control owner

Buy Now
Questions 64

Which of the following observations would be the GREATEST concern to a risk practitioner evaluating an organization's risk management practices?

Options:

A.

Senior management has approved numerous requests for risk acceptance.

B.

Business leaders provide final approval for information security policies.

C.

Several risk scenarios have action plans spanning multiple years.

D.

Senior management does not set risk tolerance.

Buy Now
Questions 65

A newly incorporated enterprise needs to secure its information assets From a governance perspective which of the following should be done FIRST?

Options:

A.

Define information retention requirements and policies

B.

Provide information security awareness training

C.

Establish security management processes and procedures

D.

Establish an inventory of information assets

Buy Now
Questions 66

What would be a risk practitioner's BEST recommendation when several key performance indicators (KPIs) for a control process fail to meet service level agreements (SLAs)?

Options:

A.

Adjust the process KPI threshold.

B.

Develop an IT risk response plan.

C.

Review the organization's IT risk profile.

D.

Review process efficiency.

Buy Now
Questions 67

Which key performance indicator (KPI) BEST measures the effectiveness of an organization's disaster recovery program?

Options:

A.

Number of disaster recovery scenarios identified

B.

Percentage of employees involved in the disaster recovery exercise

C.

Number of total systems recovered within the recovery point objective (RPO)

D.

Percentage of critical systems recovered within the recovery time objective (RTO)

Buy Now
Questions 68

After the announcement of a new IT regulatory requirement, it is MOST important for a risk practitioner to;

Options:

A.

prepare an IT risk mitigation strategy.

B.

escalate to senior management.

C.

perform a cost-benefit analysis.

D.

review the impact to the IT environment.

Buy Now
Questions 69

An organization has decided to postpone the assessment and treatment of several risk scenarios because stakeholders are unavailable. As a result of this decision, the risk associated with these new entries has been;

Options:

A.

mitigated

B.

deferred

C.

accepted.

D.

transferred

Buy Now
Questions 70

An organizational policy requires critical security patches to be deployed in production within three weeks of patch availability. Which of the following is the BEST metric to verify adherence to the policy?

Options:

A.

Maximum time gap between patch availability and deployment

B.

Percentage of critical patches deployed within three weeks

C.

Minimum time gap between patch availability and deployment

D.

Number of critical patches deployed within three weeks

Buy Now
Questions 71

Options:

A.

Develop policies with less restrictive requirements to ensure consistency across the organization.

B.

Develop a global policy to be applied uniformly by each country.

C.

Develop country-specific policies to address local regulations.

D.

Develop a global policy that accommodates country-specific requirements.

Buy Now
Questions 72

Employees are repeatedly seen holding the door open for others, so that trailing employees do not have to stop and swipe their own ID badges. This behavior BEST represents:

Options:

A.

a threat.

B.

a vulnerability.

C.

an impact

D.

a control.

Buy Now
Questions 73

Which of the following is the MOST likely reason an organization would engage an independent reviewer to assess its IT risk management program?

Options:

A.

To ensure IT risk management is focused on mitigating emerging risk

B.

To confirm that IT risk assessment results are expressed in quantitative terms

C.

To evaluate threats to the organization's operations and strategy

D.

To identify gaps in the alignment of IT risk management processes and strategy

Buy Now
Questions 74

Which of the following will BEST help an organization select a recovery strategy for critical systems?

Options:

A.

Review the business impact analysis.

B.

Create a business continuity plan.

C.

Analyze previous disaster recovery reports.

D.

Conduct a root cause analysis.

Buy Now
Questions 75

An IT license audit has revealed that there are several unlicensed copies of co be to:

Options:

A.

immediately uninstall the unlicensed software from the laptops

B.

centralize administration rights on laptops so that installations are controlled

C.

report the issue to management so appropriate action can be taken.

D.

procure the requisite licenses for the software to minimize business impact.

Buy Now
Questions 76

Which of the following would BEST help to ensure that identified risk is efficiently managed?

Options:

A.

Reviewing the maturity of the control environment

B.

Regularly monitoring the project plan

C.

Maintaining a key risk indicator for each asset in the risk register

D.

Periodically reviewing controls per the risk treatment plan

Buy Now
Questions 77

Which of the following should be the PRIMARY basis for prioritizing risk responses?

Options:

A.

The impact of the risk

B.

The replacement cost of the business asset

C.

The cost of risk mitigation controls

D.

The classification of the business asset

Buy Now
Questions 78

A bank has outsourced its statement printing function to an external service provider. Which of the following is the MOST critical requirement to include in the contract?

Options:

A.

Monitoring of service costs

B.

Provision of internal audit reports

C.

Notification of sub-contracting arrangements

D.

Confidentiality of customer data

Buy Now
Questions 79

An organization uses a web application hosted by a cloud service that is populated by data sent to the vendor via email on a monthly basis. Which of the following should be the FIRST consideration when analyzing the risk associated with the application?

Options:

A.

Whether the service provider's data center is located in the same country

B.

Whether the data sent by email has been encrypted

C.

Whether the data has been appropriately classified

D.

Whether the service provider contract allows right of onsite audit

Buy Now
Questions 80

Which of the following BEST assists in justifying an investment in automated controls?

Options:

A.

Cost-benefit analysis

B.

Alignment of investment with risk appetite

C.

Elimination of compensating controls

D.

Reduction in personnel costs

Buy Now
Questions 81

An IT organization is replacing the customer relationship management (CRM) system. Who should own the risk associated with customer data leakage caused by insufficient IT security controls for the new system?

Options:

A.

Chief information security officer

B.

Business process owner

C.

Chief risk officer

D.

IT controls manager

Buy Now
Questions 82

When assessing the maturity level of an organization’s risk management framework, which of the following should be of GREATEST concern to a risk practitioner?

Options:

A.

Reliance on qualitative analysis methods.

B.

Lack of a governance, risk, and compliance (GRC) tool.

C.

Lack of senior management involvement.

D.

Use of multiple risk registers.

Buy Now
Questions 83

Which of the following should management consider when selecting a risk mitigation option?

Options:

A.

Maturity of the enterprise architecture

B.

Cost of control implementation

C.

Reliability of key performance indicators (KPIs)

D.

Reliability of key risk indicators (KPIs)

Buy Now
Questions 84

When an organization is having new software implemented under contract, which of the following is key to controlling escalating costs?

Options:

A.

Risk management

B.

Change management

C.

Problem management

D.

Quality management

Buy Now
Questions 85

Which of the following should be the PRIMARY consideration when assessing the automation of control monitoring?

Options:

A.

impact due to failure of control

B.

Frequency of failure of control

C.

Contingency plan for residual risk

D.

Cost-benefit analysis of automation

Buy Now
Questions 86

During a post-implementation review for a new system, users voiced concerns about missing functionality. Which of the following is the BEST way for the organization to avoid this situation in the future?

Options:

A.

Test system reliability and performance.

B.

Adopt an Agile development approach.

C.

Conduct user acceptance testing (UAT).

D.

Adopt a phased changeover approach.

Buy Now
Questions 87

Which of the following BEST prevents control gaps in the Zero Trust model when implementing in the environment?

Options:

A.

Relying on multiple solutions for Zero Trust

B.

Utilizing rapid development during implementation

C.

Establishing a robust technical architecture

D.

Starting with a large initial scope

Buy Now
Questions 88

An organization is increasingly concerned about loss of sensitive data and asks the risk practitioner to assess the current risk level. Which of the following should the risk practitioner do FIRST?

Options:

A.

Review assignments of data ownership for key assets.

B.

Identify staff who have access to the organization’s sensitive data.

C.

Identify recent and historical incidents involving data loss.

D.

Review the organization's data inventory.

Buy Now
Questions 89

Which of the following should be considered FIRST when creating a comprehensive IT risk register?

Options:

A.

Risk management budget

B.

Risk mitigation policies

C.

Risk appetite

D.

Risk analysis techniques

Buy Now
Questions 90

From a risk management perspective, which of the following is the PRIMARY purpose of conducting a root cause analysis following an incident?

Options:

A.

To reduce incident response times defined in SLAs

B.

To satisfy senior management expectations for incident response

C.

To ensure risk has been reduced to acceptable levels

D.

To minimize the likelihood of future occurrences

Buy Now
Questions 91

Which of the following is MOST important for mitigating ethical risk when establishing accountability for control ownership?

Options:

A.

Ensuring processes are documented to enable effective control execution

B.

Ensuring regular risk messaging is Included in business communications from leadership

C.

Ensuring schedules and deadlines for control-related deliverables are strictly monitored

D.

Ensuring performance metrics balance business goals with risk appetite

Buy Now
Questions 92

Which of the following BEST enables the timely detection of changes in the security control environment?

Options:

A.

Control self-assessment (CSA)

B.

Log analysis

C.

Security control reviews

D.

Random sampling checks

Buy Now
Questions 93

Which of the following BEST mitigates the risk associated with inadvertent data leakage by users who work remotely?

Options:

A.

Conducting training on the protection of organizational assets

B.

Configuring devices to use virtual IP addresses

C.

Ensuring patching for end-user devices

D.

Providing encrypted access to organizational assets

Buy Now
Questions 94

Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?

Options:

A.

Risk appetite is decreased.

B.

Inherent risk is increased.

C.

Risk tolerance is decreased.

D.

Residual risk is increased.

Buy Now
Questions 95

A bank recently incorporated Blockchain technology with the potential to impact known risk within the organization. Which of the following is the risk practitioner’s BEST course of action?

Options:

A.

Determine whether risk responses are still adequate.

B.

Analyze and update control assessments with the new processes.

C.

Analyze the risk and update the risk register as needed.

D.

Conduct testing of the control that mitigate the existing risk.

Buy Now
Questions 96

A risk practitioner is concerned with potential data loss in the event of a breach at a hosted third-party provider. Which of the following is the BEST way to mitigate this risk?

Options:

A.

Include an indemnification clause in the provider's contract.

B.

Monitor provider performance against service level agreements (SLAs).

C.

Purchase cyber insurance to protect against data breaches.

D.

Ensure appropriate security controls are in place through independent audits.

Buy Now
Questions 97

Which of the following is the PRIMARY purpose of creating and documenting control procedures?

Options:

A.

To facilitate ongoing audit and control testing

B.

To help manage risk to acceptable tolerance levels

C.

To establish and maintain a control inventory

D.

To increase the likelihood of effective control operation

Buy Now
Questions 98

Which of the following has the GREATEST impact on backup policies for a system supporting a critical process?

Options:

A.

Impact of threats to the process

B.

Resource requirements of the process

C.

Recovery time objective (RTO)

D.

Recovery point objective (RPO)

Buy Now
Questions 99

Using key risk indicators (KRIs) to illustrate changes in the risk profile PRIMARILY helps to:

Options:

A.

communicate risk trends to stakeholders.

B.

assign ownership of emerging risk scenarios.

C.

highlight noncompliance with the risk policy

D.

identify threats to emerging technologies.

Buy Now
Questions 100

Which of the following is the BEST approach to use when creating a comprehensive set of IT risk scenarios?

Options:

A.

Derive scenarios from IT risk policies and standards.

B.

Map scenarios to a recognized risk management framework.

C.

Gather scenarios from senior management.

D.

Benchmark scenarios against industry peers.

Buy Now
Questions 101

Which of the following should be the GREATEST concern for an organization that uses open source software applications?

Options:

A.

Lack of organizational policy regarding open source software

B.

Lack of reliability associated with the use of open source software

C.

Lack of monitoring over installation of open source software in the organization

D.

Lack of professional support for open source software

Buy Now
Questions 102

A risk practitioner is collaborating with key stakeholders to prioritize a large number of IT risk scenarios. Which scenarios should receive the PRIMARY focus?

Options:

A.

Scenarios with the highest number of open audit issues

B.

Scenarios with the highest frequency of incidents

C.

Scenarios with the largest budget allocation for risk mitigation

D.

Scenarios with the highest risk impact to the business

Buy Now
Questions 103

Which of the following is MOST important to review when determining whether a potential IT service provider’s control environment is effective?

Options:

A.

Independent audit report

B.

Control self-assessment

C.

MOST important to update when an

D.

Service level agreements (SLAs)

Buy Now
Questions 104

Which of the following should be of GREATEST concern when reviewing the results of an independent control assessment to determine the effectiveness of a vendor's control environment?

Options:

A.

The report was provided directly from the vendor.

B.

The risk associated with multiple control gaps was accepted.

C.

The control owners disagreed with the auditor's recommendations.

D.

The controls had recurring noncompliance.

Buy Now
Questions 105

Which of the following is a KEY outcome of risk ownership?

Options:

A.

Risk responsibilities are addressed.

B.

Risk-related information is communicated.

C.

Risk-oriented tasks are defined.

D.

Business process risk is analyzed.

Buy Now
Questions 106

Which of the following resources is MOST helpful to a risk practitioner when updating the likelihood rating in the risk register?

Options:

A.

Risk control assessment

B.

Audit reports with risk ratings

C.

Penetration test results

D.

Business impact analysis (BIA)

Buy Now
Questions 107

Which of the following is the BEST recommendation to senior management when the results of a risk and control assessment indicate a risk scenario can only be partially mitigated?

Options:

A.

Implement controls to bring the risk to a level within appetite and accept the residual risk.

B.

Implement a key performance indicator (KPI) to monitor the existing control performance.

C.

Accept the residual risk in its entirety and obtain executive management approval.

D.

Separate the risk into multiple components and avoid the risk components that cannot be mitigated.

Buy Now
Questions 108

Which of the following provides The MOST useful information when determining a risk management program's maturity level?

Options:

A.

Risk assessment results

B.

A recently reviewed risk register

C.

Key performance indicators (KPIs)

D.

The organization's risk framework

Buy Now
Questions 109

Which of the following is the BEST way for a risk practitioner to verify that management has addressed control issues identified during a previous external audit?

Options:

A.

Interview control owners.

B.

Observe the control enhancements in operation.

C.

Inspect external audit documentation.

D.

Review management's detailed action plans.

Buy Now
Questions 110

Which of the following observations from a third-party service provider review would be of GREATEST concern to a risk practitioner?

Options:

A.

Service level agreements (SLAs) have not been met over the last quarter.

B.

The service contract is up for renewal in less than thirty days.

C.

Key third-party personnel have recently been replaced.

D.

Monthly service charges are significantly higher than industry norms.

Buy Now
Questions 111

An organization has completed a project to implement encryption on all databases that host customer data. Which of the following elements of the risk register should be updated the reflect this change?

Options:

A.

Risk likelihood

B.

Inherent risk

C.

Risk appetite

D.

Risk tolerance

Buy Now
Questions 112

Which of the following should be considered when selecting a risk response?

Options:

A.

Risk scenarios analysis

B.

Risk response costs

C.

Risk factor awareness

D.

Risk factor identification

Buy Now
Questions 113

An organization delegates its data processing to the internal IT team to manage information through its applications. Which of the following is the role of the internal IT team in this situation?

Options:

A.

Data controllers

B.

Data processors

C.

Data custodians

D.

Data owners

Buy Now
Questions 114

Which of the following BEST describes the role of the IT risk profile in strategic IT-related decisions?

Options:

A.

It compares performance levels of IT assets to value delivered.

B.

It facilitates the alignment of strategic IT objectives to business objectives.

C.

It provides input to business managers when preparing a business case for new IT projects.

D.

It helps assess the effects of IT decisions on risk exposure

Buy Now
Questions 115

Which of the following is a risk practitioner's MOST important course of action when the level of risk has exceeded risk tolerance?

Options:

A.

Facilitate a review of risk tolerance levels

B.

Adjust the risk impact and likelihood scale

C.

Revise key risk indicator (KRI) thresholds

D.

Introduce the risk treatment process

Buy Now
Questions 116

A new software package that could help mitigate risk in an organization has become available. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Perform a business impact analysis (BIA).

B.

Perform a cost-benefit analysis.

C.

Review industry best practice.

D.

Review risk governance policies.

Buy Now
Questions 117

Key control indicators (KCls) help to assess the effectiveness of the internal control environment PRIMARILY by:

Options:

A.

ensuring controls are operating efficiently and facilitating productivity.

B.

enabling senior leadership to better understand the level of risk the organization is facing.

C.

monitoring changes in the likelihood of adverse events due to ineffective controls.

D.

providing information on the degree to which controls are meeting intended objectives.

Buy Now
Questions 118

Which of the following BEST enables effective IT control implementation?

Options:

A.

Key risk indicators (KRIs)

B.

Documented procedures

C.

Information security policies

D.

Information security standards

Buy Now
Questions 119

A risk practitioner observed Vial a high number of pokey exceptions were approved by senior management. Which of the following is the risk practitioner’s BEST course of action to determine root cause?

Options:

A.

Review the risk profile

B.

Review pokey change history

C.

interview the control owner

D.

Perform control testing

Buy Now
Questions 120

Avoiding a business activity removes the need to determine:

Options:

A.

systemic risk

B.

residual risk

C.

inherent risk

D.

control risk

Buy Now
Questions 121

The following is the snapshot of a recently approved IT risk register maintained by an organization's information security department.

CRISC Question 121

After implementing countermeasures listed in ‘’Risk Response Descriptions’’ for each of the Risk IDs, which of the following component of the register MUST change?

Options:

A.

Risk Impact Rating

B.

Risk Owner

C.

Risk Likelihood Rating

D.

Risk Exposure

Buy Now
Questions 122

Which of the following is the BEST method to track asset inventory?

Options:

A.

Periodic asset review by management

B.

Asset registration form

C.

Automated asset management software

D.

IT resource budgeting process

Buy Now
Questions 123

An organization has used generic risk scenarios to populate its risk register. Which of the following presents the GREATEST challenge to assigning of the associated risk entries?

Options:

A.

The volume of risk scenarios is too large

B.

Risk aggregation has not been completed

C.

Risk scenarios are not applicable

D.

The risk analysts for each scenario is incomplete

Buy Now
Questions 124

An IT risk practitioner has determined that mitigation activities differ from an approved risk action plan. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Report the observation to the chief risk officer (CRO).

B.

Validate the adequacy of the implemented risk mitigation measures.

C.

Update the risk register with the implemented risk mitigation actions.

D.

Revert the implemented mitigation measures until approval is obtained

Buy Now
Questions 125

After entering a large number of low-risk scenarios into the risk register, it is MOST important for the risk practitioner to:

Options:

A.

prepare a follow-up risk assessment.

B.

recommend acceptance of the risk scenarios.

C.

reconfirm risk tolerance levels.

D.

analyze changes to aggregate risk.

Buy Now
Questions 126

Which of the following would be the BEST senior management action to influence a strong risk-aware culture within an organization?

Options:

A.

Initiating disciplinary actions against individuals causing incidents

B.

Identifying the root cause of incidents

C.

Sponsoring changes to prevent recurrence of incidents

D.

Reviewing the risk register and preparing incident reports

Buy Now
Questions 127

Before implementing instant messaging within an organization using a public solution, which of the following should be in place to mitigate data leakage risk?

Options:

A.

A data extraction tool

B.

An access control list

C.

An intrusion detection system (IDS)

D.

An acceptable usage policy

Buy Now
Questions 128

An IT risk practitioner is evaluating an organization's change management controls over the last six months. The GREATEST concern would be an increase in:

Options:

A.

rolled back changes below management's thresholds.

B.

change-related exceptions per month.

C.

the average implementation time for changes.

D.

number of user stories approved for implementation.

Buy Now
Questions 129

Several network user accounts were recently created without the required management approvals. Which of the following would be the risk practitioner's BEST recommendation to address this situation?

Options:

A.

Conduct a comprehensive compliance review.

B.

Develop incident response procedures for noncompliance.

C.

Investigate the root cause of noncompliance.

D.

Declare a security breach and Inform management.

Buy Now
Questions 130

Which of the following would BEST help an enterprise prioritize risk scenarios?

Options:

A.

Industry best practices

B.

Placement on the risk map

C.

Degree of variances in the risk

D.

Cost of risk mitigation

Buy Now
Questions 131

Which of the following would be MOST helpful to an information security management team when allocating resources to mitigate exposures?

Options:

A.

Relevant risk case studies

B.

Internal audit findings

C.

Risk assessment results

D.

Penetration testing results

Buy Now
Questions 132

Which of the following BEST reduces the risk associated with the theft of a laptop containing sensitive information?

Options:

A.

Cable lock

B.

Data encryption

C.

Periodic backup

D.

Biometrics access control

Buy Now
Questions 133

The PRIMARY objective for selecting risk response options is to:

Options:

A.

reduce risk 10 an acceptable level.

B.

identify compensating controls.

C.

minimize residual risk.

D.

reduce risk factors.

Buy Now
Questions 134

Which of the following is MOST effective in continuous risk management process improvement?

Options:

A.

Periodic assessments

B.

Change management

C.

Awareness training

D.

Policy updates

Buy Now
Questions 135

Which of the following is MOST important for an organization to have in place to identify unauthorized devices on the network?

Options:

A.

A technology review and approval process

B.

An acceptable use policy

C.

An automated network scanning solution

D.

A bring your own device (BYOD) policy

Buy Now
Questions 136

An organization has identified the need to implement an asset tiering model to establish the appropriate level of impact. Which of the following is the MOST effective risk assessment methodology for a risk practitioner to use for this initiative?

Options:

A.

Qualitative method

B.

Industry calibration method

C.

Threat-based method

D.

Quantitative method

Buy Now
Questions 137

Which of the following aspects of risk can be transferred to a third party?

Options:

A.

Reputation impact

B.

Ownership

C.

Financial impact

D.

Accountability

Buy Now
Questions 138

After undertaking a risk assessment of a production system, the MOST appropriate action is fcr the risk manager to

Options:

A.

recommend a program that minimizes the concerns of that production system.

B.

inform the process owner of the concerns and propose measures to reduce them.

C.

inform the IT manager of the concerns and propose measures to reduce them.

D.

inform the development team of the concerns and together formulate risk reduction measures.

Buy Now
Questions 139

Which of the following factors will have the GREATEST impact on the implementation of a risk mitigation strategy for an organization?

Options:

A.

Cost-benefit analysis

B.

Risk tolerance

C.

Known vulnerabilities

D.

Cyber insurance

Buy Now
Questions 140

Which of the following provides the BEST indication that existing controls are effective?

Options:

A.

Control testing

B.

Control logging

C.

Control documentation

D.

Control design

Buy Now
Questions 141

What are the MOST essential attributes of an effective Key control indicator (KCI)?

Options:

A.

Flexibility and adaptability

B.

Measurability and consistency

C.

Robustness and resilience

D.

Optimal cost and benefit

Buy Now
Questions 142

Which of the following is the GREATEST concern associated with redundant data in an organization's inventory system?

Options:

A.

Poor access control

B.

Unnecessary data storage usage

C.

Data inconsistency

D.

Unnecessary costs of program changes

Buy Now
Questions 143

Which of the following is MOST important for developing effective key risk indicators (KRIs)?

Options:

A.

Engaging sponsorship by senior management

B.

Utilizing data and resources internal to the organization

C.

Including input from risk and business unit management

D.

Developing in collaboration with internal audit

Buy Now
Questions 144

Which of the following is MOST important to understand when determining an appropriate risk assessment approach?

Options:

A.

Complexity of the IT infrastructure

B.

Value of information assets

C.

Management culture

D.

Threats and vulnerabilities

Buy Now
Questions 145

Which of the following should be management's PRIMARY focus when key risk indicators (KRIs) begin to rapidly approach defined thresholds?

Options:

A.

Designing compensating controls

B.

Determining if KRIs have been updated recently

C.

Assessing the effectiveness of the incident response plan

D.

Determining what has changed in the environment

Buy Now
Questions 146

Reviewing which of the following would provide the MOST useful information when preparing to evaluate the effectiveness of existing controls?

Options:

A.

Previous audit reports

B.

Control objectives

C.

Risk responses in the risk register

D.

Changes in risk profiles

Buy Now
Questions 147

Reviewing which of the following BEST helps an organization gain insight into its overall risk profile?

Options:

A.

Threat landscape

B.

Risk appetite

C.

Risk register

D.

Risk metrics

Buy Now
Questions 148

What is the BEST recommendation to reduce the risk associated with potential system compromise when a vendor stops releasing security patches and updates for a business-critical legacy system?

Options:

A.

Segment the system on its own network.

B.

Ensure regular backups take place.

C.

Virtualize the system in the cloud.

D.

Install antivirus software on the system.

Buy Now
Questions 149

Which of the following is MOST helpful in defining an early-warning threshold associated with insufficient network bandwidth’’?

Options:

A.

Average bandwidth usage

B.

Peak bandwidth usage

C.

Total bandwidth usage

D.

Bandwidth used during business hours

Buy Now
Questions 150

When reporting risk assessment results to senior management, which of the following is MOST important to include to enable risk-based decision making?

Options:

A.

Risk action plans and associated owners

B.

Recent audit and self-assessment results

C.

Potential losses compared to treatment cost

D.

A list of assets exposed to the highest risk

Buy Now
Questions 151

Which of the following is the PRIMARY reason for a risk practitioner to review an organization's IT asset inventory?

Options:

A.

To plan for the replacement of assets at the end of their life cycles

B.

To assess requirements for reducing duplicate assets

C.

To understand vulnerabilities associated with the use of the assets

D.

To calculate mean time between failures (MTBF) for the assets

Buy Now
Questions 152

A risk action plan has been changed during the risk mitigation effort. Which of the following is MOST important for the risk practitioner to verify?

Options:

A.

Impact of the change on inherent risk

B.

Approval for the change by the risk owner

C.

Business rationale for the change

D.

Risk to the mitigation effort due to the change

Buy Now
Questions 153

Determining if organizational risk is tolerable requires:

Options:

A.

mapping residual risk with cost of controls

B.

comparing against regulatory requirements

C.

comparing industry risk appetite with the organizations.

D.

understanding the organization's risk appetite.

Buy Now
Questions 154

An organization has asked an IT risk practitioner to conduct an operational risk assessment on an initiative to outsource the organization's customer service operations overseas. Which of the following would MOST significantly impact management's decision?

Options:

A.

Time zone difference of the outsourcing location

B.

Ongoing financial viability of the outsourcing company

C.

Cross-border information transfer restrictions in the outsourcing country

D.

Historical network latency between the organization and outsourcing location

Buy Now
Questions 155

An organization recently implemented an automated interface for uploading payment files to its banking system to replace manual processing. Which of the following elements of the risk register is MOST appropriate for the risk practitioner to update to reflect the improved control?

Options:

A.

Risk scenarios

B.

Risk ownership

C.

Risk impact

D.

Risk likelihood

Buy Now
Questions 156

An organization operates in an environment where the impact of ransomware attacks is high, with a low likelihood. After quantifying the impact of the risk associated with ransomware attacks exceeds the organization's risk appetite and tolerance, which of the following is the risk practitioner's BEST recommendation?

Options:

A.

Obtain adequate cybersecurity insurance coverage.

B.

Ensure business continuity assessments are up to date.

C.

Adjust the organization's risk appetite and tolerance.

D.

Obtain certification to a global information security standard.

Buy Now
Questions 157

During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT. Which of the following is the BEST way for the risk practitioner to address these concerns?

Options:

A.

Describe IT risk scenarios in terms of business risk.

B.

Recommend the formation of an executive risk council to oversee IT risk.

C.

Provide an estimate of IT system downtime if IT risk materializes.

D.

Educate business executives on IT risk concepts.

Buy Now
Questions 158

Which of the following is the MOST important objective of an enterprise risk management (ERM) program?

Options:

A.

To create a complete repository of risk to the organization

B.

To create a comprehensive view of critical risk to the organization

C.

To provide a bottom-up view of the most significant risk scenarios

D.

To optimize costs of managing risk scenarios in the organization

Buy Now
Questions 159

Print jobs containing confidential information are sent to a shared network printer located in a secure room. Which of the following is the BEST control to prevent the inappropriate disclosure of confidential information?

Options:

A.

Requiring a printer access code for each user

B.

Using physical controls to access the printer room

C.

Using video surveillance in the printer room

D.

Ensuring printer parameters are properly configured

Buy Now
Questions 160

An organization recently received an independent security audit report of its cloud service provider that indicates significant control weaknesses. What should be done NEXT in response to this report?

Options:

A.

Migrate all data to another compliant service provider.

B.

Analyze the impact of the provider's control weaknesses to the business.

C.

Conduct a follow-up audit to verify the provider's control weaknesses.

D.

Review the contract to determine if penalties should be levied against the provider.

Buy Now
Questions 161

When determining risk ownership, the MAIN consideration should be:

Options:

A.

who owns the business process.

B.

the amount of residual risk.

C.

who is responsible for risk mitigation.

D.

the total cost of risk treatment.

Buy Now
Questions 162

Which of the following is the BEST approach to mitigate the risk associated with a control deficiency?

Options:

A.

Perform a business case analysis

B.

Implement compensating controls.

C.

Conduct a control sell-assessment (CSA)

D.

Build a provision for risk

Buy Now
Questions 163

Which of the following is the PRIMARY risk management responsibility of the third line of defense?

Options:

A.

Providing assurance of the effectiveness of risk management activities

B.

Providing guidance on the design of effective controls

C.

Providing advisory services on enterprise risk management (ERM)

D.

Providing benchmarking on other organizations' risk management programs

Buy Now
Questions 164

Which of the following is MOST important requirement to include in a Software as a Service (SaaS) vendor contract to ensure data is protected?

Options:

A.

The vendor must provide periodic independent assurance reports.

B.

The vendor must host data in a specific geographic location.

C.

The vendor must be held liable for regulatory fines for failure to protect data.

D.

The vendor must participate in an annual vendor performance review.

Buy Now
Questions 165

A global organization has implemented an application that does not address all privacy requirements across multiple jurisdictions. Which of the following risk responses has the organization adopted with regard to privacy requirements?

Options:

A.

Risk avoidance

B.

Risk transfer

C.

Risk mitigation

D.

Risk acceptance

Buy Now
Questions 166

What is a risk practitioner's BEST approach to monitor and measure how quickly an exposure to a specific risk can affect the organization?

Options:

A.

Create an asset valuation report.

B.

Create key performance indicators (KPls).

C.

Create key risk indicators (KRIs).

D.

Create a risk volatility report.

Buy Now
Questions 167

Which of The following BEST represents the desired risk posture for an organization?

Options:

A.

Inherent risk is lower than risk tolerance.

B.

Operational risk is higher than risk tolerance.

C.

Accepted risk is higher than risk tolerance.

D.

Residual risk is lower than risk tolerance.

Buy Now
Questions 168

Options:

A.

Ensure compliance with local legislation because it has a higher priority.

B.

Conduct a risk assessment and develop mitigation options.

C.

Terminate the current cloud contract and migrate to a local cloud provider.

D.

Accept the risk because foreign legislation does not apply to the organization.

Buy Now
Questions 169

It is MOST important to the effectiveness of an IT risk management function that the associated processes are:

Options:

A.

aligned to an industry-accepted framework.

B.

reviewed and approved by senior management.

C.

periodically assessed against regulatory requirements.

D.

updated and monitored on a continuous basis.

Buy Now
Questions 170

Which of the following is the MOST important driver of an effective enterprise risk management (ERM) program?

Options:

A.

Risk policy

B.

Risk committee

C.

Risk culture

D.

Risk management plan

Buy Now
Questions 171

Within the three lines of defense model, the responsibility for managing risk and controls resides with:

Options:

A.

operational management.

B.

the risk practitioner.

C.

the internal auditor.

D.

executive management.

Buy Now
Questions 172

Which of the following should be the PRIMARY input to determine risk tolerance?

Options:

A.

Regulatory requirements

B.

Organizational objectives

C.

Annual loss expectancy (ALE)

D.

Risk management costs

Buy Now
Questions 173

when developing IT risk scenarios associated with a new line of business, which of the following would be MOST helpful to review?

Options:

A.

Organizational threats

B.

Resource allocation plan

C.

Competitor analysis

D.

Cost-benefit analysis

Buy Now
Questions 174

Which of the following is the GREATEST benefit for an organization with a strong risk awareness culture?

Options:

A.

Reducing the involvement by senior management

B.

Using more risk specialists

C.

Reducing the need for risk policies and guidelines

D.

Discussing and managing risk as a team

Buy Now
Questions 175

Which of the following should be reported periodically to the risk committee?

Options:

A.

System risk and control matrix

B.

Emerging IT risk scenarios

C.

Changes to risk assessment methodology

D.

Audit committee charter

Buy Now
Questions 176

A service organization is preparing to adopt an IT control framework to comply with the contractual requirements of a new client. Which of the following would be MOST helpful to the risk practitioner?

Options:

A.

Negotiating terms of adoption

B.

Understanding the timeframe to implement

C.

Completing a gap analysis

D.

Initiating the conversion

Buy Now
Questions 177

Which of the following situations reflects residual risk?

Options:

A.

Risk that is present before risk acceptance has been finalized

B.

Risk that is removed after a risk acceptance has been finalized

C.

Risk that is present before mitigation controls have been applied

D.

Risk that remains after mitigation controls have been applied

Buy Now
Questions 178

When determining which control deficiencies are most significant, which of the following would provide the MOST useful information?

Options:

A.

Risk analysis results

B.

Exception handling policy

C.

Vulnerability assessment results

D.

Benchmarking assessments

Buy Now
Questions 179

Which of the following BEST contributes to the implementation of an effective risk response action plan?

Options:

A.

An IT tactical plan

B.

Disaster recovery and continuity testing

C.

Assigned roles and responsibilities

D.

A business impact analysis

Buy Now
Questions 180

Which of the following would BEST facilitate the implementation of data classification requirements?

Options:

A.

Assigning a data owner

B.

Scheduling periodic audits

C.

Implementing technical controls over the assets

D.

Implementing a data loss prevention (DLP) solution

Buy Now
Questions 181

Which of the following should be an element of the risk appetite of an organization?

Options:

A.

The effectiveness of compensating controls

B.

The enterprise's capacity to absorb loss

C.

The residual risk affected by preventive controls

D.

The amount of inherent risk considered appropriate

Buy Now
Questions 182

Which of the following is the BEST approach for performing a business impact analysis (BIA) of a supply-chain management application?

Options:

A.

Reviewing the organization's policies and procedures

B.

Interviewing groups of key stakeholders

C.

Circulating questionnaires to key internal stakeholders

D.

Accepting IT personnel s view of business issues

Buy Now
Questions 183

Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds?

Options:

A.

Occurrences of specific events

B.

A performance measurement

C.

The risk tolerance level

D.

Risk scenarios

Buy Now
Questions 184

When reviewing the business continuity plan (BCP) of an online sales order system, a risk practitioner notices that the recovery time objective (RTO) has a shorter lime than what is defined in the disaster recovery plan (DRP). Which of the following is the BEST way for the risk practitioner to address this concern?

Options:

A.

Adopt the RTO defined in the BCR

B.

Update the risk register to reflect the discrepancy.

C.

Adopt the RTO defined in the DRP.

D.

Communicate the discrepancy to the DR manager for follow-up.

Buy Now
Questions 185

A risk practitioner has been asked to evaluate a new cloud-based service to enhance an organization's access management capabilities. When is the BEST time for the risk practitioner to provide opinions on control strength?

Options:

A.

After the initial design

B.

Before production rollout

C.

After a few weeks in use

D.

Before end-user testing

Buy Now
Questions 186

Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited. Which of the following would be the BEST response to this scenario?

Options:

A.

Assess the vulnerability management process.

B.

Conduct a control serf-assessment.

C.

Conduct a vulnerability assessment.

D.

Reassess the inherent risk of the target.

Buy Now
Questions 187

Which of the following is the PRIMARY objective of aggregating the impact of IT risk scenarios and reflecting the results in the enterprise risk register?

Options:

A.

To ensure IT risk appetite is communicated across the organization

B.

To ensure IT risk impact can be compared to the IT risk appetite

C.

To ensure IT risk ownership is assigned at the appropriate organizational level

D.

To ensure IT risk scenarios are consistently assessed within the organization

Buy Now
Questions 188

An organization has outsourced its IT security operations to a third party. Who is ULTIMATELY accountable for the risk associated with the outsourced operations?

Options:

A.

The third party s management

B.

The organization's management

C.

The control operators at the third party

D.

The organization's vendor management office

Buy Now
Questions 189

Which of the following is the PRIMARY purpose of a risk register?

Options:

A.

To assign control ownership of risk

B.

To provide a centralized view of risk

C.

To identify opportunities to transfer risk

D.

To mitigate organizational risk

Buy Now
Questions 190

A risk assessment has identified that departments have installed their own WiFi access points on the enterprise network. Which of the following would be MOST important to include in a report to senior management?

Options:

A.

The network security policy

B.

Potential business impact

C.

The WiFi access point configuration

D.

Planned remediation actions

Buy Now
Questions 191

Which of the following is the MAIN benefit of involving stakeholders in the selection of key risk indicators (KRIs)?

Options:

A.

Improving risk awareness

B.

Obtaining buy-in from risk owners

C.

Leveraging existing metrics

D.

Optimizing risk treatment decisions

Buy Now
Questions 192

The MOST important reason to monitor key risk indicators (KRIs) is to help management:

Options:

A.

identity early risk transfer strategies.

B.

lessen the impact of realized risk.

C.

analyze the chain of risk events.

D.

identify the root cause of risk events.

Buy Now
Questions 193

An organization has operations in a location that regularly experiences severe weather events. Which of the following would BEST help to mitigate the risk to operations?

Options:

A.

Prepare a cost-benefit analysis to evaluate relocation.

B.

Prepare a disaster recovery plan (DRP).

C.

Conduct a business impact analysis (BIA) for an alternate location.

D.

Develop a business continuity plan (BCP).

Buy Now
Questions 194

Which of the following is a responsibility of the second line of defense in the three lines of defense model?

Options:

A.

Performing duties independently to provide assurance

B.

Alerting operational management to emerging issues

C.

Implementing corrective actions to address deficiencies

D.

Owning risk scenarios and bearing the consequences of loss

Buy Now
Questions 195

If concurrent update transactions to an account are not processed properly, which of the following will MOST likely be affected?

Options:

A.

Confidentiality

B.

Accountability

C.

Availability

D.

Integrity

Buy Now
Questions 196

Which of the following is a detective control?

Options:

A.

Limit check

B.

Periodic access review

C.

Access control software

D.

Rerun procedures

Buy Now
Questions 197

Which of the following BEST indicates the condition of a risk management program?

Options:

A.

Number of risk register entries

B.

Number of controls

C.

Level of financial support

D.

Amount of residual risk

Buy Now
Questions 198

An organization has initiated a project to implement an IT risk management program for the first time. The BEST time for the risk practitioner to start populating the risk register is when:

Options:

A.

identifying risk scenarios.

B.

determining the risk strategy.

C.

calculating impact and likelihood.

D.

completing the controls catalog.

Buy Now
Questions 199

To reduce costs, an organization is combining the second and third tines of defense in a new department that reports to a recently appointed C-level executive. Which of the following is the GREATEST concern with this situation?

Options:

A.

The risk governance approach of the second and third lines of defense may differ.

B.

The independence of the internal third line of defense may be compromised.

C.

Cost reductions may negatively impact the productivity of other departments.

D.

The new structure is not aligned to the organization's internal control framework.

Buy Now
Questions 200

An enterprise has taken delivery of software patches that address vulnerabilities in its core business software. Prior to implementation, which of the following is the MOST important task to be performed?

Options:

A.

Assess the impact of applying the patches on the production environment.

B.

Survey other enterprises regarding their experiences with applying these patches.

C.

Seek information from the software vendor to enable effective application of the patches.

D.

Determine in advance an off-peak period to apply the patches.

Buy Now
Questions 201

Which of the following is the GREATEST concern related to the monitoring of key risk indicators (KRIs)?

Options:

A.

Logs are retained for longer than required.

B.

Logs are reviewed annually.

C.

Logs are stored in a multi-tenant cloud environment.

D.

Logs are modified before analysis is conducted.

Buy Now
Questions 202

Which of the following is MOST important to compare against the corporate risk profile?

Options:

A.

Industry benchmarks

B.

Risk tolerance

C.

Risk appetite

D.

Regulatory compliance

Buy Now
Questions 203

When a risk practitioner is building a key risk indicator (KRI) from aggregated data, it is CRITICAL that the data is derived from:

Options:

A.

business process owners.

B.

representative data sets.

C.

industry benchmark data.

D.

data automation systems.

Buy Now
Questions 204

The risk associated with an asset after controls are applied can be expressed as:

Options:

A.

a function of the cost and effectiveness of controls.

B.

the likelihood of a given threat.

C.

a function of the likelihood and impact.

D.

the magnitude of an impact.

Buy Now
Questions 205

An organization's risk profile indicates that residual risk levels have fallen significantly below management's risk appetite. Which of the following is the BEST course of action?

Options:

A.

Decrease monitoring of residual risk levels.

B.

Optimize controls.

C.

Increase risk appetite.

D.

Add more risk scenarios to the risk register.

Buy Now
Questions 206

The number of tickets to rework application code has significantly exceeded the established threshold. Which of the following would be the risk practitioner s BEST recommendation?

Options:

A.

Perform a root cause analysis

B.

Perform a code review

C.

Implement version control software.

D.

Implement training on coding best practices

Buy Now
Questions 207

Which of the following is the GREATEST advantage of implementing a risk management program?

Options:

A.

Enabling risk-aware decisions

B.

Promoting a risk-aware culture

C.

Improving security governance

D.

Reducing residual risk

Buy Now
Questions 208

Which of the following is MOST influential when management makes risk response decisions?

Options:

A.

Risk appetite

B.

Audit risk

C.

Residual risk

D.

Detection risk

Buy Now
Questions 209

To reduce the risk introduced when conducting penetration tests, the BEST mitigating control would be to:

Options:

A.

require the vendor to sign a nondisclosure agreement

B.

clearly define the project scope.

C.

perform background checks on the vendor.

D.

notify network administrators before testing

Buy Now
Questions 210

An organization wants to transfer risk by purchasing cyber insurance. Which of the following would be MOST important for the risk practitioner to communicate to senior management for contract negotiation purposes?

Options:

A.

Most recent IT audit report results

B.

Replacement cost of IT assets

C.

Current annualized loss expectancy report

D.

Cyber insurance industry benchmarking report

Buy Now
Questions 211

When developing a new risk register, a risk practitioner should focus on which of the following risk management activities?

Options:

A.

Risk management strategy planning

B.

Risk monitoring and control

C.

Risk identification

D.

Risk response planning

Buy Now
Questions 212

Which of the following provides the MOST reliable evidence of a control's effectiveness?

Options:

A.

A risk and control self-assessment

B.

Senior management's attestation

C.

A system-generated testing report

D.

detailed process walk-through

Buy Now
Questions 213

Which of the following is of GREATEST concern when uncontrolled changes are made to the control environment?

Options:

A.

A decrease in control layering effectiveness

B.

An increase in inherent risk

C.

An increase in control vulnerabilities

D.

An increase in the level of residual risk

Buy Now
Questions 214

Which of the following is the MOST important criteria for selecting key risk indicators (KRIs)?

Options:

A.

Historical data availability

B.

Implementation and reporting effort

C.

Ability to display trends

D.

Sensitivity and reliability

Buy Now
Questions 215

Which of the following would be the BEST key performance indicator (KPI) for monitoring the effectiveness of the IT asset management process?

Options:

A.

Percentage of unpatched IT assets

B.

Percentage of IT assets without ownership

C.

The number of IT assets securely disposed during the past year

D.

The number of IT assets procured during the previous month

Buy Now
Questions 216

Which of the following conditions presents the GREATEST risk to an application?

Options:

A.

Application controls are manual.

B.

Application development is outsourced.

C.

Source code is escrowed.

D.

Developers have access to production environment.

Buy Now
Questions 217

Which of the following would BEST facilitate the implementation of data classification requirements?

Options:

A.

Assigning a data owner

B.

Implementing technical control over the assets

C.

Implementing a data loss prevention (DLP) solution

D.

Scheduling periodic audits

Buy Now
Questions 218

Which of the following is MOST important for effective communication of a risk profile to relevant stakeholders?

Options:

A.

Emphasizing risk in the risk profile that is related to critical business activities

B.

Customizing the presentation of the risk profile to the intended audience

C.

Including details of risk with high deviation from the risk appetite

D.

Providing information on the efficiency of controls for risk mitigation

Buy Now
Questions 219

The PRIMARY advantage of implementing an IT risk management framework is the:

Options:

A.

establishment of a reliable basis for risk-aware decision making.

B.

compliance with relevant legal and regulatory requirements.

C.

improvement of controls within the organization and minimized losses.

D.

alignment of business goals with IT objectives.

Buy Now
Questions 220

An incentive program is MOST likely implemented to manage the risk associated with loss of which organizational asset?

Options:

A.

Employees

B.

Data

C.

Reputation

D.

Customer lists

Buy Now
Questions 221

When reviewing management's IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?

Options:

A.

Assess management's risk tolerance.

B.

Recommend management accept the low-risk scenarios.

C.

Propose mitigating controls

D.

Re-evaluate the risk scenarios associated with the control

Buy Now
Questions 222

As pan of business continuity planning, which of the following is MOST important to include m a business impact analysis (BlA)?

Options:

A.

An assessment of threats to the organization

B.

An assessment of recovery scenarios

C.

industry standard framework

D.

Documentation of testing procedures

Buy Now
Questions 223

Which of the following would BEST indicate to senior management that IT processes are improving?

Options:

A.

Changes in the number of intrusions detected

B.

Changes in the number of security exceptions

C.

Changes in the position in the maturity model

D.

Changes to the structure of the risk register

Buy Now
Questions 224

A penetration test reveals several vulnerabilities in a web-facing application. Which of the following should be the FIRST step in selecting a risk response?

Options:

A.

Correct the vulnerabilities to mitigate potential risk exposure.

B.

Develop a risk response action plan with key stakeholders.

C.

Assess the level of risk associated with the vulnerabilities.

D.

Communicate the vulnerabilities to the risk owner.

Buy Now
Questions 225

Which of the following can be used to assign a monetary value to risk?

Options:

A.

Annual loss expectancy (ALE)

B.

Business impact analysis

C.

Cost-benefit analysis

D.

Inherent vulnerabilities

Buy Now
Questions 226

Which of the following BEST provides an early warning that network access of terminated employees is not being revoked in accordance with the service level agreement (SLA)?

Options:

A.

Updating multi-factor authentication

B.

Monitoring key access control performance indicators

C.

Analyzing access control logs for suspicious activity

D.

Revising the service level agreement (SLA)

Buy Now
Questions 227

Which of the following contributes MOST to the effective implementation of risk responses?

Options:

A.

Clear understanding of the risk

B.

Comparable industry risk trends

C.

Appropriate resources

D.

Detailed standards and procedures

Buy Now
Questions 228

Which of the following, who should be PRIMARILY responsible for performing user entitlement reviews?

Options:

A.

IT security manager

B.

IT personnel

C.

Data custodian

D.

Data owner

Buy Now
Questions 229

An organization recently implemented new technologies that enable the use of robotic process automation. Which of the following is MOST important to reassess?

Options:

A.

Risk profile

B.

Risk tolerance

C.

Risk capacity

D.

Risk appetite

Buy Now
Questions 230

A risk practitioner is performing a risk assessment of recent external advancements in quantum computing. Which of the following would pose the GREATEST concern for the risk practitioner?

Options:

A.

The organization has not adopted Infrastructure as a Service (IaaS) for its operations

B.

The organization has incorporated blockchain technology in its operations

C.

The organization has implemented heuristics on its network firewall

D.

The organization has not reviewed its encryption standards

Buy Now
Questions 231

A risk assessment has identified increased losses associated with an IT risk scenario. It is MOST important for the risk practitioner to:

Options:

A.

update the risk rating.

B.

reevaluate inherent risk.

C.

develop new risk scenarios.

D.

implement additional controls.

Buy Now
Questions 232

Of the following, who is responsible for approval when a change in an application system is ready for release to production?

Options:

A.

Information security officer

B.

IT risk manager

C.

Business owner

D.

Chief risk officer (CRO)

Buy Now
Questions 233

Which of the following is the BEST method to ensure a terminated employee's access to IT systems is revoked upon departure from the organization?

Options:

A.

Login attempts are reconciled to a list of terminated employees.

B.

A list of terminated employees is generated for reconciliation against current IT access.

C.

A process to remove employee access during the exit interview is implemented.

D.

The human resources (HR) system automatically revokes system access.

Buy Now
Questions 234

Which of the following would provide the MOST helpful input to develop risk scenarios associated with hosting an organization's key IT applications in a cloud environment?

Options:

A.

Reviewing the results of independent audits

B.

Performing a site visit to the cloud provider's data center

C.

Performing a due diligence review

D.

Conducting a risk workshop with key stakeholders

Buy Now
Questions 235

A highly regulated organization acquired a medical technology startup company that processes sensitive personal information with weak data protection controls. Which of the following is the BEST way for the acquiring company to reduce its risk while still enabling the flexibility needed by the startup company?

Options:

A.

Identify previous data breaches using the startup company’s audit reports.

B.

Have the data privacy officer review the startup company’s data protection policies.

C.

Classify and protect the data according to the parent company's internal standards.

D.

Implement a firewall and isolate the environment from the parent company's network.

Buy Now
Questions 236

Which of the following is the result of a realized risk scenario?

Options:

A.

Technical event

B.

Threat event

C.

Vulnerability event

D.

Loss event

Buy Now
Questions 237

Which of the following is MOST important to the effectiveness of a senior oversight committee for risk monitoring?

Options:

A.

Key risk indicators (KRIs)

B.

Risk governance charter

C.

Organizational risk appetite

D.

Cross-business representation

Buy Now
Questions 238

Which of the following BEST facilitates the mitigation of identified gaps between current and desired risk environment states?

Options:

A.

Develop a risk treatment plan.

B.

Validate organizational risk appetite.

C.

Review results of prior risk assessments.

D.

Include the current and desired states in the risk register.

Buy Now
Questions 239

When developing IT risk scenarios, it is MOST important to consider:

Options:

A.

The industry's threat profile.

B.

Incidents occurring at similar organizations.

C.

System performance thresholds.

D.

Organizational objectives.

Buy Now
Questions 240

Who should be responsible for implementing and maintaining security controls?

Options:

A.

End user

B.

Internal auditor

C.

Data owner

D.

Data custodian

Buy Now
Questions 241

Which of the following is the PRIMARY purpose of periodically reviewing an organization's risk profile?

Options:

A.

Align business objectives with risk appetite.

B.

Enable risk-based decision making.

C.

Design and implement risk response action plans.

D.

Update risk responses in the risk register

Buy Now
Questions 242

A business unit has implemented robotic process automation (RPA) for its

repetitive back-office tasks. Which of the following should be the risk

practitioner's GREATEST concern?

Options:

A.

The security team is unaware of the implementation.

B.

The organization may lose institutional knowledge.

C.

The robots may fail to work effectively.

D.

Virtual clients are used for implementation.

Buy Now
Questions 243

Which of the following is MOST helpful in providing a high-level overview of current IT risk severity*?

Options:

A.

Risk mitigation plans

B.

heat map

C.

Risk appetite statement

D.

Key risk indicators (KRls)

Buy Now
Questions 244

An organization striving to be on the leading edge in regard to risk monitoring would MOST likely implement:

Options:

A.

procedures to monitor the operation of controls.

B.

a tool for monitoring critical activities and controls.

C.

real-time monitoring of risk events and control exceptions.

D.

monitoring activities for all critical assets.

E.

Perform a controls assessment.

Buy Now
Questions 245

To help identify high-risk situations, an organization should:

Options:

A.

continuously monitor the environment.

B.

develop key performance indicators (KPIs).

C.

maintain a risk matrix.

D.

maintain a risk register.

Buy Now
Questions 246

Which of the following is the MAIN benefit to an organization using key risk indicators (KRIs)?

Options:

A.

KRIs provide an early warning that a risk threshold is about to be reached.

B.

KRIs signal that a change in the control environment has occurred.

C.

KRIs provide a basis to set the risk appetite for an organization.

D.

KRIs assist in the preparation of the organization's risk profile.

Buy Now
Questions 247

A peer review of a risk assessment finds that a relevant threat community was not included. Mitigation of the risk will require substantial changes to a software application. Which of the following is the BEST course of action?

Options:

A.

Ask the business to make a budget request to remediate the problem.

B.

Build a business case to remediate the fix.

C.

Research the types of attacks the threat can present.

D.

Determine the impact of the missing threat.

Buy Now
Questions 248

An organization plans to migrate sensitive information to a public cloud infrastructure. Which of the following is the GREATEST security risk in this scenario?

Options:

A.

Data may be commingled with other tenants' data.

B.

System downtime does not meet the organization's thresholds.

C.

The infrastructure will be managed by the public cloud administrator.

D.

The cloud provider is not independently certified.

Buy Now
Questions 249

Which of the following is the BEST success criterion for control implementation?

Options:

A.

Adequate resources are allocated to perform the control.

B.

Responsibilities for control execution are properly defined.

C.

Risk is at an acceptable level after the control is in place.

D.

Key risk indicators (KRIs) for the control are properly defined.

Buy Now
Questions 250

Which of the following provides the MOST insight into an organization's IT threat exposure?

Options:

A.

Industry benchmarks

B.

Risk assessment reports

C.

External audit results

D.

Tabletop exercises

Buy Now
Questions 251

Which of the following will BEST ensure that information security risk factors are mitigated when developing in-house applications?

Options:

A.

Identify information security controls in the requirements analysis

B.

Identify key risk indicators (KRIs) as process output.

C.

Design key performance indicators (KPIs) for security in system specifications.

D.

Include information security control specifications in business cases.

Buy Now
Questions 252

Which of the following would be the GREATEST concern related to data privacy when implementing an Internet of Things (loT) solution that collects personally identifiable information (Pll)?

Options:

A.

A privacy impact assessment has not been completed.

B.

Data encryption methods apply to a subset of Pll obtained.

C.

The data privacy officer was not consulted.

D.

Insufficient access controls are used on the loT devices.

Buy Now
Questions 253

An IT risk threat analysis is BEST used to establish

Options:

A.

risk scenarios

B.

risk maps

C.

risk appetite

D.

risk ownership.

Buy Now
Questions 254

An organization has outsourced a critical process involving highly regulated data to a third party with servers located in a foreign country. Who is accountable for the confidentiality of this data?

Options:

A.

Third-party data custodian

B.

Data custodian

C.

Regional office executive

D.

Data owner

Buy Now
Questions 255

A risk practitioner has just learned about new done FIRST?

Options:

A.

Notify executive management.

B.

Analyze the impact to the organization.

C.

Update the IT risk register.

D.

Design IT risk mitigation plans.

Buy Now
Questions 256

Management has required information security awareness training to reduce the risk associated with credential compromise. What is the BEST way to assess the effectiveness of the training?

Options:

A.

Conduct social engineering testing.

B.

Audit security awareness training materials.

C.

Administer an end-of-training quiz.

D.

Perform a vulnerability assessment.

Buy Now
Questions 257

Who should have the authority to approve an exception to a control?

Options:

A.

information security manager

B.

Control owner

C.

Risk owner

D.

Risk manager

Buy Now
Questions 258

Which of the following is the GREATEST concern if user acceptance testing (UAT) is not conducted when implementing a new application?

Options:

A.

The probability of application defects will increase

B.

Data confidentiality could be compromised

C.

Increase in the use of redundant processes

D.

The application could fail to meet defined business requirements

Buy Now
Questions 259

To ensure key risk indicators (KRIs) are effective and meaningful, the KRIs should be aligned to:

Options:

A.

A control framework

B.

Industry standards

C.

Capability maturity targets

D.

Business processes

Buy Now
Questions 260

Which of the following is MOST important for a risk practitioner to consider when analyzing the risk associated with migrating to a new cloud service provider?

Options:

A.

The cloud service provider's control environment

B.

The complexity of the cloud services

C.

The date of the cloud service provider's last risk assessment

D.

Past incidents related to acquired cloud services

Buy Now
Questions 261

Which of the following is the MOST important consideration when communicating the risk associated with technology end-of-life to business owners?

Options:

A.

Cost and benefit

B.

Security and availability

C.

Maintainability and reliability

D.

Performance and productivity

Buy Now
Questions 262

An organization is participating in an industry benchmarking study that involves providing customer transaction records for analysis Which of the following is the MOST important control to ensure the privacy of customer information?

Options:

A.

Nondisclosure agreements (NDAs)

B.

Data anonymization

C.

Data cleansing

D.

Data encryption

Buy Now
Questions 263

Business management is seeking assurance from the CIO that IT has a plan in place for early identification of potential issues that could impact the delivery of a new application Which of the following is the BEST way to increase the chances of a successful delivery'?

Options:

A.

Implement a release and deployment plan

B.

Conduct comprehensive regression testing.

C.

Develop enterprise-wide key risk indicators (KRls)

D.

Include business management on a weekly risk and issues report

Buy Now
Questions 264

A chief information officer (CIO) has identified risk associated with shadow systems being maintained by business units to address specific functionality gaps in the organization'senterprise resource planning (ERP) system. What is the BEST way to reduce this risk going forward?

Options:

A.

Align applications to business processes.

B.

Implement an enterprise architecture (EA).

C.

Define the software development life cycle (SDLC).

D.

Define enterprise-wide system procurement requirements.

Buy Now
Questions 265

What should a risk practitioner do FIRST when a shadow IT application is identified in a business owner's business impact analysis (BIA)?

Options:

A.

Include the application in the business continuity plan (BCP).

B.

Determine the business purpose of the application.

C.

Segregate the application from the network.

D.

Report the finding to management.

Buy Now
Questions 266

Which of the following is MOST important to the effective monitoring of key risk indicators (KRIS)?

Options:

A.

Updating the threat inventory with new threats

B.

Automating log data analysis

C.

Preventing the generation of false alerts

D.

Determining threshold levels

Buy Now
Questions 267

Which of the following statements BEST describes risk appetite?

Options:

A.

The amount of risk an organization is willing to accept

B.

The effective management of risk and internal control environments

C.

Acceptable variation between risk thresholds and business objectives

D.

The acceptable variation relative to the achievement of objectives

Buy Now
Questions 268

It is MOST important that security controls for a new system be documented in:

Options:

A.

testing requirements

B.

the implementation plan.

C.

System requirements

D.

The security policy

Buy Now
Questions 269

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery test of critical business processes?

Options:

A.

Percentage of job failures identified and resolved during the recovery process

B.

Percentage of processes recovered within the recovery time and point objectives

C.

Number of current test plans and procedures

D.

Number of issues and action items resolved during the recovery test

Buy Now
Questions 270

Accountability for a particular risk is BEST represented in a:

Options:

A.

risk register

B.

risk catalog

C.

risk scenario

D.

RACI matrix

Buy Now
Questions 271

Which of the following activities is PRIMARILY the responsibility of senior management?

Options:

A.

Bottom-up identification of emerging risks

B.

Categorization of risk scenarios against a standard taxonomy

C.

Prioritization of risk scenarios based on severity

D.

Review of external loss data

Buy Now
Questions 272

Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:

Options:

A.

a gap analysis

B.

a root cause analysis.

C.

an impact assessment.

D.

a vulnerability assessment.

Buy Now
Questions 273

Which of the following will provide the BEST measure of compliance with IT policies?

Options:

A.

Evaluate past policy review reports.

B.

Conduct regular independent reviews.

C.

Perform penetration testing.

D.

Test staff on their compliance responsibilities.

Buy Now
Questions 274

The BEST way to determine the likelihood of a system availability risk scenario is by assessing the:

Options:

A.

availability of fault tolerant software.

B.

strategic plan for business growth.

C.

vulnerability scan results of critical systems.

D.

redundancy of technical infrastructure.

Buy Now
Questions 275

Which of the following is the GREATEST concern associated with the lack of proper control monitoring?

Options:

A.

There is potential for an increase in audit findings

B.

Key performance indicators (KPIs) may not be reliable

C.

The potential for risk realization is increased

D.

Control inefficiencies may go undetected

Buy Now
Questions 276

Which of the following is MOST helpful in verifying that the implementation of a risk mitigation control has been completed as intended?

Options:

A.

An updated risk register

B.

Risk assessment results

C.

Technical control validation

D.

Control testing results

Buy Now
Questions 277

Which of the following is a risk practitioner's BEST recommendation to address an organization's need to secure multiple systems with limited IT resources?

Options:

A.

Apply available security patches.

B.

Schedule a penetration test.

C.

Conduct a business impact analysis (BIA)

D.

Perform a vulnerability analysis.

Buy Now
Questions 278

Which of the following is the MOST useful indicator to measure the efficiency of an identity and access management process?

Options:

A.

Number of tickets for provisioning new accounts

B.

Average time to provision user accounts

C.

Password reset volume per month

D.

Average account lockout time

Buy Now
Questions 279

Which of the following should a risk practitioner review FIRST when evaluating risk events associated with the organization's data flow model?

Options:

A.

Results of data classification activities

B.

Recent changes to enterprise architecture (EA)

C.

High-level network diagrams

D.

Notes from interviews with the data owners

Buy Now
Questions 280

Which of the following risk register updates is MOST important for senior management to review?

Options:

A.

Extending the date of a future action plan by two months

B.

Retiring a risk scenario no longer used

C.

Avoiding a risk that was previously accepted

D.

Changing a risk owner

Buy Now
Questions 281

Which of the following is the BEST way to address a board's concern about the organization's current cybersecurity posture?

Options:

A.

Increase the frequency of vulnerability testing.

B.

Assess security capabilities against an industry framework

C.

Update security risk scenarios.

D.

Create a new security risk officer role.

Buy Now
Questions 282

A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:

Options:

A.

updating the risk register.

B.

validating the risk scenarios.

C.

documenting the risk scenarios.

D.

identifying risk mitigation controls.

Buy Now
Questions 283

Which of the following is MOST important for a risk practitioner to consider when evaluating plans for changes to IT services?

Options:

A.

Change testing schedule

B.

Impact assessment of the change

C.

Change communication plan

D.

User acceptance testing (UAT)

Buy Now
Questions 284

Which of the following is a PRIMARY benefit to an organization that is using threat intelligence?

Options:

A.

Timely insight into potential threats

B.

Automated vulnerability management

C.

Accurate threat information

D.

Verification of threat information

Buy Now
Questions 285

Which of the following is the ULTIMATE objective of utilizing key control indicators (KCIs) in the risk management process?

Options:

A.

To provide a basis for determining the criticality of risk mitigation controls

B.

To provide early warning signs of a potential change in risk level

C.

To provide benchmarks for assessing control design effectiveness against industry peers

D.

To provide insight into the effectiveness of the intemnal control environment

Buy Now
Questions 286

Which of the following is the MOST important consideration when identifying stakeholders to review risk scenarios developed by a risk analyst? The reviewers are:

Options:

A.

accountable for the affected processes.

B.

members of senior management.

C.

authorized to select risk mitigation options.

D.

independent from the business operations.

Buy Now
Questions 287

The MAIN purpose of a risk register is to:

Options:

A.

document the risk universe of the organization.

B.

promote an understanding of risk across the organization.

C.

enable well-informed risk management decisions.

D.

identify stakeholders associated with risk scenarios.

Buy Now
Questions 288

Zero Trust architecture is designed and deployed with adherence to which of the following basic tenets?

Options:

A.

Incoming traffic must be inspected before connection is established.

B.

Security frameworks and libraries should be leveraged.

C.

Digital identities should be implemented.

D.

All communication is secured regardless of network location.

Buy Now
Questions 289

An organization has restructured its business processes, and the business continuity plan (BCP) needs to be revised accordingly. Which of the following should be identified FIRST?

Options:

A.

Variances in recovery times

B.

Ownership assignment for controls

C.

New potentially disruptive scenarios

D.

Contractual changes with customers

Buy Now
Questions 290

Which of the following BEST supports the management of identified risk scenarios?

Options:

A.

Collecting risk event data

B.

Maintaining a risk register

C.

Using key risk indicators (KRIs)

D.

Defining risk parameters

Buy Now
Questions 291

Which group has PRIMARY ownership of reputational risk stemming from unethical behavior within the organization?

Options:

A.

Board of directors

B.

Human resources (HR)

C.

Risk management committee

D.

Audit committee

Buy Now
Questions 292

Which of the following is the PRIMARY purpose for ensuring senior management understands the organization’s risk universe in relation to the IT risk management program?

Options:

A.

To define effective enterprise IT risk appetite and tolerance levels

B.

To execute the IT risk management strategy in support of business objectives

C.

To establish business-aligned IT risk management organizational structures

D.

To assess the capabilities and maturity of the organization’s IT risk management efforts

Buy Now
Questions 293

Which of the following is the MOST effective control to maintain the integrity of system configuration files?

Options:

A.

Recording changes to configuration files

B.

Implementing automated vulnerability scanning

C.

Restricting access to configuration documentation

D.

Monitoring against the configuration standard

Buy Now
Questions 294

A risk register BEST facilitates which of the following risk management functions?

Options:

A.

Analyzing the organization's risk appetite

B.

Influencing the risk culture of the organization

C.

Reviewing relevant risk scenarios with stakeholders

D.

Articulating senior management's intent

Buy Now
Questions 295

Which of the following would MOST likely result in updates to an IT risk appetite statement?

Options:

A.

External audit findings

B.

Feedback from focus groups

C.

Self-assessment reports

D.

Changes in senior management

Buy Now
Questions 296

Which of the following is the BEST way to address IT regulatory compliance risk?

Options:

A.

Assign highest priority to remediation of related risk scenarios.

B.

Prevent acceptance of related risk scenarios.

C.

Conduct specialized business impact analyses (BIAs).

D.

Manage risk like other types of operational risk.

Buy Now
Questions 297

Which of the following tools is MOST effective in identifying trends in the IT risk profile?

Options:

A.

Risk self-assessment

B.

Risk register

C.

Risk dashboard

D.

Risk map

Buy Now
Questions 298

Which of the following BEST represents a critical threshold value for a key control indicator (KCI)?

Options:

A.

The value at which control effectiveness would fail

B.

Thresholds benchmarked to peer organizations

C.

A typical operational value

D.

A value that represents the intended control state

Buy Now
Questions 299

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability management process?

Options:

A.

Percentage of vulnerabilities remediated within the agreed service level

B.

Number of vulnerabilities identified during the period

C.

Number of vulnerabilities re-opened during the period

D.

Percentage of vulnerabilities escalated to senior management

Buy Now
Questions 300

Which of the following will BEST help ensure that risk factors identified during an information systems review are addressed?

Options:

A.

Informing business process owners of the risk

B.

Reviewing and updating the risk register

C.

Assigning action items and deadlines to specific individuals

D.

Implementing new control technologies

Buy Now
Questions 301

What would be MOST helpful to ensuring the effective implementation of a new cybersecurity program?

Options:

A.

Creating metrics to report the number of security incidents

B.

Hiring subject matter experts for the program

C.

Establishing a budget for additional resources

D.

Assigning clear ownership of the program

Buy Now
Questions 302

During the internal review of an accounts payable process, a risk practitioner determines that the transaction approval limits configured in the system are not being enforced. Which of the following should be done NEXT?

Options:

A.

Identify the extent of the approval limit violations.

B.

Notify senior management of the system deficiency.

C.

Update the risk register with higher risk likelihood of violation.

D.

Remind users of the importance of adhering to approval limits.

Buy Now
Questions 303

Which of the following should be done FIRST when a new risk scenario has been identified

Options:

A.

Estimate the residual risk.

B.

Establish key risk indicators (KRIs).

C.

Design control improvements.

D.

Identify the risk owner.

Buy Now
Questions 304

A root because analysis indicates a major service disruption due to a lack of competency of newly hired IT system administrators Who should be accountable for resolving the situation?

Options:

A.

HR training director

B.

Business process owner

C.

HR recruitment manager

D.

Chief information officer (CIO)

Buy Now
Questions 305

Which of the following is the BEST way to mitigate the risk to IT infrastructure availability?

Options:

A.

Establishing a disaster recovery plan (DRP)

B.

Establishing recovery time objectives (RTOs)

C.

Maintaining a current list of staff contact delays

D.

Maintaining a risk register

Buy Now
Questions 306

Which of the following will be the GREATEST concern when assessing the risk profile of an organization?

Options:

A.

The risk profile was not updated after a recent incident

B.

The risk profile was developed without using industry standards.

C.

The risk profile was last reviewed two years ago.

D.

The risk profile does not contain historical loss data.

Buy Now
Questions 307

Which of the following is MOST helpful in identifying loss magnitude during risk analysis of a new system?

Options:

A.

Recovery time objective (RTO)

B.

Cost-benefit analysis

C.

Business impact analysis (BIA)

D.

Cyber insurance coverage

Buy Now
Questions 308

A risk practitioner discovers that an IT operations team manager bypassed web filtering controls by using a mobile device, in violation of the network security policy. Which of the following should the risk practitioner do FIRST?

Options:

A.

Report the incident.

B.

Plan a security awareness session.

C.

Assess the new risk.

D.

Update the risk register.

Buy Now
Questions 309

An organization wants to launch a campaign to advertise a new product Using data analytics, the campaign can be targeted to reach potential customers. Which of the following should be of GREATEST concern to the risk practitioner?

Options:

A.

Data minimization

B.

Accountability

C.

Accuracy

D.

Purpose limitation

Buy Now
Questions 310

Which of the following is the BEST indication that key risk indicators (KRIs) should be revised?

Options:

A.

An increase in the number of risk threshold exceptions

B.

An increase in the number of change events pending management review

C.

A decrease in the number of key performance indicators (KPIs)

D.

A decrease in the number of critical assets covered by risk thresholds

Buy Now
Questions 311

Which of the following MUST be updated to maintain an IT risk register?

Options:

A.

Expected frequency and potential impact

B.

Risk tolerance

C.

Enterprise-wide IT risk assessment

D.

Risk appetite

Buy Now
Questions 312

Which of the following attributes of a key risk indicator (KRI) is MOST important?

Options:

A.

Repeatable

B.

Automated

C.

Quantitative

D.

Qualitative

Buy Now
Questions 313

An organization has implemented immutable backups to prevent successful ransomware attacks. Which of the following is the MOST effective control for the risk practitioner to review?

Options:

A.

Data recovery testing of the backups

B.

Physical security of the backups

C.

Configuration of the backup solution

D.

Retention policy for the backups

Buy Now
Questions 314

Which of the following BEST facilitates the identification of emerging risk?

Options:

A.

Performing scenario-based assessments

B.

Reviewing audit reports annually

C.

Conducting root cause analyses

D.

Engaging a risk-focused audit team

Buy Now
Questions 315

Which of the following is the BEST method to mitigate the risk of an unauthorized employee viewing confidential data in a database''

Options:

A.

Implement role-based access control

B.

Implement a data masking process

C.

Include sanctions in nondisclosure agreements (NDAs)

D.

Install a data loss prevention (DLP) tool

Buy Now
Questions 316

A key risk indicator (KRI) that incorporates data from external open-source threat intelligence sources has shown changes in risk trend data. Which of the following is MOST important to update in the risk register?

Options:

A.

Impact of risk occurrence

B.

Frequency of risk occurrence

C.

Cost of risk response

D.

Legal aspects of risk realization

Buy Now
Questions 317

Which of the following MOST effectively limits the impact of a ransomware attack?

Options:

A.

Cyber insurance

B.

Cryptocurrency reserve

C.

Data backups

D.

End user training

Buy Now
Questions 318

The software version of an enterprise's critical business application has reached end-of-life and is no longer supported by the vendor. IT has decided to develop an in-house replacement application. Which of the following should be the PRIMARY concern?

Options:

A.

The system documentation is not available.

B.

Enterprise risk management (ERM) has not approved the decision.

C.

The board of directors has not approved the decision.

D.

The business process owner is not an active participant.

Buy Now
Questions 319

The MAIN purpose of conducting a control self-assessment (CSA) is to:

Options:

A.

gain a better understanding of the control effectiveness in the organization

B.

gain a better understanding of the risk in the organization

C.

adjust the controls prior to an external audit

D.

reduce the dependency on external audits

Buy Now
Questions 320

Which of the following is MOST important to understand when developing key risk indicators (KRIs)?

Options:

A.

KRI thresholds

B.

Integrity of the source data

C.

Control environment

D.

Stakeholder requirements

Buy Now
Questions 321

Which of the following would be MOST helpful when estimating the likelihood of negative events?

Options:

A.

Business impact analysis

B.

Threat analysis

C.

Risk response analysis

D.

Cost-benefit analysis

Buy Now
Questions 322

During a risk treatment plan review, a risk practitioner finds the approved risk action plan has not been completed However, there were other risk mitigation actions implemented. Which of the fallowing is the BEST course of action?

Options:

A.

Review the cost-benefit of mitigating controls

B.

Mark the risk status as unresolved within the risk register

C.

Verify the sufficiency of mitigating controls with the risk owner

D.

Update the risk register with implemented mitigating actions

Buy Now
Questions 323

Which of the following would MOST likely drive the need to review and update key performance indicators (KPIs) for critical IT assets?

Options:

A.

The outsourcing of related IT processes

B.

Outcomes of periodic risk assessments

C.

Changes in service level objectives

D.

Findings from continuous monitoring

Buy Now
Questions 324

Which of the following is the PRIMARY reason to use key control indicators (KCIs) to evaluate control operating effectiveness?

Options:

A.

To measure business exposure to risk

B.

To identify control vulnerabilities

C.

To monitor the achievement of set objectives

D.

To raise awareness of operational issues

Buy Now
Questions 325

The GREATEST concern when maintaining a risk register is that:

Options:

A.

impacts are recorded in qualitative terms.

B.

executive management does not perform periodic reviews.

C.

IT risk is not linked with IT assets.

D.

significant changes in risk factors are excluded.

Buy Now
Questions 326

Which of the following would be the GREATEST risk associated with a new implementation of single sign-on?

Options:

A.

Inability to access key information

B.

Complex security administration

C.

User resistance to single sign-on

D.

Single point of failure

Buy Now
Questions 327

While conducting an organization-wide risk assessment, it is noted that many of the information security policies have not changed in the past three years. The BEST course of action is to:

Options:

A.

review and update the policies to align with industry standards.

B.

determine that the policies should be updated annually.

C.

report that the policies are adequate and do not need to be updated frequently.

D.

review the policies against current needs to determine adequacy.

Buy Now
Questions 328

Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?

Options:

A.

Perform an in-depth code review with an expert

B.

Validate functionality by running in a test environment

C.

Implement a service level agreement.

D.

Utilize the change management process.

Buy Now
Questions 329

Which of the following should be the PRIMARY goal of developing information security metrics?

Options:

A.

Raising security awareness

B.

Enabling continuous improvement

C.

Identifying security threats

D.

Ensuring regulatory compliance

Buy Now
Questions 330

What should be the PRIMARY consideration related to data privacy protection when there are plans for a business initiative to make use of personal information?

Options:

A.

Do not collect or retain data that is not needed.

B.

Redact data where possible.

C.

Limit access to the personal data.

D.

Ensure all data is encrypted at rest and during transit.

Buy Now
Questions 331

A risk practitioner has just learned about new malware that has severely impacted industry peers worldwide data loss?

Options:

A.

Customer database manager

B.

Customer data custodian

C.

Data privacy officer

D.

Audit committee

Buy Now
Questions 332

Which of the following risk management practices BEST facilitates the incorporation of IT risk scenarios into the enterprise-wide risk register?

Options:

A.

Key risk indicators (KRls) are developed for key IT risk scenarios

B.

IT risk scenarios are assessed by the enterprise risk management team

C.

Risk appetites for IT risk scenarios are approved by key business stakeholders.

D.

IT risk scenarios are developed in the context of organizational objectives.

Buy Now
Questions 333

Which of the following would MOST likely cause a risk practitioner to reassess risk scenarios?

Options:

A.

A change in the risk management policy

B.

A major security incident

C.

A change in the regulatory environment

D.

An increase in intrusion attempts

Buy Now
Questions 334

Which of the following is the MOST important benefit of implementing a data classification program?

Options:

A.

Reduction in data complexity

B.

Reduction in processing times

C.

Identification of appropriate ownership

D.

Identification of appropriate controls

Buy Now
Questions 335

Which of the following is the PRIMARY advantage of having a single integrated business continuity plan (BCP) rather than each business unit developing its own BCP?

Options:

A.

It provides assurance of timely business process response and effectiveness.

B.

It supports effective use of resources and provides reasonable confidence of recoverability.

C.

It enables effective BCP maintenance and updates to reflect organizational changes.

D.

It decreases the risk of downtime and operational losses in the event of a disruption.

Buy Now
Questions 336

An IT department has provided a shared drive for personnel to store information to which all employees have access. Which of the following parties is accountable for the risk of potential loss of confidential information?

Options:

A.

Risk manager

B.

Data owner

C.

End user

D.

IT department

Buy Now
Questions 337

Which of the following should be a risk practitioner's GREATEST concern upon learning of failures in a data migration activity?

Options:

A.

Availability of test data

B.

Integrity of data

C.

Cost overruns

D.

System performance

Buy Now
Questions 338

Which of the following would be MOST useful to management when allocating resources to mitigate risk to the organization?

Options:

A.

Risk assessments

B.

Control self-assessments (CSAs)

C.

Risk-based audits

D.

Vulnerability analysis

Buy Now
Questions 339

Which of the following is the MOST important consideration for protecting data assets m a Business application system?

Options:

A.

Application controls are aligned with data classification lutes

B.

Application users are periodically trained on proper data handling practices

C.

Encrypted communication is established between applications and data servers

D.

Offsite encrypted backups are automatically created by the application

Buy Now
Questions 340

Options:

A.

Some risk remediation activities from the last assessment are still in progress.

B.

The risk scenarios have never been updated.

C.

The risk scenario development process was led by an external consultant.

D.

The number of risk scenarios is very high.

Buy Now
Questions 341

When of the following 15 MOST important when developing a business case for a proposed security investment?

Options:

A.

identification of control requirements

B.

Alignment to business objectives

C.

Consideration of new business strategies

D.

inclusion of strategy for regulatory compliance

Buy Now
Questions 342

Which of the following provides the BEST evidence that robust risk management practices are in place within an organization?

Options:

A.

A management-approved risk dashboard

B.

A current control framework

C.

A regularly updated risk register

D.

Regularly updated risk management procedures

Buy Now
Questions 343

Which of the following would be MOST relevant to stakeholders regarding ineffective control implementation?

Options:

A.

Threat to IT

B.

Number of control failures

C.

Impact on business

D.

Risk ownership

Buy Now
Questions 344

Which of the following is the MOST important reason for a risk practitioner to identify stakeholders for each IT risk scenario?

Options:

A.

To ensure enterprise-wide risk management

B.

To establish control ownership

C.

To enable a comprehensive view of risk

D.

To identify key risk indicators (KRIs)

Buy Now
Questions 345

The BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability remediation program is the number of:

Options:

A.

vulnerability scans.

B.

recurring vulnerabilities.

C.

vulnerabilities remediated,

D.

new vulnerabilities identified.

Buy Now
Questions 346

Risk appetite should be PRIMARILY driven by which of the following?

Options:

A.

Enterprise security architecture roadmap

B.

Stakeholder requirements

C.

Legal and regulatory requirements

D.

Business impact analysis (BIA)

Buy Now
Questions 347

Which of the following is the GREATEST concern when establishing key risk indicators (KRIs)?

Options:

A.

High percentage of lagging indicators

B.

Nonexistent benchmark analysis

C.

Incomplete documentation for KRI monitoring

D.

Ineffective methods to assess risk

Buy Now
Questions 348

Prudent business practice requires that risk appetite not exceed:

Options:

A.

inherent risk.

B.

risk tolerance.

C.

risk capacity.

D.

residual risk.

Buy Now
Questions 349

Which of the following should a risk practitioner recommend be done prior to disposal of server hardware containing confidential data?

Options:

A.

Destroy the hard drives.

B.

Encrypt the backup.

C.

Update the asset inventory.

D.

Remove all user access.

Buy Now
Questions 350

A risk practitioner is reviewing the status of an action plan to mitigate an emerging IT risk and finds the risk level has increased. The BEST course of action would be to:

Options:

A.

implement the planned controls and accept the remaining risk.

B.

suspend the current action plan in order to reassess the risk.

C.

revise the action plan to include additional mitigating controls.

D.

evaluate whether selected controls are still appropriate.

Buy Now
Questions 351

Whether the results of risk analyses should be presented in quantitative or qualitative terms should be based PRIMARILY on the:

Options:

A.

requirements of management.

B.

specific risk analysis framework being used.

C.

organizational risk tolerance

D.

results of the risk assessment.

Buy Now
Questions 352

Which of the following describes the relationship between risk appetite and risk tolerance?

Options:

A.

Risk appetite is completely independent of risk tolerance.

B.

Risk tolerance is used to determine risk appetite.

C.

Risk appetite and risk tolerance are synonymous.

D.

Risk tolerance may exceed risk appetite.

Buy Now
Questions 353

Which of the following should be done FIRST upon learning that the organization will be affected by a new regulation in its industry?

Options:

A.

Transfer the risk.

B.

Perform a gap analysis.

C.

Determine risk appetite for the new regulation.

D.

Implement specific monitoring controls.

Buy Now
Questions 354

A risk practitioner identifies a database application that has been developed and implemented by the business independently of IT. Which of the following is the BEST course of action?

Options:

A.

Escalate the concern to senior management.

B.

Document the reasons for the exception.

C.

Include the application in IT risk assessments.

D.

Propose that the application be transferred to IT.

Buy Now
Questions 355

It was discovered that a service provider's administrator was accessing sensitive information without the approval of the customer in an Infrastructure as a Service (laaS) model. Which of the following would BEST protect against a future recurrence?

Options:

A.

Data encryption

B.

Intrusion prevention system (IPS)

C.

Two-factor authentication

D.

Contractual requirements

Buy Now
Questions 356

After an annual risk assessment is completed, which of the following would be MOST important to communicate to stakeholders?

Options:

A.

A decrease in threats

B.

A change in the risk profile

C.

An increase in reported vulnerabilities

D.

An increase in identified risk scenarios

Buy Now
Questions 357

Which of the following provides the BEST evidence of the effectiveness of an organization's account provisioning process?

Options:

A.

User provisioning

B.

Role-based access controls

C.

Security log monitoring

D.

Entitlement reviews

Buy Now
Questions 358

Which of the following actions should a risk practitioner do NEXT when an increased industry trend of external cyber attacks is identified?

Options:

A.

Conduct a threat and vulnerability analysis.

B.

Notify senior management of the new risk scenario.

C.

Update the risk impact rating in the risk register.

D.

Update the key risk indicator (KRI) in the risk register.

Buy Now
Questions 359

Which of the following is the MOST effective way to help ensure future risk levels do not exceed the organization's risk appetite?

Options:

A.

Establishing a series of key risk indicators (KRIs).

B.

Adding risk triggers to entries in the risk register.

C.

Implementing key performance indicators (KPIs).

D.

Developing contingency plans for key processes.

Buy Now
Questions 360

Which of the following should be the risk practitioner's FIRST course of action when an organization plans to adopt a cloud computing strategy?

Options:

A.

Request a budget for implementation

B.

Conduct a threat analysis.

C.

Create a cloud computing policy.

D.

Perform a controls assessment.

Buy Now
Questions 361

Which of the following is the MOST important factor when deciding on a control to mitigate risk exposure?

Options:

A.

Relevance to the business process

B.

Regulatory compliance requirements

C.

Cost-benefit analysis

D.

Comparison against best practice

Buy Now
Questions 362

Senior management is deciding whether to share confidential data with the organization's business partners. The BEST course of action for a risk practitioner would be to submit a report to senior management containing the:

Options:

A.

possible risk and suggested mitigation plans.

B.

design of controls to encrypt the data to be shared.

C.

project plan for classification of the data.

D.

summary of data protection and privacy legislation.

Buy Now
Questions 363

An organization's chief information officer (CIO) has proposed investing in a new. untested technology to take advantage of being first to market Senior management has concerns about the success of the project and has set a limit for expenditures before final approval. This conditional approval indicates the organization's risk:

Options:

A.

capacity.

B.

appetite.

C.

management capability.

D.

treatment strategy.

Buy Now
Questions 364

A vendor's planned maintenance schedule will cause a critical application to temporarily lose failover capabilities. Of the following, who should approve this proposed schedule?

Options:

A.

IT infrastructure manager

B.

Chief Risk Officer (CRO)

C.

Business continuity manager

D.

Business application owner

Buy Now
Questions 365

Which of the following is MOST important for senior management to review during an acquisition?

Options:

A.

Risk appetite and tolerance

B.

Risk framework and methodology

C.

Key risk indicator (KRI) thresholds

D.

Risk communication plan

Buy Now
Questions 366

Reviewing which of the following provides the BEST indication of an organizations risk tolerance?

Options:

A.

Risk sharing strategy

B.

Risk transfer agreements

C.

Risk policies

D.

Risk assessments

Buy Now
Questions 367

Who is PRIMARILY accountable for identifying risk on a daily basis and ensuring adherence to the organization's policies?

Options:

A.

Third line of defense

B.

Line of defense subject matter experts

C.

Second line of defense

D.

First line of defense

Buy Now
Questions 368

A risk practitioner discovers several key documents detailing the design of a product currently in development have been posted on the Internet. What should be the risk practitioner's FIRST course of action?

Options:

A.

invoke the established incident response plan.

B.

Inform internal audit.

C.

Perform a root cause analysis

D.

Conduct an immediate risk assessment

Buy Now
Questions 369

Which of the following presents the GREATEST concern associated with the

use of artificial intelligence (Al) systems?

Options:

A.

Al systems need to be available continuously.

B.

Al systems can be affected by bias.

C.

Al systems are expensive to maintain.

D.

Al systems can provide false positives.

Buy Now
Questions 370

When developing risk scenario using a list of generic scenarios based on industry best practices, it is MOST imported to:

Options:

A.

Assess generic risk scenarios with business users.

B.

Validate the generic risk scenarios for relevance.

C.

Select the maximum possible risk scenarios from the list.

D.

Identify common threats causing generic risk scenarios

Buy Now
Questions 371

In addition to the risk register, what should a risk practitioner review to develop an understanding of the organization's risk profile?

Options:

A.

The control catalog

B.

The asset profile

C.

Business objectives

D.

Key risk indicators (KRls)

Buy Now
Questions 372

Which of the following facilitates a completely independent review of test results for evaluating control effectiveness?

Options:

A.

Segregation of duties

B.

Three lines of defense

C.

Compliance review

D.

Quality assurance review

Buy Now
Questions 373

What is the MAIN benefit of using a top-down approach to develop risk scenarios?

Options:

A.

It describes risk events specific to technology used by the enterprise.

B.

It establishes the relationship between risk events and organizational objectives.

C.

It uses hypothetical and generic risk events specific to the enterprise.

D.

It helps management and the risk practitioner to refine risk scenarios.

Buy Now
Questions 374

Which of the following will BEST help to ensure that information system controls are effective?

Options:

A.

Responding promptly to control exceptions

B.

Implementing compensating controls

C.

Testing controls periodically

D.

Automating manual controls

Buy Now
Questions 375

A business manager wants to leverage an existing approved vendor solution from another area within the organization. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Recommend allowing the new usage based on prior approval.

B.

Request a new third-party review.

C.

Request revalidation of the original use case.

D.

Assess the risk associated with the new use case.

Buy Now
Questions 376

An organization has been experiencing an increasing number of spear phishing attacks Which of the following would be the MOST effective way to mitigate the risk associated with these attacks?

Options:

A.

Update firewall configuration

B.

Require strong password complexity

C.

implement a security awareness program

D.

Implement two-factor authentication

Buy Now
Questions 377

Which of the following should be a risk practitioner's PRIMARY focus when tasked with ensuring organization records are being retained for a sufficient period of time to meet legal obligations?

Options:

A.

Data duplication processes

B.

Data archival processes

C.

Data anonymization processes

D.

Data protection processes

Buy Now
Questions 378

Which of the following provides the BEST protection for Internet of Things (loT) devices that are accessed within an organization?

Options:

A.

Identity and access management (IAM)

B.

Comprehensive patching program

C.

Source code reviews

D.

Adoption of a defense-in-depth strategy

Buy Now
Questions 379

Which of the following is the PRIMARY reason for a risk practitioner to use global standards related to risk management?

Options:

A.

To build an organizational risk-aware culture

B.

To continuously improve risk management processes

C.

To comply with legal and regulatory requirements

D.

To identify gaps in risk management practices

Buy Now
Questions 380

Which of the following would provide executive management with the BEST information to make risk decisions as a result of a risk assessment?

Options:

A.

A companion of risk assessment results to the desired state

B.

A quantitative presentation of risk assessment results

C.

An assessment of organizational maturity levels and readiness

D.

A qualitative presentation of risk assessment results

Buy Now
Questions 381

Which of the following is the BEST control for a large organization to implement to effectively mitigate risk related to fraudulent transactions?

Options:

A.

Segregation of duties

B.

Monetary approval limits

C.

Clear roles and responsibilities

D.

Password policies

Buy Now
Questions 382

Upon learning that the number of failed back-up attempts continually exceeds the current risk threshold, the risk practitioner should:

Options:

A.

inquire about the status of any planned corrective actions

B.

keep monitoring the situation as there is evidence that this is normal

C.

adjust the risk threshold to better reflect actual performance

D.

initiate corrective action to address the known deficiency

Buy Now
Questions 383

A penetration testing team discovered an ineffectively designed access control. Who is responsible for ensuring the control design gap is remediated?

Options:

A.

Control owner

B.

Risk owner

C.

IT security manager

D.

Control operator

Buy Now
Questions 384

Which of the following emerging technologies is frequently used for botnet distributed denial of service (DDoS) attacks?

Options:

A.

Internet of Things (IoT)

B.

Quantum computing

C.

Virtual reality (VR)

D.

Machine learning

Buy Now
Questions 385

Which of the following is the MOST effective way to reduce potential losses due to ongoing expense fraud?

Options:

A.

Implement user access controls

B.

Perform regular internal audits

C.

Develop and communicate fraud prevention policies

D.

Conduct fraud prevention awareness training.

Buy Now
Questions 386

A risk practitioner notices that a particular key risk indicator (KRI) has remained below its established trigger point for an extended period of time. Which of the following should be done FIRST?

Options:

A.

Recommend a re-evaluation of the current threshold of the KRI.

B.

Notify management that KRIs are being effectively managed.

C.

Update the risk rating associated with the KRI In the risk register.

D.

Update the risk tolerance and risk appetite to better align to the KRI.

Buy Now
Questions 387

A new international data privacy regulation requires personal data to be

disposed after the specified retention period, which is different from the local

regulatory requirement. Which of the following is the risk practitioner's

BEST course of action?

Options:

A.

The application code has not been version controlled.

B.

Knowledge of the applications is limited to few employees.

C.

An IT project manager is not assigned to oversee development.

D.

Controls are not applied to the applications.

Buy Now
Questions 388

It is MOST important for a risk practitioner to have an awareness of an organization s processes in order to:

Options:

A.

perform a business impact analysis.

B.

identify potential sources of risk.

C.

establish risk guidelines.

D.

understand control design.

Buy Now
Questions 389

Which of the following is the PRIMARY role of the first line of defense with respect to information security policies?

Options:

A.

Draft the information security policy.

B.

Approve the information security policy.

C.

Audit the implementation of the information security policy.

D.

Implement controls in response to the policy requirements.

Buy Now
Questions 390

A risk practitioner has been asked to assess the risk associated with a new critical application used by a financial process team that the risk practitioner was a member of two years ago. Which of the following is the GREATEST concern with this request?

Options:

A.

The risk assessment team may be overly confident of its ability to identify issues.

B.

The risk practitioner may be unfamiliar with recent application and process changes.

C.

The risk practitioner may still have access rights to the financial system.

D.

Participation in the risk assessment may constitute a conflict of interest.

Buy Now
Questions 391

Key risk indicators (KRIs) are MOST useful during which of the following risk management phases?

Options:

A.

Monitoring

B.

Analysis

C.

Identification

D.

Response selection

Buy Now
Questions 392

Which of the following is the PRIMARY advantage of aligning generic risk scenarios with business objectives?

Options:

A.

It establishes where controls should be implemented.

B.

It ensures relevance to the organization.

C.

It quantifies the materiality of any losses that may occur.

D.

It provides better estimates of the impact of current threats.

Buy Now
Questions 393

Which of the following should a risk practitioner recommend FIRST when an increasing trend of risk events and subsequent losses has been identified?

Options:

A.

Conduct root cause analyses for risk events.

B.

Educate personnel on risk mitigation strategies.

C.

Integrate the risk event and incident management processes.

D.

Implement controls to prevent future risk events.

Buy Now
Questions 394

The MAIN purpose of having a documented risk profile is to:

Options:

A.

comply with external and internal requirements.

B.

enable well-informed decision making.

C.

prioritize investment projects.

D.

keep the risk register up-to-date.

Buy Now
Questions 395

Which of the following is MOST commonly compared against the risk appetite?

Options:

A.

IT risk

B.

Inherent risk

C.

Financial risk

D.

Residual risk

Buy Now
Questions 396

Options:

A.

Recovery point objective (RPO) of 48 hours

B.

Recovery time objective (RTO) of 48 hours

C.

Mean time between failures (MTBF) of 48 hours

D.

Mean time to recover (MTTR) of 48 hours

Buy Now
Questions 397

An organization has agreed to a 99% availability for its online services and will not accept availability that falls below 98.5%. This is an example of:

Options:

A.

risk mitigation.

B.

risk evaluation.

C.

risk appetite.

D.

risk tolerance.

Buy Now
Questions 398

Several newly identified risk scenarios are being integrated into an organization's risk register. The MOST appropriate risk owner would be the individual who:

Options:

A.

is in charge of information security.

B.

is responsible for enterprise risk management (ERM)

C.

can implement remediation action plans.

D.

is accountable for loss if the risk materializes.

Buy Now
Questions 399

A risk practitioner recently discovered that personal information from the production environment is required for testing purposes in non-production environments. Which of the following is the BEST recommendation to address this situation?

Options:

A.

Enable data encryption in the test environment.

B.

Prevent the use of production data in the test environment

C.

De-identify data before being transferred to the test environment.

D.

Enforce multi-factor authentication within the test environment.

Buy Now
Questions 400

Which of the following is the MOST important data attribute of key risk indicators (KRIs)?

Options:

A.

The data is measurable.

B.

The data is calculated continuously.

C.

The data is relevant.

D.

The data is automatically produced.

Buy Now
Questions 401

An organization is planning to acquire a new financial system. Which of the following stakeholders would provide the MOST relevant information for analyzing the risk associated with the new IT solution?

Options:

A.

Project sponsor

B.

Process owner

C.

Risk manager

D.

Internal auditor

Buy Now
Questions 402

Which of the following BEST reduces the likelihood of employees unintentionally disclosing sensitive information to outside parties?

Options:

A.

Regular employee security awareness training

B.

Sensitive information classification and handling policies

C.

Anti-malware controls on endpoint devices

D.

An egress intrusion detection system (IDS)

Buy Now
Questions 403

Which of the following approaches MOST effectively enables accountability for data protection?

Options:

A.

Establishing ownership for data within applications and systems

B.

Establishing discipline for policy violations by data owners

C.

Implementing data protection policies across the organization

D.

Conducting data protection awareness and training campaigns

Buy Now
Questions 404

Which of the following BEST enables a risk practitioner to identify the consequences of losing critical resources due to a disaster?

Options:

A.

Risk management action plans

B.

Business impact analysis (BIA)

C.

What-if technique

D.

Tabletop exercise results

Buy Now
Questions 405

A MAJOR advantage of using key risk indicators (KRIs) is that they:

Options:

A.

Identify scenarios that exceed defined risk appetite.

B.

Help with internal control assessments concerning risk appetite.

C.

Assess risk scenarios that exceed defined thresholds.

D.

Identify when risk exceeds defined thresholds.

Buy Now
Questions 406

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery plan (DRP)?

Options:

A.

Number of users that participated in the DRP testing

B.

Number of issues identified during DRP testing

C.

Percentage of applications that met the RTO during DRP testing

D.

Percentage of issues resolved as a result of DRP testing

Buy Now
Questions 407

Which of the following is the BEST method to identify unnecessary controls?

Options:

A.

Evaluating the impact of removing existing controls

B.

Evaluating existing controls against audit requirements

C.

Reviewing system functionalities associated with business processes

D.

Monitoring existing key risk indicators (KRIs)

Buy Now
Questions 408

Which of the following BEST facilitates the identification of appropriate key performance indicators (KPIs) for a risk management program?

Options:

A.

Reviewing control objectives

B.

Aligning with industry best practices

C.

Consulting risk owners

D.

Evaluating KPIs in accordance with risk appetite

Buy Now
Questions 409

Which of the following is the PRIMARY reason to establish the root cause of an IT security incident?

Options:

A.

Prepare a report for senior management.

B.

Assign responsibility and accountability for the incident.

C.

Update the risk register.

D.

Avoid recurrence of the incident.

Buy Now
Questions 410

Which of the following is the GREATEST benefit of centralizing IT systems?

Options:

A.

Risk reporting

B.

Risk classification

C.

Risk monitoring

D.

Risk identification

Buy Now
Questions 411

An organization learns of a new ransomware attack affecting organizations worldwide. Which of the following should be done FIRST to reduce the likelihood of infection from the attack?

Options:

A.

Identify systems that are vulnerable to being exploited by the attack.

B.

Confirm with the antivirus solution vendor whether the next update will detect the attack.

C.

Verify the data backup process and confirm which backups are the most recent ones available.

D.

Obtain approval for funding to purchase a cyber insurance plan.

Buy Now
Questions 412

The implementation of a risk treatment plan will exceed the resources originally allocated for the risk response. Which of the following should be the risk owner's NEXT action?

Options:

A.

Perform a risk assessment.

B.

Accept the risk of not implementing.

C.

Escalate to senior management.

D.

Update the implementation plan.

Buy Now
Questions 413

Which of the following controls BEST enables an organization to ensure a complete and accurate IT asset inventory?

Options:

A.

Prohibiting the use of personal devices for business

B.

Performing network scanning for unknown devices

C.

Requesting an asset list from business owners

D.

Documenting asset configuration baselines

Buy Now
Questions 414

Which of the following trends would cause the GREATEST concern regarding the effectiveness of an organization's user access control processes? An increase in the:

Options:

A.

ratio of disabled to active user accounts.

B.

percentage of users with multiple user accounts.

C.

average number of access entitlements per user account.

D.

average time between user transfers and access updates.

Buy Now
Questions 415

Mapping open risk issues to an enterprise risk heat map BEST facilitates:

Options:

A.

risk response.

B.

control monitoring.

C.

risk identification.

D.

risk ownership.

Buy Now
Questions 416

Which of the following is the MOST important technology control to reduce the likelihood of fraudulent payments committed internally?

Options:

A.

Automated access revocation

B.

Daily transaction reconciliation

C.

Rule-based data analytics

D.

Role-based user access model

Buy Now
Questions 417

An organization is measuring the effectiveness of its change management program to reduce the number of unplanned production changes. Which of the following would be the BEST metric to determine if the program is performing as expected?

Options:

A.

Decrease in the time to move changes to production

B.

Ratio of emergency fixes to total changes

C.

Ratio of system changes to total changes

D.

Decrease in number of changes without a fallback plan

Buy Now
Questions 418

Which of the following provides the MOST useful information to assess the magnitude of identified deficiencies in the IT control environment?

Options:

A.

Peer benchmarks

B.

Internal audit reports

C.

Business impact analysis (BIA) results

D.

Threat analysis results

Buy Now
Questions 419

Improvements in the design and implementation of a control will MOST likely result in an update to:

Options:

A.

inherent risk.

B.

residual risk.

C.

risk appetite

D.

risk tolerance

Buy Now
Questions 420

Which of the following is MOST important for managing ethical risk?

Options:

A.

Involving senior management in resolving ethical disputes

B.

Developing metrics to trend reported ethics violations

C.

Identifying the ethical concerns of each stakeholder

D.

Establishing a code of conduct for employee behavior

Buy Now
Questions 421

Which of the following is the PRIMARY reason to update a risk register with risk assessment results?

Options:

A.

To communicate the level and priority of assessed risk to management

B.

To provide a comprehensive inventory of risk across the organization

C.

To assign a risk owner to manage the risk

D.

To enable the creation of action plans to address nsk

Buy Now
Questions 422

Which of the following provides the BEST assurance of the effectiveness of vendor security controls?

Options:

A.

Review vendor control self-assessments (CSA).

B.

Review vendor service level agreement (SLA) metrics.

C.

Require independent control assessments.

D.

Obtain vendor references from existing customers.

Buy Now
Questions 423

External penetration tests MUST include:

Options:

A.

use of consultants to ensure completeness.

B.

communications to users of the target systems.

C.

changes to target data to prove the attack was successful.

D.

advance approval from system owners.

Buy Now
Questions 424

Which of the following is MOST important when determining risk appetite?

Options:

A.

Assessing regulatory requirements

B.

Benchmarking against industry standards

C.

Gaining management consensus

D.

Identifying risk tolerance

Buy Now
Questions 425

Which of the following BEST supports the communication of risk assessment results to stakeholders?

Options:

A.

Monitoring of high-risk areas

B.

Classification of risk profiles

C.

Periodic review of the risk register

D.

Assignment of risk ownership

Buy Now
Questions 426

Within the three lines of defense model, the accountability for the system of internal control resides with:

Options:

A.

the chief information officer (CIO).

B.

the board of directors

C.

enterprise risk management

D.

the risk practitioner

Buy Now
Questions 427

Which of the following is MOST helpful to facilitate the decision of recovery priorities in a disaster situation?

Options:

A.

Business Impact Analysis (BIA)

B.

Key Risk Indicators (KRIs)

C.

Recovery Point Objective (RPO)

D.

Risk Scenario Analysis

Buy Now
Questions 428

Which of the following should be accountable for ensuring that media containing financial information are adequately destroyed per an organization's data disposal policy?

Options:

A.

Compliance manager

B.

Data architect

C.

Data owner

D.

Chief information officer (CIO)

Buy Now
Questions 429

A risk manager has determined there is excessive risk with a particular technology. Who is the BEST person to own the unmitigated risk of the technology?

Options:

A.

IT system owner

B.

Chief financial officer

C.

Chief risk officer

D.

Business process owner

Buy Now
Questions 430

Which of the following would be a risk practitioner's GREATEST concern with the use of a vulnerability scanning tool?

Options:

A.

Increased time to remediate vulnerabilities

B.

Inaccurate reporting of results

C.

Increased number of vulnerabilities

D.

Network performance degradation

Buy Now
Questions 431

An unauthorized individual has socially engineered entry into an organization's secured physical premises. Which of the following is the BEST way to prevent future occurrences?

Options:

A.

Employ security guards.

B.

Conduct security awareness training.

C.

Install security cameras.

D.

Require security access badges.

Buy Now
Questions 432

All business units within an organization have the same risk response plan for creating local disaster recovery plans. In an effort to achieve cost effectiveness, the BEST course of action would be to:

Options:

A.

select a provider to standardize the disaster recovery plans.

B.

outsource disaster recovery to an external provider.

C.

centralize the risk response function at the enterprise level.

D.

evaluate opportunities to combine disaster recovery plans.

Buy Now
Questions 433

A failure in an organization s IT system build process has resulted in several computers on the network missing the corporate endpoint detection and response (EDR) software. Which of the following should be the risk practitioner’s IMMEDIATE concern?

Options:

A.

Multiple corporate build images exist.

B.

The process documentation was not updated.

C.

The IT build process was not followed.

D.

Threats are not being detected.

Buy Now
Questions 434

Which of the following should an organization perform to forecast the effects of a disaster?

Options:

A.

Develop a business impact analysis (BIA).

B.

Define recovery time objectives (RTO).

C.

Analyze capability maturity model gaps.

D.

Simulate a disaster recovery.

Buy Now
Questions 435

During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall. Which of the following controls has MOST likely been compromised?

Options:

A.

Data validation

B.

Identification

C.

Authentication

D.

Data integrity

Buy Now
Questions 436

Which of the following is the BEST way to determine the value of information assets for risk management purposes?

Options:

A.

Assess the loss impact if the information is inadvertently disclosed

B.

Calculate the overhead required to keep the information secure throughout its life cycle

C.

Calculate the replacement cost of obtaining the information from alternate sources

D.

Assess the market value offered by consumers of the information

Buy Now
Questions 437

Which of the following criteria associated with key risk indicators (KRIs) BEST enables effective risk monitoring?

Options:

A.

Approval by senior management

B.

Low cost of development and maintenance

C.

Sensitivity to changes in risk levels

D.

Use of industry risk data sources

Buy Now
Questions 438

A bank is experiencing an increasing incidence of customer identity theft. Which of the following is the BEST way to mitigate this risk?

Options:

A.

Implement monitoring techniques.

B.

Implement layered security.

C.

Outsource to a local processor.

D.

Conduct an awareness campaign.

Buy Now
Questions 439

Which of the following is a risk practitioner's BEST recommendation to help reduce IT risk associated with scheduling overruns when starting a new application development project?

Options:

A.

Implement a tool to track the development team's deliverables.

B.

Review the software development life cycle.

C.

Involve the development team in planning.

D.

Assign more developers to the project team.

Buy Now
Questions 440

Management has determined that it will take significant time to remediate exposures in the current IT control environment. Which of the following is the BEST course of action?

Options:

A.

Implement control monitoring.

B.

Improve project management methodology.

C.

Reassess the risk periodically.

D.

Identify compensating controls.

Buy Now
Questions 441

Controls should be defined during the design phase of system development because:

Options:

A.

it is more cost-effective to determine controls in the early design phase.

B.

structured analysis techniques exclude identification of controls.

C.

structured programming techniques require that controls be designed before coding begins.

D.

technical specifications are defined during this phase.

Buy Now
Questions 442

Which of the following is the MOST important consideration when selecting either a qualitative or quantitative risk analysis?

Options:

A.

Expertise in both methodologies

B.

Maturity of the risk management program

C.

Time available for risk analysis

D.

Resources available for data analysis

Buy Now
Questions 443

Which of the following is the MOST important consideration when multiple risk practitioners capture risk scenarios in a single risk register?

Options:

A.

Aligning risk ownership and control ownership

B.

Developing risk escalation and reporting procedures

C.

Maintaining up-to-date risk treatment plans

D.

Using a consistent method for risk assessment

Buy Now
Questions 444

Which of the following BEST indicates the effective implementation of a risk treatment plan?

Options:

A.

Inherent risk is managed within an acceptable level.

B.

Residual risk is managed within appetite and tolerance.

C.

Risk treatments are aligned with industry peers.

D.

Key controls are identified and documented.

Buy Now
Questions 445

Which of the following is the MOST important risk management activity during project initiation?

Options:

A.

Defining key risk indicators (KRIs)

B.

Classifying project data

C.

Identifying key risk stakeholders

D.

Establishing a risk mitigation plan

Buy Now
Questions 446

Which of the following would present the GREATEST challenge when assigning accountability for control ownership?

Options:

A.

Weak governance structures

B.

Senior management scrutiny

C.

Complex regulatory environment

D.

Unclear reporting relationships

Buy Now
Questions 447

An upward trend in which of the following metrics should be of MOST concern?

Options:

A.

Number of business change management requests

B.

Number of revisions to security policy

C.

Number of security policy exceptions approved

D.

Number of changes to firewall rules

Buy Now
Questions 448

Which of the following is the ULTIMATE goal of conducting a privacy impact analysis (PIA)?

Options:

A.

To identify gaps in data protection controls

B.

To develop a customer notification plan

C.

To identify personally identifiable information (Pll)

D.

To determine gaps in data identification processes

Buy Now
Questions 449

What is the MOST important consideration when aligning IT risk management with the enterprise risk management (ERM) framework?

Options:

A.

Risk and control ownership

B.

Senior management participation

C.

Business unit support

D.

Risk nomenclature and taxonomy

Buy Now
Questions 450

A risk practitioner is asked to present the results of the most recent technology risk assessment to executive management in a concise manner. Which of the following is MOST important to include in the presentation?

Options:

A.

Residual risk levels

B.

Compensating controls

C.

Details of vulnerabilities

D.

Failed high-risk controls

Buy Now
Questions 451

An effective control environment is BEST indicated by controls that:

Options:

A.

minimize senior management's risk tolerance.

B.

manage risk within the organization's risk appetite.

C.

reduce the thresholds of key risk indicators (KRIs).

D.

are cost-effective to implement

Buy Now
Questions 452

Who is accountable for authorizing application access in a cloud Software as a Service (SaaS) solution?

Options:

A.

Cloud service provider

B.

IT department

C.

Senior management

D.

Business unit owner

Buy Now
Questions 453

An organization is considering the adoption of an aggressive business strategy to achieve desired growth From a risk management perspective what should the risk practitioner do NEXT?

Options:

A.

Identify new threats resorting from the new business strategy

B.

Update risk awareness training to reflect current levels of risk appetite and tolerance

C.

Inform the board of potential risk scenarios associated with aggressive business strategies

D.

Increase the scale for measuring impact due to threat materialization

Buy Now
Questions 454

Which of the following is the PRIMARY factor in determining a recovery time objective (RTO)?

Options:

A.

Cost of offsite backup premises

B.

Cost of downtime due to a disaster

C.

Cost of testing the business continuity plan

D.

Response time of the emergency action plan

Buy Now
Questions 455

Implementing which of the following controls would BEST reduce the impact of a vulnerability that has been exploited?

Options:

A.

Detective control

B.

Deterrent control

C.

Preventive control

D.

Corrective control

Buy Now
Questions 456

Which of the following is the MOST important consideration when selecting key risk indicators (KRIs) to monitor risk trends over time?

Options:

A.

Ongoing availability of data

B.

Ability to aggregate data

C.

Ability to predict trends

D.

Availability of automated reporting systems

Buy Now
Questions 457

A hospital recently implemented a new technology to allow virtual patient appointments. Which of the following should be the risk practitioner's FIRST course of action?

Options:

A.

Reassess the risk profile.

B.

Modify the risk taxonomy.

C.

Increase the risk tolerance.

D.

Review the risk culture.

Buy Now
Questions 458

A risk practitioner has observed that there is an increasing trend of users sending sensitive information by email without using encryption. Which of the following would be the MOST effective approach to mitigate the risk associated with data loss?

Options:

A.

Implement a tool to create and distribute violation reports

B.

Raise awareness of encryption requirements for sensitive data.

C.

Block unencrypted outgoing emails which contain sensitive data.

D.

Implement a progressive disciplinary process for email violations.

Buy Now
Questions 459

What should a risk practitioner do FIRST when vulnerability assessment results identify a weakness in an application?

Options:

A.

Review regular control testing results.

B.

Recommend a penetration test.

C.

Assess the risk to determine mitigation needed.

D.

Analyze key performance indicators (KPIs).

Buy Now
Questions 460

A public online information security training course is available to an organization's staff. The online course contains free-form discussion fields. Which of the following should be of MOST concern to the organization's risk practitioner?

Options:

A.

The form may be susceptible to SQL injection attacks.

B.

Data is not encrypted in transit to the site.

C.

Proprietary corporate information may be disclosed.

D.

Staff nondisclosure agreements (NDAs) are not in place.

Buy Now
Questions 461

Which of the following provides the MOST important information to facilitate a risk response decision?

Options:

A.

Audit findings

B.

Risk appetite

C.

Key risk indicators

D.

Industry best practices

Buy Now
Questions 462

Which of the following stakeholders are typically included as part of a line of defense within the three lines of defense model?

Options:

A.

Board of directors

B.

Vendors

C.

Regulators

D.

Legal team

Buy Now
Questions 463

Which of the following is a KEY consideration for a risk practitioner to communicate to senior management evaluating the introduction of artificial intelligence (Al) solutions into the organization?

Options:

A.

Al requires entirely new risk management processes.

B.

Al potentially introduces new types of risk.

C.

Al will result in changes to business processes.

D.

Third-party Al solutions increase regulatory obligations.

Buy Now
Questions 464

Which of the following provides the BEST evidence that a selected risk treatment plan is effective?

Options:

A.

Identifying key risk indicators (KRIs)

B.

Evaluating the return on investment (ROI)

C.

Evaluating the residual risk level

D.

Performing a cost-benefit analysis

Buy Now
Questions 465

An IT operations team implements disaster recovery controls based on decisions from application owners regarding the level of resiliency needed. Who is the risk owner in this scenario?

Options:

A.

Business resilience manager

B.

Disaster recovery team lead

C.

Application owner

D.

IT operations manager

Buy Now
Questions 466

An IT risk practitioner has been asked to regularly report on the overall status and effectiveness of the IT risk management program. Which of the following is MOST useful for this purpose?

Options:

A.

Balanced scorecard

B.

Capability maturity level

C.

Internal audit plan

D.

Control self-assessment (CSA)

Buy Now
Questions 467

Which of the following would be a weakness in procedures for controlling the migration of changes to production libraries?

Options:

A.

The programming project leader solely reviews test results before approving the transfer to production.

B.

Test and production programs are in distinct libraries.

C.

Only operations personnel are authorized to access production libraries.

D.

A synchronized migration of executable and source code from the test environment to the production environment is allowed.

Buy Now
Questions 468

Which of the following methods would BEST contribute to identifying obscure risk scenarios?

Options:

A.

Brainstorming sessions

B.

Control self-assessments

C.

Vulnerability analysis

D.

Monte Carlo analysis

Buy Now
Questions 469

Which of the following is MOST important to ensure risk management practices are effective at all levels within the organization?

Options:

A.

Communicating risk awareness materials regularly

B.

Establishing key risk indicators (KRIs) to monitor risk management processes

C.

Ensuring that business activities minimize inherent risk

D.

Embedding risk management in business activities

Buy Now
Questions 470

Which of the following is the BEST approach when a risk practitioner has been asked by a business unit manager for special consideration during a risk assessment of a system?

Options:

A.

Conduct an abbreviated version of the assessment.

B.

Report the business unit manager for a possible ethics violation.

C.

Perform the assessment as it would normally be done.

D.

Recommend an internal auditor perform the review.

Buy Now
Questions 471

An organization has determined that risk is not being adequately tracked and

managed due to a distributed operating model. Which of the following is the

BEST way to address this issue?

Options:

A.

Increase the frequency of risk assessments.

B.

Revalidate the organization's risk appetite

C.

Create a centralized portfolio of risk scenarios.

D.

Create dashboards for risk metrics.

Buy Now
Questions 472

Which of the following will BEST help to ensure implementation of corrective action plans?

Options:

A.

Establishing employee awareness training

B.

Assigning accountability to risk owners

C.

Selling target dates to complete actions

D.

Contracting to third parties

Buy Now
Questions 473

After the review of a risk record, internal audit questioned why the risk was lowered from medium to low. Which of the following is the BEST course of action in responding to this inquiry?

Options:

A.

Obtain industry benchmarks related to the specific risk.

B.

Provide justification for the lower risk rating.

C.

Notify the business at the next risk briefing.

D.

Reopen the risk issue and complete a full assessment.

Buy Now
Questions 474

A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:

Options:

A.

identification.

B.

treatment.

C.

communication.

D.

assessment

Buy Now
Questions 475

The PRIMARY reason for establishing various Threshold levels for a set of key risk indicators (KRIs) is to:

Options:

A.

highlight trends of developing risk.

B.

ensure accurate and reliable monitoring.

C.

take appropriate actions in a timely manner.

D.

set different triggers for each stakeholder.

Buy Now
Questions 476

Which of the following methods is the BEST way to measure the effectiveness of automated information security controls prior to going live?

Options:

A.

Testing in a non-production environment

B.

Performing a security control review

C.

Reviewing the security audit report

D.

Conducting a risk assessment

Buy Now
Questions 477

A risk practitioner has become aware of production data being used in a test environment. Which of the following should be the practitioner's PRIMARY concern?

Options:

A.

Sensitivity of the data

B.

Readability of test data

C.

Security of the test environment

D.

Availability of data to authorized staff

Buy Now
Questions 478

Which of the following would BEST help secure online financial transactions from improper users?

Options:

A.

Review of log-in attempts

B.

multi-level authorization

C.

Periodic review of audit trails

D.

multi-factor authentication

Buy Now
Questions 479

Which of the following BEST indicates effective information security incident management?

Options:

A.

Monthly trend of information security-related incidents

B.

Average time to identify critical information security incidents

C.

Frequency of information security incident response plan testing

D.

Percentage of high-risk security incidents

Buy Now
Questions 480

Before selecting a final risk response option for a given risk scenario, management should FIRST:

Options:

A.

determine control ownership.

B.

evaluate the risk response of similar sized organizations.

C.

evaluate the organization's ability to implement the solution.

D.

determine the remediation timeline.

Buy Now
Questions 481

Which of the following should be the PRIMARY focus of an independent review of a risk management process?

Options:

A.

Accuracy of risk tolerance levels

B.

Consistency of risk process results

C.

Participation of stakeholders

D.

Maturity of the process

Buy Now
Questions 482

Which of the following activities should only be performed by the third line of defense?

Options:

A.

Operating controls for risk mitigation

B.

Testing the effectiveness and efficiency of internal controls

C.

Providing assurance on risk management processes

D.

Recommending risk treatment options

Buy Now
Questions 483

During a control review, the control owner states that an existing control has deteriorated over time. What is the BEST recommendation to the control owner?

Options:

A.

Implement compensating controls to reduce residual risk

B.

Escalate the issue to senior management

C.

Discuss risk mitigation options with the risk owner.

D.

Certify the control after documenting the concern.

Buy Now
Questions 484

Which of the following is the GREATEST benefit of updating the risk register to include outcomes from a risk assessment?

Options:

A.

It maintains evidence of compliance with risk policy.

B.

It facilitates timely risk-based decisions.

C.

It validates the organization's risk appetite.

D.

It helps to mitigate internal and external risk factors.

Buy Now
Questions 485

Which of the following would be MOST useful to senior management when determining an appropriate risk response?

Options:

A.

A comparison of current risk levels with established tolerance

B.

A comparison of cost variance with defined response strategies

C.

A comparison of current risk levels with estimated inherent risk levels

D.

A comparison of accepted risk scenarios associated with regulatory compliance

Buy Now
Questions 486

To drive effective risk management, it is MOST important that an organization's policy framework is:

Options:

A.

Approved by relevant stakeholders.

B.

Aligned to the functional business structure.

C.

Included in employee onboarding materials.

D.

Mapped to an industry-standard framework.

Buy Now
Questions 487

Which of the following information is MOST useful to a risk practitioner for developing IT risk scenarios?

Options:

A.

Published vulnerabilities relevant to the business

B.

Threat actors that can trigger events

C.

Events that could potentially impact the business

D.

IT assets requiring the greatest investment

Buy Now
Questions 488

Which of the following is the PRIMARY benefit of consistently recording risk assessment results in the risk register?

Options:

A.

Assessment of organizational risk appetite

B.

Compliance with best practice

C.

Accountability for loss events

D.

Accuracy of risk profiles

Buy Now
Questions 489

Which of the following is the GREATEST concern when using artificial intelligence (AI) language models?

Options:

A.

The model could be hacked or exploited.

B.

The model could be used to generate inaccurate content.

C.

Staff could become overly reliant on the model.

D.

It could lead to biased recommendations.

Buy Now
Questions 490

Which of the following is the BEST indicator of the effectiveness of a control action plan's implementation?

Options:

A.

Increased number of controls

B.

Reduced risk level

C.

Increased risk appetite

D.

Stakeholder commitment

Buy Now
Questions 491

Which of the following is the PRIMARY reason to have the risk management process reviewed by a third party?

Options:

A.

Obtain objective assessment of the control environment.

B.

Ensure the risk profile is defined and communicated.

C.

Validate the threat management process.

D.

Obtain an objective view of process gaps and systemic errors.

Buy Now
Questions 492

Which of the following risk scenarios would be the GREATEST concern as a result of a single sign-on implementation?

Options:

A.

User access may be restricted by additional security.

B.

Unauthorized access may be gained to multiple systems.

C.

Security administration may become more complex.

D.

User privilege changes may not be recorded.

Buy Now
Questions 493

Which of the following BEST enables risk-based decision making in support of a business continuity plan (BCP)?

Options:

A.

Impact analysis

B.

Control analysis

C.

Root cause analysis

D.

Threat analysis

Buy Now
Questions 494

A risk practitioner has been notified that an employee sent an email in error containing customers' personally identifiable information (Pll). Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Report it to the chief risk officer.

B.

Advise the employee to forward the email to the phishing team.

C.

follow incident reporting procedures.

D.

Advise the employee to permanently delete the email.

Buy Now
Questions 495

Which of the following would BEST help to ensure that suspicious network activity is identified?

Options:

A.

Analyzing intrusion detection system (IDS) logs

B.

Analyzing server logs

C.

Using a third-party monitoring provider

D.

Coordinating events with appropriate agencies

Buy Now
Questions 496

What is the BEST information to present to business control owners when justifying costs related to controls?

Options:

A.

Loss event frequency and magnitude

B.

The previous year's budget and actuals

C.

Industry benchmarks and standards

D.

Return on IT security-related investments

Buy Now
Questions 497

Which of the following is a risk practitioner's MOST appropriate course of action upon learning that an organization is not compliant with its patch management policy?

Options:

A.

Document the concern in an issue tracker.

B.

Strengthen data loss prevention (DLP) controls.

C.

Apply the most recent available patches.

D.

Escalate the issue to the ethics committee.

Buy Now
Questions 498

Which of the following would provide the MOST objective assessment of the effectiveness of an organization's security controls?

Options:

A.

An internal audit

B.

Security operations center review

C.

Internal penetration testing

D.

A third-party audit

Buy Now
Questions 499

Which of the following is the GREATEST benefit of a three lines of defense structure?

Options:

A.

An effective risk culture that empowers employees to report risk

B.

Effective segregation of duties to prevent internal fraud

C.

Clear accountability for risk management processes

D.

Improved effectiveness and efficiency of business operations

Buy Now
Questions 500

Which of the following should be done FIRST when developing an initial set of risk scenarios for an organization?

Options:

A.

Refer to industry standard scenarios.

B.

Use a top-down approach.

C.

Consider relevant business activities.

D.

Use a bottom-up approach.

Buy Now
Questions 501

Which of the following is MOST important when conducting a post-implementation review as part of the system development life cycle (SDLC)?

Options:

A.

Verifying that project objectives are met

B.

Identifying project cost overruns

C.

Leveraging an independent review team

D.

Reviewing the project initiation risk matrix

Buy Now
Questions 502

Which of the following is the MOST effective way for a large and diversified organization to minimize risk associated with unauthorized software on company devices?

Options:

A.

Scan end points for applications not included in the asset inventory.

B.

Prohibit the use of cloud-based virtual desktop software.

C.

Conduct frequent reviews of software licenses.

D.

Perform frequent internal audits of enterprise IT infrastructure.

Buy Now
Questions 503

After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:

Options:

A.

recommend a program that minimizes the concerns of that production system.

B.

inform the development team of the concerns, and together formulate risk reduction measures.

C.

inform the process owner of the concerns and propose measures to reduce them

D.

inform the IT manager of the concerns and propose measures to reduce them.

Buy Now
Questions 504

Which of the following is the MOST important reason to validate that risk responses have been executed as outlined in the risk response plan''

Options:

A.

To ensure completion of the risk assessment cycle

B.

To ensure controls arc operating effectively

C.

To ensure residual risk Is at an acceptable level

D.

To ensure control costs do not exceed benefits

Buy Now
Questions 505

The BEST use of key risk indicators (KRIs) is to provide:

Options:

A.

Early indication of increasing exposure to a specific risk.

B.

Lagging indication of major information security incidents.

C.

Early indication of changes to required risk response.

D.

Insight into the performance of a monitored process.

Buy Now
Questions 506

Which of the following should be determined FIRST when a new security vulnerability is made public?

Options:

A.

Whether the affected technology is used within the organization

B.

Whether the affected technology is Internet-facing

C.

What mitigating controls are currently in place

D.

How pervasive the vulnerability is within the organization

Buy Now
Questions 507

A business is conducting a proof of concept on a vendor's Al technology. Which of the following is the MOST important consideration for managing risk?

Options:

A.

Use of a non-production environment

B.

Adequate vendor support

C.

Third-party management plan

D.

Regular security updates

Buy Now
Questions 508

Which of the following would be MOST useful when measuring the progress of a risk response action plan?

Options:

A.

Percentage of mitigated risk scenarios

B.

Annual loss expectancy (ALE) changes

C.

Resource expenditure against budget

D.

An up-to-date risk register

Buy Now
Questions 509

Which of the following situations would cause the GREATEST concern around the integrity of application logs?

Options:

A.

Weak privileged access management controls

B.

Lack of a security information and event management (SIEM) system

C.

Lack of data classification policies

D.

Use of hashing algorithms

Buy Now
Questions 510

Options:

A.

Average time to contain security incidents

B.

Percentage of systems being monitored

C.

Number of false positives reported

D.

Number of personnel dedicated to security monitoring

Buy Now
Questions 511

Which of the following indicates an organization follows IT risk management best practice?

Options:

A.

The risk register template uses an industry standard.

B.

The risk register is regularly updated.

C.

All fields in the risk register have been completed.

D.

Controls are listed against risk entries in the register.

Buy Now
Questions 512

The BEST reason to classify IT assets during a risk assessment is to determine the:

Options:

A.

priority in the risk register.

B.

business process owner.

C.

enterprise risk profile.

D.

appropriate level of protection.

Buy Now
Questions 513

Which of the following controls will BEST mitigate risk associated with excessive access privileges?

Options:

A.

Review of user access logs

B.

Frequent password expiration

C.

Separation of duties

D.

Entitlement reviews

Buy Now
Questions 514

Options:

A.

To gain stakeholder support for the implementation of controls

B.

To address multiple risk scenarios mitigated by technical controls

C.

To comply with industry best practices by balancing multiple types of controls

D.

To improve the effectiveness of controls that mitigate risk

Buy Now
Questions 515

Which of the following would MOST likely cause management to unknowingly accept excessive risk?

Options:

A.

Satisfactory audit results

B.

Risk tolerance being set too low

C.

Inaccurate risk ratings

D.

Lack of preventive controls

Buy Now
Questions 516

Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities?

Options:

A.

Temporarily mitigate the OS vulnerabilities

B.

Document and implement a patching process

C.

Evaluate permanent fixes such as patches and upgrades

D.

Identify the vulnerabilities and applicable OS patches

Buy Now
Questions 517

To define the risk management strategy which of the following MUST be set by the board of directors?

Options:

A.

Operational strategies

B.

Risk governance

C.

Annualized loss expectancy (ALE)

D.

Risk appetite

Buy Now
Questions 518

An organization has decided to outsource a web application, and customer data will be stored in the vendor's public cloud. To protect customer data, it is MOST important to ensure which of the following?

Options:

A.

The organization's incident response procedures have been updated.

B.

The vendor stores the data in the same jurisdiction.

C.

Administrative access is only held by the vendor.

D.

The vendor's responsibilities are defined in the contract.

Buy Now
Questions 519

A financial organization is considering a project to implement the use of blockchain technology. To help ensure the organization's management team can make informed decisions on the project, which of the following should the risk practitioner reassess?

Options:

A.

Risk classification

B.

Risk profile

C.

Business impact analysis (BIA)

D.

Risk tolerance

Buy Now
Questions 520

Which of the following is the BEST way to help ensure risk will be managed properly after a business process has been re-engineered?

Options:

A.

Reassessing control effectiveness of the process

B.

Conducting a post-implementation review to determine lessons learned

C.

Reporting key performance indicators (KPIs) for core processes

D.

Establishing escalation procedures for anomaly events

Buy Now
Questions 521

Which of the following should be the PRIMARY consideration when assessing the risk of using Internet of Things (loT) devices to collect and process personally identifiable information (Pll)?

Options:

A.

Costs and benefits

B.

Local laws and regulations

C.

Security features and support

D.

Business strategies and needs

Buy Now
Questions 522

An organization has established a single enterprise-wide risk register that records high-level risk scenarios. The IT risk department has created its own register to record more granular scenarios applicable to IT. Which of the following is the BEST way to ensure alignment between these two registers?

Options:

A.

Map the granular risk scenarios to the high-level risk register items.

B.

List application and server vulnerabilities in the IT risk register.

C.

Identify overlapping risk scenarios between the two registers.

D.

Maintain both high-level and granular risk scenarios in a single register.

Buy Now
Questions 523

When confirming whether implemented controls are operating effectively, which of the following is MOST important to review?

Options:

A.

Results of benchmarking studies

B.

Results of risk assessments

C.

Number of emergency change requests

D.

Maturity model

Buy Now
Questions 524

Which of the following is a drawback in the use of quantitative risk analysis?

Options:

A.

It assigns numeric values to exposures of assets.

B.

It requires more resources than other methods

C.

It produces the results in numeric form.

D.

It is based on impact analysis of information assets.

Buy Now
Questions 525

During a risk assessment of a financial institution, a risk practitioner discovers that tellers can initiate and approve transactions of significant value. This team is also responsible for ensuring transactions are recorded and balances are reconciled by the end of the day. Which of the following is the risk practitioner's BEST recommendation to mitigate the associated risk?

Options:

A.

Implement continuous monitoring.

B.

Require a second level of approval.

C.

Implement separation of duties.

D.

Require a code of ethics.

Buy Now
Questions 526

Which of the following will BEST help to ensure key risk indicators (KRIs) provide value to risk owners?

Options:

A.

Ongoing training

B.

Timely notification

C.

Return on investment (ROI)

D.

Cost minimization

Buy Now
Questions 527

Which of the following is the PRIMARY reason to perform ongoing risk assessments?

Options:

A.

Emerging risk must be continuously reported to management.

B.

New system vulnerabilities emerge at frequent intervals.

C.

The risk environment is subject to change.

D.

The information security budget must be justified.

Buy Now
Questions 528

From a business perspective, which of the following is the MOST important objective of a disaster recovery test?

Options:

A.

The organization gains assurance it can recover from a disaster

B.

Errors are discovered in the disaster recovery process.

C.

All business-critical systems are successfully tested.

D.

All critical data is recovered within recovery time objectives (RTOs).

Buy Now
Questions 529

A global organization is considering the transfer of its customer information systems to an overseas cloud service provider in the event of a disaster. Which of the following should be the MOST important risk consideration?

Options:

A.

Regulatory restrictions for cross-border data transfer

B.

Service level objectives in the vendor contract

C.

Organizational culture differences between each country

D.

Management practices within each company

Buy Now
Questions 530

Which of the following would provide the BEST evidence of an effective internal control environment/?

Options:

A.

Risk assessment results

B.

Adherence to governing policies

C.

Regular stakeholder briefings

D.

Independent audit results

Buy Now
Questions 531

Vulnerabilities have been detected on an organization's systems. Applications installed on these systems will not operate if the underlying servers are updated. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Recommend the business change the application.

B.

Recommend a risk treatment plan.

C.

Include the risk in the next quarterly update to management.

D.

Implement compensating controls.

Buy Now
Questions 532

Which of the following would be the GREATEST concern for an IT risk practitioner when an employees.....

Options:

A.

The organization's structure has not been updated

B.

Unnecessary access permissions have not been removed.

C.

Company equipment has not been retained by IT

D.

Job knowledge was not transferred to employees m the former department

Buy Now
Questions 533

The risk associated with data loss from a website which contains sensitive customer information is BEST owned by:

Options:

A.

the third-party website manager

B.

the business process owner

C.

IT security

D.

the compliance manager

Buy Now
Questions 534

Which of the following is the GREATEST risk associated with the misclassification of data?

Options:

A.

inadequate resource allocation

B.

Data disruption

C.

Unauthorized access

D.

Inadequate retention schedules

Buy Now
Questions 535

The MOST significant benefit of using a consistent risk ranking methodology across an organization is that it enables:

Options:

A.

allocation of available resources

B.

clear understanding of risk levels

C.

assignment of risk to the appropriate owners

D.

risk to be expressed in quantifiable terms

Buy Now
Questions 536

After several security incidents resulting in significant financial losses, IT management has decided to outsource the security function to a third party that provides 24/7 security operation services. Which risk response option has management implemented?

Options:

A.

Risk mitigation

B.

Risk avoidance

C.

Risk acceptance

D.

Risk transfer

Buy Now
Questions 537

Which of the following is the BEST method for identifying vulnerabilities?

Options:

A.

Batch job failure monitoring

B.

Periodic network scanning

C.

Annual penetration testing

D.

Risk assessments

Buy Now
Questions 538

Which of the following is the PRIMARY objective of risk management?

Options:

A.

Identify and analyze risk.

B.

Achieve business objectives

C.

Minimi2e business disruptions.

D.

Identify threats and vulnerabilities.

Buy Now
Questions 539

Who is MOST important lo include in the assessment of existing IT risk scenarios?

Options:

A.

Technology subject matter experts

B.

Business process owners

C.

Business users of IT systems

D.

Risk management consultants

Buy Now
Questions 540

An organization wants to assess the maturity of its internal control environment. The FIRST step should be to:

Options:

A.

validate control process execution.

B.

determine if controls are effective.

C.

identify key process owners.

D.

conduct a baseline assessment.

Buy Now
Questions 541

The risk associated with a high-risk vulnerability in an application is owned by the:

Options:

A.

security department.

B.

business unit

C.

vendor.

D.

IT department.

Buy Now
Questions 542

Which of the following is the BEST indication of an improved risk-aware culture following the implementation of a security awareness training program for all employees?

Options:

A.

A reduction in the number of help desk calls

B.

An increase in the number of identified system flaws

C.

A reduction in the number of user access resets

D.

An increase in the number of incidents reported

Buy Now
Questions 543

Which of the following is MOST important to consider when determining the risk associated with re-identification of obfuscated personal data?

Options:

A.

The type of shared data

B.

The level of residual risk after data loss prevention (DLP) controls are implemented

C.

The monetary value of the unique records that could be re-identified

D.

The impact to affected stakeholders

Buy Now
Exam Code: CRISC
Exam Name: Certified in Risk and Information Systems Control
Last Update: Oct 16, 2025
Questions: 1810

PDF + Testing Engine

$72.6  $181.49

Testing Engine

$57.8  $144.49
buy now CRISC testing engine

PDF (Q&A)

$49.8  $124.49
buy now CRISC pdf