Month End Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: pass65

CRISC Certified in Risk and Information Systems Control Questions and Answers

Questions 4

Who should be accountable for ensuring effective cybersecurity controls are established?

Options:

A.

Risk owner

B.

Security management function

C.

IT management

D.

Enterprise risk function

Buy Now
Questions 5

Which of the following risk register updates is MOST important for senior management to review?

Options:

A.

Extending the date of a future action plan by two months

B.

Retiring a risk scenario no longer used

C.

Avoiding a risk that was previously accepted

D.

Changing a risk owner

Buy Now
Questions 6

Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?

Options:

A.

Perform an m-depth code review with an expert

B.

Validate functionality by running in a test environment

C.

Implement a service level agreement.

D.

Utilize the change management process.

Buy Now
Questions 7

Which of the following is the BEST way to identify changes to the risk landscape?

Options:

A.

Internal audit reports

B.

Access reviews

C.

Threat modeling

D.

Root cause analysis

Buy Now
Questions 8

When using a third party to perform penetration testing, which of the following is the MOST important control to minimize operational impact?

Options:

A.

Perform a background check on the vendor.

B.

Require the vendor to sign a nondisclosure agreement.

C.

Require the vendor to have liability insurance.

D.

Clearly define the project scope

Buy Now
Questions 9

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery plan (DRP)?

Options:

A.

Number of users that participated in the DRP testing

B.

Number of issues identified during DRP testing

C.

Percentage of applications that met the RTO during DRP testing

D.

Percentage of issues resolved as a result of DRP testing

Buy Now
Questions 10

Which of the following would be MOST useful when measuring the progress of a risk response action plan?

Options:

A.

Percentage of mitigated risk scenarios

B.

Annual loss expectancy (ALE) changes

C.

Resource expenditure against budget

D.

An up-to-date risk register

Buy Now
Questions 11

A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security. Which of the following observations would be MOST relevant to escalate to senior management?

Options:

A.

An increase in attempted distributed denial of service (DDoS) attacks

B.

An increase in attempted website phishing attacks

C.

A decrease in achievement of service level agreements (SLAs)

D.

A decrease in remediated web security vulnerabilities

Buy Now
Questions 12

An organization has determined a risk scenario is outside the defined risk tolerance level. What should be the NEXT course of action?

Options:

A.

Develop a compensating control.

B.

Allocate remediation resources.

C.

Perform a cost-benefit analysis.

D.

Identify risk responses

Buy Now
Questions 13

Which of the following techniques would be used during a risk assessment to demonstrate to stakeholders that all known alternatives were evaluated?

Options:

A.

Control chart

B.

Sensitivity analysis

C.

Trend analysis

D.

Decision tree

Buy Now
Questions 14

Which of the following would be- MOST helpful to understand the impact of a new technology system on an organization's current risk profile?

Options:

A.

Hire consultants specializing m the new technology.

B.

Review existing risk mitigation controls.

C.

Conduct a gap analysis.

D.

Perform a risk assessment.

Buy Now
Questions 15

In addition to the risk register, what should a risk practitioner review to develop an understanding of the organization's risk profile?

Options:

A.

The control catalog

B.

The asset profile

C.

Business objectives

D.

Key risk indicators (KRls)

Buy Now
Questions 16

A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:

Options:

A.

identification.

B.

treatment.

C.

communication.

D.

assessment

Buy Now
Questions 17

The acceptance of control costs that exceed risk exposure is MOST likely an example of:

Options:

A.

low risk tolerance.

B.

corporate culture misalignment.

C.

corporate culture alignment.

D.

high risk tolerance

Buy Now
Questions 18

An organization wants to assess the maturity of its internal control environment. The FIRST step should be to:

Options:

A.

validate control process execution.

B.

determine if controls are effective.

C.

identify key process owners.

D.

conduct a baseline assessment.

Buy Now
Questions 19

Which of the following would MOST effectively enable a business operations manager to identify events exceeding risk thresholds?

Options:

A.

Continuous monitoring

B.

A control self-assessment

C.

Transaction logging

D.

Benchmarking against peers

Buy Now
Questions 20

A risk practitioner is summarizing the results of a high-profile risk assessment sponsored by senior management. The BEST way to support risk-based decisions by senior management would be to:

Options:

A.

map findings to objectives.

B.

provide quantified detailed analysis

C.

recommend risk tolerance thresholds.

D.

quantify key risk indicators (KRls).

Buy Now
Questions 21

Which of the following is the GREATEST benefit of incorporating IT risk scenarios into the corporate risk register?

Options:

A.

Corporate incident escalation protocols are established.

B.

Exposure is integrated into the organization's risk profile.

C.

Risk appetite cascades to business unit management

D.

The organization-wide control budget is expanded.

Buy Now
Questions 22

A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:

Options:

A.

communication

B.

identification.

C.

treatment.

D.

assessment.

Buy Now
Questions 23

An organization's senior management is considering whether to acquire cyber insurance. Which of the following is the BEST way for the risk practitioner to enable management’s decision?

Options:

A.

Perform a cost-benefit analysis.

B.

Conduct a SWOT analysis.

C.

Provide data on the number of risk events from the last year.

D.

Report on recent losses experienced by industry peers.

Buy Now
Questions 24

Which of the following is the MOST important data source for monitoring key risk indicators (KRIs)?

Options:

A.

Directives from legal and regulatory authorities

B.

Audit reports from internal information systems audits

C.

Automated logs collected from different systems

D.

Trend analysis of external risk factors

Buy Now
Questions 25

Which of the following is MOST important for effective communication of a risk profile to relevant stakeholders?

Options:

A.

Emphasizing risk in the risk profile that is related to critical business activities

B.

Customizing the presentation of the risk profile to the intended audience

C.

Including details of risk with high deviation from the risk appetite

D.

Providing information on the efficiency of controls for risk mitigation

Buy Now
Questions 26

Which of the following is the MOST important benefit of implementing a data classification program?

Options:

A.

Reduction in data complexity

B.

Reduction in processing times

C.

Identification of appropriate ownership

D.

Identification of appropriate controls

Buy Now
Questions 27

Whether the results of risk analyses should be presented in quantitative or qualitative terms should be based PRIMARILY on the:

Options:

A.

requirements of management.

B.

specific risk analysis framework being used.

C.

organizational risk tolerance

D.

results of the risk assessment.

Buy Now
Questions 28

Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?

Options:

A.

Risk mitigation budget

B.

Business Impact analysis

C.

Cost-benefit analysis

D.

Return on investment

Buy Now
Questions 29

Which of the following is the BEST indication of an effective risk management program?

Options:

A.

Risk action plans are approved by senior management.

B.

Residual risk is within the organizational risk appetite

C.

Mitigating controls are designed and implemented.

D.

Risk is recorded and tracked in the risk register

Buy Now
Questions 30

A risk practitioners PRIMARY focus when validating a risk response action plan should be that risk response:

Options:

A.

reduces risk to an acceptable level

B.

quantifies risk impact

C.

aligns with business strategy

D.

advances business objectives.

Buy Now
Questions 31

Which of the following would be MOST important for a risk practitioner to provide to the internal audit department during the audit planning process?

Options:

A.

Closed management action plans from the previous audit

B.

Annual risk assessment results

C.

An updated vulnerability management report

D.

A list of identified generic risk scenarios

Buy Now
Questions 32

Which of the following would be a risk practitioners’ BEST recommendation for preventing cyber intrusion?

Options:

A.

Establish a cyber response plan

B.

Implement data loss prevention (DLP) tools.

C.

Implement network segregation.

D.

Strengthen vulnerability remediation efforts.

Buy Now
Questions 33

Which of the following is the MAIN reason for documenting the performance of controls?

Options:

A.

Obtaining management sign-off

B.

Demonstrating effective risk mitigation

C.

Justifying return on investment

D.

Providing accurate risk reporting

Buy Now
Questions 34

Which of the following is the MOST cost-effective way to test a business continuity plan?

Options:

A.

Conduct interviews with key stakeholders.

B.

Conduct a tabletop exercise.

C.

Conduct a disaster recovery exercise.

D.

Conduct a full functional exercise.

Buy Now
Questions 35

Which of the following is a specific concern related to machine learning algorithms?

Options:

A.

Low software quality

B.

Lack of access controls

C.

Data breaches

D.

Data bias

Buy Now
Questions 36

The PRIMARY reason for a risk practitioner to review business processes is to:

Options:

A.

Benchmark against peer organizations.

B.

Identify appropriate controls within business processes.

C.

Assess compliance with global standards.

D.

Identify risk owners related to business processes.

Buy Now
Questions 37

Which of the following tools is MOST effective in identifying trends in the IT risk profile?

Options:

A.

Risk self-assessment

B.

Risk register

C.

Risk dashboard

D.

Risk map

Buy Now
Questions 38

Which of the following BEST describes the role of the IT risk profile in strategic IT-related decisions?

Options:

A.

It compares performance levels of IT assets to value delivered.

B.

It facilitates the alignment of strategic IT objectives to business objectives.

C.

It provides input to business managers when preparing a business case for new IT projects.

D.

It helps assess the effects of IT decisions on risk exposure

Buy Now
Questions 39

When reviewing management's IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?

Options:

A.

Assess management's risk tolerance.

B.

Recommend management accept the low-risk scenarios.

C.

Propose mitigating controls

D.

Re-evaluate the risk scenarios associated with the control

Buy Now
Questions 40

After several security incidents resulting in significant financial losses, IT management has decided to outsource the security function to a third party that provides 24/7 security operation services. Which risk response option has management implemented?

Options:

A.

Risk mitigation

B.

Risk avoidance

C.

Risk acceptance

D.

Risk transfer

Buy Now
Questions 41

During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT. Which of the following is the BEST way for the risk practitioner to address these concerns?

Options:

A.

Describe IT risk scenarios in terms of business risk.

B.

Recommend the formation of an executive risk council to oversee IT risk.

C.

Provide an estimate of IT system downtime if IT risk materializes.

D.

Educate business executives on IT risk concepts.

Buy Now
Questions 42

Which of the following is the MOST important consideration when developing an organization's risk taxonomy?

Options:

A.

Leading industry frameworks

B.

Business context

C.

Regulatory requirements

D.

IT strategy

Buy Now
Questions 43

Real-time monitoring of security cameras implemented within a retail store is an example of which type of control?

Options:

A.

Preventive

B.

Deterrent

C.

Compensating

D.

Detective

Buy Now
Questions 44

Which of the following controls will BEST detect unauthorized modification of data by a database administrator?

Options:

A.

Reviewing database access rights

B.

Reviewing database activity logs

C.

Comparing data to input records

D.

Reviewing changes to edit checks

Buy Now
Questions 45

A risk practitioner is assisting with the preparation of a report on the organization s disaster recovery (DR) capabilities. Which information would have the MOST impact on the overall recovery profile?

Options:

A.

The percentage of systems meeting recovery target times has increased.

B.

The number of systems tested in the last year has increased.

C.

The number of systems requiring a recovery plan has increased.

D.

The percentage of systems with long recovery target times has decreased.

Buy Now
Questions 46

Which of the following would BEST ensure that identified risk scenarios are addressed?

Options:

A.

Reviewing the implementation of the risk response

B.

Creating a separate risk register for key business units

C.

Performing real-time monitoring of threats

D.

Performing regular risk control self-assessments

Buy Now
Questions 47

Which of the following is the PRIMARY factor in determining a recovery time objective (RTO)?

Options:

A.

Cost of offsite backup premises

B.

Cost of downtime due to a disaster

C.

Cost of testing the business continuity plan

D.

Response time of the emergency action plan

Buy Now
Questions 48

A risk practitioner observes that hardware failure incidents have been increasing over the last few months. However, due to built-in redundancy and fault-tolerant architecture, there have been no interruptions to business operations. The risk practitioner should conclude that:

Options:

A.

a root cause analysis is required

B.

controls are effective for ensuring continuity

C.

hardware needs to be upgraded

D.

no action is required as there was no impact

Buy Now
Questions 49

Which of the following is the MOST useful indicator to measure the efficiency of an identity and access management process?

Options:

A.

Number of tickets for provisioning new accounts

B.

Average time to provision user accounts

C.

Password reset volume per month

D.

Average account lockout time

Buy Now
Questions 50

IT risk assessments can BEST be used by management:

Options:

A.

for compliance with laws and regulations

B.

as a basis for cost-benefit analysis.

C.

as input for decision-making

D.

to measure organizational success.

Buy Now
Questions 51

The PRIMARY advantage of implementing an IT risk management framework is the:

Options:

A.

establishment of a reliable basis for risk-aware decision making.

B.

compliance with relevant legal and regulatory requirements.

C.

improvement of controls within the organization and minimized losses.

D.

alignment of business goals with IT objectives.

Buy Now
Questions 52

When developing risk treatment alternatives for a Business case, it is MOST helpful to show risk reduction based on:

Options:

A.

cost-benefit analysis.

B.

risk appetite.

C.

regulatory guidelines

D.

control efficiency

Buy Now
Questions 53

An organization has allowed its cyber risk insurance to lapse while seeking a new insurance provider. The risk practitioner should report to management that the risk has been:

Options:

A.

transferred

B.

mitigated.

C.

accepted

D.

avoided

Buy Now
Questions 54

After a risk has been identified, who is in the BEST position to select the appropriate risk treatment option?

Options:

A.

The risk practitioner

B.

The business process owner

C.

The risk owner

D.

The control owner

Buy Now
Questions 55

Which of the following is the MOST important key performance indicator (KPI) to establish in the service level agreement (SLA) for an outsourced data center?

Options:

A.

Percentage of systems included in recovery processes

B.

Number of key systems hosted

C.

Average response time to resolve system incidents

D.

Percentage of system availability

Buy Now
Questions 56

Which of the following is the MOST important consideration when sharing risk management updates with executive management?

Options:

A.

Using an aggregated view of organizational risk

B.

Ensuring relevance to organizational goals

C.

Relying on key risk indicator (KRI) data Including

D.

Trend analysis of risk metrics

Buy Now
Questions 57

Management has noticed storage costs have increased exponentially over the last 10 years because most users do not delete their emails. Which of the following can BEST alleviate this issue while not sacrificing security?

Options:

A.

Implementing record retention tools and techniques

B.

Establishing e-discovery and data loss prevention (DLP)

C.

Sending notifications when near storage quota

D.

Implementing a bring your own device 1BVOD) policy

Buy Now
Questions 58

Which of the following is MOST effective against external threats to an organizations confidential information?

Options:

A.

Single sign-on

B.

Data integrity checking

C.

Strong authentication

D.

Intrusion detection system

Buy Now
Questions 59

During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall. Which of the following controls has MOST likely been compromised?

Options:

A.

Data validation

B.

Identification

C.

Authentication

D.

Data integrity

Buy Now
Questions 60

A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?

Options:

A.

Document the finding in the risk register.

B.

Invoke the incident response plan.

C.

Re-evaluate key risk indicators.

D.

Modify the design of the control.

Buy Now
Questions 61

An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:

Options:

A.

reduce the risk to an acceptable level.

B.

communicate the consequences for violations.

C.

implement industry best practices.

D.

reduce the organization's risk appetite

Buy Now
Questions 62

The head of a business operations department asks to review the entire IT risk register. Which of the following would be the risk manager s BEST approach to this request before sharing the register?

Options:

A.

Escalate to senior management

B.

Require a nondisclosure agreement.

C.

Sanitize portions of the register

D.

Determine the purpose of the request

Buy Now
Questions 63

Which of the following is MOST important to identify when developing generic risk scenarios?

Options:

A.

The organization’s vision and mission

B.

Resources required for risk mitigation

C.

Impact to business objectives

D.

Risk-related trends within the industry

Buy Now
Questions 64

A risk practitioner is organizing risk awareness training for senior management. Which of the following is the MOST important topic to cover in the training session?

Options:

A.

The organization's strategic risk management projects

B.

Senior management roles and responsibilities

C.

The organizations risk appetite and tolerance

D.

Senior management allocation of risk management resources

Buy Now
Questions 65

Which of the following will BEST quantify the risk associated with malicious users in an organization?

Options:

A.

Business impact analysis

B.

Risk analysis

C.

Threat risk assessment

D.

Vulnerability assessment

Buy Now
Questions 66

A rule-based data loss prevention {DLP) tool has recently been implemented to reduce the risk of sensitive data leakage. Which of the following is MOST likely to change as a result of this implementation?

Options:

A.

Risk likelihood

B.

Risk velocity

C.

Risk appetite

D.

Risk impact

Buy Now
Questions 67

Which of the following is the MOST effective way to help ensure future risk levels do not exceed the organization's risk appetite?

Options:

A.

Developing contingency plans for key processes

B.

Implementing key performance indicators (KPIs)

C.

Adding risk triggers to entries in the risk register

D.

Establishing a series of key risk indicators (KRIs)

Buy Now
Questions 68

Which of the following is the MOST important benefit of key risk indicators (KRIs)'

Options:

A.

Assisting in continually optimizing risk governance

B.

Enabling the documentation and analysis of trends

C.

Ensuring compliance with regulatory requirements

D.

Providing an early warning to take proactive actions

Buy Now
Questions 69

Which of the following would be considered a vulnerability?

Options:

A.

Delayed removal of employee access

B.

Authorized administrative access to HR files

C.

Corruption of files due to malware

D.

Server downtime due to a denial of service (DoS) attack

Buy Now
Questions 70

Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited. Which of the following would be the BEST response to this scenario?

Options:

A.

Assess the vulnerability management process.

B.

Conduct a control serf-assessment.

C.

Conduct a vulnerability assessment.

D.

Reassess the inherent risk of the target.

Buy Now
Questions 71

Reviewing results from which of the following is the BEST way to identify information systems control deficiencies?

Options:

A.

Vulnerability and threat analysis

B.

Control remediation planning

C.

User acceptance testing (UAT)

D.

Control self-assessment (CSA)

Buy Now
Questions 72

Which of the following would be MOST helpful when estimating the likelihood of negative events?

Options:

A.

Business impact analysis

B.

Threat analysis

C.

Risk response analysis

D.

Cost-benefit analysis

Buy Now
Questions 73

Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data?

Options:

A.

Testing the transmission of credit card numbers

B.

Reviewing logs for unauthorized data transfers

C.

Configuring the DLP control to block credit card numbers

D.

Testing the DLP rule change control process

Buy Now
Questions 74

Which of the following would BEST help to ensure that suspicious network activity is identified?

Options:

A.

Analyzing intrusion detection system (IDS) logs

B.

Analyzing server logs

C.

Using a third-party monitoring provider

D.

Coordinating events with appropriate agencies

Buy Now
Questions 75

Which of the following controls would BEST reduce the risk of account compromise?

Options:

A.

Enforce password changes.

B.

Enforce multi-factor authentication (MFA).

C.

Enforce role-based authentication.

D.

Enforce password encryption.

Buy Now
Questions 76

An organization needs to send files to a business partner to perform a quality control audit on the organization’s record-keeping processes. The files include personal information on theorganization's customers. Which of the following is the BEST recommendation to mitigate privacy risk?

Options:

A.

Obfuscate the customers’ personal information.

B.

Require the business partner to delete personal information following the audit.

C.

Use a secure channel to transmit the files.

D.

Ensure the contract includes provisions for sharing personal information.

Buy Now
Questions 77

Improvements in the design and implementation of a control will MOST likely result in an update to:

Options:

A.

inherent risk.

B.

residual risk.

C.

risk appetite

D.

risk tolerance

Buy Now
Questions 78

Risk mitigation procedures should include:

Options:

A.

buying an insurance policy.

B.

acceptance of exposures

C.

deployment of counter measures.

D.

enterprise architecture implementation.

Buy Now
Questions 79

What is the BEST information to present to business control owners when justifying costs related to controls?

Options:

A.

Loss event frequency and magnitude

B.

The previous year's budget and actuals

C.

Industry benchmarks and standards

D.

Return on IT security-related investments

Buy Now
Questions 80

Which of the following roles would provide the MOST important input when identifying IT risk scenarios?

Options:

A.

Information security managers

B.

Internal auditors

C.

Business process owners

D.

Operational risk managers

Buy Now
Questions 81

Reviewing which of the following BEST helps an organization gain insight into its overall risk profile?

Options:

A.

Threat landscape

B.

Risk appetite

C.

Risk register

D.

Risk metrics

Buy Now
Questions 82

An organization has identified a risk exposure due to weak technical controls in a newly implemented HR system. The risk practitioner is documenting the risk in the risk register. The risk should be owned by the:

Options:

A.

chief risk officer.

B.

project manager.

C.

chief information officer.

D.

business process owner.

Buy Now
Questions 83

Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?

Options:

A.

Align business objectives to the risk profile.

B.

Assess risk against business objectives

C.

Implement an organization-specific risk taxonomy.

D.

Explain risk details to management.

Buy Now
Questions 84

An effective control environment is BEST indicated by controls that:

Options:

A.

minimize senior management's risk tolerance.

B.

manage risk within the organization's risk appetite.

C.

reduce the thresholds of key risk indicators (KRIs).

D.

are cost-effective to implement

Buy Now
Questions 85

Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?

Options:

A.

Maintain and review the classified data inventor.

B.

Implement mandatory encryption on data

C.

Conduct an awareness program for data owners and users.

D.

Define and implement a data classification policy

Buy Now
Questions 86

After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:

Options:

A.

recommend a program that minimizes the concerns of that production system.

B.

inform the development team of the concerns, and together formulate risk reduction measures.

C.

inform the process owner of the concerns and propose measures to reduce them

D.

inform the IT manager of the concerns and propose measures to reduce them.

Buy Now
Questions 87

An online payment processor would be severely impacted if the fraud detection system has an outage. Which of the following is the BEST way to address this risk?

Options:

A.

Implement continuous control monitoring.

B.

Communicate the risk to management.

C.

Introduce recovery control procedures.

D.

Document a risk response plan.

Buy Now
Questions 88

When an organization's business continuity plan (BCP) states that it cannot afford to lose more than three hours of a critical application's data, the three hours is considered the application’s:

Options:

A.

Maximum tolerable outage (MTO).

B.

Recovery point objective (RPO).

C.

Mean time to restore (MTTR).

D.

Recovery time objective (RTO).

Buy Now
Questions 89

Which of the following is MOST important to ensure risk management practices are effective at all levels within the organization?

Options:

A.

Communicating risk awareness materials regularly

B.

Establishing key risk indicators (KRIs) to monitor risk management processes

C.

Ensuring that business activities minimize inherent risk

D.

Embedding risk management in business activities

Buy Now
Questions 90

A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable?

Options:

A.

Business continuity manager (BCM)

B.

Human resources manager (HRM)

C.

Chief risk officer (CRO)

D.

Chief information officer (CIO)

Buy Now
Questions 91

An organization uses one centralized single sign-on (SSO) control to cover many applications. Which of the following is the BEST course of action when a new application is added to the environment after testing of the SSO control has been completed?

Options:

A.

Initiate a retest of the full control

B.

Retest the control using the new application as the only sample.

C.

Review the corresponding change control documentation

D.

Re-evaluate the control during (he next assessment

Buy Now
Questions 92

Which of the following is the GREATEST risk associated with inappropriate classification of data?

Options:

A.

Inaccurate record management data

B.

Inaccurate recovery time objectives (RTOs)

C.

Lack of accountability for data ownership

D.

Users having unauthorized access to data

Buy Now
Questions 93

What is the BEST approach for determining the inherent risk of a scenario when the actual likelihood of the risk is unknown?

Options:

A.

Use the severity rating to calculate risk.

B.

Classify the risk scenario as low-probability.

C.

Use the highest likelihood identified by risk management.

D.

Rely on range-based estimates provided by subject-matter experts.

Buy Now
Questions 94

Which of the following would BEST help to ensure that identified risk is efficiently managed?

Options:

A.

Reviewing the maturity of the control environment

B.

Regularly monitoring the project plan

C.

Maintaining a key risk indicator for each asset in the risk register

D.

Periodically reviewing controls per the risk treatment plan

Buy Now
Questions 95

Which of the following is the MOST important document regarding the treatment of sensitive data?

Options:

A.

Encryption policy

B.

Organization risk profile

C.

Digital rights management policy

D.

Information classification policy

Buy Now
Questions 96

Which of the following is the MOST important criteria for selecting key risk indicators (KRIs)?

Options:

A.

Historical data availability

B.

Implementation and reporting effort

C.

Ability to display trends

D.

Sensitivity and reliability

Buy Now
Questions 97

Which of the following should be the PRIMARY input to determine risk tolerance?

Options:

A.

Regulatory requirements

B.

Organizational objectives

C.

Annual loss expectancy (ALE)

D.

Risk management costs

Buy Now
Questions 98

A business impact analysis (BIA) enables an organization to determine appropriate IT risk mitigation actions by:

Options:

A.

validating whether critical IT risk has been addressed.

B.

assigning accountability for IT risk to business functions.

C.

identifying IT assets that support key business processes.

D.

defining the requirements for an IT risk-aware culture

Buy Now
Questions 99

The BEST way for an organization to ensure that servers are compliant to security policy is

to review:

Options:

A.

change logs.

B.

configuration settings.

C.

server access logs.

D.

anti-malware compliance.

Buy Now
Questions 100

An organization's IT team has proposed the adoption of cloud computing as a cost-saving measure for the business. Which of the following should be of GREATEST concern to the risk practitioner?

Options:

A.

Due diligence for the recommended cloud vendor has not been performed.

B.

The business can introduce new Software as a Service (SaaS) solutions without IT approval.

C.

The maintenance of IT infrastructure has been outsourced to an Infrastructure as a Service (laaS) provider.

D.

Architecture responsibilities may not be clearly defined.

Buy Now
Questions 101

Which of the following criteria for assigning owners to IT risk scenarios provides the GREATEST benefit to an organization?

Options:

A.

The risk owner understands the effect of loss events on business operations.

B.

The risk owner is a member of senior leadership in the IT organization.

C.

The risk owner has strong technical aptitude across multiple business systems.

D.

The risk owner has extensive risk management experience.

Buy Now
Questions 102

An organization has established a policy prohibiting ransom payments if subjected to a ransomware attack. Which of the following is the MOST effective control to support this policy?

Options:

A.

Conducting periodic vulnerability scanning

B.

Creating immutable backups

C.

Performing required patching

D.

Implementing continuous intrusion detection monitoring

Buy Now
Questions 103

Which of the following actions should a risk practitioner do NEXT when an increased industry trend of external cyber attacks is identified?

Options:

A.

Conduct a threat and vulnerability analysis.

B.

Notify senior management of the new risk scenario.

C.

Update the risk impact rating in the risk register.

D.

Update the key risk indicator (KRI) in the risk register.

Buy Now
Questions 104

An organization has established workflows in its service desk to support employee reports of security-related concerns. Which of the following is the MOST efficient approach to analyze these concerns?

Options:

A.

Map concerns to organizational assets.

B.

Sort concerns by likelihood.

C.

Align concerns to key vendors.

D.

Prioritize concerns based on frequency of reports.

Buy Now
Questions 105

The PRIMARY reason a risk practitioner would be interested in an internal audit report is to:

Options:

A.

plan awareness programs for business managers.

B.

evaluate maturity of the risk management process.

C.

assist in the development of a risk profile.

D.

maintain a risk register based on noncompliance.

Buy Now
Questions 106

What should a risk practitioner do FIRST when a shadow IT application is identified in a business owner's business impact analysis (BIA)?

Options:

A.

Include the application in the business continuity plan (BCP).

B.

Determine the business purpose of the application.

C.

Segregate the application from the network.

D.

Report the finding to management.

Buy Now
Questions 107

Which of the following should be considered FIRST when creating a comprehensive IT risk register?

Options:

A.

Risk management budget

B.

Risk mitigation policies

C.

Risk appetite

D.

Risk analysis techniques

Buy Now
Questions 108

A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner s NEXT step? r

Options:

A.

Prepare a business case for the response options.

B.

Identify resources for implementing responses.

C.

Develop a mechanism for monitoring residual risk.

D.

Update the risk register with the results.

Buy Now
Questions 109

When assessing the maturity level of an organization's risk management framework, which of the following should be of GREATEST concern to a risk practitioner?

Options:

A.

Reliance on qualitative analysis methods

B.

Lack of a governance, risk, and compliance (GRC) tool

C.

Lack of senior management involvement

D.

Use of multiple risk registers

Buy Now
Questions 110

Who is ULTIMATELY accountable for risk treatment?

Options:

A.

Risk owner

B.

Enterprise risk management (ERM)

C.

Risk practitioner

D.

Control owner

Buy Now
Questions 111

An organization has established a contract with a vendor that includes penalties for loss of availability. Which risk treatment has been adopted by the organization?

Options:

A.

Acceptance

B.

Avoidance

C.

Transfer

D.

Reduction

Buy Now
Questions 112

The results of a risk assessment reveal risk scenarios with high impact and low likelihood of occurrence. Which of the following would be the BEST action to address these scenarios?

Options:

A.

Assemble an incident response team.

B.

Create a disaster recovery plan (DRP).

C.

Develop a risk response plan.

D.

Initiate a business impact analysis (BIA).

Buy Now
Questions 113

A risk practitioner wants to identify potential risk events that affect the continuity of a critical business process. Which of the following should the risk practitioner do FIRST?

Options:

A.

Evaluate current risk management alignment with relevant regulations.

B.

Determine if business continuity procedures are reviewed and updated on a regular basis.

C.

Review the methodology used to conduct the business impact analysis (BIA).

D.

Conduct a benchmarking exercise against industry peers.

Buy Now
Questions 114

Which of the following is a risk practitioner's BEST recommendation to help reduce IT risk associated with scheduling overruns when starting a new application development project?

Options:

A.

Implement a tool to track the development team's deliverables.

B.

Review the software development life cycle.

C.

Involve the development team in planning.

D.

Assign more developers to the project team.

Buy Now
Questions 115

Which of the following is the BEST metric to demonstrate the effectiveness of an organization's patch management process?

Options:

A.

Average time to implement patches after vendor release

B.

Number of patches tested prior to deployment

C.

Increase in the frequency of patches deployed into production

D.

Percent of patches implemented within established timeframe

Buy Now
Questions 116

Which of the following should be of MOST concern to a risk practitioner reviewing the system development life cycle (SDLC)?

Options:

A.

Testing is completed in phases, with user testing scheduled as the final phase.

B.

Segregation of duties controls are overridden during user testing phases.

C.

Data anonymization is used during all cycles of end-user testing.

D.

Testing is completed by IT support users without input from end users.

Buy Now
Questions 117

An organization is increasingly concerned about loss of sensitive data and asks the risk practitioner to assess the current risk level. Which of the following should the risk practitioner do FIRST?

Options:

A.

Review assignments of data ownership for key assets.

B.

Identify staff who have access to the organization’s sensitive data.

C.

Identify recent and historical incidents involving data loss.

D.

Review the organization's data inventory.

Buy Now
Questions 118

A penetration test reveals several vulnerabilities in a web-facing application. Which of the following should be the FIRST step in selecting a risk response?

Options:

A.

Correct the vulnerabilities to mitigate potential risk exposure.

B.

Develop a risk response action plan with key stakeholders.

C.

Assess the level of risk associated with the vulnerabilities.

D.

Communicate the vulnerabilities to the risk owner.

Buy Now
Questions 119

A risk practitioner's BEST guidance to help an organization develop relevant risk scenarios is to ensure the scenarios are:

Options:

A.

Aligned with risk management capabilities.

B.

Based on industry trends.

C.

Related to probable events.

D.

Mapped to incident response plans.

Buy Now
Questions 120

During the control evaluation phase of a risk assessment, it is noted that multiple controls are ineffective. Which of the following should be the risk practitioner's FIRST course of action?

Options:

A.

Compare the residual risk to the current risk appetite.

B.

Recommend risk remediation of the ineffective controls.

C.

Implement key control indicators (KCIs).

D.

Escalate the control failures to senior management.

Buy Now
Questions 121

An organization has just started accepting credit card payments from customers via the corporate website. Which of the following is MOST likely to increase as a result of this new initiative?

Options:

A.

Risk tolerance

B.

Risk appetite

C.

Inherent risk

D.

Residual risk

Buy Now
Questions 122

Which of the following should be a risk practitioner's NEXT step after learning of an incident that has affected a competitor?

Options:

A.

Activate the incident response plan.

B.

Implement compensating controls.

C.

Update the risk register.

D.

Develop risk scenarios.

Buy Now
Questions 123

Which of the following is the BEST way to validate whether controls to reduce user device vulnerabilities have been implemented according to management's action plan?

Options:

A.

Survey device owners.

B.

Rescan the user environment.

C.

Require annual end user policy acceptance.

D.

Review awareness training assessment results

Buy Now
Questions 124

Which of the following BEST enables the integration of IT risk management across an organization?

Options:

A.

Enterprise risk management (ERM) framework

B.

Enterprise-wide risk awareness training

C.

Robust risk reporting practices

D.

Risk management policies

Buy Now
Questions 125

An incentive program is MOST likely implemented to manage the risk associated with loss of which organizational asset?

Options:

A.

Employees

B.

Data

C.

Reputation

D.

Customer lists

Buy Now
Questions 126

A risk practitioner has been asked to evaluate a new cloud-based service to enhance an organization's access management capabilities. When is the BEST time for the risk practitioner to provide opinions on control strength?

Options:

A.

After the initial design

B.

Before production rollout

C.

After a few weeks in use

D.

Before end-user testing

Buy Now
Questions 127

Which of the following is the BEST response when a potential IT control deficiency has been identified?

Options:

A.

Remediate and report the deficiency to the enterprise risk committee.

B.

Verify the deficiency and then notify the business process owner.

C.

Verify the deficiency and then notify internal audit.

D.

Remediate and report the deficiency to senior executive management.

Buy Now
Questions 128

A MAJOR advantage of using key risk indicators (KRIs) is that they:

Options:

A.

Identify scenarios that exceed defined risk appetite.

B.

Help with internal control assessments concerning risk appetite.

C.

Assess risk scenarios that exceed defined thresholds.

D.

Identify when risk exceeds defined thresholds.

Buy Now
Questions 129

Which of the following is the PRIMARY advantage of having a single integrated business continuity plan (BCP) rather than each business unit developing its own BCP?

Options:

A.

It provides assurance of timely business process response and effectiveness.

B.

It supports effective use of resources and provides reasonable confidence of recoverability.

C.

It enables effective BCP maintenance and updates to reflect organizational changes.

D.

It decreases the risk of downtime and operational losses in the event of a disruption.

Buy Now
Questions 130

Which of the following would be MOST helpful in assessing the risk associated with data loss due to human vulnerabilities?

Options:

A.

Reviewing password change history

B.

Performing periodic access recertification

C.

Conducting social engineering exercises

D.

Reviewing the results of security awareness surveys

Buy Now
Questions 131

Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?

Options:

A.

Risk appetite is decreased.

B.

Inherent risk is increased.

C.

Risk tolerance is decreased.

D.

Residual risk is increased.

Buy Now
Questions 132

A risk practitioner has been asked to assess the risk associated with a new critical application used by a financial process team that the risk practitioner was a member of two years ago. Which of the following is the GREATEST concern with this request?

Options:

A.

The risk assessment team may be overly confident of its ability to identify issues.

B.

The risk practitioner may be unfamiliar with recent application and process changes.

C.

The risk practitioner may still have access rights to the financial system.

D.

Participation in the risk assessment may constitute a conflict of interest.

Buy Now
Questions 133

Following the implementation of an Internet of Things (loT) solution, a risk practitioner identifies new risk factors with impact to existing controls. Which of the following is MOST important to include in a report to stakeholders?

Options:

A.

Identified vulnerabilities

B.

Business managers' concerns

C.

Changes to residual risk

D.

Risk strategies of peer organizations

Buy Now
Questions 134

A company has located its computer center on a moderate earthquake fault. Which of the following is the MOST important consideration when establishing a contingency plan and an alternate processing site?

Options:

A.

The contingency plan provides for backup media to be taken to the alternative site.

B.

The contingency plan for high priority applications does not involve a shared cold site.

C.

The alternative site is a hot site with equipment ready to resume processing immediately.

D.

The alternative site does not reside on the same fault no matter how far the distance apart.

Buy Now
Questions 135

Which of the following should be the PRIMARY consideration when assessing the risk of using Internet of Things (loT) devices to collect and process personally identifiable information (PII)?

Options:

A.

Business strategies and needs

B.

Security features and support

C.

Costs and benefits

D.

Local laws and regulations

Buy Now
Questions 136

Which of the following events is MOST likely to trigger the need to conduct a risk assessment?

Options:

A.

An incident resulting in data loss

B.

Changes in executive management

C.

Updates to the information security policy

D.

Introduction of a new product line

Buy Now
Questions 137

An organization has adopted an emerging technology without following proper processes. Which of the following is the risk practitioner's BEST course of action to address this risk?

Options:

A.

Accept the risk because the technology has already been adopted.

B.

Propose a transfer of risk to a third party with subsequent monitoring.

C.

Conduct a risk assessment to determine risk exposure.

D.

Recommend to senior management to decommission the technology.

Buy Now
Questions 138

During the creation of an organization's IT risk management program, the BEST time to identify key risk indicators (KRIs) is while:

Options:

A.

Interviewing data owners

B.

Reviewing risk response plans with internal audit

C.

Developing a risk monitoring process

D.

Reviewing an external risk assessment

Buy Now
Questions 139

Which of the following is the BEST method for determining an enterprise's current appetite for risk?

Options:

A.

Comparative analysis of peer companies

B.

Reviews of brokerage firm assessments

C.

Interviews with senior management

D.

Trend analysis using prior annual reports

Buy Now
Questions 140

During a risk assessment of a financial institution, a risk practitioner discovers that tellers can initiate and approve transactions of significant value. This team is also responsible for ensuring transactions are recorded and balances are reconciled by the end of the day. Which of the following is the risk practitioner's BEST recommendation to mitigate the associated risk?

Options:

A.

Implement continuous monitoring.

B.

Require a second level of approval.

C.

Implement separation of duties.

D.

Require a code of ethics.

Buy Now
Questions 141

It was discovered that a service provider's administrator was accessing sensitive information without the approval of the customer in an Infrastructure as a Service (laaS) model. Which of the following would BEST protect against a future recurrence?

Options:

A.

Data encryption

B.

Intrusion prevention system (IPS)

C.

Two-factor authentication

D.

Contractual requirements

Buy Now
Questions 142

Which of the following is the ULTIMATE goal of conducting a privacy impact analysis (PIA)?

Options:

A.

To identify gaps in data protection controls

B.

To develop a customer notification plan

C.

To identify personally identifiable information (Pll)

D.

To determine gaps in data identification processes

Buy Now
Questions 143

Which of the following BEST helps to ensure disaster recovery staff members

are able to complete their assigned tasks effectively during a disaster?

Options:

A.

Performing parallel disaster recovery testing

B.

Documenting the order of system and application restoration

C.

Involving disaster recovery staff members in risk assessments

D.

Conducting regular tabletop exercises and scenario analysis

Buy Now
Questions 144

A technology company is developing a strategic artificial intelligence (Al)-driven application that has high potential business value. At what point should the enterprise risk profile be updated?

Options:

A.

After user acceptance testing (UAT)

B.

Upon approval of the business case

C.

When user stories are developed

D.

During post-implementation review

Buy Now
Questions 145

Which of the following is MOST important when determining risk appetite?

Options:

A.

Assessing regulatory requirements

B.

Benchmarking against industry standards

C.

Gaining management consensus

D.

Identifying risk tolerance

Buy Now
Questions 146

An organization has updated its acceptable use policy to mitigate the risk of employees disclosing confidential information. Which of the following is the BEST way to reinforce the effectiveness of this policy?

Options:

A.

Communicate sanctions for policy violations to all staff.

B.

Obtain signed acceptance of the new policy from employees.

C.

Train all staff on relevant information security best practices.

D.

Implement data loss prevention (DLP) within the corporate network.

Buy Now
Questions 147

Risk mitigation is MOST effective when which of the following is optimized?

Options:

A.

Operational risk

B.

Residual risk

C.

Inherent risk

D.

Regulatory risk

Buy Now
Questions 148

WhichT5f the following is the MOST effective way to promote organization-wide awareness of data security in response to an increase in regulatory penalties for data leakage?

Options:

A.

Enforce sanctions for noncompliance with security procedures.

B.

Conduct organization-w>de phishing simulations.

C.

Require training on the data handling policy.

D.

Require regular testing of the data breach response plan.

Buy Now
Questions 149

A penetration testing team discovered an ineffectively designed access control. Who is responsible for ensuring the control design gap is remediated?

Options:

A.

Control owner

B.

Risk owner

C.

IT security manager

D.

Control operator

Buy Now
Questions 150

Which of the following emerging technologies is frequently used for botnet distributed denial of service (DDoS) attacks?

Options:

A.

Internet of Things (IoT)

B.

Quantum computing

C.

Virtual reality (VR)

D.

Machine learning

Buy Now
Questions 151

Which of the following is the PRIMARY objective of a risk awareness program?

Options:

A.

To demonstrate senior management support

B.

To enhance organizational risk culture

C.

To increase awareness of risk mitigation controls

D.

To clearly define ownership of risk

Buy Now
Questions 152

Which of the following would MOST likely cause management to unknowingly accept excessive risk?

Options:

A.

Satisfactory audit results

B.

Risk tolerance being set too low

C.

Inaccurate risk ratings

D.

Lack of preventive controls

Buy Now
Questions 153

In the three lines of defense model, a PRIMARY objective of the second line is to:

Options:

A.

Review and evaluate the risk management program.

B.

Ensure risk and controls are effectively managed.

C.

Implement risk management policies regarding roles and responsibilities.

D.

Act as the owner for any operational risk identified as part of the risk program.

Buy Now
Questions 154

The PRIMARY reason for communicating risk assessment results to data owners is to enable the:

Options:

A.

design of appropriate controls.

B.

industry benchmarking of controls.

C.

prioritization of response efforts.

D.

classification of information assets.

Buy Now
Questions 155

An organization is subject to a new regulation that requires nearly real-time recovery of its services following a disruption. Which of the following is the BEST way to manage the risk in this situation?

Options:

A.

Move redundant IT infrastructure to a closer location.

B.

Obtain insurance and ensure sufficient funds are available for disaster recovery.

C.

Review the business continuity plan (BCP) and align it with the new business needs.

D.

Outsource disaster recovery services to a third-party IT service provider.

Buy Now
Questions 156

Which of me following is MOST helpful to mitigate the risk associated with an application under development not meeting business objectives?

Options:

A.

Identifying tweets that may compromise enterprise architecture (EA)

B.

Including diverse Business scenarios in user acceptance testing (UAT)

C.

Performing risk assessments during the business case development stage

D.

Including key stakeholders in review of user requirements

Buy Now
Questions 157

An organization has restructured its business processes, and the business continuity plan (BCP) needs to be revised accordingly. Which of the following should be identified FIRST?

Options:

A.

Variances in recovery times

B.

Ownership assignment for controls

C.

New potentially disruptive scenarios

D.

Contractual changes with customers

Buy Now
Questions 158

Which of the following is the BEST course of action for a system administrator who suspects a colleague may be intentionally weakening a system's validation controls in order to pass through fraudulent transactions?

Options:

A.

Implement compensating controls to deter fraud attempts.

B.

Share the concern through a whistleblower communication channel.

C.

Monitor the activity to collect evidence.

D.

Determine whether the system environment has flaws that may motivate fraud attempts.

Buy Now
Questions 159

A business unit has implemented robotic process automation (RPA) for its

repetitive back-office tasks. Which of the following should be the risk

practitioner's GREATEST concern?

Options:

A.

The security team is unaware of the implementation.

B.

The organization may lose institutional knowledge.

C.

The robots may fail to work effectively.

D.

Virtual clients are used for implementation.

Buy Now
Questions 160

A user has contacted the risk practitioner regarding malware spreading laterally across the organization's corporate network. Which of the following is the risk practitioner’s BEST course of action?

Options:

A.

Review all log files generated during the period of malicious activity.

B.

Perform a root cause analysis.

C.

Notify the cybersecurity incident response team.

D.

Update the risk register.

Buy Now
Questions 161

Within the three lines of defense model, the PRIMARY responsibility for ensuring risk mitigation controls are properly configured belongs with:

Options:

A.

line management.

B.

the IT risk function.

C.

enterprise compliance.

D.

internal audit.

Buy Now
Questions 162

A risk practitioner has been asked to evaluate the adoption of a third-party blockchain integration platform based on the value added by the platform and the organization's risk appetite. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Conduct a risk assessment with stakeholders.

B.

Conduct third-party resilience tests.

C.

Update the risk register with the process changes.

D.

Review risk related to standards and regulations.

Buy Now
Questions 163

A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?

Options:

A.

The methodology used to perform the risk assessment

B.

Action plans to address risk scenarios requiring treatment

C.

Date and status of the last project milestone

D.

The individuals assigned ownership of controls

Buy Now
Questions 164

A risk assessment has revealed that the probability of a successful cybersecurity attack is increasing. The potential loss could exceed the organization's risk appetite. Which of the following ould be the MOST effective course of action?

Options:

A.

Re-evaluate the organization's risk appetite.

B.

Outsource the cybersecurity function.

C.

Purchase cybersecurity insurance.

D.

Review cybersecurity incident response procedures.

Buy Now
Questions 165

To help ensure the success of a major IT project, it is MOST important to:

Options:

A.

obtain the appropriate stakeholders' commitment.

B.

align the project with the IT risk framework.

C.

obtain approval from business process owners.

D.

update the risk register on a regular basis.

Buy Now
Questions 166

Which of the following BEST protects organizational data within a production cloud environment?

Options:

A.

Data encryption

B.

Continuous log monitoring

C.

Right to audit

D.

Data obfuscation

Buy Now
Questions 167

Which of the following would be MOST helpful to an information security management team when allocating resources to mitigate exposures?

Options:

A.

Relevant risk case studies

B.

Internal audit findings

C.

Risk assessment results

D.

Penetration testing results

Buy Now
Questions 168

A PRIMARY advantage of involving business management in evaluating and managing risk is that management:

Options:

A.

better understands the system architecture.

B.

is more objective than risk management.

C.

can balance technical and business risk.

D.

can make better-informed business decisions.

Buy Now
Questions 169

One of an organization's key IT systems cannot be patched because the patches interfere with critical business application functionalities. Which of the following would be the risk practitioner's BEST recommendation?

Options:

A.

Additional mitigating controls should be identified.

B.

The system should not be used until the application is changed

C.

The organization's IT risk appetite should be adjusted.

D.

The associated IT risk should be accepted by management.

Buy Now
Questions 170

Reviewing which of the following would provide the MOST useful information when preparing to evaluate the effectiveness of existing controls?

Options:

A.

Previous audit reports

B.

Control objectives

C.

Risk responses in the risk register

D.

Changes in risk profiles

Buy Now
Questions 171

Which of the following is the BEST method to track asset inventory?

Options:

A.

Periodic asset review by management

B.

Asset registration form

C.

Automated asset management software

D.

IT resource budgeting process

Buy Now
Questions 172

Which of the following BEST enables detection of ethical violations committed by employees?

Options:

A.

Transaction log monitoring

B.

Access control attestation

C.

Periodic job rotation

D.

Whistleblower program

Buy Now
Questions 173

The operational risk associated with attacks on a web application should be owned by the individual in charge of:

Options:

A.

network operations.

B.

the cybersecurity function.

C.

application development.

D.

the business function.

Buy Now
Questions 174

Which of the following is the GREATEST benefit of using IT risk scenarios?

Options:

A.

They support compliance with regulations.

B.

They provide evidence of risk assessment.

C.

They facilitate communication of risk.

D.

They enable the use of key risk indicators (KRls)

Buy Now
Questions 175

The PRIMARY reason to implement a formalized risk taxonomy is to:

Options:

A.

reduce subjectivity in risk management.

B.

comply with regulatory requirements.

C.

demonstrate best industry practice.

D.

improve visibility of overall risk exposure.

Buy Now
Questions 176

Which of the following is MOST important to the effectiveness of a senior oversight committee for risk monitoring?

Options:

A.

Key risk indicators (KRIs)

B.

Risk governance charter

C.

Organizational risk appetite

D.

Cross-business representation

Buy Now
Questions 177

A risk practitioner's BEST guidance to help an organization develop relevant risk scenarios is to ensure the scenarios are:

Options:

A.

based on industry trends.

B.

mapped to incident response plans.

C.

related to probable events.

D.

aligned with risk management capabilities.

Buy Now
Questions 178

Which of the following is the BEST way to mitigate the risk associated with fraudulent use of an enterprise's brand on Internet sites?

Options:

A.

Utilizing data loss prevention (DLP) technology

B.

Monitoring the enterprise's use of the Internet

C.

Scanning the Internet to search for unauthorized usage

D.

Developing training and awareness campaigns

Buy Now
Questions 179

An organization is concerned that a change in its market situation may impact the current level of acceptable risk for senior management. As a result, which of the following is MOST important to reevaluate?

Options:

A.

Risk classification

B.

Risk policy

C.

Risk strategy

D.

Risk appetite

Buy Now
Questions 180

Which of the following has the GREATEST positive impact on ethical compliance within the risk management process?

Options:

A.

Senior management demonstrates ethics in their day-to-day decision making.

B.

An independent ethics investigation team has been established.

C.

Employees are required to complete ethics training courses annually.

D.

The risk practitioner is required to consult with the ethics committee.

Buy Now
Questions 181

Which of the following analyses is MOST useful for prioritizing risk scenarios associated with loss of IT assets?

Options:

A.

SWOT analysis

B.

Business impact analysis (BIA)

C.

Cost-benefit analysis

D.

Root cause analysis

Buy Now
Questions 182

IT disaster recovery point objectives (RPOs) should be based on the:

Options:

A.

maximum tolerable downtime.

B.

maximum tolerable loss of data.

C.

need of each business unit.

D.

type of business.

Buy Now
Questions 183

Which of the following is the BEST way to reduce the likelihood of an individual performing a potentially harmful action as the result of unnecessary entitlement?

Options:

A.

Application monitoring

B.

Separation of duty

C.

Least privilege

D.

Nonrepudiation

Buy Now
Questions 184

A key risk indicator (KRI) threshold has reached the alert level, indicating data leakage incidents are highly probable. What should be the risk practitioner's FIRST course of action?

Options:

A.

Update the KRI threshold.

B.

Recommend additional controls.

C.

Review incident handling procedures.

D.

Perform a root cause analysis.

Buy Now
Questions 185

An assessment of information security controls has identified ineffective controls. Which of the following should be the risk practitioner's FIRST course of action?

Options:

A.

Determine whether the impact is outside the risk appetite.

B.

Request a formal acceptance of risk from senior management.

C.

Report the ineffective control for inclusion in the next audit report.

D.

Deploy a compensating control to address the identified deficiencies.

Buy Now
Questions 186

Which of the following risk scenarios would be the GREATEST concern as a result of a single sign-on implementation?

Options:

A.

User access may be restricted by additional security.

B.

Unauthorized access may be gained to multiple systems.

C.

Security administration may become more complex.

D.

User privilege changes may not be recorded.

Buy Now
Questions 187

Which of the following would provide the MOST objective assessment of the effectiveness of an organization's security controls?

Options:

A.

An internal audit

B.

Security operations center review

C.

Internal penetration testing

D.

A third-party audit

Buy Now
Questions 188

Which of the following is MOST important to review when determining whether a potential IT service provider’s control environment is effective?

Options:

A.

Independent audit report

B.

Control self-assessment

C.

MOST important to update when an

D.

Service level agreements (SLAs)

Buy Now
Questions 189

Which of the following will be MOST effective to mitigate the risk associated with the loss of company data stored on personal devices?

Options:

A.

An acceptable use policy for personal devices

B.

Required user log-on before synchronizing data

C.

Enforced authentication and data encryption

D.

Security awareness training and testing

Buy Now
Questions 190

What is the MOST important consideration when aligning IT risk management with the enterprise risk management (ERM) framework?

Options:

A.

Risk and control ownership

B.

Senior management participation

C.

Business unit support

D.

Risk nomenclature and taxonomy

Buy Now
Questions 191

Which of the following criteria is MOST important when developing a response to an attack that would compromise data?

Options:

A.

The recovery time objective (RTO)

B.

The likelihood of a recurring attack

C.

The organization's risk tolerance

D.

The business significance of the information

Buy Now
Questions 192

Which of the following is the BEST method for identifying vulnerabilities?

Options:

A.

Batch job failure monitoring

B.

Periodic network scanning

C.

Annual penetration testing

D.

Risk assessments

Buy Now
Questions 193

The BEST criteria when selecting a risk response is the:

Options:

A.

capability to implement the response

B.

importance of IT risk within the enterprise

C.

effectiveness of risk response options

D.

alignment of response to industry standards

Buy Now
Questions 194

Which of the following would offer the MOST insight with regard to an organization's risk culture?

Options:

A.

Risk management procedures

B.

Senior management interviews

C.

Benchmark analyses

D.

Risk management framework

Buy Now
Questions 195

As part of an overall IT risk management plan, an IT risk register BEST helps management:

Options:

A.

align IT processes with business objectives.

B.

communicate the enterprise risk management policy.

C.

stay current with existing control status.

D.

understand the organizational risk profile.

Buy Now
Questions 196

Which of the following would be the BEST justification to invest in the development of a governance, risk, and compliance (GRC) solution?

Options:

A.

Facilitating risk-aware decision making by stakeholders

B.

Demonstrating management commitment to mitigate risk

C.

Closing audit findings on a timely basis

D.

Ensuring compliance to industry standards

Buy Now
Questions 197

Implementing which of the following controls would BEST reduce the impact of a vulnerability that has been exploited?

Options:

A.

Detective control

B.

Deterrent control

C.

Preventive control

D.

Corrective control

Buy Now
Questions 198

Which of the following is the PRIMARY consideration when establishing an organization's risk management methodology?

Options:

A.

Business context

B.

Risk tolerance level

C.

Resource requirements

D.

Benchmarking information

Buy Now
Questions 199

A bank has outsourced its statement printing function to an external service provider. Which of the following is the MOST critical requirement to include in the contract?

Options:

A.

Monitoring of service costs

B.

Provision of internal audit reports

C.

Notification of sub-contracting arrangements

D.

Confidentiality of customer data

Buy Now
Questions 200

Which of the following is MOST important for developing effective key risk indicators (KRIs)?

Options:

A.

Engaging sponsorship by senior management

B.

Utilizing data and resources internal to the organization

C.

Including input from risk and business unit management

D.

Developing in collaboration with internal audit

Buy Now
Questions 201

A company has located its computer center on a moderate earthquake fault. Which of the following is the MOST important consideration when establishing a contingency plan and an alternate processing site?

Options:

A.

The alternative site is a hot site with equipment ready to resume processing immediately.

B.

The contingency plan provides for backup media to be taken to the alternative site.

C.

The contingency plan for high priority applications does not involve a shared cold site.

D.

The alternative site does not reside on the same fault to matter how the distance apart.

Buy Now
Questions 202

Which of the following is the MOST important consideration when identifying stakeholders to review risk scenarios developed by a risk analyst? The reviewers are:

Options:

A.

accountable for the affected processes.

B.

members of senior management.

C.

authorized to select risk mitigation options.

D.

independent from the business operations.

Buy Now
Questions 203

Which of the following is MOST important for a risk practitioner to consider when evaluating plans for changes to IT services?

Options:

A.

Change testing schedule

B.

Impact assessment of the change

C.

Change communication plan

D.

User acceptance testing (UAT)

Buy Now
Questions 204

Which of the following would be of GREATEST assistance when justifying investment in risk response strategies?

Options:

A.

Total cost of ownership

B.

Resource dependency analysis

C.

Cost-benefit analysis

D.

Business impact analysis

Buy Now
Questions 205

Which type of cloud computing deployment provides the consumer the GREATEST degree of control over the environment?

Options:

A.

Community cloud

B.

Private cloud

C.

Hybrid cloud

D.

Public cloud

Buy Now
Questions 206

Which of the following is the MOST important component of effective security incident response?

Options:

A.

Network time protocol synchronization

B.

Identification of attack sources

C.

Early detection of breaches

D.

A documented communications plan

Buy Now
Questions 207

Which of the following is the MOST important objective of regularly presenting the project risk register to the project steering committee?

Options:

A.

To allocate budget for resolution of risk issues

B.

To determine if new risk scenarios have been identified

C.

To ensure the project timeline is on target

D.

To track the status of risk mitigation actions

Buy Now
Questions 208

Which of the following is MOST important for a risk practitioner to ensure once a risk action plan has been completed?

Options:

A.

The risk owner has validated outcomes.

B.

The risk register has been updated.

C.

The control objectives are mapped to risk objectives.

D.

The requirements have been achieved.

Buy Now
Questions 209

The risk associated with data loss from a website which contains sensitive customer information is BEST owned by:

Options:

A.

the third-party website manager

B.

the business process owner

C.

IT security

D.

the compliance manager

Buy Now
Questions 210

A business manager wants to leverage an existing approved vendor solution from another area within the organization. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Recommend allowing the new usage based on prior approval.

B.

Request a new third-party review.

C.

Request revalidation of the original use case.

D.

Assess the risk associated with the new use case.

Buy Now
Questions 211

Which of the following will BEST help an organization select a recovery strategy for critical systems?

Options:

A.

Review the business impact analysis.

B.

Create a business continuity plan.

C.

Analyze previous disaster recovery reports.

D.

Conduct a root cause analysis.

Buy Now
Questions 212

Which of the following would BEST enable mitigation of newly identified risk factors related to internet of Things (loT)?

Options:

A.

Introducing control procedures early in the life cycle

B.

Implementing loT device software monitoring

C.

Performing periodic risk assessments of loT

D.

Performing secure code reviews

Buy Now
Questions 213

During the initial risk identification process for a business application, it is MOST important to include which of the following stakeholders?

Options:

A.

Business process owners

B.

Business process consumers

C.

Application architecture team

D.

Internal audit

Buy Now
Questions 214

An organization has decided to implement an emerging technology and incorporate the new capabilities into its strategic business plan. Business operations for the technology will be outsourced. What will be the risk practitioner's PRIMARY role during the change?

Options:

A.

Managing third-party risk

B.

Developing risk scenarios

C.

Managing the threat landscape

D.

Updating risk appetite

Buy Now
Questions 215

Which of the following would be a weakness in procedures for controlling the migration of changes to production libraries?

Options:

A.

The programming project leader solely reviews test results before approving the transfer to production.

B.

Test and production programs are in distinct libraries.

C.

Only operations personnel are authorized to access production libraries.

D.

A synchronized migration of executable and source code from the test environment to the production environment is allowed.

Buy Now
Questions 216

When establishing leading indicators for the information security incident response process it is MOST important to consider the percentage of reported incidents:

Options:

A.

that results in a full root cause analysis.

B.

used for verification within the SLA.

C.

that are verified as actual incidents.

D.

resolved within the SLA.

Buy Now
Questions 217

A control owner identifies that the organization's shared drive contains personally identifiable information (Pll) that can be accessed by all personnel. Which of the following is the MOST effective risk response?

Options:

A.

Protect sensitive information with access controls.

B.

Implement a data loss prevention (DLP) solution.

C.

Re-communicate the data protection policy.

D.

Implement a data encryption solution.

Buy Now
Questions 218

Which of the following should a risk practitioner do FIRST when an organization decides to use a cloud service?

Options:

A.

Review the vendor selection process and vetting criteria.

B.

Assess whether use of service falls within risk tolerance thresholds.

C.

Establish service level agreements (SLAs) with the vendor.

D.

Check the contract for appropriate security risk and control provisions.

Buy Now
Questions 219

The MAIN goal of the risk analysis process is to determine the:

Options:

A.

potential severity of impact

B.

frequency and magnitude of loss

C.

control deficiencies

D.

threats and vulnerabilities

Buy Now
Questions 220

Which of the following is the MOST important information to be communicated during security awareness training?

Options:

A.

Management's expectations

B.

Corporate risk profile

C.

Recent security incidents

D.

The current risk management capability

Buy Now
Questions 221

Which of the following is MOST helpful in developing key risk indicator (KRl) thresholds?

Options:

A.

Loss expectancy information

B.

Control performance predictions

C.

IT service level agreements (SLAs)

D.

Remediation activity progress

Buy Now
Questions 222

A risk assessment indicates the residual risk associated with a new bring your own device (BYOD) program is within organizational risk tolerance. Which of the following should the risk practitioner

recommend be done NEXT?

Options:

A.

Implement targeted awareness training for new BYOD users.

B.

Implement monitoring to detect control deterioration.

C.

Identify log sources to monitor BYOD usage and risk impact.

D.

Reduce the risk tolerance level.

Buy Now
Questions 223

An organization is making significant changes to an application. At what point should the application risk profile be updated?

Options:

A.

After user acceptance testing (UAT)

B.

Upon release to production

C.

During backlog scheduling

D.

When reviewing functional requirements

Buy Now
Questions 224

An external security audit has reported multiple findings related to control noncompliance. Which of the following would be MOST important for the risk practitioner to communicate to senior management?

Options:

A.

A recommendation for internal audit validation

B.

Plans for mitigating the associated risk

C.

Suggestions for improving risk awareness training

D.

The impact to the organization’s risk profile

Buy Now
Questions 225

The risk appetite for an organization could be derived from which of the following?

Options:

A.

Cost of controls

B.

Annual loss expectancy (ALE)

C.

Inherent risk

D.

Residual risk

Buy Now
Questions 226

An organization is considering allowing users to access company data from their personal devices. Which of the following is the MOST important factor when assessing the risk?

Options:

A.

Classification of the data

B.

Type of device

C.

Remote management capabilities

D.

Volume of data

Buy Now
Questions 227

Which of the following is a KEY responsibility of the second line of defense?

Options:

A.

Implementing control activities

B.

Monitoring control effectiveness

C.

Conducting control self-assessments

D.

Owning risk scenarios

Buy Now
Questions 228

A risk practitioner is reviewing a vendor contract and finds there is no clause to control privileged access to the organization's systems by vendor employees. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Contact the control owner to determine if a gap in controls exists.

B.

Add this concern to the risk register and highlight it for management review.

C.

Report this concern to the contracts department for further action.

D.

Document this concern as a threat and conduct an impact analysis.

Buy Now
Questions 229

A bank is experiencing an increasing incidence of customer identity theft. Which of the following is the BEST way to mitigate this risk?

Options:

A.

Implement monitoring techniques.

B.

Implement layered security.

C.

Outsource to a local processor.

D.

Conduct an awareness campaign.

Buy Now
Questions 230

Sensitive data has been lost after an employee inadvertently removed a file from the premises, in violation of organizational policy. Which of the following controls MOST likely failed?

Options:

A.

Background checks

B.

Awareness training

C.

User access

D.

Policy management

Buy Now
Questions 231

A risk owner has accepted a high-impact risk because the control was adversely affecting process efficiency. Before updating the risk register, it is MOST important for the risk practitioner to:

Options:

A.

ensure suitable insurance coverage is purchased.

B.

negotiate with the risk owner on control efficiency.

C.

reassess the risk to confirm the impact.

D.

obtain approval from senior management.

Buy Now
Questions 232

What are the MOST important criteria to consider when developing a data classification scheme to facilitate risk assessment and the prioritization of risk mitigation activities?

Options:

A.

Mitigation and control value

B.

Volume and scope of data generated daily

C.

Business criticality and sensitivity

D.

Recovery point objective (RPO) and recovery time objective (RTO)

Buy Now
Questions 233

Which of the following is a detective control?

Options:

A.

Limit check

B.

Periodic access review

C.

Access control software

D.

Rerun procedures

Buy Now
Questions 234

An organization's internal audit department is considering the implementation of robotics process automation (RPA) to automate certain continuous auditing tasks. Who would own the risk associated with ineffective design of the software bots?

Options:

A.

Lead auditor

B.

Project manager

C.

Chief audit executive (CAE)

D.

Chief information officer (CIO)

Buy Now
Questions 235

An organization has received notification that it is a potential victim of a cybercrime that may have compromised sensitive customer data. What should be The FIRST course of action?

Options:

A.

Invoke the incident response plan.

B.

Determine the business impact.

C.

Conduct a forensic investigation.

D.

Invoke the business continuity plan (BCP).

Buy Now
Questions 236

Business areas within an organization have engaged various cloud service providers directly without assistance from the IT department. What should the risk practitioner do?

Options:

A.

Recommend the IT department remove access to the cloud services.

B.

Engage with the business area managers to review controls applied.

C.

Escalate to the risk committee.

D.

Recommend a risk assessment be conducted.

Buy Now
Questions 237

Before implementing instant messaging within an organization using a public solution, which of the following should be in place to mitigate data leakage risk?

Options:

A.

A data extraction tool

B.

An access control list

C.

An intrusion detection system (IDS)

D.

An acceptable usage policy

Buy Now
Questions 238

Which of the following is the MOST important input when developing risk scenarios?

Options:

A.

Key performance indicators

B.

Business objectives

C.

The organization's risk framework

D.

Risk appetite

Buy Now
Questions 239

Which of these documents is MOST important to request from a cloud service

provider during a vendor risk assessment?

Options:

A.

Nondisclosure agreement (NDA)

B.

Independent audit report

C.

Business impact analysis (BIA)

D.

Service level agreement (SLA)

Buy Now
Questions 240

Which of the following is the MAIN benefit of involving stakeholders in the selection of key risk indicators (KRIs)?

Options:

A.

Improving risk awareness

B.

Obtaining buy-in from risk owners

C.

Leveraging existing metrics

D.

Optimizing risk treatment decisions

Buy Now
Questions 241

An organization has recently updated its disaster recovery plan (DRP). Which of the following would be the GREATEST risk if the new plan is not tested?

Options:

A.

External resources may need to be involved.

B.

Data privacy regulations may be violated.

C.

Recovery costs may increase significantly.

D.

Service interruptions may be longer than anticipated.

Buy Now
Questions 242

The BEST way to demonstrate alignment of the risk profile with business objectives is through:

Options:

A.

risk scenarios.

B.

risk tolerance.

C.

risk policy.

D.

risk appetite.

Buy Now
Questions 243

When reporting risk assessment results to senior management, which of the following is MOST important to include to enable risk-based decision making?

Options:

A.

Risk action plans and associated owners

B.

Recent audit and self-assessment results

C.

Potential losses compared to treatment cost

D.

A list of assets exposed to the highest risk

Buy Now
Questions 244

A risk practitioner learns that the organization s industry is experiencing a trend of rising security incidents. Which of the following is the BEST course of action?

Options:

A.

Evaluate the relevance of the evolving threats.

B.

Review past internal audit results.

C.

Respond to organizational security threats.

D.

Research industry published studies.

Buy Now
Questions 245

Which of the following is MOST important to enable well-informed cybersecurity risk decisions?

Options:

A.

Determine and understand the risk rating of scenarios.

B.

Conduct risk assessment peer reviews.

C.

Identify roles and responsibilities for security controls.

D.

Engage a third party to perform a risk assessment.

Buy Now
Questions 246

An organization has opened a subsidiary in a foreign country. Which of the following would be the BEST way to measure the effectiveness of the subsidiary's IT systems controls?

Options:

A.

Implement IT systems in alignment with business objectives.

B.

Review metrics and key performance indicators (KPIs).

C.

Review design documentation of IT systems.

D.

Evaluate compliance with legal and regulatory requirements.

Buy Now
Questions 247

Which of the following would BEST enable a risk practitioner to embed risk management within the organization?

Options:

A.

Provide risk management feedback to key stakeholders.

B.

Collect and analyze risk data for report generation.

C.

Monitor and prioritize risk data according to the heat map.

D.

Engage key stakeholders in risk management practices.

Buy Now
Questions 248

When presenting risk, the BEST method to ensure that the risk is measurable against the organization's risk appetite is through the use of a:

Options:

A.

risk map

B.

cause-and-effect diagram

C.

maturity model

D.

technology strategy plan.

Buy Now
Questions 249

An organization has introduced risk ownership to establish clear accountability for each process. To ensure effective risk ownership, it is MOST important that:

Options:

A.

senior management has oversight of the process.

B.

process ownership aligns with IT system ownership.

C.

segregation of duties exists between risk and process owners.

D.

risk owners have decision-making authority.

Buy Now
Questions 250

The MAIN purpose of having a documented risk profile is to:

Options:

A.

comply with external and internal requirements.

B.

enable well-informed decision making.

C.

prioritize investment projects.

D.

keep the risk register up-to-date.

Buy Now
Questions 251

An upward trend in which of the following metrics should be of MOST concern?

Options:

A.

Number of business change management requests

B.

Number of revisions to security policy

C.

Number of security policy exceptions approved

D.

Number of changes to firewall rules

Buy Now
Questions 252

A new regulator/ requirement imposes severe fines for data leakage involving customers' personally identifiable information (Pll). The risk practitioner has recommended avoiding the risk. Which of the following actions would BEST align with this recommendation?

Options:

A.

Reduce retention periods for Pll data.

B.

Move Pll to a highly-secured outsourced site.

C.

Modify business processes to stop collecting Pll.

D.

Implement strong encryption for Pll.

Buy Now
Questions 253

Of the following, who should be responsible for determining the inherent risk rating of an application?

Options:

A.

Application owner

B.

Senior management

C.

Risk practitioner

D.

Business process owner

Buy Now
Questions 254

Which of the following BEST reduces the probability of laptop theft?

Options:

A.

Cable lock

B.

Acceptable use policy

C.

Data encryption

D.

Asset tag with GPS

Buy Now
Questions 255

An identified high probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy. Which of the following is the BEST risk response?

Options:

A.

Mitigate

B.

Accept

C.

Transfer

D.

Avoid

Buy Now
Questions 256

Which of the following is MOST helpful in verifying that the implementation of a risk mitigation control has been completed as intended?

Options:

A.

An updated risk register

B.

Risk assessment results

C.

Technical control validation

D.

Control testing results

Buy Now
Questions 257

Which of the following BEST enables a proactive approach to minimizing the potential impact of unauthorized data disclosure?

Options:

A.

Cyber insurance

B.

Data backups

C.

Incident response plan

D.

Key risk indicators (KRIs)

Buy Now
Questions 258

A risk owner has identified a risk with high impact and very low likelihood. The potential loss is covered by insurance. Which of the following should the risk practitioner do NEXT?

Options:

A.

Recommend avoiding the risk.

B.

Validate the risk response with internal audit.

C.

Update the risk register.

D.

Evaluate outsourcing the process.

Buy Now
Questions 259

Which of the following would be MOST beneficial as a key risk indicator (KRI)?

Options:

A.

Current capital allocation reserves

B.

Negative security return on investment (ROI)

C.

Project cost variances

D.

Annualized loss projections

Buy Now
Questions 260

Which of the following is the PRIMARY reason for an organization to ensure the risk register is updated regularly?

Options:

A.

Risk assessment results are accessible to senior management and stakeholders.

B.

Risk mitigation activities are managed and coordinated.

C.

Key risk indicators (KRIs) are evaluated to validate they are still within the risk threshold.

D.

Risk information is available to enable risk-based decisions.

Buy Now
Questions 261

Which of the following is the BEST way to ensure ongoing control effectiveness?

Options:

A.

Establishing policies and procedures

B.

Periodically reviewing control design

C.

Measuring trends in control performance

D.

Obtaining management control attestations

Buy Now
Questions 262

An organization has four different projects competing for funding to reduce overall IT risk. Which project should management defer?

CRISC Question 262

Options:

A.

Project Charlie

B.

Project Bravo

C.

Project Alpha

D.

Project Delta

Buy Now
Questions 263

A large organization needs to report risk at all levels for a new centralized visualization project to reduce cost and improve performance. Which of the following would MOST effectively represent the overall risk of the project to senior management?

Options:

A.

Aggregated key performance indicators (KPls)

B.

Key risk indicators (KRIs)

C.

Centralized risk register

D.

Risk heat map

Buy Now
Questions 264

Which of the following would be the GREATEST concern related to data privacy when implementing an Internet of Things (loT) solution that collects personally identifiable information (Pll)?

Options:

A.

A privacy impact assessment has not been completed.

B.

Data encryption methods apply to a subset of Pll obtained.

C.

The data privacy officer was not consulted.

D.

Insufficient access controls are used on the loT devices.

Buy Now
Questions 265

A department has been granted an exception to bypass the existing approval process for purchase orders. The risk practitioner should verify the exception has been approved by which of the following?

Options:

A.

Internal audit

B.

Control owner

C.

Senior management

D.

Risk manager

Buy Now
Questions 266

An IT operations team implements disaster recovery controls based on decisions from application owners regarding the level of resiliency needed. Who is the risk owner in this scenario?

Options:

A.

Business resilience manager

B.

Disaster recovery team lead

C.

Application owner

D.

IT operations manager

Buy Now
Questions 267

A risk practitioner has been notified that an employee sent an email in error containing customers' personally identifiable information (Pll). Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Report it to the chief risk officer.

B.

Advise the employee to forward the email to the phishing team.

C.

follow incident reporting procedures.

D.

Advise the employee to permanently delete the email.

Buy Now
Questions 268

Which of the following MOST effectively limits the impact of a ransomware attack?

Options:

A.

Cyber insurance

B.

Cryptocurrency reserve

C.

Data backups

D.

End user training

Buy Now
Questions 269

An organization operates in a jurisdiction where heavy fines are imposed for leakage of customer data. Which of the following provides the BEST input to assess the inherent risk impact?

Options:

A.

Number of customer records held

B.

Number of databases that host customer data

C.

Number of encrypted customer databases

D.

Number of staff members having access to customer data

Buy Now
Questions 270

An organization has identified that terminated employee accounts are not disabled or deleted within the time required by corporate policy. Unsure of the reason, the organization has decided to monitor the situation for three months to obtain more information. As a result of this decision, the risk has been:

Options:

A.

avoided.

B.

accepted.

C.

mitigated.

D.

transferred.

Buy Now
Questions 271

Which of the following should be the risk practitioner s FIRST course of action when an organization has decided to expand into new product areas?

Options:

A.

Identify any new business objectives with stakeholders.

B.

Present a business case for new controls to stakeholders.

C.

Revise the organization's risk and control policy.

D.

Review existing risk scenarios with stakeholders.

Buy Now
Questions 272

Which of the following is the MOST effective way to integrate business risk management with IT operations?

Options:

A.

Perform periodic IT control self-assessments.

B.

Require a risk assessment with change requests.

C.

Provide security awareness training.

D.

Perform periodic risk assessments.

Buy Now
Questions 273

What should a risk practitioner do FIRST when vulnerability assessment results identify a weakness in an application?

Options:

A.

Review regular control testing results.

B.

Recommend a penetration test.

C.

Assess the risk to determine mitigation needed.

D.

Analyze key performance indicators (KPIs).

Buy Now
Questions 274

An organization has initiated a project to implement an IT risk management program for the first time. The BEST time for the risk practitioner to start populating the risk register is when:

Options:

A.

identifying risk scenarios.

B.

determining the risk strategy.

C.

calculating impact and likelihood.

D.

completing the controls catalog.

Buy Now
Questions 275

Which of the following can be interpreted from a single data point on a risk heat map?

Options:

A.

Risk tolerance

B.

Risk magnitude

C.

Risk response

D.

Risk appetite

Buy Now
Questions 276

A recent internal risk review reveals the majority of core IT application recovery time objectives (RTOs) have exceeded the maximum time defined by the business application owners. Which of the following is MOST likely to change as a result?

Options:

A.

Risk forecasting

B.

Risk tolerance

C.

Risk likelihood

D.

Risk appetite

Buy Now
Questions 277

The annualized loss expectancy (ALE) method of risk analysis:

Options:

A.

helps in calculating the expected cost of controls

B.

uses qualitative risk rankings such as low. medium and high.

C.

can be used m a cost-benefit analysts

D.

can be used to determine the indirect business impact.

Buy Now
Questions 278

Which of the following is MOST important to communicate to senior management during the initial implementation of a risk management program?

Options:

A.

Regulatory compliance

B.

Risk ownership

C.

Best practices

D.

Desired risk level

Buy Now
Questions 279

Winch of the following can be concluded by analyzing the latest vulnerability report for the it infrastructure?

Options:

A.

Likelihood of a threat

B.

Impact of technology risk

C.

Impact of operational risk

D.

Control weakness

Buy Now
Questions 280

Which of the following is the GREATEST concern associated with redundant data in an organization's inventory system?

Options:

A.

Poor access control

B.

Unnecessary data storage usage

C.

Data inconsistency

D.

Unnecessary costs of program changes

Buy Now
Questions 281

Which of the following MUST be updated to maintain an IT risk register?

Options:

A.

Expected frequency and potential impact

B.

Risk tolerance

C.

Enterprise-wide IT risk assessment

D.

Risk appetite

Buy Now
Questions 282

Which of the following presents the GREATEST concern associated with the

use of artificial intelligence (Al) systems?

Options:

A.

Al systems need to be available continuously.

B.

Al systems can be affected by bias.

C.

Al systems are expensive to maintain.

D.

Al systems can provide false positives.

Buy Now
Questions 283

Which of the following scenarios presents the GREATEST risk of noncompliance with data privacy best practices?

Options:

A.

Making data available to a larger audience of customers

B.

Data not being disposed according to the retention policy

C.

Personal data not being de-identified properly

D.

Data being used for purposes the data subjects have not opted into

Buy Now
Questions 284

To minimize the risk of a potential acquisition being exposed externally, an organization has selected a few key employees to be engaged in the due diligence process. A member of the due diligence team realizes a close acquaintance is a high-ranking IT professional at a subsidiary of the company about to be acquired. What is the BEST course of action for this team member?

Options:

A.

Enforce segregation of duties.

B.

Disclose potential conflicts of interest.

C.

Delegate responsibilities involving the acquaintance.

D.

Notify the subsidiary's legal team.

Buy Now
Questions 285

Which of the following is the BEST way for an organization to enable risk treatment decisions?

Options:

A.

Allocate sufficient funds for risk remediation.

B.

Promote risk and security awareness.

C.

Establish clear accountability for risk.

D.

Develop comprehensive policies and standards.

Buy Now
Questions 286

Which of the following provides the MOST useful information when determining if a specific control should be implemented?

Options:

A.

Business impact analysis (BIA)

B.

Cost-benefit analysis

C.

Attribute analysis

D.

Root cause analysis

Buy Now
Questions 287

Which of the following should be included in a risk scenario to be used for risk analysis?

Options:

A.

Risk appetite

B.

Threat type

C.

Risk tolerance

D.

Residual risk

Buy Now
Questions 288

Which of the following should be done FIRST when information is no longer required to support business objectives?

Options:

A.

Archive the information to a backup database.

B.

Protect the information according to the classification policy.

C.

Assess the information against the retention policy.

D.

Securely and permanently erase the information

Buy Now
Questions 289

What information is MOST helpful to asset owners when classifying organizational assets for risk assessment?

Options:

A.

Potential loss to tie business due to non-performance of the asset

B.

Known emerging environmental threats

C.

Known vulnerabilities published by the asset developer

D.

Cost of replacing the asset with a new asset providing similar services

Buy Now
Questions 290

From a risk management perspective, the PRIMARY objective of using maturity models is to enable:

Options:

A.

solution delivery.

B.

resource utilization.

C.

strategic alignment.

D.

performance evaluation.

Buy Now
Questions 291

Which of the following should be the MOST important consideration for senior management when developing a risk response strategy?

Options:

A.

Cost of controls

B.

Risk tolerance

C.

Risk appetite

D.

Probability definition

Buy Now
Questions 292

The MOST important consideration when selecting a control to mitigate an identified risk is whether:

Options:

A.

the cost of control exceeds the mitigation value

B.

there are sufficient internal resources to implement the control

C.

the mitigation measures create compounding effects

D.

the control eliminates the risk

Buy Now
Questions 293

While reviewing the risk register, a risk practitioner notices that different business units have significant variances in inherent risk for the same risk scenario. Which of the following is the BEST course of action?

Options:

A.

Update the risk register with the average of residual risk for both business units.

B.

Review the assumptions of both risk scenarios to determine whether the variance is reasonable.

C.

Update the risk register to ensure both risk scenarios have the highest residual risk.

D.

Request that both business units conduct another review of the risk.

Buy Now
Questions 294

Which of the following is the BEST evidence that a user account has been properly authorized?

Options:

A.

An email from the user accepting the account

B.

Notification from human resources that the account is active

C.

User privileges matching the request form

D.

Formal approval of the account by the user's manager

Buy Now
Questions 295

Which of the following is MOST important to include in a risk assessment of an emerging technology?

Options:

A.

Risk response plans

B.

Risk and control ownership

C.

Key controls

D.

Impact and likelihood ratings

Buy Now
Questions 296

A department allows multiple users to perform maintenance on a system using a single set of credentials. A risk practitioner determined this practice to be high-risk. Which of the following is the MOST effective way to mitigate this risk?

Options:

A.

Single sign-on

B.

Audit trail review

C.

Multi-factor authentication

D.

Data encryption at rest

Buy Now
Questions 297

Which of the following should be an element of the risk appetite of an organization?

Options:

A.

The effectiveness of compensating controls

B.

The enterprise's capacity to absorb loss

C.

The residual risk affected by preventive controls

D.

The amount of inherent risk considered appropriate

Buy Now
Questions 298

Which of the following should be the PRIMARY focus of a risk owner once a decision is made to mitigate a risk?

Options:

A.

Updating the risk register to include the risk mitigation plan

B.

Determining processes for monitoring the effectiveness of the controls

C.

Ensuring that control design reduces risk to an acceptable level

D.

Confirming to management the controls reduce the likelihood of the risk

Buy Now
Questions 299

Which of the following is the PRIMARY risk management responsibility of the second line of defense?

Options:

A.

Monitoring risk responses

B.

Applying risk treatments

C.

Providing assurance of control effectiveness

D.

Implementing internal controls

Buy Now
Questions 300

An IT risk practitioner has determined that mitigation activities differ from an approved risk action plan. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Report the observation to the chief risk officer (CRO).

B.

Validate the adequacy of the implemented risk mitigation measures.

C.

Update the risk register with the implemented risk mitigation actions.

D.

Revert the implemented mitigation measures until approval is obtained

Buy Now
Questions 301

An organization moved its payroll system to a Software as a Service (SaaS) application. A new data privacy regulation stipulates that data can only be processed within the countrywhere it is collected. Which of the following should be done FIRST when addressing this situation?

Options:

A.

Analyze data protection methods.

B.

Understand data flows.

C.

Include a right-to-audit clause.

D.

Implement strong access controls.

Buy Now
Questions 302

Which of The following should be of GREATEST concern for an organization considering the adoption of a bring your own device (BYOD) initiative?

Options:

A.

Device corruption

B.

Data loss

C.

Malicious users

D.

User support

Buy Now
Questions 303

Which of the following is the BEST key control indicator (KCI) for a vulnerability management program?

Options:

A.

Percentage of high-risk vulnerabilities missed

B.

Number of high-risk vulnerabilities outstanding

C.

Defined thresholds for high-risk vulnerabilities

D.

Percentage of high-risk vulnerabilities addressed

Buy Now
Questions 304

Which of the following BEST informs decision-makers about the value of a notice and consent control for the collection of personal information?

Options:

A.

A comparison of the costs of notice and consent control options

B.

Examples of regulatory fines incurred by industry peers for noncompliance

C.

A report of critical controls showing the importance of notice and consent

D.

A cost-benefit analysis of the control versus probable legal action

Buy Now
Questions 305

Which of the following is the GREATEST benefit for an organization with a strong risk awareness culture?

Options:

A.

Reducing the involvement by senior management

B.

Using more risk specialists

C.

Reducing the need for risk policies and guidelines

D.

Discussing and managing risk as a team

Buy Now
Questions 306

An IT control gap has been identified in a key process. Who would be the MOST appropriate owner of the risk associated with this gap?

Options:

A.

Key control owner

B.

Operational risk manager

C.

Business process owner

D.

Chief information security officer (CISO)

Buy Now
Questions 307

The MOST important reason for implementing change control procedures is to ensure:

Options:

A.

only approved changes are implemented

B.

timely evaluation of change events

C.

an audit trail exists.

D.

that emergency changes are logged.

Buy Now
Questions 308

A risk practitioner has discovered a deficiency in a critical system that cannot be patched. Which of the following should be the risk practitioner's FIRST course of action?

Options:

A.

Report the issue to internal audit.

B.

Submit a request to change management.

C.

Conduct a risk assessment.

D.

Review the business impact assessment.

Buy Now
Questions 309

Employees are repeatedly seen holding the door open for others, so that trailing employees do not have to stop and swipe their own ID badges. This behavior BEST represents:

Options:

A.

a threat.

B.

a vulnerability.

C.

an impact

D.

a control.

Buy Now
Questions 310

What is the PRIMARY reason to periodically review key performance indicators (KPIs)?

Options:

A.

Ensure compliance.

B.

Identify trends.

C.

Promote a risk-aware culture.

D.

Optimize resources needed for controls

Buy Now
Questions 311

Which of the following is a drawback in the use of quantitative risk analysis?

Options:

A.

It assigns numeric values to exposures of assets.

B.

It requires more resources than other methods

C.

It produces the results in numeric form.

D.

It is based on impact analysis of information assets.

Buy Now
Questions 312

Which of the following BEST mitigates the risk associated with inadvertent data leakage by users who work remotely?

Options:

A.

Conducting training on the protection of organizational assets

B.

Configuring devices to use virtual IP addresses

C.

Ensuring patching for end-user devices

D.

Providing encrypted access to organizational assets

Buy Now
Questions 313

Which of the following provides the MOST useful information to determine risk exposure following control implementations?

Options:

A.

Strategic plan and risk management integration

B.

Risk escalation and process for communication

C.

Risk limits, thresholds, and indicators

D.

Policies, standards, and procedures

Buy Now
Questions 314

Who should have the authority to approve an exception to a control?

Options:

A.

information security manager

B.

Control owner

C.

Risk owner

D.

Risk manager

Buy Now
Questions 315

An organization discovers significant vulnerabilities in a recently purchased commercial off-the-shelf software product which will not be corrected until the next release. Which of the following is the risk manager's BEST course of action?

Options:

A.

Review the risk of implementing versus postponing with stakeholders.

B.

Run vulnerability testing tools to independently verify the vulnerabilities.

C.

Review software license to determine the vendor's responsibility regarding vulnerabilities.

D.

Require the vendor to correct significant vulnerabilities prior to installation.

Buy Now
Questions 316

When formulating a social media policy lo address information leakage, which of the following is the MOST important concern to address?

Options:

A.

Sharing company information on social media

B.

Sharing personal information on social media

C.

Using social media to maintain contact with business associates

D.

Using social media for personal purposes during working hours

Buy Now
Questions 317

Which of the following is the BEST approach when a risk practitioner has been asked by a business unit manager for special consideration during a risk assessment of a system?

Options:

A.

Conduct an abbreviated version of the assessment.

B.

Report the business unit manager for a possible ethics violation.

C.

Perform the assessment as it would normally be done.

D.

Recommend an internal auditor perform the review.

Buy Now
Questions 318

Which of the following approaches would BEST help to identify relevant risk scenarios?

Options:

A.

Engage line management in risk assessment workshops.

B.

Escalate the situation to risk leadership.

C.

Engage internal audit for risk assessment workshops.

D.

Review system and process documentation.

Buy Now
Questions 319

When reviewing a business continuity plan (BCP). which of the following would be the MOST significant deficiency?

Options:

A.

BCP testing is net in conjunction with the disaster recovery plan (DRP)

B.

Recovery time objectives (RTOs) do not meet business requirements.

C.

BCP is often tested using the walk-through method.

D.

Each business location has separate, inconsistent BCPs.

Buy Now
Questions 320

Which of the following BEST mitigates the risk of sensitive personal data leakage from a software development environment?

Options:

A.

Tokenized personal data only in test environments

B.

Data loss prevention tools (DLP) installed in passive mode

C.

Anonymized personal data in non-production environments

D.

Multi-factor authentication for access to non-production environments

Buy Now
Questions 321

Which of the following approaches to bring your own device (BYOD) service delivery provides the BEST protection from data loss?

Options:

A.

Enable data wipe capabilities

B.

Penetration testing and session timeouts

C.

Implement remote monitoring

D.

Enforce strong passwords and data encryption

Buy Now
Questions 322

An organization has detected unauthorized logins to its client database servers. Which of the following should be of GREATEST concern?

Options:

A.

Potential increase in regulatory scrutiny

B.

Potential system downtime

C.

Potential theft of personal information

D.

Potential legal risk

Buy Now
Questions 323

Which of the following is MOST helpful in aligning IT risk with business objectives?

Options:

A.

Introducing an approved IT governance framework

B.

Integrating the results of top-down risk scenario analyses

C.

Performing a business impact analysis (BlA)

D.

Implementing a risk classification system

Buy Now
Questions 324

The BEST way to determine the likelihood of a system availability risk scenario is by assessing the:

Options:

A.

availability of fault tolerant software.

B.

strategic plan for business growth.

C.

vulnerability scan results of critical systems.

D.

redundancy of technical infrastructure.

Buy Now
Questions 325

Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?

Options:

A.

Implement segregation of duties.

B.

Enforce an internal data access policy.

C.

Enforce the use of digital signatures.

D.

Apply single sign-on for access control.

Buy Now
Questions 326

Which of the following is the BEST reason to use qualitative measures to express residual risk levels related to emerging threats?

Options:

A.

Qualitative measures require less ongoing monitoring.

B.

Qualitative measures are better aligned to regulatory requirements.

C.

Qualitative measures are better able to incorporate expert judgment.

D.

Qualitative measures are easier to update.

Buy Now
Questions 327

During an internal IT audit, an active network account belonging to a former employee was identified. Which of the following is the BEST way to prevent future occurrences?

Options:

A.

Conduct a comprehensive review of access management processes.

B.

Declare a security incident and engage the incident response team.

C.

Conduct a comprehensive awareness session for system administrators.

D.

Evaluate system administrators' technical skills to identify if training is required.

Buy Now
Questions 328

Which of the following is the MOST important objective of establishing an enterprise risk management (ERM) function within an organization?

Options:

A.

To have a unified approach to risk management across the organization

B.

To have a standard risk management process for complying with regulations

C.

To optimize risk management resources across the organization

D.

To ensure risk profiles are presented in a consistent format within the organization

Buy Now
Questions 329

An organization is preparing to transfer a large number of customer service representatives to the sales department. Of the following, who is responsible for mitigating the risk associated with residual system access?

Options:

A.

IT service desk manager

B.

Sales manager

C.

Customer service manager

D.

Access control manager

Buy Now
Questions 330

Which of the following is the BEST way to manage the risk associated with malicious activities performed by database administrators (DBAs)?

Options:

A.

Activity logging and monitoring

B.

Periodic access review

C.

Two-factor authentication

D.

Awareness training and background checks

Buy Now
Questions 331

After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:

Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment?

CRISC Question 331

Options:

A.

External audit

B.

Internal audit

C.

Vendor performance scorecard

D.

Regulatory examination

Buy Now
Questions 332

While evaluating control costs, management discovers that the annual cost exceeds the annual loss expectancy (ALE) of the risk. This indicates the:

Options:

A.

control is ineffective and should be strengthened

B.

risk is inefficiently controlled.

C.

risk is efficiently controlled.

D.

control is weak and should be removed.

Buy Now
Questions 333

Which of the following is the BEST method for assessing control effectiveness against technical vulnerabilities that could be exploited to compromise an information system?

Options:

A.

Vulnerability scanning

B.

Systems log correlation analysis

C.

Penetration testing

D.

Monitoring of intrusion detection system (IDS) alerts

Buy Now
Questions 334

Which of the following BEST enables a risk practitioner to enhance understanding of risk among stakeholders?

Options:

A.

Key risk indicators (KRIs)

B.

Risk scenarios

C.

Business impact analysis (BIA)

D.

Threat analysis

Buy Now
Questions 335

When of the following 15 MOST important when developing a business case for a proposed security investment?

Options:

A.

identification of control requirements

B.

Alignment to business objectives

C.

Consideration of new business strategies

D.

inclusion of strategy for regulatory compliance

Buy Now
Questions 336

A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:

Options:

A.

updating the risk register

B.

documenting the risk scenarios.

C.

validating the risk scenarios

D.

identifying risk mitigation controls.

Buy Now
Questions 337

The BEST key performance indicator (KPI) to measure the effectiveness of a backup process would be the number of:

Options:

A.

resources to monitor backups

B.

restoration monitoring reports

C.

backup recovery requests

D.

recurring restore failures

Buy Now
Questions 338

An organization automatically approves exceptions to security policies on a recurring basis. This practice is MOST likely the result of:

Options:

A.

a lack of mitigating actions for identified risk

B.

decreased threat levels

C.

ineffective service delivery

D.

ineffective IT governance

Buy Now
Questions 339

Which of the following is the MOST important objective of an enterprise risk management (ERM) program?

Options:

A.

To create a complete repository of risk to the organization

B.

To create a comprehensive view of critical risk to the organization

C.

To provide a bottom-up view of the most significant risk scenarios

D.

To optimize costs of managing risk scenarios in the organization

Buy Now
Questions 340

An organization learns of a new ransomware attack affecting organizations worldwide. Which of the following should be done FIRST to reduce the likelihood of infection from the attack?

Options:

A.

Identify systems that are vulnerable to being exploited by the attack.

B.

Confirm with the antivirus solution vendor whether the next update will detect the attack.

C.

Verify the data backup process and confirm which backups are the most recent ones available.

D.

Obtain approval for funding to purchase a cyber insurance plan.

Buy Now
Questions 341

When evaluating enterprise IT risk management it is MOST important to:

Options:

A.

create new control processes to reduce identified IT risk scenarios

B.

confirm the organization’s risk appetite and tolerance

C.

report identified IT risk scenarios to senior management

D.

review alignment with the organization's investment plan

Buy Now
Questions 342

An IT department originally planned to outsource the hosting of its data center at an overseas location to reduce operational expenses. After a risk assessment, the department has decided to keep the data center in-house. How should the risk treatment response be reflected in the risk register?

Options:

A.

Risk mitigation

B.

Risk avoidance

C.

Risk acceptance

D.

Risk transfer

Buy Now
Questions 343

An employee lost a personal mobile device that may contain sensitive corporate information. What should be the risk practitioner's recommendation?

Options:

A.

Conduct a risk analysis.

B.

Initiate a remote data wipe.

C.

Invoke the incident response plan

D.

Disable the user account.

Buy Now
Questions 344

A change management process has recently been updated with new testing procedures. What is the NEXT course of action?

Options:

A.

Monitor processes to ensure recent updates are being followed.

B.

Communicate to those who test and promote changes.

C.

Conduct a cost-benefit analysis to justify the cost of the control.

D.

Assess the maturity of the change management process.

Buy Now
Questions 345

Which of the following scenarios presents the GREATEST risk for a global organization when implementing a data classification policy?

Options:

A.

Data encryption has not been applied to all sensitive data across the organization.

B.

There are many data assets across the organization that need to be classified.

C.

Changes to information handling procedures are not documented.

D.

Changes to data sensitivity during the data life cycle have not been considered.

Buy Now
Questions 346

An organization outsources the processing of us payroll data A risk practitioner identifies a control weakness at the third party trial exposes the payroll data. Who should own this risk?

Options:

A.

The third party's IT operations manager

B.

The organization's process owner

C.

The third party's chief risk officer (CRO)

D.

The organization's risk practitioner

Buy Now
Questions 347

Which of the following provides the BEST measurement of an organization's risk management maturity level?

Options:

A.

Level of residual risk

B.

The results of a gap analysis

C.

IT alignment to business objectives

D.

Key risk indicators (KRIs)

Buy Now
Questions 348

Which of the following would BEST mitigate the risk associated with reputational damage from inappropriate use of social media sites by employees?

Options:

A.

Validating employee social media accounts and passwords

B.

Monitoring Internet usage on employee workstations

C.

Disabling social media access from the organization's technology

D.

Implementing training and awareness programs

Buy Now
Questions 349

Which of the following BEST measures the impact of business interruptions caused by an IT service outage?

Options:

A.

Sustained financial loss

B.

Cost of remediation efforts

C.

Duration of service outage

D.

Average time to recovery

Buy Now
Questions 350

Which of the following should be of GREATEST concern lo a risk practitioner reviewing the implementation of an emerging technology?

Options:

A.

Lack of alignment to best practices

B.

Lack of risk assessment

C.

Lack of risk and control procedures

D.

Lack of management approval

Buy Now
Questions 351

Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds?

Options:

A.

Occurrences of specific events

B.

A performance measurement

C.

The risk tolerance level

D.

Risk scenarios

Buy Now
Questions 352

What are the MOST essential attributes of an effective Key control indicator (KCI)?

Options:

A.

Flexibility and adaptability

B.

Measurability and consistency

C.

Robustness and resilience

D.

Optimal cost and benefit

Buy Now
Questions 353

Which of the following is the PRIMARY reason to use key control indicators (KCIs) to evaluate control operating effectiveness?

Options:

A.

To measure business exposure to risk

B.

To identify control vulnerabilities

C.

To monitor the achievement of set objectives

D.

To raise awareness of operational issues

Buy Now
Questions 354

When an organization’s disaster recovery plan (DRP) has a reciprocal agreement, which of the following risk treatment options is being applied?

Options:

A.

Acceptance

B.

Mitigation

C.

Transfer

D.

Avoidance

Buy Now
Questions 355

Which of the following is MOST important for a risk practitioner to verify when evaluating the effectiveness of an organization's existing controls?

Options:

A.

Senior management has approved the control design.

B.

Inherent risk has been reduced from original levels.

C.

Residual risk remains within acceptable levels.

D.

Costs for control maintenance are reasonable.

Buy Now
Questions 356

Which of the following BEST enables an organization to determine whether external emerging risk factors will impact the organization's risk profile?

Options:

A.

Control identification and mitigation

B.

Adoption of a compliance-based approach

C.

Prevention and detection techniques

D.

Scenario analysis and stress testing

Buy Now
Questions 357

Which of the following BEST indicates how well a web infrastructure protects critical information from an attacker?

Options:

A.

Failed login attempts

B.

Simulating a denial of service attack

C.

Absence of IT audit findings

D.

Penetration test

Buy Now
Questions 358

When updating the risk register after a risk assessment, which of the following is MOST important to include?

Options:

A.

Historical losses due to past risk events

B.

Cost to reduce the impact and likelihood

C.

Likelihood and impact of the risk scenario

D.

Actor and threat type of the risk scenario

Buy Now
Questions 359

An organization is implementing internet of Things (loT) technology to control temperature and lighting in its headquarters. Which of the following should be of GREATEST concern?

Options:

A.

Insufficient network isolation

B.

impact on network performance

C.

insecure data transmission protocols

D.

Lack of interoperability between sensors

Buy Now
Questions 360

When a high-risk security breach occurs, which of the following would be MOST important to the person responsible for managing the incident?

Options:

A.

An analysis of the security logs that illustrate the sequence of events

B.

An analysis of the impact of similar attacks in other organizations

C.

A business case for implementing stronger logical access controls

D.

A justification of corrective action taken

Buy Now
Questions 361

Which of the following is the GREATEST benefit to an organization when updates to the risk register are made promptly after the completion of a risk assessment?

Options:

A.

Improved senior management communication

B.

Optimized risk treatment decisions

C.

Enhanced awareness of risk management

D.

Improved collaboration among risk professionals

Buy Now
Questions 362

Which of the following is the PRIMARY role of a data custodian in the risk management process?

Options:

A.

Performing periodic data reviews according to policy

B.

Reporting and escalating data breaches to senior management

C.

Being accountable for control design

D.

Ensuring data is protected according to the classification

Buy Now
Questions 363

When of the following is the MOST significant exposure when an application uses individual user accounts to access the underlying database?

Options:

A.

Users may share accounts with business system analyst

B.

Application may not capture a complete audit trail.

C.

Users may be able to circumvent application controls.

D.

Multiple connects to the database are used and slow the process

Buy Now
Questions 364

Days before the realization of an acquisition, a data breach is discovered at the company to be acquired. For the accruing organization, this situation represents which of the following?

Options:

A.

Threat event

B.

Inherent risk

C.

Risk event

D.

Security incident

Buy Now
Questions 365

Key risk indicators (KRIs) are MOST useful during which of the following risk management phases?

Options:

A.

Monitoring

B.

Analysis

C.

Identification

D.

Response selection

Buy Now
Questions 366

Which of the following issues should be of GREATEST concern when evaluating existing controls during a risk assessment?

Options:

A.

A high number of approved exceptions exist with compensating controls.

B.

Successive assessments have the same recurring vulnerabilities.

C.

Redundant compensating controls are in place.

D.

Asset custodians are responsible for defining controls instead of asset owners.

Buy Now
Questions 367

A maturity model is MOST useful to an organization when it:

Options:

A.

benchmarks against other organizations

B.

defines a qualitative measure of risk

C.

provides a reference for progress

D.

provides risk metrics.

Buy Now
Questions 368

Which of the following BEST indicates the condition of a risk management program?

Options:

A.

Number of risk register entries

B.

Number of controls

C.

Level of financial support

D.

Amount of residual risk

Buy Now
Questions 369

Which of the following is the MOST common concern associated with outsourcing to a service provider?

Options:

A.

Lack of technical expertise

B.

Combining incompatible duties

C.

Unauthorized data usage

D.

Denial of service attacks

Buy Now
Questions 370

Which of the following will BEST support management reporting on risk?

Options:

A.

Control self-assessment (CSA)

B.

Risk policy requirements

C.

A risk register

D.

Key performance indicators (KPIs)

Buy Now
Questions 371

Which of the following is the BEST way to ensure adequate resources will be allocated to manage identified risk?

Options:

A.

Prioritizing risk within each business unit

B.

Reviewing risk ranking methodology

C.

Promoting an organizational culture of risk awareness

D.

Assigning risk ownership to appropriate roles

Buy Now
Questions 372

Which of the following would MOST effectively reduce risk associated with an increase of online transactions on a retailer website?

Options:

A.

Scalable infrastructure

B.

A hot backup site

C.

Transaction limits

D.

Website activity monitoring

Buy Now
Questions 373

Which of the following is the MOST effective way 10 identify an application backdoor prior to implementation'?

Options:

A.

User acceptance testing (UAT)

B.

Database activity monitoring

C.

Source code review

D.

Vulnerability analysis

Buy Now
Questions 374

Which of the following is the PRIMARY benefit of stakeholder involvement in risk scenario development?

Options:

A.

Ability to determine business impact

B.

Up-to-date knowledge on risk responses

C.

Decision-making authority for risk treatment

D.

Awareness of emerging business threats

Buy Now
Questions 375

An organization has experienced several incidents of extended network outages that have exceeded tolerance. Which of the following should be the risk practitioner's FIRST step to address this situation?

Options:

A.

Recommend additional controls to address the risk.

B.

Update the risk tolerance level to acceptable thresholds.

C.

Update the incident-related risk trend in the risk register.

D.

Recommend a root cause analysis of the incidents.

Buy Now
Questions 376

When developing a response plan to address security incidents regarding sensitive data loss, it is MOST important

Options:

A.

revalidate current key risk indicators (KRIs).

B.

revise risk management procedures.

C.

review the data classification policy.

D.

revalidate existing risk scenarios.

Buy Now
Questions 377

The BEST metric to demonstrate that servers are configured securely is the total number of servers:

Options:

A.

exceeding availability thresholds

B.

experiencing hardware failures

C.

exceeding current patching standards.

D.

meeting the baseline for hardening.

Buy Now
Questions 378

During an acquisition, which of the following would provide the MOST useful input to the parent company's risk practitioner when developing risk scenarios for the post-acquisition phase?

Options:

A.

Risk management framework adopted by each company

B.

Risk registers of both companies

C.

IT balanced scorecard of each company

D.

Most recent internal audit findings from both companies

Buy Now
Questions 379

When a risk practitioner is determining a system's criticality. it is MOST helpful to review the associated:

Options:

A.

process flow.

B.

business impact analysis (BIA).

C.

service level agreement (SLA).

D.

system architecture.

Buy Now
Questions 380

Who is MOST appropriate to be assigned ownership of a control

Options:

A.

The individual responsible for control operation

B.

The individual informed of the control effectiveness

C.

The individual responsible for resting the control

D.

The individual accountable for monitoring control effectiveness

Buy Now
Questions 381

Which of the following is the MOST critical factor to consider when determining an organization's risk appetite?

Options:

A.

Fiscal management practices

B.

Business maturity

C.

Budget for implementing security

D.

Management culture

Buy Now
Questions 382

Which of the following is the BEST method to maintain a common view of IT risk within an organization?

Options:

A.

Collecting data for IT risk assessment

B.

Establishing and communicating the IT risk profile

C.

Utilizing a balanced scorecard

D.

Performing and publishing an IT risk analysis

Buy Now
Questions 383

Which of the following should be the FIRST consideration when establishing a new risk governance program?

Options:

A.

Developing an ongoing awareness and training program

B.

Creating policies and standards that are easy to comprehend

C.

Embedding risk management into the organization

D.

Completing annual risk assessments on critical resources

Buy Now
Questions 384

An organization has used generic risk scenarios to populate its risk register. Which of the following presents the GREATEST challenge to assigning of the associated risk entries?

Options:

A.

The volume of risk scenarios is too large

B.

Risk aggregation has not been completed

C.

Risk scenarios are not applicable

D.

The risk analysts for each scenario is incomplete

Buy Now
Questions 385

Which of the following would provide the BEST evidence of an effective internal control environment/?

Options:

A.

Risk assessment results

B.

Adherence to governing policies

C.

Regular stakeholder briefings

D.

Independent audit results

Buy Now
Questions 386

Which of the following stakeholders are typically included as part of a line of defense within the three lines of defense model?

Options:

A.

Board of directors

B.

Vendors

C.

Regulators

D.

Legal team

Buy Now
Questions 387

A control process has been implemented in response to a new regulatory requirement, but has significantly reduced productivity. Which of the following is the BEST way to resolve this concern?

Options:

A.

Absorb the loss in productivity.

B.

Request a waiver to the requirements.

C.

Escalate the issue to senior management

D.

Remove the control to accommodate business objectives.

Buy Now
Questions 388

An organization recently configured a new business division Which of the following is MOST likely to be affected?

Options:

A.

Risk profile

B.

Risk culture

C.

Risk appetite

D.

Risk tolerance

Buy Now
Questions 389

Which of the following will BEST help to ensure the continued effectiveness of the IT risk management function within an organization experiencing high employee turnover?

Options:

A.

Well documented policies and procedures

B.

Risk and issue tracking

C.

An IT strategy committee

D.

Change and release management

Buy Now
Questions 390

Which of the following is MOST important for maintaining the effectiveness of an IT risk register?

Options:

A.

Removing entries from the register after the risk has been treated

B.

Recording and tracking the status of risk response plans within the register

C.

Communicating the register to key stakeholders

D.

Performing regular reviews and updates to the register

Buy Now
Questions 391

An organization is participating in an industry benchmarking study that involves providing customer transaction records for analysis Which of the following is the MOST important control to ensure the privacy of customer information?

Options:

A.

Nondisclosure agreements (NDAs)

B.

Data anonymization

C.

Data cleansing

D.

Data encryption

Buy Now
Questions 392

Recovery the objectives (RTOs) should be based on

Options:

A.

minimum tolerable downtime

B.

minimum tolerable loss of data.

C.

maximum tolerable downtime.

D.

maximum tolerable loss of data

Buy Now
Questions 393

Which of the following contributes MOST to the effective implementation of risk responses?

Options:

A.

Clear understanding of the risk

B.

Comparable industry risk trends

C.

Appropriate resources

D.

Detailed standards and procedures

Buy Now
Questions 394

Which of the following is the MOST comprehensive resource for prioritizing the implementation of information systems controls?

Options:

A.

Data classification policy

B.

Emerging technology trends

C.

The IT strategic plan

D.

The risk register

Buy Now
Questions 395

An organization control environment is MOST effective when:

Options:

A.

control designs are reviewed periodically

B.

controls perform as intended.

C.

controls are implemented consistently.

D.

controls operate efficiently

Buy Now
Questions 396

Which of the following is the BEST way for a risk practitioner to present an annual risk management update to the board''

Options:

A.

A summary of risk response plans with validation results

B.

A report with control environment assessment results

C.

A dashboard summarizing key risk indicators (KRIs)

D.

A summary of IT risk scenarios with business cases

Buy Now
Questions 397

Which of the following is the GREATEST benefit of identifying appropriate risk owners?

Options:

A.

Accountability is established for risk treatment decisions

B.

Stakeholders are consulted about risk treatment options

C.

Risk owners are informed of risk treatment options

D.

Responsibility is established for risk treatment decisions.

Buy Now
Questions 398

Which of the following is the GREATEST concern when establishing key risk indicators (KRIs)?

Options:

A.

High percentage of lagging indicators

B.

Nonexistent benchmark analysis

C.

Incomplete documentation for KRI monitoring

D.

Ineffective methods to assess risk

Buy Now
Questions 399

Which of the following is the BEST way to determine whether system settings are in alignment with control baselines?

Options:

A.

Configuration validation

B.

Control attestation

C.

Penetration testing

D.

Internal audit review

Buy Now
Questions 400

In order to determining a risk is under-controlled the risk practitioner will need to

Options:

A.

understand the risk tolerance

B.

monitor and evaluate IT performance

C.

identify risk management best practices

D.

determine the sufficiency of the IT risk budget

Buy Now
Questions 401

Before assigning sensitivity levels to information it is MOST important to:

Options:

A.

define recovery time objectives (RTOs).

B.

define the information classification policy

C.

conduct a sensitivity analyse

D.

Identify information custodians

Buy Now
Questions 402

Which of the following provides the MOST comprehensive information when developing a risk profile for a system?

Options:

A.

Results of a business impact analysis (BIA)

B.

Risk assessment results

C.

A mapping of resources to business processes

D.

Key performance indicators (KPIs)

Buy Now
Questions 403

Which of the following is the PRIMARY reason for a risk practitioner to review an organization's IT asset inventory?

Options:

A.

To plan for the replacement of assets at the end of their life cycles

B.

To assess requirements for reducing duplicate assets

C.

To understand vulnerabilities associated with the use of the assets

D.

To calculate mean time between failures (MTBF) for the assets

Buy Now
Questions 404

The MAIN reason for prioritizing IT risk responses is to enable an organization to:

Options:

A.

determine the risk appetite.

B.

determine the budget.

C.

define key performance indicators (KPIs).

D.

optimize resource utilization.

Buy Now
Questions 405

When performing a risk assessment of a new service to support a core business process, which of the following should be done FIRST to ensure continuity of operations?

Options:

A.

Define metrics for restoring availability.

B.

Identify conditions that may cause disruptions.

C.

Review incident response procedures.

D.

Evaluate the probability of risk events.

Buy Now
Questions 406

Which of the following is MOST important when conducting a post-implementation review as part of the system development life cycle (SDLC)?

Options:

A.

Verifying that project objectives are met

B.

Identifying project cost overruns

C.

Leveraging an independent review team

D.

Reviewing the project initiation risk matrix

Buy Now
Questions 407

Which of the following is the PRIMARY purpose of creating and documenting control procedures?

Options:

A.

To facilitate ongoing audit and control testing

B.

To help manage risk to acceptable tolerance levels

C.

To establish and maintain a control inventory

D.

To increase the likelihood of effective control operation

Buy Now
Questions 408

An organization has decided to postpone the assessment and treatment of several risk scenarios because stakeholders are unavailable. As a result of this decision, the risk associated with these new entries has been;

Options:

A.

mitigated

B.

deferred

C.

accepted.

D.

transferred

Buy Now
Questions 409

Which of the following BEST reduces the risk associated with the theft of a laptop containing sensitive information?

Options:

A.

Cable lock

B.

Data encryption

C.

Periodic backup

D.

Biometrics access control

Buy Now
Questions 410

Which of the following is MOST important to determine when assessing the potential risk exposure of a loss event involving personal data?

Options:

A.

The cost associated with incident response activitiesThe composition and number of records in the information asset

B.

The maximum levels of applicable regulatory fines

C.

The length of time between identification and containment of the incident

Buy Now
Questions 411

Which of the following is MOST important to consider before determining a response to a vulnerability?

Options:

A.

The likelihood and impact of threat events

B.

The cost to implement the risk response

C.

Lack of data to measure threat events

D.

Monetary value of the asset

Buy Now
Questions 412

An internal audit report reveals that a legacy system is no longer supported Which of the following is the risk practitioner's MOST important action before recommending a risk response'

Options:

A.

Review historical application down me and frequency

B.

Assess the potential impact and cost of mitigation

C.

identify other legacy systems within the organization

D.

Explore the feasibility of replacing the legacy system

Buy Now
Questions 413

As pan of business continuity planning, which of the following is MOST important to include m a business impact analysis (BlA)?

Options:

A.

An assessment of threats to the organization

B.

An assessment of recovery scenarios

C.

industry standard framework

D.

Documentation of testing procedures

Buy Now
Questions 414

Which of The following BEST represents the desired risk posture for an organization?

Options:

A.

Inherent risk is lower than risk tolerance.

B.

Operational risk is higher than risk tolerance.

C.

Accepted risk is higher than risk tolerance.

D.

Residual risk is lower than risk tolerance.

Buy Now
Questions 415

Which of the following is the MOST important key performance indicator (KPI) to monitor the effectiveness of disaster recovery processes?

Options:

A.

Percentage of IT systems recovered within the mean time to restore (MTTR) during the disaster recovery test

B.

Percentage of issues arising from the disaster recovery test resolved on time

C.

Percentage of IT systems included in the disaster recovery test scope

D.

Percentage of IT systems meeting the recovery time objective (RTO) during the disaster recovery test

Buy Now
Questions 416

An organization is analyzing the risk of shadow IT usage. Which of the following is the MOST important input into the assessment?

Options:

A.

Business benefits of shadow IT

B.

Application-related expresses

C.

Classification of the data

D.

Volume of data

Buy Now
Questions 417

Which of the following is a risk practitioner's BEST recommendation upon learning that an employee inadvertently disclosed sensitive data to a vendor?

Options:

A.

Enroll the employee in additional security training.

B.

Invoke the incident response plan.

C.

Conduct an internal audit.

D.

Instruct the vendor to delete the data.

Buy Now
Questions 418

An organization is concerned that its employees may be unintentionally disclosing data through the use of social media sites. Which of the following will MOST effectively mitigate tins risk?

Options:

A.

Requiring the use of virtual private networks (VPNs)

B.

Establishing a data classification policy

C.

Conducting user awareness training

D.

Requiring employee agreement of the acceptable use policy

Buy Now
Questions 419

A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner's NEXT step?

Options:

A.

Develop a mechanism for monitoring residual risk.

B.

Update the risk register with the results.

C.

Prepare a business case for the response options.

D.

Identify resources for implementing responses.

Buy Now
Questions 420

Which of the following would be a risk practitioner’s BEST recommendation upon learning of an updated cybersecurity regulation that could impact the organization?

Options:

A.

Perform a gap analysis

B.

Conduct system testing

C.

Implement compensating controls

D.

Update security policies

Buy Now
Questions 421

Which of the following will BEST help to ensure implementation of corrective action plans?

Options:

A.

Establishing employee awareness training

B.

Assigning accountability to risk owners

C.

Selling target dates to complete actions

D.

Contracting to third parties

Buy Now
Questions 422

Which of the following is the result of a realized risk scenario?

Options:

A.

Technical event

B.

Threat event

C.

Vulnerability event

D.

Loss event

Buy Now
Questions 423

When documenting a risk response, which of the following provides the STRONGEST evidence to support the decision?

Options:

A.

Verbal majority acceptance of risk by committee

B.

List of compensating controls

C.

IT audit follow-up responses

D.

A memo indicating risk acceptance

Buy Now
Questions 424

Which of the following is the BEST way to ensure data is properly sanitized while in cloud storage?

Options:

A.

Deleting the data from the file system

B.

Cryptographically scrambling the data

C.

Formatting the cloud storage at the block level

D.

Degaussing the cloud storage media

Buy Now
Questions 425

Of the following, who is responsible for approval when a change in an application system is ready for release to production?

Options:

A.

Information security officer

B.

IT risk manager

C.

Business owner

D.

Chief risk officer (CRO)

Buy Now
Questions 426

Which of the following BEST facilitates the identification of appropriate key performance indicators (KPIs) for a risk management program?

Options:

A.

Reviewing control objectives

B.

Aligning with industry best practices

C.

Consulting risk owners

D.

Evaluating KPIs in accordance with risk appetite

Buy Now
Questions 427

Which of the following is the BEST approach to mitigate the risk associated with a control deficiency?

Options:

A.

Perform a business case analysis

B.

Implement compensating controls.

C.

Conduct a control sell-assessment (CSA)

D.

Build a provision for risk

Buy Now
Questions 428

When developing risk scenario using a list of generic scenarios based on industry best practices, it is MOST imported to:

Options:

A.

Assess generic risk scenarios with business users.

B.

Validate the generic risk scenarios for relevance.

C.

Select the maximum possible risk scenarios from the list.

D.

Identify common threats causing generic risk scenarios

Buy Now
Questions 429

The MAJOR reason to classify information assets is

Options:

A.

maintain a current inventory and catalog of information assets

B.

determine their sensitivity and critical

C.

establish recovery time objectives (RTOs)

D.

categorize data into groups

Buy Now
Questions 430

The objective of aligning mitigating controls to risk appetite is to ensure that:

Options:

A.

exposures are reduced to the fullest extent

B.

exposures are reduced only for critical business systems

C.

insurance costs are minimized

D.

the cost of controls does not exceed the expected loss.

Buy Now
Questions 431

Which of the following is the PRIMARY objective of establishing an organization's risk tolerance and appetite?

Options:

A.

To align with board reporting requirements

B.

To assist management in decision making

C.

To create organization-wide risk awareness

D.

To minimize risk mitigation efforts

Buy Now
Questions 432

Which of the following is MOST helpful to understand the consequences of an IT risk event?

Options:

A.

Fault tree analysis

B.

Historical trend analysis

C.

Root cause analysis

D.

Business impact analysis (BIA)

Buy Now
Questions 433

Which stakeholder is MOST important to include when defining a risk profile during me selection process for a new third party application'?

Options:

A.

The third-party risk manager

B.

The application vendor

C.

The business process owner

D.

The information security manager

Buy Now
Questions 434

A risk practitioner implemented a process to notify management of emergency changes that may not be approved. Which of the following is the BEST way to provide this information to management?

Options:

A.

Change logs

B.

Change management meeting minutes

C.

Key control indicators (KCIs)

D.

Key risk indicators (KRIs)

Buy Now
Questions 435

Which of the following is the PRIMARY reason to perform periodic vendor risk assessments?

Options:

A.

To provide input to the organization's risk appetite

B.

To monitor the vendor's control effectiveness

C.

To verify the vendor's ongoing financial viability

D.

To assess the vendor's risk mitigation plans

Buy Now
Questions 436

Which of the following will BEST help to ensure new IT policies address the enterprise's requirements?

Options:

A.

involve IT leadership in the policy development process

B.

Require business users to sign acknowledgment of the poises

C.

involve business owners in the pokey development process

D.

Provide policy owners with greater enforcement authority

Buy Now
Questions 437

Which of the following would be a risk practitioner's BEST course of action when a project team has accepted a risk outside the established risk appetite?

Options:

A.

Reject the risk acceptance and require mitigating controls.

B.

Monitor the residual risk level of the accepted risk.

C.

Escalate the risk decision to the project sponsor for review.

D.

Document the risk decision in the project risk register.

Buy Now
Questions 438

Who is the BEST person to the employee personal data?

Options:

A.

Human resources (HR) manager

B.

System administrator

C.

Data privacy manager

D.

Compliance manager

Buy Now
Questions 439

Which of the following provides the MOST useful information to assess the magnitude of identified deficiencies in the IT control environment?

Options:

A.

Peer benchmarks

B.

Internal audit reports

C.

Business impact analysis (BIA) results

D.

Threat analysis results

Buy Now
Questions 440

When defining thresholds for control key performance indicators (KPIs). it is MOST helpful to align:

Options:

A.

information risk assessments with enterprise risk assessments.

B.

key risk indicators (KRIs) with risk appetite of the business.

C.

the control key performance indicators (KPIs) with audit findings.

D.

control performance with risk tolerance of business owners.

Buy Now
Questions 441

Which of the following is the BEST method to mitigate the risk of an unauthorized employee viewing confidential data in a database''

Options:

A.

Implement role-based access control

B.

Implement a data masking process

C.

Include sanctions in nondisclosure agreements (NDAs)

D.

Install a data loss prevention (DLP) tool

Buy Now
Questions 442

Which of the following is the MOST important consideration when communicating the risk associated with technology end-of-life to business owners?

Options:

A.

Cost and benefit

B.

Security and availability

C.

Maintainability and reliability

D.

Performance and productivity

Buy Now
Questions 443

A zero-day vulnerability has been discovered in a globally used brand of hardware server that allows hackers to gain

access to affected IT systems. Which of the following is MOST likely to change as a result of this situation?

Options:

A.

Control effectiveness

B.

Risk appetite

C.

Risk likelihood

D.

Key risk indicator (KRI)

Buy Now
Questions 444

What is the BEST recommendation to reduce the risk associated with potential system compromise when a vendor stops releasing security patches and updates for a business-critical legacy system?

Options:

A.

Segment the system on its own network.

B.

Ensure regular backups take place.

C.

Virtualize the system in the cloud.

D.

Install antivirus software on the system.

Buy Now
Questions 445

Which of the following would be the result of a significant increase in the motivation of a malicious threat actor?

Options:

A.

Increase in mitigating control costs

B.

Increase in risk event impact

C.

Increase in risk event likelihood

D.

Increase in cybersecurity premium

Buy Now
Questions 446

Which of the following would MOST likely require a risk practitioner to update the risk register?

Options:

A.

An alert being reported by the security operations center.

B.

Development of a project schedule for implementing a risk response

C.

Completion of a project for implementing a new control

D.

Engagement of a third party to conduct a vulnerability scan

Buy Now
Questions 447

Which of the following sources is MOST relevant to reference when updating security awareness training materials?

Options:

A.

Risk management framework

B.

Risk register

C.

Global security standards

D.

Recent security incidents reported by competitors

Buy Now
Questions 448

Which of the following would be the GREATEST concern for an IT risk practitioner when an employees.....

Options:

A.

The organization's structure has not been updated

B.

Unnecessary access permissions have not been removed.

C.

Company equipment has not been retained by IT

D.

Job knowledge was not transferred to employees m the former department

Buy Now
Questions 449

Which of the following would be of MOST concern to a risk practitioner reviewing risk action plans for documented IT risk scenarios?

Options:

A.

Individuals outside IT are managing action plans for the risk scenarios.

B.

Target dates for completion are missing from some action plans.

C.

Senior management approved multiple changes to several action plans.

D.

Many action plans were discontinued after senior management accepted the risk.

Buy Now
Questions 450

When is the BEST to identify risk associated with major project to determine a mitigation plan?

Options:

A.

Project execution phase

B.

Project initiation phase

C.

Project closing phase

D.

Project planning phase

Buy Now
Questions 451

An organization has decided to use an external auditor to review the control environment of an outsourced service provider. The BEST control criteria to evaluate the provider would be based on:

Options:

A.

a recognized industry control framework

B.

guidance provided by the external auditor

C.

the service provider's existing controls

D.

The organization's specific control requirements

Buy Now
Questions 452

Which of the following is the BEST course of action when an organization wants to reduce likelihood in order to reduce a risk level?

Options:

A.

Monitor risk controls.

B.

Implement preventive measures.

C.

Implement detective controls.

D.

Transfer the risk.

Buy Now
Questions 453

An organization's chief information officer (CIO) has proposed investing in a new. untested technology to take advantage of being first to market Senior management has concerns about the success of the project and has set a limit for expenditures before final approval. This conditional approval indicates the organization's risk:

Options:

A.

capacity.

B.

appetite.

C.

management capability.

D.

treatment strategy.

Buy Now
Questions 454

An organization has operations in a location that regularly experiences severe weather events. Which of the following would BEST help to mitigate the risk to operations?

Options:

A.

Prepare a cost-benefit analysis to evaluate relocation.

B.

Prepare a disaster recovery plan (DRP).

C.

Conduct a business impact analysis (BIA) for an alternate location.

D.

Develop a business continuity plan (BCP).

Buy Now
Questions 455

Which of the following is the BEST approach for an organization in a heavily regulated industry to comprehensively test application functionality?

Options:

A.

Use production data in a non-production environment

B.

Use masked data in a non-production environment

C.

Use test data in a production environment

D.

Use anonymized data in a non-production environment

Buy Now
Questions 456

Of the following, who is BEST suited to assist a risk practitioner in developing a relevant set of risk scenarios?

Options:

A.

Internal auditor

B.

Asset owner

C.

Finance manager

D.

Control owner

Buy Now
Questions 457

Which of the following s MOST likely to deter an employee from engaging in inappropriate use of company owned IT systems?

Options:

A.

A centralized computer security response team

B.

Regular performance reviews and management check-ins

C.

Code of ethics training for all employees

D.

Communication of employee activity monitoring

Buy Now
Questions 458

When establishing an enterprise IT risk management program, it is MOST important to:

Options:

A.

review alignment with the organizations strategy.

B.

understand the organization's information security policy.

C.

validate the organization's data classification scheme.

D.

report identified IT risk scenarios to senior management.

Buy Now
Questions 459

An organization is adopting block chain for a new financial system. Which of the following should be the GREATEST concern for a risk practitioner evaluating the system's production readiness?

Options:

A.

Limited organizational knowledge of the underlying technology

B.

Lack of commercial software support

C.

Varying costs related to implementation and maintenance

D.

Slow adoption of the technology across the financial industry

Buy Now
Questions 460

Which of the following would be a risk practitioner's GREATEST concern with the use of a vulnerability scanning tool?

Options:

A.

Increased time to remediate vulnerabilities

B.

Inaccurate reporting of results

C.

Increased number of vulnerabilities

D.

Network performance degradation

Buy Now
Questions 461

During a risk assessment, a key external technology supplier refuses to provide control design and effectiveness information, citing confidentiality concerns. What should the risk practitioner do NEXT?

Options:

A.

Escalate the non-cooperation to management

B.

Exclude applicable controls from the assessment.

C.

Review the supplier's contractual obligations.

D.

Request risk acceptance from the business process owner.

Buy Now
Questions 462

Which of the following is MOST important for senior management to review during an acquisition?

Options:

A.

Risk appetite and tolerance

B.

Risk framework and methodology

C.

Key risk indicator (KRI) thresholds

D.

Risk communication plan

Buy Now
Questions 463

Which organization is implementing a project to automate the purchasing process, including the modification of approval controls. Which of the following tasks is lie responsibility of the risk practitioner*?

Options:

A.

Verify that existing controls continue to properly mitigate defined risk

B.

Test approval process controls once the project is completed

C.

Update the existing controls for changes in approval processes from this project

D.

Perform a gap analysis of the impacted control processes

Buy Now
Questions 464

Which of the following would be the BEST way for a risk practitioner to validate the effectiveness of a patching program?

Options:

A.

Conduct penetration testing.

B.

Interview IT operations personnel.

C.

Conduct vulnerability scans.

D.

Review change control board documentation.

Buy Now
Questions 465

Which of the following elements of a risk register is MOST likely to change as a result of change in management's risk appetite?

Options:

A.

Key risk indicator (KRI) thresholds

B.

Inherent risk

C.

Risk likelihood and impact

D.

Risk velocity

Buy Now
Questions 466

When determining which control deficiencies are most significant, which of the following would provide the MOST useful information?

Options:

A.

Risk analysis results

B.

Exception handling policy

C.

Vulnerability assessment results

D.

Benchmarking assessments

Buy Now
Questions 467

A risk assessment has identified that an organization may not be in compliance with industry regulations. The BEST course of action would be to:

Options:

A.

conduct a gap analysis against compliance criteria.

B.

identify necessary controls to ensure compliance.

C.

modify internal assurance activities to include control validation.

D.

collaborate with management to meet compliance requirements.

Buy Now
Questions 468

Which of the following is the MOST important element of a successful risk awareness training program?

Options:

A.

Customizing content for the audience

B.

Providing incentives to participants

C.

Mapping to a recognized standard

D.

Providing metrics for measurement

Buy Now
Questions 469

Which of the following is MOST important when developing key performance indicators (KPIs)?

Options:

A.

Alignment to risk responses

B.

Alignment to management reports

C.

Alerts when risk thresholds are reached

D.

Identification of trends

Buy Now
Questions 470

Which of the following would BEST provide early warning of a high-risk condition?

Options:

A.

Risk register

B.

Risk assessment

C.

Key risk indicator (KRI)

D.

Key performance indicator (KPI)

Buy Now
Exam Code: CRISC
Exam Name: Certified in Risk and Information Systems Control
Last Update: May 1, 2025
Questions: 1568

PDF + Testing Engine

$57.75  $164.99

Testing Engine

$43.75  $124.99
buy now CRISC testing engine

PDF (Q&A)

$36.75  $104.99
buy now CRISC pdf