Special Summer Sale - 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: dm70dm

CRISC Certified in Risk and Information Systems Control Questions and Answers

Questions 4

Which of the following is the BEST approach to mitigate the risk associated with a control deficiency?

Options:

A.

Perform a business case analysis

B.

Implement compensating controls.

C.

Conduct a control sell-assessment (CSA)

D.

Build a provision for risk

Buy Now
Questions 5

Which of the following is the BEST approach for selecting controls to minimize risk?

Options:

A.

Industry best practice review

B.

Risk assessment

C.

Cost-benefit analysis

D.

Control-effectiveness evaluation

Buy Now
Questions 6

Which of the following scenarios presents the GREATEST risk of noncompliance with data privacy best practices?

Options:

A.

Making data available to a larger audience of customers

B.

Data not being disposed according to the retention policy

C.

Personal data not being de-identified properly

D.

Data being used for purposes the data subjects have not opted into

Buy Now
Questions 7

Which of the following is the PRIMARY benefit of consistently recording risk assessment results in the risk register?

Options:

A.

Assessment of organizational risk appetite

B.

Compliance with best practice

C.

Accountability for loss events

D.

Accuracy of risk profiles

Buy Now
Questions 8

Which of the following should be the GREATEST concern to a risk practitioner when process documentation is incomplete?

Options:

A.

Inability to allocate resources efficiently

B.

Inability to identify the risk owner

C.

Inability to complete the risk register

D.

Inability to identify process experts

Buy Now
Questions 9

Which of the following should be used as the PRIMARY basis for evaluating the state of an organization's cloud computing environment against leading practices?

Options:

A.

The cloud environment's capability maturity model

B.

The cloud environment's risk register

C.

The cloud computing architecture

D.

The organization's strategic plans for cloud computing

Buy Now
Questions 10

Which of the following would BEST enable a risk-based decision when considering the use of an emerging technology for data processing?

Options:

A.

Gap analysis

B.

Threat assessment

C.

Resource skills matrix

D.

Data quality assurance plan

Buy Now
Questions 11

A risk practitioner has identified that the agreed recovery time objective (RTO) with a Software as a Service (SaaS) provider is longer than the business expectation. Which ot the following is the risk practitioner's BEST course of action?

Options:

A.

Collaborate with the risk owner to determine the risk response plan.

B.

Document the gap in the risk register and report to senior management.

C.

Include a right to audit clause in the service provider contract.

D.

Advise the risk owner to accept the risk.

Buy Now
Questions 12

A risk practitioner is utilizing a risk heat map during a risk assessment. Risk events that are coded with the same color will have a similar:

Options:

A.

risk score

B.

risk impact

C.

risk response

D.

risk likelihood.

Buy Now
Questions 13

The MAIN reason for prioritizing IT risk responses is to enable an organization to:

Options:

A.

determine the risk appetite.

B.

determine the budget.

C.

define key performance indicators (KPIs).

D.

optimize resource utilization.

Buy Now
Questions 14

Which of the following is the BEST way to ensure adequate resources will be allocated to manage identified risk?

Options:

A.

Prioritizing risk within each business unit

B.

Reviewing risk ranking methodology

C.

Promoting an organizational culture of risk awareness

D.

Assigning risk ownership to appropriate roles

Buy Now
Questions 15

Business management is seeking assurance from the CIO that IT has a plan in place for early identification of potential issues that could impact the delivery of a new application Which of the following is the BEST way to increase the chances of a successful delivery'?

Options:

A.

Implement a release and deployment plan

B.

Conduct comprehensive regression testing.

C.

Develop enterprise-wide key risk indicators (KRls)

D.

Include business management on a weekly risk and issues report

Buy Now
Questions 16

Which of the following potential scenarios associated with the implementation of a new database technology presents the GREATEST risk to an organization?

Options:

A.

The organization may not have a sufficient number of skilled resources.

B.

Application and data migration cost for backups may exceed budget.

C.

Data may not be recoverable due to system failures.

D.

The database system may not be scalable in the future.

Buy Now
Questions 17

An organization wants to transfer risk by purchasing cyber insurance. Which of the following would be MOST important for the risk practitioner to communicate to senior management for contract negotiation purposes?

Options:

A.

Most recent IT audit report results

B.

Replacement cost of IT assets

C.

Current annualized loss expectancy report

D.

Cyber insurance industry benchmarking report

Buy Now
Questions 18

A bank recently incorporated blockchain technology with the potential to impact known risk within the organization. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

reflect the results of risk assessments.

B.

be available to all stakeholders.

C.

effectively support a business maturity model.

D.

be reviewed by the IT steering committee.

Buy Now
Questions 19

When is the BEST to identify risk associated with major project to determine a mitigation plan?

Options:

A.

Project execution phase

B.

Project initiation phase

C.

Project closing phase

D.

Project planning phase

Buy Now
Questions 20

A zero-day vulnerability has been discovered in a globally used brand of hardware server that allows hackers to gain

access to affected IT systems. Which of the following is MOST likely to change as a result of this situation?

Options:

A.

Control effectiveness

B.

Risk appetite

C.

Risk likelihood

D.

Key risk indicator (KRI)

Buy Now
Questions 21

Which of the following is the BEST way to ensure data is properly sanitized while in cloud storage?

Options:

A.

Deleting the data from the file system

B.

Cryptographically scrambling the data

C.

Formatting the cloud storage at the block level

D.

Degaussing the cloud storage media

Buy Now
Questions 22

Which of the following would be a risk practitioner's BEST course of action when a project team has accepted a risk outside the established risk appetite?

Options:

A.

Reject the risk acceptance and require mitigating controls.

B.

Monitor the residual risk level of the accepted risk.

C.

Escalate the risk decision to the project sponsor for review.

D.

Document the risk decision in the project risk register.

Buy Now
Questions 23

Which of the following would BEST mitigate an identified risk scenario?

Options:

A.

Conducting awareness training

B.

Executing a risk response plan

C.

Establishing an organization's risk tolerance

D.

Performing periodic audits

Buy Now
Questions 24

Which of the following is the PRIMARY reason for a risk practitioner to review an organization's IT asset inventory?

Options:

A.

To plan for the replacement of assets at the end of their life cycles

B.

To assess requirements for reducing duplicate assets

C.

To understand vulnerabilities associated with the use of the assets

D.

To calculate mean time between failures (MTBF) for the assets

Buy Now
Questions 25

Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?

Options:

A.

Risk tolerance is decreased.

B.

Residual risk is increased.

C.

Inherent risk is increased.

D.

Risk appetite is decreased

Buy Now
Questions 26

It is MOST important that security controls for a new system be documented in:

Options:

A.

testing requirements

B.

the implementation plan.

C.

System requirements

D.

The security policy

Buy Now
Questions 27

The acceptance of control costs that exceed risk exposure is MOST likely an example of:

Options:

A.

low risk tolerance.

B.

corporate culture misalignment.

C.

corporate culture alignment.

D.

high risk tolerance

Buy Now
Questions 28

A technology company is developing a strategic artificial intelligence (Al)-driven application that has high potential business value. At what point should the enterprise risk profile be updated?

Options:

A.

After user acceptance testing (UAT)

B.

Upon approval of the business case

C.

When user stories are developed

D.

During post-implementation review

Buy Now
Questions 29

Which of the following provides the BEST assurance of the effectiveness of vendor security controls?

Options:

A.

Review vendor control self-assessments (CSA).

B.

Review vendor service level agreement (SLA) metrics.

C.

Require independent control assessments.

D.

Obtain vendor references from existing customers.

Buy Now
Questions 30

Which of the following would BEST prevent an unscheduled application of a patch?

Options:

A.

Network-based access controls

B.

Compensating controls

C.

Segregation of duties

D.

Change management

Buy Now
Questions 31

Which of the following stakeholders are typically included as part of a line of defense within the three lines of defense model?

Options:

A.

Board of directors

B.

Vendors

C.

Regulators

D.

Legal team

Buy Now
Questions 32

Which of the following will BEST help to ensure new IT policies address the enterprise's requirements?

Options:

A.

involve IT leadership in the policy development process

B.

Require business users to sign acknowledgment of the poises

C.

involve business owners in the pokey development process

D.

Provide policy owners with greater enforcement authority

Buy Now
Questions 33

Who is MOST appropriate to be assigned ownership of a control

Options:

A.

The individual responsible for control operation

B.

The individual informed of the control effectiveness

C.

The individual responsible for resting the control

D.

The individual accountable for monitoring control effectiveness

Buy Now
Questions 34

Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities?

Options:

A.

Temporarily mitigate the OS vulnerabilities

B.

Document and implement a patching process

C.

Evaluate permanent fixes such as patches and upgrades

D.

Identify the vulnerabilities and applicable OS patches

Buy Now
Questions 35

An organization has used generic risk scenarios to populate its risk register. Which of the following presents the GREATEST challenge to assigning of the associated risk entries?

Options:

A.

The volume of risk scenarios is too large

B.

Risk aggregation has not been completed

C.

Risk scenarios are not applicable

D.

The risk analysts for each scenario is incomplete

Buy Now
Questions 36

Which component of a software inventory BEST enables the identification and mitigation of known vulnerabilities?

Options:

A.

Software version

B.

Assigned software manager

C.

Software support contract expiration

D.

Software licensing information

Buy Now
Questions 37

An organization has adopted an emerging technology without following proper processes. Which of the following is the risk practitioner's BEST course of action to address this risk?

Options:

A.

Accept the risk because the technology has already been adopted.

B.

Propose a transfer of risk to a third party with subsequent monitoring.

C.

Conduct a risk assessment to determine risk exposure.

D.

Recommend to senior management to decommission the technology.

Buy Now
Questions 38

Reviewing which of the following BEST helps an organization gam insight into its overall risk profile''

Options:

A.

Risk register

B.

Risk appetite

C.

Threat landscape

D.

Risk metrics

Buy Now
Questions 39

What is the MAIN benefit of using a top-down approach to develop risk scenarios?

Options:

A.

It describes risk events specific to technology used by the enterprise.

B.

It establishes the relationship between risk events and organizational objectives.

C.

It uses hypothetical and generic risk events specific to the enterprise.

D.

It helps management and the risk practitioner to refine risk scenarios.

Buy Now
Questions 40

Which of the following is MOST important to promoting a risk-aware culture?

Options:

A.

Regular testing of risk controls

B.

Communication of audit findings

C.

Procedures for security monitoring

D.

Open communication of risk reporting

Buy Now
Questions 41

An organization has agreed to a 99% availability for its online services and will not accept availability that falls below 98.5%. This is an example of:

Options:

A.

risk mitigation.

B.

risk evaluation.

C.

risk appetite.

D.

risk tolerance.

Buy Now
Questions 42

Which of the following BEST enables an organization to address new risk associated with an Internet of Things (IoT) solution?

Options:

A.

Transferring the risk

B.

Introducing control procedures early in the life cycle

C.

Updating the risk tolerance to include the new risk

D.

Implementing IoT device monitoring software

Buy Now
Questions 43

Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?

Options:

A.

Identify the potential risk.

B.

Monitor employee usage.

C.

Assess the potential risk.

D.

Develop risk awareness training.

Buy Now
Questions 44

An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:

Options:

A.

reduce the risk to an acceptable level.

B.

communicate the consequences for violations.

C.

implement industry best practices.

D.

reduce the organization's risk appetite

Buy Now
Questions 45

A highly regulated enterprise is developing a new risk management plan to specifically address legal and regulatory risk scenarios What should be done FIRST by IT governance to support this effort?

Options:

A.

Request a regulatory risk reporting methodology

B.

Require critical success factors (CSFs) for IT risks.

C.

Establish IT-specific compliance objectives

D.

Communicate IT key risk indicators (KRIs) and triggers

Buy Now
Questions 46

An organization has decided to postpone the assessment and treatment of several risk scenarios because stakeholders are unavailable. As a result of this decision, the risk associated with these new entries has been;

Options:

A.

mitigated

B.

deferred

C.

accepted.

D.

transferred

Buy Now
Questions 47

Which of the following should be considered FIRST when assessing risk associated with the adoption of emerging technologies?

Options:

A.

Organizational strategy

B.

Cost-benefit analysis

C.

Control self-assessment (CSA)

D.

Business requirements

Buy Now
Questions 48

The risk associated with a high-risk vulnerability in an application is owned by the:

Options:

A.

security department.

B.

business unit

C.

vendor.

D.

IT department.

Buy Now
Questions 49

In order to efficiently execute a risk response action plan, it is MOST important for the emergency response team members to understand:

Options:

A.

system architecture in target areas.

B.

IT management policies and procedures.

C.

business objectives of the organization.

D.

defined roles and responsibilities.

Buy Now
Questions 50

Which of the following is the MOST important reason for a risk practitioner to continuously monitor a critical security transformation program?

Options:

A.

To validate the quality of defined deliverables for the program

B.

To detect increases in program costs

C.

To ensure program risk events are mitigated in a timely manner

D.

To provide timely reporting to the governance steering committee

Buy Now
Questions 51

Of the following, who is BEST suited to assist a risk practitioner in developing a relevant set of risk scenarios?

Options:

A.

Internal auditor

B.

Asset owner

C.

Finance manager

D.

Control owner

Buy Now
Questions 52

Which of the following is MOST important to determine when assessing the potential risk exposure of a loss event involving personal data?

Options:

A.

The cost associated with incident response activitiesThe composition and number of records in the information asset

B.

The maximum levels of applicable regulatory fines

C.

The length of time between identification and containment of the incident

Buy Now
Questions 53

Which of the following activities BEST facilitates effective risk management throughout the organization?

Options:

A.

Reviewing risk-related process documentation

B.

Conducting periodic risk assessments

C.

Performing a business impact analysis (BIA)

D.

Performing frequent audits

Buy Now
Questions 54

An organization is increasingly concerned about loss of sensitive data and asks the risk practitioner to assess the current risk level. Which of the following should the risk practitioner do FIRST?

Options:

A.

Review assignments of data ownership for key assets.

B.

Identify staff who have access to the organization’s sensitive data.

C.

Identify recent and historical incidents involving data loss.

D.

Review the organization's data inventory.

Buy Now
Questions 55

Which of the following is MOST important to the effectiveness of key performance indicators (KPIs)?

Options:

A.

Management approval

B.

Annual review

C.

Relevance

D.

Automation

Buy Now
Questions 56

Which of the following is MOST important for senior management to review during an acquisition?

Options:

A.

Risk appetite and tolerance

B.

Risk framework and methodology

C.

Key risk indicator (KRI) thresholds

D.

Risk communication plan

Buy Now
Questions 57

An organization is considering outsourcing user administration controls tor a critical system. The potential vendor has offered to perform quarterly sett-audits of its controls instead of having annual independent audits. Which of the following should be of GREATEST concern to me risk practitioner?

Options:

A.

The controls may not be properly tested

B.

The vendor will not ensure against control failure

C.

The vendor will not achieve best practices

D.

Lack of a risk-based approach to access control

Buy Now
Questions 58

When of the following provides the MOST tenable evidence that a business process control is effective?

Options:

A.

Demonstration that the control is operating as designed

B.

A successful walk-through of the associated risk assessment

C.

Management attestation that the control is operating effectively

D.

Automated data indicating that risk has been reduced

Buy Now
Questions 59

The PRIMARY reason for prioritizing risk scenarios is to:

Options:

A.

provide an enterprise-wide view of risk

B.

support risk response tracking

C.

assign risk ownership

D.

facilitate risk response decisions.

Buy Now
Questions 60

Using key risk indicators (KRIs) to illustrate changes in the risk profile PRIMARILY helps to:

Options:

A.

communicate risk trends to stakeholders.

B.

assign ownership of emerging risk scenarios.

C.

highlight noncompliance with the risk policy

D.

identify threats to emerging technologies.

Buy Now
Questions 61

Which of the following presents the GREATEST challenge to managing an organization's end-user devices?

Options:

A.

Incomplete end-user device inventory

B.

Unsupported end-user applications

C.

Incompatible end-user devices

D.

Multiple end-user device models

Buy Now
Questions 62

An organization is considering the adoption of an aggressive business strategy to achieve desired growth From a risk management perspective what should the risk practitioner do NEXT?

Options:

A.

Identify new threats resorting from the new business strategy

B.

Update risk awareness training to reflect current levels of risk appetite and tolerance

C.

Inform the board of potential risk scenarios associated with aggressive business strategies

D.

Increase the scale for measuring impact due to threat materialization

Buy Now
Questions 63

An organization is analyzing the risk of shadow IT usage. Which of the following is the MOST important input into the assessment?

Options:

A.

Business benefits of shadow IT

B.

Application-related expresses

C.

Classification of the data

D.

Volume of data

Buy Now
Questions 64

Which of the following is the GREATEST benefit of identifying appropriate risk owners?

Options:

A.

Accountability is established for risk treatment decisions

B.

Stakeholders are consulted about risk treatment options

C.

Risk owners are informed of risk treatment options

D.

Responsibility is established for risk treatment decisions.

Buy Now
Questions 65

Which of the following would MOST effectively reduce risk associated with an increase of online transactions on a retailer website?

Options:

A.

Scalable infrastructure

B.

A hot backup site

C.

Transaction limits

D.

Website activity monitoring

Buy Now
Questions 66

Which key performance efficiency IKPI) BEST measures the effectiveness of an organization's disaster recovery program?

Options:

A.

Number of service level agreement (SLA) violations

B.

Percentage of recovery issues identified during the exercise

C.

Number of total systems recovered within tie recovery point objective (RPO)

D.

Percentage of critical systems recovered within tie recovery time objective (RTO)

Buy Now
Questions 67

Which of the following BEST indicates that an organization has implemented IT performance requirements?

Options:

A.

Service level agreements(SLA)

B.

Vendor references

C.

Benchmarking data

D.

Accountability matrix

Buy Now
Questions 68

The BEST indicator of the risk appetite of an organization is the

Options:

A.

regulatory environment of the organization

B.

risk management capability of the organization

C.

board of directors' response to identified risk factors

D.

importance assigned to IT in meeting strategic goals

Buy Now
Questions 69

Which of the following should management consider when selecting a risk mitigation option?

Options:

A.

Maturity of the enterprise architecture

B.

Cost of control implementation

C.

Reliability of key performance indicators (KPIs)

D.

Reliability of key risk indicators (KPIs)

Buy Now
Questions 70

An organization recently implemented a machine learning-based solution to monitor IT usage and analyze user behavior in an effort to detect internal fraud. Which of the following is MOST likely to be reassessed as a result of this initiative?

Options:

A.

Risk likelihood

B.

Risk culture

C.

Risk appetite

D.

Risk capacity

Buy Now
Questions 71

A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?

Options:

A.

The methodology used to perform the risk assessment

B.

Action plans to address risk scenarios requiring treatment

C.

Date and status of the last project milestone

D.

The individuals assigned ownership of controls

Buy Now
Questions 72

To help ensure the success of a major IT project, it is MOST important to:

Options:

A.

obtain the appropriate stakeholders' commitment.

B.

align the project with the IT risk framework.

C.

obtain approval from business process owners.

D.

update the risk register on a regular basis.

Buy Now
Questions 73

Which of the following BEST reduces the likelihood of fraudulent activity that occurs through use of a digital wallet?

Options:

A.

Require multi-factor authentication (MFA) to access the digital wallet.

B.

Use a digital key to encrypt the contents of the wallet.

C.

Enable audit logging on the digital wallet's device.

D.

Require public key infrastructure (PKI) to authorize transactions.

Buy Now
Questions 74

Which of the following is the MOST effective way to validate organizational awareness of cybersecurity risk?

Options:

A.

Conducting security awareness training

B.

Updating the information security policy

C.

Implementing mock phishing exercises

D.

Requiring two-factor authentication

Buy Now
Questions 75

Which of the following is the GREATEST risk associated with inappropriate classification of data?

Options:

A.

Inaccurate record management data

B.

Users having unauthorized access to data

C.

Inaccurate recovery time objectives (RTOs)

D.

Lack of accountability for data ownership

Buy Now
Questions 76

An organization has been experiencing an increasing number of spear phishing attacks Which of the following would be the MOST effective way to mitigate the risk associated with these attacks?

Options:

A.

Update firewall configuration

B.

Require strong password complexity

C.

implement a security awareness program

D.

Implement two-factor authentication

Buy Now
Questions 77

Which of the following is MOST critical to the design of relevant risk scenarios?

Options:

A.

The scenarios are based on past incidents.

B.

The scenarios are linked to probable organizational situations.

C.

The scenarios are mapped to incident management capabilities.

D.

The scenarios are aligned with risk management capabilities.

Buy Now
Questions 78

Which of the following would provide the BEST evidence of an effective internal control environment/?

Options:

A.

Risk assessment results

B.

Adherence to governing policies

C.

Regular stakeholder briefings

D.

Independent audit results

Buy Now
Questions 79

The MAIN goal of the risk analysis process is to determine the:

Options:

A.

potential severity of impact

B.

frequency and magnitude of loss

C.

control deficiencies

D.

threats and vulnerabilities

Buy Now
Questions 80

Which of the following will BEST support management repotting on risk?

Options:

A.

Risk policy requirements

B.

A risk register

C.

Control self-assessment

D.

Key performance Indicators

Buy Now
Questions 81

Which of the following would be the result of a significant increase in the motivation of a malicious threat actor?

Options:

A.

Increase in mitigating control costs

B.

Increase in risk event impact

C.

Increase in risk event likelihood

D.

Increase in cybersecurity premium

Buy Now
Questions 82

An organization's business gap analysis reveals the need for a robust IT risk strategy. Which of the following should be the risk practitioner's PRIMARY consideration when participating in development of the new strategy?

Options:

A.

Scale of technology

B.

Risk indicators

C.

Risk culture

D.

Proposed risk budget

Buy Now
Questions 83

A segregation of duties control was found to be ineffective because it did not account for all applicable functions when evaluating access. Who is responsible for ensuring the control is designed to effectively address risk?

Options:

A.

Risk manager

B.

Control owner

C.

Control tester

D.

Risk owner

Buy Now
Questions 84

When preparing a risk status report for periodic review by senior management, it is MOST important to ensure the report includes

Options:

A.

risk exposure in business terms

B.

a detailed view of individual risk exposures

C.

a summary of incidents that have impacted the organization.

D.

recommendations by an independent risk assessor.

Buy Now
Questions 85

Which of the following is the MOST important outcome of a business impact analysis (BIA)?

Options:

A.

Understanding and prioritization of critical processes

B.

Completion of the business continuity plan (BCP)

C.

Identification of regulatory consequences

D.

Reduction of security and business continuity threats

Buy Now
Questions 86

The following is the snapshot of a recently approved IT risk register maintained by an organization's information security department.

CRISC Question 86

After implementing countermeasures listed in ‘’Risk Response Descriptions’’ for each of the Risk IDs, which of the following component of the register MUST change?

Options:

A.

Risk Impact Rating

B.

Risk Owner

C.

Risk Likelihood Rating

D.

Risk Exposure

Buy Now
Questions 87

An organization recently configured a new business division Which of the following is MOST likely to be affected?

Options:

A.

Risk profile

B.

Risk culture

C.

Risk appetite

D.

Risk tolerance

Buy Now
Questions 88

Which of the following is the PRIMARY objective of maintaining an information asset inventory?

Options:

A.

To provide input to business impact analyses (BIAs)

B.

To protect information assets

C.

To facilitate risk assessments

D.

To manage information asset licensing

Buy Now
Questions 89

Which of the following will BEST help to ensure key risk indicators (KRIs) provide value to risk owners?

Options:

A.

Ongoing training

B.

Timely notification

C.

Return on investment (ROI)

D.

Cost minimization

Buy Now
Questions 90

Which of the following is MOST important information to review when developing plans for using emerging technologies?

Options:

A.

Existing IT environment

B.

IT strategic plan

C.

Risk register

D.

Organizational strategic plan

Buy Now
Questions 91

Which of the following is a risk practitioner's BEST course of action if a risk assessment identifies a risk that is extremely unlikely but would have a severe impact should it occur?

Options:

A.

Rate the risk as high priority based on the severe impact.

B.

Obtain management's consent to accept the risk.

C.

Ignore the risk due to the extremely low likelihood.

D.

Address the risk by analyzing treatment options.

Buy Now
Questions 92

An organization has been made aware of a newly discovered critical vulnerability in a regulatory reporting system. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Perform an impact assessment.

B.

Perform a penetration test.

C.

Request an external audit.

D.

Escalate the risk to senior management.

Buy Now
Questions 93

When implementing an IT risk management program, which of the following is the BEST time to evaluate current control effectiveness?

Options:

A.

Before defining a framework

B.

During the risk assessment

C.

When evaluating risk response

D.

When updating the risk register

Buy Now
Questions 94

As pan of business continuity planning, which of the following is MOST important to include m a business impact analysis (BlA)?

Options:

A.

An assessment of threats to the organization

B.

An assessment of recovery scenarios

C.

industry standard framework

D.

Documentation of testing procedures

Buy Now
Questions 95

Which of the following is the GREATEST benefit of centralizing IT systems?

Options:

A.

Risk reporting

B.

Risk classification

C.

Risk monitoring

D.

Risk identification

Buy Now
Questions 96

Which of the following is the BEST method of creating risk awareness in an organization?

Options:

A.

Marking the risk register available to project stakeholders

B.

Ensuring senior management commitment to risk training

C.

Providing regular communication to risk managers

D.

Appointing the risk manager from the business units

Buy Now
Questions 97

Which of the following is the MOST effective way to help ensure accountability for managing risk?

Options:

A.

Assign process owners to key risk areas.

B.

Obtain independent risk assessments.

C.

Assign incident response action plan responsibilities.

D.

Create accurate process narratives.

Buy Now
Questions 98

An organization has decided to commit to a business activity with the knowledge that the risk exposure is higher than the risk appetite. Which of the following is the risk practitioner's MOST important action related to this decision?

Options:

A.

Recommend risk remediation

B.

Change the level of risk appetite

C.

Document formal acceptance of the risk

D.

Reject the business initiative

Buy Now
Questions 99

A bank recently incorporated Blockchain technology with the potential to impact known risk within the organization. Which of the following is the risk practitioner’s BEST course of action?

Options:

A.

Determine whether risk responses are still adequate.

B.

Analyze and update control assessments with the new processes.

C.

Analyze the risk and update the risk register as needed.

D.

Conduct testing of the control that mitigate the existing risk.

Buy Now
Questions 100

Which of the following has the GREATEST influence on an organization's risk appetite?

Options:

A.

Threats and vulnerabilities

B.

Internal and external risk factors

C.

Business objectives and strategies

D.

Management culture and behavior

Buy Now
Questions 101

A recent vulnerability assessment of a web-facing application revealed several weaknesses. Which of the following should be done NEXT to determine the risk exposure?

Options:

A.

Code review

B.

Penetration test

C.

Gap assessment

D.

Business impact analysis (BIA)

Buy Now
Questions 102

Which of the following resources is MOST helpful to a risk practitioner when updating the likelihood rating in the risk register?

Options:

A.

Risk control assessment

B.

Audit reports with risk ratings

C.

Penetration test results

D.

Business impact analysis (BIA)

Buy Now
Questions 103

An information security audit identified a risk resulting from the failure of an automated control Who is responsible for ensuring the risk register is updated accordingly?

Options:

A.

The risk practitioner

B.

The risk owner

C.

The control owner

D.

The audit manager

Buy Now
Questions 104

An organization control environment is MOST effective when:

Options:

A.

control designs are reviewed periodically

B.

controls perform as intended.

C.

controls are implemented consistently.

D.

controls operate efficiently

Buy Now
Questions 105

Which of the following BEST helps to identify significant events that could impact an organization?

Options:

A.

Control analysis

B.

Vulnerability analysis

C.

Scenario analysis

D.

Heat map analysis

Buy Now
Questions 106

Which of the following is the BEST control to minimize the risk associated with scope creep in software development?

Options:

A.

An established process for project change management

B.

Retention of test data and results for review purposes

C.

Business managements review of functional requirements

D.

Segregation between development, test, and production

Buy Now
Questions 107

Which of the following should be the FIRST consideration when establishing a new risk governance program?

Options:

A.

Developing an ongoing awareness and training program

B.

Creating policies and standards that are easy to comprehend

C.

Embedding risk management into the organization

D.

Completing annual risk assessments on critical resources

Buy Now
Questions 108

When documenting a risk response, which of the following provides the STRONGEST evidence to support the decision?

Options:

A.

Verbal majority acceptance of risk by committee

B.

List of compensating controls

C.

IT audit follow-up responses

D.

A memo indicating risk acceptance

Buy Now
Questions 109

Which of the following should be of GREATEST concern lo a risk practitioner reviewing the implementation of an emerging technology?

Options:

A.

Lack of alignment to best practices

B.

Lack of risk assessment

C.

Lack of risk and control procedures

D.

Lack of management approval

Buy Now
Questions 110

Which of the following would BEST help to address the risk associated with malicious outsiders modifying application data?

Options:

A.

Multi-factor authentication

B.

Role-based access controls

C.

Activation of control audits

D.

Acceptable use policies

Buy Now
Questions 111

Which of the following would provide the MOST useful information to a risk owner when reviewing the progress of risk mitigation?

Options:

A.

Key audit findings

B.

Treatment plan status

C.

Performance indicators

D.

Risk scenario results

Buy Now
Questions 112

An organization has provided legal text explaining the rights and expected behavior of users accessing a system from geographic locations that have strong privacy regulations. Which of the following control types has been applied?

Options:

A.

Detective

B.

Directive

C.

Preventive

D.

Compensating

Buy Now
Questions 113

A risk practitioner is preparing a report to communicate changes in the risk and control environment. The BEST way to engage stakeholder attention is to:

Options:

A.

include detailed deviations from industry benchmarks,

B.

include a summary linking information to stakeholder needs,

C.

include a roadmap to achieve operational excellence,

D.

publish the report on-demand for stakeholders.

Buy Now
Questions 114

An IT risk threat analysis is BEST used to establish

Options:

A.

risk scenarios

B.

risk maps

C.

risk appetite

D.

risk ownership.

Buy Now
Questions 115

Which of the following is MOST important to update following a change in organizational risk appetite and tolerance?

Options:

A.

Business impact assessment (BIA)

B.

Key performance indicators (KPIs)

C.

Risk profile

D.

Industry benchmark analysis

Buy Now
Questions 116

During a risk assessment of a financial institution, a risk practitioner discovers that tellers can initiate and approve transactions of significant value. This team is also responsible for ensuring transactions are recorded and balances are reconciled by the end of the day. Which of the following is the risk practitioner's BEST recommendation to mitigate the associated risk?

Options:

A.

Implement continuous monitoring.

B.

Require a second level of approval.

C.

Implement separation of duties.

D.

Require a code of ethics.

Buy Now
Questions 117

An application development team has a backlog of user requirements for a new system that will process insurance claim payments for customers. Which of the following should be the MOST important consideration for a risk-based review of the user requirements?

Options:

A.

Number of claims affected by the user requirements

B.

Number of customers impacted

C.

Impact to the accuracy of claim calculation

D.

Level of resources required to implement the user requirements

Buy Now
Questions 118

Which stakeholder is MOST important to include when defining a risk profile during me selection process for a new third party application'?

Options:

A.

The third-party risk manager

B.

The application vendor

C.

The business process owner

D.

The information security manager

Buy Now
Questions 119

After the implementation of internal of Things (IoT) devices, new risk scenarios were identified. What is the PRIMARY reason to report this information to risk owners?

Options:

A.

To reevaluate continued use to IoT devices

B.

The add new controls to mitigate the risk

C.

The recommend changes to the IoT policy

D.

To confirm the impact to the risk profile

Buy Now
Questions 120

Which of the following is the MOST important consideration when developing risk strategies?

Options:

A.

Organization's industry sector

B.

Long-term organizational goals

C.

Concerns of the business process owners

D.

History of risk events

Buy Now
Questions 121

Which of the following is the BEST method to mitigate the risk of an unauthorized employee viewing confidential data in a database''

Options:

A.

Implement role-based access control

B.

Implement a data masking process

C.

Include sanctions in nondisclosure agreements (NDAs)

D.

Install a data loss prevention (DLP) tool

Buy Now
Questions 122

Which of the following is the BEST way to determine whether system settings are in alignment with control baselines?

Options:

A.

Configuration validation

B.

Control attestation

C.

Penetration testing

D.

Internal audit review

Buy Now
Questions 123

A company has located its computer center on a moderate earthquake fault. Which of the following is the MOST important consideration when establishing a contingency plan and an alternate processing site?

Options:

A.

The contingency plan provides for backup media to be taken to the alternative site.

B.

The contingency plan for high priority applications does not involve a shared cold site.

C.

The alternative site is a hot site with equipment ready to resume processing immediately.

D.

The alternative site does not reside on the same fault no matter how far the distance apart.

Buy Now
Questions 124

Which of the following is a risk practitioner's BEST recommendation regarding disaster recovery management (DRM) for Software as a Service (SaaS) providers?

Options:

A.

Conduct inoremental backups of data in the SaaS environment to a local data center.

B.

Implement segregation of duties between multiple SaaS solution providers.

C.

Codify availability requirements in the SaaS provider's contract.

D.

Conduct performance benchmarking against other SaaS service providers.

Buy Now
Questions 125

Which of the following is the BEST method for determining an enterprise's current appetite for risk?

Options:

A.

Comparative analysis of peer companies

B.

Reviews of brokerage firm assessments

C.

Interviews with senior management

D.

Trend analysis using prior annual reports

Buy Now
Questions 126

The PRIMARY benefit of conducting a risk workshop using a top-down approach instead of a bottom-up approach is the ability to:

Options:

A.

identify specific project risk.

B.

obtain a holistic view of IT strategy risk.

C.

understand risk associated with complex processes.

D.

incorporate subject matter expertise.

Buy Now
Questions 127

Which of the following should be of MOST concern to a risk practitioner reviewing an organization risk register after the completion of a series of risk assessments?

Options:

A.

Several risk action plans have missed target completion dates.

B.

Senior management has accepted more risk than usual.

C.

Risk associated with many assets is only expressed in qualitative terms.

D.

Many risk scenarios are owned by the same senior manager.

Buy Now
Questions 128

Effective risk communication BEST benefits an organization by:

Options:

A.

helping personnel make better-informed decisions

B.

assisting the development of a risk register.

C.

improving the effectiveness of IT controls.

D.

increasing participation in the risk assessment process.

Buy Now
Questions 129

Which of the following is MOST helpful in providing a high-level overview of current IT risk severity*?

Options:

A.

Risk mitigation plans

B.

heat map

C.

Risk appetite statement

D.

Key risk indicators (KRls)

Buy Now
Questions 130

The PRIMARY objective of collecting information and reviewing documentation when performing periodic risk analysis should be to:

Options:

A.

Identify new or emerging risk issues.

B.

Satisfy audit requirements.

C.

Survey and analyze historical risk data.

D.

Understand internal and external threat agents.

Buy Now
Questions 131

Which of the following BEST balances the costs and benefits of managing IT risk*?

Options:

A.

Prioritizing and addressing risk in line with risk appetite. Eliminating risk through preventive and detective controls

B.

Considering risk that can be shared with a third party

C.

Evaluating the probability and impact of risk scenarios

Buy Now
Questions 132

Which of the following would BEST help to ensure that identified risk is efficiently managed?

Options:

A.

Reviewing the maturity of the control environment

B.

Regularly monitoring the project plan

C.

Maintaining a key risk indicator for each asset in the risk register

D.

Periodically reviewing controls per the risk treatment plan

Buy Now
Questions 133

A global organization is considering the acquisition of a competitor. Senior management has requested a review of the overall risk profile from the targeted organization. Which of the following components of this review would provide the MOST useful information?

Options:

A.

Risk appetite statement

B.

Enterprise risk management framework

C.

Risk management policies

D.

Risk register

Buy Now
Questions 134

Which of the following should be the PRIMARY consideration when assessing the automation of control monitoring?

Options:

A.

impact due to failure of control

B.

Frequency of failure of control

C.

Contingency plan for residual risk

D.

Cost-benefit analysis of automation

Buy Now
Questions 135

Which of the following should be the PRIMARY objective of promoting a risk-aware culture within an organization?

Options:

A.

Better understanding of the risk appetite

B.

Improving audit results

C.

Enabling risk-based decision making

D.

Increasing process control efficiencies

Buy Now
Questions 136

A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?

Options:

A.

The team that performed the risk assessment

B.

An assigned risk manager to provide oversight

C.

Action plans to address risk scenarios requiring treatment

D.

The methodology used to perform the risk assessment

Buy Now
Questions 137

Which of the following is the BEST way to identify changes to the risk landscape?

Options:

A.

Internal audit reports

B.

Access reviews

C.

Threat modeling

D.

Root cause analysis

Buy Now
Questions 138

An organization delegates its data processing to the internal IT team to manage information through its applications. Which of the following is the role of the internal IT team in this situation?

Options:

A.

Data controllers

B.

Data processors

C.

Data custodians

D.

Data owners

Buy Now
Questions 139

Calculation of the recovery time objective (RTO) is necessary to determine the:

Options:

A.

time required to restore files.

B.

point of synchronization

C.

priority of restoration.

D.

annual loss expectancy (ALE).

Buy Now
Questions 140

Which of the following is the MOST important element of a successful risk awareness training program?

Options:

A.

Customizing content for the audience

B.

Providing incentives to participants

C.

Mapping to a recognized standard

D.

Providing metrics for measurement

Buy Now
Questions 141

The PRIMARY reason for a risk practitioner to review business processes is to:

Options:

A.

Benchmark against peer organizations.

B.

Identify appropriate controls within business processes.

C.

Assess compliance with global standards.

D.

Identify risk owners related to business processes.

Buy Now
Questions 142

A risk practitioner observes that hardware failure incidents have been increasing over the last few months. However, due to built-in redundancy and fault-tolerant architecture, there have been no interruptions to business operations. The risk practitioner should conclude that:

Options:

A.

a root cause analysis is required

B.

controls are effective for ensuring continuity

C.

hardware needs to be upgraded

D.

no action is required as there was no impact

Buy Now
Questions 143

Which of the following is the BEST indication of an improved risk-aware culture following the implementation of a security awareness training program for all employees?

Options:

A.

A reduction in the number of help desk calls

B.

An increase in the number of identified system flaws

C.

A reduction in the number of user access resets

D.

An increase in the number of incidents reported

Buy Now
Questions 144

Which organizational role should be accountable for ensuring information assets are appropriately classified?

Options:

A.

Data protection officer

B.

Chief information officer (CIO)

C.

Information asset custodian

D.

Information asset owner

Buy Now
Questions 145

Which of the following is a PRIMARY reason for considering existing controls during initial risk assessment?

Options:

A.

To determine the inherent risk level

B.

To determine the acceptable risk level

C.

To determine the current risk level

D.

To determine the desired risk level

Buy Now
Questions 146

Which of the following is MOST important for a risk practitioner to confirm once a risk action plan has been completed?

Options:

A.

The risk register has been updated.

B.

The risk tolerance has been recalibrated.

C.

The risk has been mitigated to the intended level.

D.

The risk owner has reviewed the outcomes.

Buy Now
Questions 147

Which of the following BEST prevents control gaps in the Zero Trust model when implementing in the environment?

Options:

A.

Relying on multiple solutions for Zero Trust

B.

Utilizing rapid development during implementation

C.

Establishing a robust technical architecture

D.

Starting with a large initial scope

Buy Now
Questions 148

Following the implementation of an Internet of Things (loT) solution, a risk practitioner identifies new risk factors with impact to existing controls. Which of the following is MOST important to include in a report to stakeholders?

Options:

A.

Identified vulnerabilities

B.

Business managers' concerns

C.

Changes to residual risk

D.

Risk strategies of peer organizations

Buy Now
Questions 149

Which of the following describes the relationship between risk appetite and risk tolerance?

Options:

A.

Risk appetite is completely independent of risk tolerance.

B.

Risk tolerance is used to determine risk appetite.

C.

Risk appetite and risk tolerance are synonymous.

D.

Risk tolerance may exceed risk appetite.

Buy Now
Questions 150

Which of the following is the PRIMARY purpose for ensuring senior management understands the organization’s risk universe in relation to the IT risk management program?

Options:

A.

To define effective enterprise IT risk appetite and tolerance levels

B.

To execute the IT risk management strategy in support of business objectives

C.

To establish business-aligned IT risk management organizational structures

D.

To assess the capabilities and maturity of the organization’s IT risk management efforts

Buy Now
Questions 151

A hospital recently implemented a new technology to allow virtual patient appointments. Which of the following should be the risk practitioner's FIRST course of action?

Options:

A.

Reassess the risk profile.

B.

Modify the risk taxonomy.

C.

Increase the risk tolerance.

D.

Review the risk culture.

Buy Now
Questions 152

Which of the following BEST mitigates ethical risk?

Options:

A.

Ethics committees

B.

Contingency scenarios

C.

Awareness of consequences for violations

D.

Routine changes in senior management

Buy Now
Questions 153

Which of the following should be the PRIMARY input to determine risk tolerance?

Options:

A.

Regulatory requirements

B.

Organizational objectives

C.

Annual loss expectancy (ALE)

D.

Risk management costs

Buy Now
Questions 154

A robotic process automation (RPA) project has implemented new robots to enhance the efficiency of a sales business process. Which of the following provides the BEST evidence that the new controls have been implemented successfully?

Options:

A.

A post-implementation review has been conducted by key personnel.

B.

A qualified independent party assessed the new controls as effective.

C.

Senior management has signed off on the design of the controls.

D.

Robots have operated without human interference on a daily basis.

Buy Now
Questions 155

A data center has recently been migrated to a jurisdiction where heavy fines will be imposed should leakage of customer personal data occur. Assuming no other changes to the operating environment, which factor should be updated to reflect this situation as an input to scenario development for this particular risk event?

Options:

A.

Risk likelihood

B.

Risk impact

C.

Risk capacity

D.

Risk appetite

Buy Now
Questions 156

A failure in an organization s IT system build process has resulted in several computers on the network missing the corporate endpoint detection and response (EDR) software. Which of the following should be the risk practitioner’s IMMEDIATE concern?

Options:

A.

Multiple corporate build images exist.

B.

The process documentation was not updated.

C.

The IT build process was not followed.

D.

Threats are not being detected.

Buy Now
Questions 157

Risk mitigation is MOST effective when which of the following is optimized?

Options:

A.

Operational risk

B.

Residual risk

C.

Inherent risk

D.

Regulatory risk

Buy Now
Questions 158

Which of the following is MOST important to consider when assessing the likelihood that a recently discovered software vulnerability will be exploited?

Options:

A.

The skill level required of a threat actor

B.

The amount of personally identifiable information (PH) disclosed

C.

The ability to detect and trace the threat action

D.

The amount of data that might be exposed by a threat action

Buy Now
Questions 159

Which of the following is the BEST metric to demonstrate the effectiveness of an organization's patch management process?

Options:

A.

Average time to implement patches after vendor release

B.

Number of patches tested prior to deployment

C.

Increase in the frequency of patches deployed into production

D.

Percent of patches implemented within established timeframe

Buy Now
Questions 160

Which of the following is the MOST useful information an organization can obtain from external sources about emerging threats?

Options:

A.

Solutions for eradicating emerging threats

B.

Cost to mitigate the risk resulting from threats

C.

Indicators for detecting the presence of threatsl)

D.

Source and identity of attackers

Buy Now
Questions 161

Which of the following would BEST facilitate the maintenance of data classification requirements?

Options:

A.

Scheduling periodic audits

B.

Assigning a data custodian

C.

Implementing technical controls over the assets

D.

Establishing a data loss prevention (DLP) solution

Buy Now
Questions 162

An incentive program is MOST likely implemented to manage the risk associated with loss of which organizational asset?

Options:

A.

Employees

B.

Data

C.

Reputation

D.

Customer lists

Buy Now
Questions 163

The BEST way for management to validate whether risk response activities have been completed is to review:

Options:

A.

the risk register change log.

B.

evidence of risk acceptance.

C.

control effectiveness test results.

D.

control design documentation.

Buy Now
Questions 164

The percentage of unpatched systems is a:

Options:

A.

threat vector.

B.

critical success factor (CSF).

C.

key performance indicator (KPI).

D.

key risk indicator (KRI).

Buy Now
Questions 165

Which of the following actions should a risk practitioner do NEXT when an increased industry trend of external cyber attacks is identified?

Options:

A.

Conduct a threat and vulnerability analysis.

B.

Notify senior management of the new risk scenario.

C.

Update the risk impact rating in the risk register.

D.

Update the key risk indicator (KRI) in the risk register.

Buy Now
Questions 166

A MAJOR advantage of using key risk indicators (KRIs) is that they:

Options:

A.

Identify scenarios that exceed defined risk appetite.

B.

Help with internal control assessments concerning risk appetite.

C.

Assess risk scenarios that exceed defined thresholds.

D.

Identify when risk exceeds defined thresholds.

Buy Now
Questions 167

In addition to the risk exposure, which of the following is MOST important for senior management to understand prior to approving the use of artificial intelligence (Al) solutions?

Options:

A.

Potential benefits from use of Al solutions

B.

Monitoring techniques required for AI solutions

C.

Changes to existing infrastructure to support Al solutions

D.

Skills required to support Al solutions

Buy Now
Questions 168

When assessing the maturity level of an organization's risk management framework, which of the following should be of GREATEST concern to a risk practitioner?

Options:

A.

Reliance on qualitative analysis methods

B.

Lack of a governance, risk, and compliance (GRC) tool

C.

Lack of senior management involvement

D.

Use of multiple risk registers

Buy Now
Questions 169

Which of the following is the MOST useful input when developing risk scenarios?

Options:

A.

Common attacks in other industries

B.

Identification of risk events

C.

Impact on critical assets

D.

Probability of disruptive risk events

Buy Now
Questions 170

During a review of the asset life cycle process, a risk practitioner identified several unreturned and unencrypted laptops belonging to former employees. Which of the following is the GREATEST concern with this finding?

Options:

A.

Insufficient laptops for existing employees

B.

Abuse of leavers' account privileges

C.

Unauthorized access to organizational data

D.

Financial cost of replacing the laptops

Buy Now
Questions 171

Which of the following is MOST useful for measuring the existing risk management process against a desired state?

Options:

A.

Balanced scorecard

B.

Risk management framework

C.

Capability maturity model

D.

Risk scenario analysis

Buy Now
Questions 172

Which of the following is MOST important to ensure risk management practices are effective at all levels within the organization?

Options:

A.

Communicating risk awareness materials regularly

B.

Establishing key risk indicators (KRIs) to monitor risk management processes

C.

Ensuring that business activities minimize inherent risk

D.

Embedding risk management in business activities

Buy Now
Questions 173

Which of the following will BEST help to ensure implementation of corrective action plans?

Options:

A.

Contracting to third parties

B.

Establishing employee awareness training

C.

Setting target dates to complete actions

D.

Assigning accountability to risk owners

Buy Now
Questions 174

Which of the following will MOST likely change as a result of the decrease in risk appetite due to a new privacy regulation?

Options:

A.

Key risk indicator (KRI) thresholds

B.

Risk trends

C.

Key performance indicators (KPIs)

D.

Risk objectives

Buy Now
Questions 175

In a public company, which group is PRIMARILY accountable for ensuring sufficient attention and resources are applied to the risk management process?

Options:

A.

Board of directors

B.

Risk officers

C.

Line management

D.

Senior management

Buy Now
Questions 176

A risk practitioner has established that a particular control is working as desired, but the annual cost of maintenance has increased and now exceeds the expected annual loss exposure. The result is that the control is:

Options:

A.

mature

B.

ineffective.

C.

optimized.

D.

inefficient.

Buy Now
Questions 177

An organization operates in an environment where the impact of ransomware attacks is high, with a low likelihood. After quantifying the impact of the risk associated with ransomware attacks exceeds the organization's risk appetite and tolerance, which of the following is the risk practitioner's BEST recommendation?

Options:

A.

Obtain adequate cybersecurity insurance coverage.

B.

Ensure business continuity assessments are up to date.

C.

Adjust the organization's risk appetite and tolerance.

D.

Obtain certification to a global information security standard.

Buy Now
Questions 178

Of the following, who should be responsible for determining the inherent risk rating of an application?

Options:

A.

Application owner

B.

Senior management

C.

Risk practitioner

D.

Business process owner

Buy Now
Questions 179

A control owner responsible for the access management process has developed a machine learning model to automatically identify excessive access privileges. What is the risk practitioner's BEST course of action?

Options:

A.

Review the design of the machine learning model against control objectives.

B.

Adopt the machine learning model as a replacement for current manual access reviews.

C.

Ensure the model assists in meeting regulatory requirements for access controls.

D.

Discourage the use of emerging technologies in key processes.

Buy Now
Questions 180

Mitigating technology risk to acceptable levels should be based PRIMARILY upon:

Options:

A.

organizational risk appetite.

B.

business sector best practices.

C.

business process requirements.

D.

availability of automated solutions

Buy Now
Questions 181

When assessing the maturity level of an organization's risk management framework, which of the following deficiencies should be of GREATEST concern to a risk practitioner?

Options:

A.

Unclear organizational risk appetite

B.

Lack of senior management participation

C.

Use of highly customized control frameworks

D.

Reliance on qualitative analysis methods

Buy Now
Questions 182

Which of the following BEST enables detection of ethical violations committed by employees?

Options:

A.

Transaction log monitoring

B.

Whistleblower program

C.

Access control attestation

D.

Periodic job rotation

Buy Now
Questions 183

An organization has built up its cash reserves and has now become financially able to support additional risk while meeting its objectives. What is this change MOST likely to impact?

Options:

A.

Risk profile

B.

Risk capacity

C.

Risk indicators

D.

Risk tolerance

Buy Now
Questions 184

An organization is implementing Zero Trust architecture to improve its security posture. Which of the following is the MOST important input to develop the architecture?

Options:

A.

Cloud services risk assessments

B.

The organization's threat model

C.

Access control logs

D.

Multi-factor authentication (MFA) architecture

Buy Now
Questions 185

Which of the following proposed benefits is MOST likely to influence senior management approval to reallocate budget for a new security initiative?

Options:

A.

Reduction in the number of incidents

B.

Reduction in inherent risk

C.

Reduction in residual risk

D.

Reduction in the number of known vulnerabilities

Buy Now
Questions 186

Concerned about system load capabilities during the month-end close process, management requires monitoring of the average time to complete tasks and monthly reporting of the findings. What type of measure has been established?

Options:

A.

Service level agreement (SLA)

B.

Critical success factor (CSF)

C.

Key risk indicator (KRI)

D.

Key performance indicator (KPI)

Buy Now
Questions 187

Which of the following BEST enables the development of a successful IT strategy focused on business risk mitigation?

Options:

A.

Providing risk awareness training for business units

B.

Obtaining input from business management

C.

Understanding the business controls currently in place

D.

Conducting a business impact analysis (BIA)

Buy Now
Questions 188

Which of the following is the PRIMARY accountability for a control owner?

Options:

A.

Communicate risk to senior management.

B.

Own the associated risk the control is mitigating.

C.

Ensure the control operates effectively.

D.

Identify and assess control weaknesses.

Buy Now
Questions 189

An organization uses a biometric access control system for authentication and access to its server room. Which control type has been implemented?

Options:

A.

Detective

B.

Deterrent

C.

Preventive

D.

Corrective

Buy Now
Questions 190

Which of the following should be the PRIMARY consideration when assessing the risk of using Internet of Things (loT) devices to collect and process personally identifiable information (Pll)?

Options:

A.

Costs and benefits

B.

Local laws and regulations

C.

Security features and support

D.

Business strategies and needs

Buy Now
Questions 191

Which process is MOST effective to determine relevance of threats for risk scenarios?

Options:

A.

Vulnerability assessment

B.

Business impact analysis (BIA)

C.

Penetration testing

D.

Root cause analysis

Buy Now
Questions 192

An organization has implemented a policy requiring staff members to take a minimum of five consecutive days' leave per year to mitigate the risk of malicious insider activities. Which of the following is the BEST key performance indicator (KPI) of the effectiveness of this policy?

Options:

A.

Financial loss incurred due to malicious activities since policy implementation

B.

Average number of consecutive days of leave per staff member

C.

Number of suspected malicious activities reported since policy implementation

D.

Percentage of staff turnover following five consecutive days of leave

Buy Now
Questions 193

Which of the following would be a risk practitioner’s GREATEST concern related to the monitoring of key risk indicators (KRIs)?

Options:

A.

Logs are retained for longer than required.

B.

Logs are reviewed annually.

C.

Logs are stored in a multi-tenant cloud environment.

D.

Logs are modified before analysis is conducted.

Buy Now
Questions 194

Which of the following is the BEST method for identifying vulnerabilities?

Options:

A.

Batch job failure monitoring

B.

Periodic network scanning

C.

Annual penetration testing

D.

Risk assessments

Buy Now
Questions 195

Which of the following is the GREATEST risk associated with inappropriate classification of data?

Options:

A.

Inaccurate record management data

B.

Inaccurate recovery time objectives (RTOs)

C.

Lack of accountability for data ownership

D.

Users having unauthorized access to data

Buy Now
Questions 196

Which of the following would provide the MOST useful input when evaluating the appropriateness of risk responses?

Options:

A.

Incident reports

B.

Cost-benefit analysis

C.

Risk tolerance

D.

Control objectives

Buy Now
Questions 197

A risk practitioner's BEST guidance to help an organization develop relevant risk scenarios is to ensure the scenarios are:

Options:

A.

Aligned with risk management capabilities.

B.

Based on industry trends.

C.

Related to probable events.

D.

Mapped to incident response plans.

Buy Now
Questions 198

A risk practitioner identifies an increasing trend of employees copying company information unrelated to their job functions to USB drives. Which of the following elements of the risk register should be updated to reflect this observation?

Options:

A.

Risk impact

B.

Key risk indicator (KRI)

C.

Risk appetite

D.

Risk likelihood

Buy Now
Questions 199

When evaluating a number of potential controls for treating risk, it is MOST important to consider:

Options:

A.

risk appetite and control efficiency.

B.

inherent risk and control effectiveness.

C.

residual risk and cost of control.

D.

risk tolerance and control complexity.

Buy Now
Questions 200

An organization is adopting block chain for a new financial system. Which of the following should be the GREATEST concern for a risk practitioner evaluating the system's production readiness?

Options:

A.

Limited organizational knowledge of the underlying technology

B.

Lack of commercial software support

C.

Varying costs related to implementation and maintenance

D.

Slow adoption of the technology across the financial industry

Buy Now
Questions 201

When developing a response plan to address security incidents regarding sensitive data loss, it is MOST important

Options:

A.

revalidate current key risk indicators (KRIs).

B.

revise risk management procedures.

C.

review the data classification policy.

D.

revalidate existing risk scenarios.

Buy Now
Questions 202

Which of the following should be accountable for ensuring that media containing financial information are adequately destroyed per an organization's data disposal policy?

Options:

A.

Compliance manager

B.

Data architect

C.

Data owner

D.

Chief information officer (CIO)

Buy Now
Questions 203

Which of the following BEST enables detection of ethical violations committed by employees?

Options:

A.

Transaction log monitoring

B.

Access control attestation

C.

Periodic job rotation

D.

Whistleblower program

Buy Now
Questions 204

Which of the following is the PRIMARY reason to update a risk register with risk assessment results?

Options:

A.

To communicate the level and priority of assessed risk to management

B.

To provide a comprehensive inventory of risk across the organization

C.

To assign a risk owner to manage the risk

D.

To enable the creation of action plans to address nsk

Buy Now
Questions 205

As part of an overall IT risk management plan, an IT risk register BEST helps management:

Options:

A.

align IT processes with business objectives.

B.

communicate the enterprise risk management policy.

C.

stay current with existing control status.

D.

understand the organizational risk profile.

Buy Now
Questions 206

The BEST key performance indicator (KPI) to measure the effectiveness of a backup process would be the number of:

Options:

A.

resources to monitor backups

B.

restoration monitoring reports

C.

backup recovery requests

D.

recurring restore failures

Buy Now
Questions 207

An organization is participating in an industry benchmarking study that involves providing customer transaction records for analysis Which of the following is the MOST important control to ensure the privacy of customer information?

Options:

A.

Nondisclosure agreements (NDAs)

B.

Data anonymization

C.

Data cleansing

D.

Data encryption

Buy Now
Questions 208

When outsourcing a business process to a cloud service provider, it is MOST important to understand that:

Options:

A.

insurance could be acquired for the risk associated with the outsourced process.

B.

service accountability remains with the cloud service provider.

C.

a risk owner must be designated within the cloud service provider.

D.

accountability for the risk will remain with the organization.

Buy Now
Questions 209

Which of the following is the MOST important characteristic of a key risk indicator (KRI) to enable decision-making?

Options:

A.

Monitoring the risk until the exposure is reduced

B.

Setting minimum sample sizes to ensure accuracy

C.

Listing alternative causes for risk events

D.

Illustrating changes in risk trends

Buy Now
Questions 210

Which of the following is the PRIMARY risk management responsibility of the second line of defense?

Options:

A.

Monitoring risk responses

B.

Applying risk treatments

C.

Implementing internal controls

D.

Providing assurance of control effectiveness

Buy Now
Questions 211

Which of the following is the GREATEST impact of implementing a risk mitigation strategy?

Options:

A.

Improved alignment with business goals.

B.

Reduction of residual risk.

C.

Increased costs due to control implementation.

D.

Decreased overall risk appetite.

Buy Now
Questions 212

An organization's stakeholders are unable to agree on appropriate risk responses. Which of the following would be the BEST course of action?

Options:

A.

Escalate to senior management.

B.

Identify a risk transfer option.

C.

Reassess risk scenarios.

D.

Benchmark with similar industries.

Buy Now
Questions 213

Which of the following is a PRIMARY objective of privacy impact assessments (PIAs)?

Options:

A.

To identify threats introduced by business processes

B.

To identify risk when personal information is collected

C.

To ensure senior management has approved the use of personal information

D.

To ensure compliance with data privacy laws and regulations

Buy Now
Questions 214

Which of the following is MOST important for the organization to consider before implementing a new in-house developed artificial intelligence (Al) solution?

Options:

A.

Industry trends in Al

B.

Expected algorithm outputs

C.

Data feeds

D.

Alert functionality

Buy Now
Questions 215

An organization has implemented a policy requiring staff members to take a minimum of five consecutive days' leave per year to mitigate the risk of malicious insider activities. Which of the following is the BEST key performance indicator (KPI) of the effectiveness of this policy?

Options:

A.

Percentage of staff turnover following five consecutive days of leave

B.

Average number of consecutive days of leave per staff member

C.

Number of suspected malicious activities reported since policy implementation

D.

Financial loss incurred due to malicious activities since policy implementation

Buy Now
Questions 216

Continuous monitoring of key risk indicators (KRIs) will:

Options:

A.

ensure that risk will not exceed the defined risk appetite of the organization.

B.

provide an early warning so that proactive action can be taken.

C.

provide a snapshot of the risk profile.

D.

ensure that risk tolerance and risk appetite are aligned.

Buy Now
Questions 217

Which of the following should be considered FIRST when creating a comprehensive IT risk register?

Options:

A.

Risk management budget

B.

Risk mitigation policies

C.

Risk appetite

D.

Risk analysis techniques

Buy Now
Questions 218

Within the three lines of defense model, the responsibility for managing risk and controls resides with:

Options:

A.

operational management.

B.

the risk practitioner.

C.

the internal auditor.

D.

executive management.

Buy Now
Questions 219

Which of the following is MOST important to review when an organization needs to transition the majority of its employees to remote work during a crisis?

Options:

A.

Customer notification plans

B.

Capacity management

C.

Access management

D.

Impacts on IT project delivery

Buy Now
Questions 220

Which of the following should be of MOST concern to a risk practitioner reviewing the system development life cycle (SDLC)?

Options:

A.

Testing is completed in phases, with user testing scheduled as the final phase.

B.

Segregation of duties controls are overridden during user testing phases.

C.

Data anonymization is used during all cycles of end-user testing.

D.

Testing is completed by IT support users without input from end users.

Buy Now
Questions 221

Which of the following is the MOST important document regarding the treatment of sensitive data?

Options:

A.

Encryption policy

B.

Organization risk profile

C.

Digital rights management policy

D.

Information classification policy

Buy Now
Questions 222

Which of the following should be done FIRST when a new risk scenario has been identified

Options:

A.

Estimate the residual risk.

B.

Establish key risk indicators (KRIs).

C.

Design control improvements.

D.

Identify the risk owner.

Buy Now
Questions 223

An internally developed payroll application leverages Platform as a Service (PaaS) infrastructure from the cloud. Who owns the related data confidentiality risk?

Options:

A.

IT infrastructure head

B.

Human resources head

C.

Supplier management head

D.

Application development head

Buy Now
Questions 224

An upward trend in which of the following metrics should be of MOST concern?

Options:

A.

Number of business change management requests

B.

Number of revisions to security policy

C.

Number of security policy exceptions approved

D.

Number of changes to firewall rules

Buy Now
Questions 225

IT stakeholders have asked a risk practitioner for IT risk profile reports associated with specific departments to allocate resources for risk mitigation. The BEST way to address this request would be to use:

Options:

A.

the cost associated with each control.

B.

historical risk assessments.

C.

key risk indicators (KRls).

D.

information from the risk register.

Buy Now
Questions 226

Which of the following would BEST enable mitigation of newly identified risk factors related to internet of Things (loT)?

Options:

A.

Introducing control procedures early in the life cycle

B.

Implementing loT device software monitoring

C.

Performing periodic risk assessments of loT

D.

Performing secure code reviews

Buy Now
Questions 227

Which of the following should a risk practitioner do FIRST when an organization decides to use a cloud service?

Options:

A.

Review the vendor selection process and vetting criteria.

B.

Assess whether use of service falls within risk tolerance thresholds.

C.

Establish service level agreements (SLAs) with the vendor.

D.

Check the contract for appropriate security risk and control provisions.

Buy Now
Questions 228

An organization has granted a vendor access to its data in order to analyze customer behavior. Which of the following would be the MOST effective control to mitigate the risk of customer data leakage?

Options:

A.

Enforce criminal background checks.

B.

Mask customer data fields.

C.

Require vendor to sign a confidentiality agreement.

D.

Restrict access to customer data on a "need to know'' basis.

Buy Now
Questions 229

The BEST way to test the operational effectiveness of a data backup procedure is to:

Options:

A.

conduct an audit of files stored offsite.

B.

interview employees to compare actual with expected procedures.

C.

inspect a selection of audit trails and backup logs.

D.

demonstrate a successful recovery from backup files.

Buy Now
Questions 230

Which of the following is MOST important when discussing risk within an organization?

Options:

A.

Adopting a common risk taxonomy

B.

Using key performance indicators (KPIs)

C.

Creating a risk communication policy

D.

Using key risk indicators (KRIs)

Buy Now
Questions 231

Which type of cloud computing deployment provides the consumer the GREATEST degree of control over the environment?

Options:

A.

Community cloud

B.

Private cloud

C.

Hybrid cloud

D.

Public cloud

Buy Now
Questions 232

Which of the following presents the GREATEST challenge for an IT risk practitioner who wants to report on trends in historical IT risk levels?

Options:

A.

Qualitative measures for potential loss events

B.

Changes in owners for identified IT risk scenarios

C.

Changes in methods used to calculate probability

D.

Frequent use of risk acceptance as a treatment option

Buy Now
Questions 233

Which of the following is MOST important for a risk practitioner to consider when determining the control requirements for data privacy arising from emerging technologies?

Options:

A.

internal audit recommendations

B.

Laws and regulations

C.

Policies and procedures

D.

Standards and frameworks

Buy Now
Questions 234

An organization's internal audit department is considering the implementation of robotics process automation (RPA) to automate certain continuous auditing tasks. Who would own the risk associated with ineffective design of the software bots?

Options:

A.

Lead auditor

B.

Project manager

C.

Chief audit executive (CAE)

D.

Chief information officer (CIO)

Buy Now
Questions 235

A key risk indicator (KRI) threshold has reached the alert level, indicating data leakage incidents are highly probable. What should be the risk practitioner's FIRST course of action?

Options:

A.

Update the KRI threshold.

B.

Recommend additional controls.

C.

Review incident handling procedures.

D.

Perform a root cause analysis.

Buy Now
Questions 236

The effectiveness of a control has decreased. What is the MOST likely effect on the associated risk?

Options:

A.

The risk impact changes.

B.

The risk classification changes.

C.

The inherent risk changes.

D.

The residual risk changes.

Buy Now
Questions 237

An organization's risk practitioner learns a new third-party system on the corporate network has introduced vulnerabilities that could compromise corporate IT systems. What should the risk practitioner do

FIRST?

Options:

A.

Confirm the vulnerabilities with the third party

B.

Identify procedures to mitigate the vulnerabilities.

C.

Notify information security management.

D.

Request IT to remove the system from the network.

Buy Now
Questions 238

When presenting risk, the BEST method to ensure that the risk is measurable against the organization's risk appetite is through the use of a:

Options:

A.

risk map

B.

cause-and-effect diagram

C.

maturity model

D.

technology strategy plan.

Buy Now
Questions 239

Which of the following would provide executive management with the BEST information to make risk decisions as a result of a risk assessment?

Options:

A.

A companion of risk assessment results to the desired state

B.

A quantitative presentation of risk assessment results

C.

An assessment of organizational maturity levels and readiness

D.

A qualitative presentation of risk assessment results

Buy Now
Questions 240

Which of the following is MOST effective in continuous risk management process improvement?

Options:

A.

Periodic assessments

B.

Change management

C.

Awareness training

D.

Policy updates

Buy Now
Questions 241

The PRIMARY objective of the board of directors periodically reviewing the risk profile is to help ensure:

Options:

A.

the risk strategy is appropriate

B.

KRIs and KPIs are aligned

C.

performance of controls is adequate

D.

the risk monitoring process has been established

Buy Now
Questions 242

Which of the following is the GREATEST concern associated with the transmission of healthcare data across the internet?

Options:

A.

Unencrypted data

B.

Lack of redundant circuits

C.

Low bandwidth connections

D.

Data integrity

Buy Now
Questions 243

Prior to selecting key performance indicators (KPIs), itis MOST important to ensure:

Options:

A.

trending data is available.

B.

process flowcharts are current.

C.

measurement objectives are defined.

D.

data collection technology is available.

Buy Now
Questions 244

Which of the following is a risk practitioner's BEST course of action upon learning that a control under internal review may no longer be necessary?

Options:

A.

Obtain approval to retire the control.

B.

Update the status of the control as obsolete.

C.

Consult the internal auditor for a second opinion.

D.

Verify the effectiveness of the original mitigation plan.

Buy Now
Questions 245

Which of the following resources is MOST helpful when creating a manageable set of IT risk scenarios?

Options:

A.

Results of current and past risk assessments

B.

Organizational strategy and objectives

C.

Lessons learned from materialized risk scenarios

D.

Internal and external audit findings

Buy Now
Questions 246

An organization's HR department has implemented a policy requiring staff members to take a minimum of five consecutive days leave per year to mitigate the risk of malicious insideractivities. Which of the following is the BEST key performance indicator (KPI) of the effectiveness of this policy?

Options:

A.

Number of malicious activities occurring during staff members leave

B.

Percentage of staff members seeking exception to the policy

C.

Percentage of staff members taking leave according to the policy

D.

Financial loss incurred due to malicious activities during staff members' leave

Buy Now
Questions 247

Which of the following would provide the MOST comprehensive information for updating an organization's risk register?

Options:

A.

Results of the latest risk assessment

B.

Results of a risk forecasting analysis

C.

A review of compliance regulations

D.

Findings of the most recent audit

Buy Now
Questions 248

Who should be responsible for strategic decisions on risk management?

Options:

A.

Chief information officer (CIO)

B.

Executive management team

C.

Audit committee

D.

Business process owner

Buy Now
Questions 249

After mapping generic risk scenarios to organizational security policies, the NEXT course of action should be to:

Options:

A.

record risk scenarios in the risk register for analysis.

B.

validate the risk scenarios for business applicability.

C.

reduce the number of risk scenarios to a manageable set.

D.

perform a risk analysis on the risk scenarios.

Buy Now
Questions 250

Which of the following is the BEST way for a risk practitioner to verify that management has addressed control issues identified during a previous external audit?

Options:

A.

Interview control owners.

B.

Observe the control enhancements in operation.

C.

Inspect external audit documentation.

D.

Review management's detailed action plans.

Buy Now
Questions 251

Which of the following would be the BEST justification to invest in the development of a governance, risk, and compliance (GRC) solution?

Options:

A.

Facilitating risk-aware decision making by stakeholders

B.

Demonstrating management commitment to mitigate risk

C.

Closing audit findings on a timely basis

D.

Ensuring compliance to industry standards

Buy Now
Questions 252

Which of the following is a KEY outcome of risk ownership?

Options:

A.

Risk responsibilities are addressed.

B.

Risk-related information is communicated.

C.

Risk-oriented tasks are defined.

D.

Business process risk is analyzed.

Buy Now
Questions 253

The risk associated with inadvertent disclosure of database records from a public cloud service provider (CSP) would MOST effectively be reduced by:

Options:

A.

encrypting the data

B.

including a nondisclosure clause in the CSP contract

C.

assessing the data classification scheme

D.

reviewing CSP access privileges

Buy Now
Questions 254

Which of the following would provide the MOST objective assessment of the effectiveness of an organization's security controls?

Options:

A.

An internal audit

B.

Security operations center review

C.

Internal penetration testing

D.

A third-party audit

Buy Now
Questions 255

The PRIMARY reason for periodic penetration testing of Internet-facing applications is to:

Options:

A.

ensure policy and regulatory compliance.

B.

assess the proliferation of new threats.

C.

verify Internet firewall control settings.

D.

identify vulnerabilities in the system.

Buy Now
Questions 256

Who is accountable for risk treatment?

Options:

A.

Enterprise risk management team

B.

Risk mitigation manager

C.

Business process owner

D.

Risk owner

Buy Now
Questions 257

The MOST significant benefit of using a consistent risk ranking methodology across an organization is that it enables:

Options:

A.

allocation of available resources

B.

clear understanding of risk levels

C.

assignment of risk to the appropriate owners

D.

risk to be expressed in quantifiable terms

Buy Now
Questions 258

An audit reveals that there are changes in the environment that are not reflected in the risk profile. Which of the following is the BEST course of action?

Options:

A.

Review the risk identification process.

B.

Inform the risk scenario owners.

C.

Create a risk awareness communication plan.

D.

Update the risk register.

Buy Now
Questions 259

Deviation from a mitigation action plan's completion date should be determined by which of the following?

Options:

A.

Change management as determined by a change control board

B.

Benchmarking analysis with similar completed projects

C.

Project governance criteria as determined by the project office

D.

The risk owner as determined by risk management processes

Buy Now
Questions 260

Which of the following MOST effectively limits the impact of a ransomware attack?

Options:

A.

Cyber insurance

B.

Cryptocurrency reserve

C.

Data backups

D.

End user training

Buy Now
Questions 261

Which of the following is a crucial component of a key risk indicator (KRI) to ensure appropriate action is taken to mitigate risk?

Options:

A.

Management intervention

B.

Risk appetite

C.

Board commentary

D.

Escalation triggers

Buy Now
Questions 262

An organization plans to migrate sensitive information to a public cloud infrastructure. Which of the following is the GREATEST security risk in this scenario?

Options:

A.

Data may be commingled with other tenants' data.

B.

System downtime does not meet the organization's thresholds.

C.

The infrastructure will be managed by the public cloud administrator.

D.

The cloud provider is not independently certified.

Buy Now
Questions 263

To minimize risk in a software development project, when is the BEST time to conduct a risk analysis?

Options:

A.

During the business requirement definitions phase

B.

Before periodic steering committee meetings

C.

At each stage of the development life cycle

D.

During the business case development

Buy Now
Questions 264

Which of the following could BEST detect an in-house developer inserting malicious functions into a web-based application?

Options:

A.

Segregation of duties

B.

Code review

C.

Change management

D.

Audit modules

Buy Now
Questions 265

Which of the following is the MOST important input when developing risk scenarios?

Options:

A.

Key performance indicators

B.

Business objectives

C.

The organization's risk framework

D.

Risk appetite

Buy Now
Questions 266

A payroll manager discovers that fields in certain payroll reports have been modified without authorization. Which of the following control weaknesses could have contributed MOST to this problem?

Options:

A.

The user requirements were not documented.

B.

Payroll files were not under the control of a librarian.

C.

The programmer had access to the production programs.

D.

The programmer did not involve the user in testing.

Buy Now
Questions 267

Which of the following is MOST important to sustainable development of secure IT services?

Options:

A.

Security training for systems development staff

B.

\Well-documented business cases

C.

Security architecture principles

D.

Secure coding practices

Buy Now
Questions 268

During a risk assessment, the risk practitioner finds a new risk scenario without controls has been entered into the risk register. Which of the following is the MOST appropriate action?

Options:

A.

Include the new risk scenario in the current risk assessment.

B.

Postpone the risk assessment until controls are identified.

C.

Request the risk scenario be removed from the register.

D.

Exclude the new risk scenario from the current risk assessment

Buy Now
Questions 269

Which of the following would be MOST helpful to a risk owner when making risk-aware decisions?

Options:

A.

Risk exposure expressed in business terms

B.

Recommendations for risk response options

C.

Resource requirements for risk responses

D.

List of business areas affected by the risk

Buy Now
Questions 270

Which of the following should be the PRIMARY focus of an independent review of a risk management process?

Options:

A.

Accuracy of risk tolerance levels

B.

Consistency of risk process results

C.

Participation of stakeholders

D.

Maturity of the process

Buy Now
Questions 271

Which of the following is MOST influential when management makes risk response decisions?

Options:

A.

Risk appetite

B.

Audit risk

C.

Residual risk

D.

Detection risk

Buy Now
Questions 272

Which of the following is the MOST important objective of regularly presenting the project risk register to the project steering committee?

Options:

A.

To allocate budget for resolution of risk issues

B.

To determine if new risk scenarios have been identified

C.

To ensure the project timeline is on target

D.

To track the status of risk mitigation actions

Buy Now
Questions 273

The PRIMARY purpose of using control metrics is to evaluate the:

Options:

A.

amount of risk reduced by compensating controls.

B.

amount of risk present in the organization.

C.

variance against objectives.

D.

number of incidents.

Buy Now
Questions 274

What should a risk practitioner do FIRST upon learning a risk treatment owner has implemented a different control than what was specified in the IT risk action plan?

Options:

A.

Seek approval from the control owner.

B.

Update the action plan in the risk register.

C.

Reassess the risk level associated with the new control.

D.

Validate that the control has an established testing method.

Buy Now
Questions 275

A company has located its computer center on a moderate earthquake fault. Which of the following is the MOST important consideration when establishing a contingency plan and an alternate processing site?

Options:

A.

The alternative site is a hot site with equipment ready to resume processing immediately.

B.

The contingency plan provides for backup media to be taken to the alternative site.

C.

The contingency plan for high priority applications does not involve a shared cold site.

D.

The alternative site does not reside on the same fault to matter how the distance apart.

Buy Now
Questions 276

When establishing leading indicators for the information security incident response process it is MOST important to consider the percentage of reported incidents:

Options:

A.

that results in a full root cause analysis.

B.

used for verification within the SLA.

C.

that are verified as actual incidents.

D.

resolved within the SLA.

Buy Now
Questions 277

A risk practitioner learns that the organization s industry is experiencing a trend of rising security incidents. Which of the following is the BEST course of action?

Options:

A.

Evaluate the relevance of the evolving threats.

B.

Review past internal audit results.

C.

Respond to organizational security threats.

D.

Research industry published studies.

Buy Now
Questions 278

Which of the following is the MOST effective way to help ensure an organization's current risk scenarios are relevant?

Options:

A.

Adoption of industry best practices

B.

Involvement of stakeholders in risk assessment

C.

Review of risk scenarios by independent parties

D.

Documentation of potential risk in business cases

Buy Now
Questions 279

An organization is planning to acquire a new financial system. Which of the following stakeholders would provide the MOST relevant information for analyzing the risk associated with the new IT solution?

Options:

A.

Project sponsor

B.

Process owner

C.

Risk manager

D.

Internal auditor

Buy Now
Questions 280

A risk practitioner notices a trend of noncompliance with an IT-related control. Which of the following would BEST assist in making a recommendation to management?

Options:

A.

Assessing the degree to which the control hinders business objectives

B.

Reviewing the IT policy with the risk owner

C.

Reviewing the roles and responsibilities of control process owners

D.

Assessing noncompliance with control best practices

Buy Now
Questions 281

Which of the following is MOST helpful to review when identifying risk scenarios associated with the adoption of Internet of Things (loT) technology in an organization?

Options:

A.

The business case for the use of loT

B.

The loT threat landscape

C.

Policy development for loT

D.

The network that loT devices can access

Buy Now
Questions 282

An organization has initiated a project to implement an IT risk management program for the first time. The BEST time for the risk practitioner to start populating the risk register is when:

Options:

A.

identifying risk scenarios.

B.

determining the risk strategy.

C.

calculating impact and likelihood.

D.

completing the controls catalog.

Buy Now
Questions 283

The PRIMARY purpose of a maturity model is to compare the:

Options:

A.

current state of key processes to their desired state.

B.

actual KPIs with target KPIs.

C.

organization to industry best practices.

D.

organization to peers.

Buy Now
Questions 284

A risk practitioner observes that the fraud detection controls in an online payment system do not perform as expected. Which of the following will MOST likely change as a result?

Options:

A.

Impact

B.

Residual risk

C.

Inherent risk

D.

Risk appetite

Buy Now
Questions 285

Once a risk owner has decided to implement a control to mitigate risk, it is MOST important to develop:

Options:

A.

a process for measuring and reporting control performance.

B.

an alternate control design in case of failure of the identified control.

C.

a process for bypassing control procedures in case of exceptions.

D.

procedures to ensure the effectiveness of the control.

Buy Now
Questions 286

Which of the following statements BEST describes risk appetite?

Options:

A.

The amount of risk an organization is willing to accept

B.

The effective management of risk and internal control environments

C.

Acceptable variation between risk thresholds and business objectives

D.

The acceptable variation relative to the achievement of objectives

Buy Now
Questions 287

When updating a risk register with the results of an IT risk assessment, the risk practitioner should log:

Options:

A.

high impact scenarios.

B.

high likelihood scenarios.

C.

treated risk scenarios.

D.

known risk scenarios.

Buy Now
Questions 288

Which of the following will be MOST effective to mitigate the risk associated with the loss of company data stored on personal devices?

Options:

A.

An acceptable use policy for personal devices

B.

Required user log-on before synchronizing data

C.

Enforced authentication and data encryption

D.

Security awareness training and testing

Buy Now
Questions 289

Which of the following BEST confirms the existence and operating effectiveness of information systems controls?

Options:

A.

Self-assessment questionnaires completed by management

B.

Review of internal audit and third-party reports

C.

Management review and sign-off on system documentation

D.

First-hand direct observation of the controls in operation

Buy Now
Questions 290

Which of the following BEST measures the efficiency of an incident response process?

Options:

A.

Number of incidents escalated to management

B.

Average time between changes and updating of escalation matrix

C.

Average gap between actual and agreed response times

D.

Number of incidents lacking responses

Buy Now
Questions 291

Which of the following is MOST important to include in a Software as a Service (SaaS) vendor agreement?

Options:

A.

An annual contract review

B.

A service level agreement (SLA)

C.

A requirement to adopt an established risk management framework

D.

A requirement to provide an independent audit report

Buy Now
Questions 292

An organization is increasingly concerned about loss of sensitive data and asks the risk practitioner to assess the current risk level. Which of the following should the risk practitioner do FIRST?

Options:

A.

Identify staff members who have access to the organization's sensitive data.

B.

Identify locations where the organization's sensitive data is stored.

C.

Identify risk scenarios and owners associated with possible data loss vectors.

D.

Identify existing data loss controls and their levels of effectiveness.

Buy Now
Questions 293

When testing the security of an IT system, il is MOST important to ensure that;

Options:

A.

tests are conducted after business hours.

B.

operators are unaware of the test.

C.

external experts execute the test.

D.

agreement is obtained from stakeholders.

Buy Now
Questions 294

An organization has just implemented changes to close an identified vulnerability that impacted a critical business process. What should be the NEXT course of action?

Options:

A.

Redesign the heat map.

B.

Review the risk tolerance.

C.

Perform a business impact analysis (BIA)

D.

Update the risk register.

Buy Now
Questions 295

The annualized loss expectancy (ALE) method of risk analysis:

Options:

A.

helps in calculating the expected cost of controls

B.

uses qualitative risk rankings such as low. medium and high.

C.

can be used m a cost-benefit analysts

D.

can be used to determine the indirect business impact.

Buy Now
Questions 296

Which of the following requirements is MOST important to include in an outsourcing contract to help ensure sensitive data stored with a service provider is secure?

Options:

A.

A third-party assessment report of control environment effectiveness must be provided at least annually.

B.

Incidents related to data toss must be reported to the organization immediately after they occur.

C.

Risk assessment results must be provided to the organization at least annually.

D.

A cyber insurance policy must be purchased to cover data loss events.

Buy Now
Questions 297

It is MOST important to the effectiveness of an IT risk management function that the associated processes are:

Options:

A.

aligned to an industry-accepted framework.

B.

reviewed and approved by senior management.

C.

periodically assessed against regulatory requirements.

D.

updated and monitored on a continuous basis.

Buy Now
Questions 298

A large organization needs to report risk at all levels for a new centralized visualization project to reduce cost and improve performance. Which of the following would MOST effectively represent the overall risk of the project to senior management?

Options:

A.

Aggregated key performance indicators (KPls)

B.

Key risk indicators (KRIs)

C.

Centralized risk register

D.

Risk heat map

Buy Now
Questions 299

Which of the following is the MOST important consideration when determining whether to accept residual risk after security controls have been implemented on a critical system?

Options:

A.

Cost versus benefit of additional mitigating controls

B.

Annualized loss expectancy (ALE) for the system

C.

Frequency of business impact

D.

Cost of the Information control system

Buy Now
Questions 300

Which of the following is the BEST way to detect zero-day malware on an end user's workstation?

Options:

A.

An antivirus program

B.

Database activity monitoring

C.

Firewall log monitoring

D.

File integrity monitoring

Buy Now
Questions 301

Which of the following should be of GREATEST concern to a risk practitioner when determining the effectiveness of IT controls?

Options:

A.

Configuration updates do not follow formal change control.

B.

Operational staff perform control self-assessments.

C.

Controls are selected without a formal cost-benefit

D.

analysis-Management reviews security policies once every two years.

Buy Now
Questions 302

Which of the following is the BEST way to identify changes in the risk profile of an organization?

Options:

A.

Monitor key risk indicators (KRIs).

B.

Monitor key performance indicators (KPIs).

C.

Interview the risk owner.

D.

Conduct a gap analysis

Buy Now
Questions 303

Which of the following is the PRIMARY consideration when establishing an organization's risk management methodology?

Options:

A.

Business context

B.

Risk tolerance level

C.

Resource requirements

D.

Benchmarking information

Buy Now
Questions 304

A control for mitigating risk in a key business area cannot be implemented immediately. Which of the following is the risk practitioner's BEST course of action when a compensating control needs to be applied?

Options:

A.

Obtain the risk owner's approval.

B.

Record the risk as accepted in the risk register.

C.

Inform senior management.

D.

update the risk response plan.

Buy Now
Questions 305

When an organization is having new software implemented under contract, which of the following is key to controlling escalating costs?

Options:

A.

Risk management

B.

Change management

C.

Problem management

D.

Quality management

Buy Now
Questions 306

Which of the following practices BEST mitigates risk related to enterprise-wide ethical decision making in a multi-national organization?

Options:

A.

Customized regional training on local laws and regulations

B.

Policies requiring central reporting of potential procedure exceptions

C.

Ongoing awareness training to support a common risk culture

D.

Zero-tolerance policies for risk taking by middle-level managers

Buy Now
Questions 307

Which of The following should be of GREATEST concern for an organization considering the adoption of a bring your own device (BYOD) initiative?

Options:

A.

Device corruption

B.

Data loss

C.

Malicious users

D.

User support

Buy Now
Questions 308

Which of the following is the MOST important objective of establishing an enterprise risk management (ERM) function within an organization?

Options:

A.

To have a unified approach to risk management across the organization

B.

To have a standard risk management process for complying with regulations

C.

To optimize risk management resources across the organization

D.

To ensure risk profiles are presented in a consistent format within the organization

Buy Now
Questions 309

Which of the following is the MOST important factor when deciding on a control to mitigate risk exposure?

Options:

A.

Relevance to the business process

B.

Regulatory compliance requirements

C.

Cost-benefit analysis

D.

Comparison against best practice

Buy Now
Questions 310

To communicate the risk associated with IT in business terms, which of the following MUST be defined?

Options:

A.

Compliance objectives

B.

Risk appetite of the organization

C.

Organizational objectives

D.

Inherent and residual risk

Buy Now
Questions 311

An organization's risk register contains a large volume of risk scenarios that senior management considers overwhelming. Which of the following would BEST help to improve the risk register?

Options:

A.

Analyzing the residual risk components

B.

Performing risk prioritization

C.

Validating the risk appetite level

D.

Conducting a risk assessment

Buy Now
Questions 312

Which of the following is the BEST way to manage the risk associated with malicious activities performed by database administrators (DBAs)?

Options:

A.

Activity logging and monitoring

B.

Periodic access review

C.

Two-factor authentication

D.

Awareness training and background checks

Buy Now
Questions 313

Who is BEST suited to determine whether a new control properly mitigates data loss risk within a system?

Options:

A.

Data owner

B.

Control owner

C.

Risk owner

D.

System owner

Buy Now
Questions 314

Which of the following provides the MOST up-to-date information about the effectiveness of an organization's overall IT control environment?

Options:

A.

Key performance indicators (KPIs)

B.

Risk heat maps

C.

Internal audit findings

D.

Periodic penetration testing

Buy Now
Questions 315

Which of the following is the MOST important consideration when sharing risk management updates with executive management?

Options:

A.

Including trend analysis of risk metrics

B.

Using an aggregated view of organizational risk

C.

Relying on key risk indicator (KRI) data

D.

Ensuring relevance to organizational goals

Buy Now
Questions 316

Which of the following provides the MOST useful information when determining if a specific control should be implemented?

Options:

A.

Business impact analysis (BIA)

B.

Cost-benefit analysis

C.

Attribute analysis

D.

Root cause analysis

Buy Now
Questions 317

Which of the following will help ensure the elective decision-making of an IT risk management committee?

Options:

A.

Key stakeholders are enrolled as members

B.

Approved minutes ate forwarded to senior management

C.

Committee meets at least quarterly

D.

Functional overlap across the business is minimized

Buy Now
Questions 318

Which of the following would present the MOST significant risk to an organization when updating the incident response plan?

Options:

A.

Obsolete response documentation

B.

Increased stakeholder turnover

C.

Failure to audit third-party providers

D.

Undefined assignment of responsibility

Buy Now
Questions 319

Which of the following approaches to bring your own device (BYOD) service delivery provides the BEST protection from data loss?

Options:

A.

Enable data wipe capabilities

B.

Penetration testing and session timeouts

C.

Implement remote monitoring

D.

Enforce strong passwords and data encryption

Buy Now
Questions 320

An organization learns of a new ransomware attack affecting organizations worldwide. Which of the following should be done FIRST to reduce the likelihood of infection from the attack?

Options:

A.

Identify systems that are vulnerable to being exploited by the attack.

B.

Confirm with the antivirus solution vendor whether the next update will detect the attack.

C.

Verify the data backup process and confirm which backups are the most recent ones available.

D.

Obtain approval for funding to purchase a cyber insurance plan.

Buy Now
Questions 321

An organization has implemented a preventive control to lock user accounts after three unsuccessful login attempts. This practice has been proven to be unproductive, and a change in the control threshold value has been recommended. Who should authorize changing this threshold?

Options:

A.

Risk owner

B.

IT security manager

C.

IT system owner

D.

Control owner

Buy Now
Questions 322

Which of the following poses the GREATEST risk to an organization's operations during a major it transformation?

Options:

A.

Lack of robust awareness programs

B.

infrequent risk assessments of key controls

C.

Rapid changes in IT procedures

D.

Unavailability of critical IT systems

Buy Now
Questions 323

When reviewing a report on the performance of control processes, it is MOST important to verify whether the:

Options:

A.

business process objectives have been met.

B.

control adheres to regulatory standards.

C.

residual risk objectives have been achieved.

D.

control process is designed effectively.

Buy Now
Questions 324

Which of the following should be done FIRST when developing a data protection management plan?

Options:

A.

Perform a cost-benefit analysis.

B.

Identify critical data.

C.

Establish a data inventory.

D.

Conduct a risk analysis.

Buy Now
Questions 325

The BEST way to obtain senior management support for investment in a control implementation would be to articulate the reduction in:

Options:

A.

detected incidents.

B.

residual risk.

C.

vulnerabilities.

D.

inherent risk.

Buy Now
Questions 326

Who should be PRIMARILY responsible for establishing an organization's IT risk culture?

Options:

A.

Business process owner

B.

Executive management

C.

Risk management

D.

IT management

Buy Now
Questions 327

Who should have the authority to approve an exception to a control?

Options:

A.

information security manager

B.

Control owner

C.

Risk owner

D.

Risk manager

Buy Now
Questions 328

Which of the following scenarios presents the GREATEST risk for a global organization when implementing a data classification policy?

Options:

A.

Data encryption has not been applied to all sensitive data across the organization.

B.

There are many data assets across the organization that need to be classified.

C.

Changes to information handling procedures are not documented.

D.

Changes to data sensitivity during the data life cycle have not been considered.

Buy Now
Questions 329

Which of the following is the MOST effective way to incorporate stakeholder concerns when developing risk scenarios?

Options:

A.

Evaluating risk impact

B.

Establishing key performance indicators (KPIs)

C.

Conducting internal audits

D.

Creating quarterly risk reports

Buy Now
Questions 330

Which of the following would be considered a vulnerability?

Options:

A.

Delayed removal of employee access

B.

Authorized administrative access to HR files

C.

Corruption of files due to malware

D.

Server downtime due to a denial of service (DoS) attack

Buy Now
Questions 331

The PRIMARY objective of a risk identification process is to:

Options:

A.

evaluate how risk conditions are managed.

B.

determine threats and vulnerabilities.

C.

estimate anticipated financial impact of risk conditions.

D.

establish risk response options.

Buy Now
Questions 332

Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?

Options:

A.

Customer database manager

B.

Customer data custodian

C.

Data privacy officer

D.

Audit committee

Buy Now
Questions 333

Which of the following BEST indicates how well a web infrastructure protects critical information from an attacker?

Options:

A.

Failed login attempts

B.

Simulating a denial of service attack

C.

Absence of IT audit findings

D.

Penetration test

Buy Now
Questions 334

Which of the following is the MOST important objective of an enterprise risk management (ERM) program?

Options:

A.

To create a complete repository of risk to the organization

B.

To create a comprehensive view of critical risk to the organization

C.

To provide a bottom-up view of the most significant risk scenarios

D.

To optimize costs of managing risk scenarios in the organization

Buy Now
Questions 335

Which of the following approaches BEST identifies information systems control deficiencies?

Options:

A.

Countermeasures analysis

B.

Best practice assessment

C.

Gap analysis

D.

Risk assessment

Buy Now
Questions 336

Which of the following describes the relationship between Key risk indicators (KRIs) and key control indicators (KCIS)?

Options:

A.

KCIs are independent from KRIs KRIs.

B.

KCIs and KRIs help in determining risk appetite.

C.

KCIs are defined using data from KRIs.

D.

KCIs provide input for KRIs

Buy Now
Questions 337

An organization has initiated a project to launch an IT-based service to customers and take advantage of being the first to market. Which of the following should be of GREATEST concern to senior management?

Options:

A.

More time has been allotted for testing.

B.

The project is likely to deliver the product late.

C.

A new project manager is handling the project.

D.

The cost of the project will exceed the allotted budget.

Buy Now
Questions 338

What is the PRIMARY benefit of risk monitoring?

Options:

A.

It reduces the number of audit findings.

B.

It provides statistical evidence of control efficiency.

C.

It facilitates risk-aware decision making.

D.

It facilitates communication of threat levels.

Buy Now
Questions 339

An organization has been notified that a disgruntled, terminated IT administrator has tried to break into the corporate network. Which of the following discoveries should be of GREATEST concern to the organization?

Options:

A.

Authentication logs have been disabled.

B.

An external vulnerability scan has been detected.

C.

A brute force attack has been detected.

D.

An increase in support requests has been observed.

Buy Now
Questions 340

Analyzing trends in key control indicators (KCIs) BEST enables a risk practitioner to proactively identify impacts on an organization's:

Options:

A.

risk classification methods

B.

risk-based capital allocation

C.

risk portfolio

D.

risk culture

Buy Now
Questions 341

Which of the following is the PRIMARY purpose of periodically reviewing an organization's risk profile?

Options:

A.

Align business objectives with risk appetite.

B.

Enable risk-based decision making.

C.

Design and implement risk response action plans.

D.

Update risk responses in the risk register

Buy Now
Questions 342

Which of the following is MOST helpful in aligning IT risk with business objectives?

Options:

A.

Introducing an approved IT governance framework

B.

Integrating the results of top-down risk scenario analyses

C.

Performing a business impact analysis (BlA)

D.

Implementing a risk classification system

Buy Now
Questions 343

Which of the following is the PRIMARY reason to use key control indicators (KCIs) to evaluate control operating effectiveness?

Options:

A.

To measure business exposure to risk

B.

To identify control vulnerabilities

C.

To monitor the achievement of set objectives

D.

To raise awareness of operational issues

Buy Now
Questions 344

Which of the following is the BEST key control indicator (KCI) for risk related to IT infrastructure failure?

Options:

A.

Number of times the recovery plan is reviewed

B.

Number of successful recovery plan tests

C.

Percentage of systems with outdated virus protection

D.

Percentage of employees who can work remotely

Buy Now
Questions 345

Which of the following is the BEST way to quantify the likelihood of risk materialization?

Options:

A.

Balanced scorecard

B.

Threat and vulnerability assessment

C.

Compliance assessments

D.

Business impact analysis (BIA)

Buy Now
Questions 346

Which of the following is the MOST critical element to maximize the potential for a successful security implementation?

Options:

A.

The organization's knowledge

B.

Ease of implementation

C.

The organization's culture

D.

industry-leading security tools

Buy Now
Questions 347

Which of the following scenarios represents a threat?

Options:

A.

Connecting a laptop to a free, open, wireless access point (hotspot)

B.

Visitors not signing in as per policy

C.

Storing corporate data in unencrypted form on a laptop

D.

A virus transmitted on a USB thumb drive

Buy Now
Questions 348

The MOST important reason for implementing change control procedures is to ensure:

Options:

A.

only approved changes are implemented

B.

timely evaluation of change events

C.

an audit trail exists.

D.

that emergency changes are logged.

Buy Now
Questions 349

Which of the following is the GREATEST benefit of using IT risk scenarios?

Options:

A.

They support compliance with regulations.

B.

They provide evidence of risk assessment.

C.

They facilitate communication of risk.

D.

They enable the use of key risk indicators (KRls)

Buy Now
Questions 350

Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds?

Options:

A.

Occurrences of specific events

B.

A performance measurement

C.

The risk tolerance level

D.

Risk scenarios

Buy Now
Questions 351

Which of the following BEST protects an organization against breaches when using a software as a service (SaaS) application?

Options:

A.

Control self-assessment (CSA)

B.

Security information and event management (SIEM) solutions

C.

Data privacy impact assessment (DPIA)

D.

Data loss prevention (DLP) tools

Buy Now
Questions 352

Which of the following BEST indicates the risk appetite and tolerance level (or the risk associated with business interruption caused by IT system failures?

Options:

A.

Mean time to recover (MTTR)

B.

IT system criticality classification

C.

Incident management service level agreement (SLA)

D.

Recovery time objective (RTO)

Buy Now
Questions 353

Which of the following is the BEST indicator of an effective IT security awareness program?

Options:

A.

Decreased success rate of internal phishing tests

B.

Decreased number of reported security incidents

C.

Number of disciplinary actions issued for security violations

D.

Number of employees that complete security training

Buy Now
Questions 354

Which of the following would be- MOST helpful to understand the impact of a new technology system on an organization's current risk profile?

Options:

A.

Hire consultants specializing m the new technology.

B.

Review existing risk mitigation controls.

C.

Conduct a gap analysis.

D.

Perform a risk assessment.

Buy Now
Questions 355

The MAJOR reason to classify information assets is

Options:

A.

maintain a current inventory and catalog of information assets

B.

determine their sensitivity and critical

C.

establish recovery time objectives (RTOs)

D.

categorize data into groups

Buy Now
Questions 356

Senior management wants to increase investment in the organization's cybersecurity program in response to changes in the external threat landscape. Which of the following would BEST help to prioritize investment efforts?

Options:

A.

Analyzing cyber intelligence reports

B.

Engaging independent cybersecurity consultants

C.

Increasing the frequency of updates to the risk register

D.

Reviewing the outcome of the latest security risk assessment

Buy Now
Questions 357

An organization has operations in a location that regularly experiences severe weather events. Which of the following would BEST help to mitigate the risk to operations?

Options:

A.

Prepare a cost-benefit analysis to evaluate relocation.

B.

Prepare a disaster recovery plan (DRP).

C.

Conduct a business impact analysis (BIA) for an alternate location.

D.

Develop a business continuity plan (BCP).

Buy Now
Questions 358

The MOST important characteristic of an organization s policies is to reflect the organization's:

Options:

A.

risk assessment methodology.

B.

risk appetite.

C.

capabilities

D.

asset value.

Buy Now
Questions 359

Which of the following would be MOST helpful when estimating the likelihood of negative events?

Options:

A.

Business impact analysis

B.

Threat analysis

C.

Risk response analysis

D.

Cost-benefit analysis

Buy Now
Questions 360

Which of the following is the MOST important consideration for prioritizing risk treatment plans when faced with budget limitations?

Options:

A.

Inherent risk and likelihood

B.

Management action plans associated with audit findings

C.

Residual risk relative to appetite and tolerance

D.

Key risk indicator (KRI) trends

Buy Now
Questions 361

Which of the following is the result of a realized risk scenario?

Options:

A.

Technical event

B.

Threat event

C.

Vulnerability event

D.

Loss event

Buy Now
Questions 362

Which of the following provides the MOST useful information for developing key risk indicators (KRIs)?

Options:

A.

Business impact analysis (BIA) results

B.

Risk scenario ownership

C.

Risk thresholds

D.

Possible causes of materialized risk

Buy Now
Questions 363

An organization's chief information officer (CIO) has proposed investing in a new. untested technology to take advantage of being first to market Senior management has concerns about the success of the project and has set a limit for expenditures before final approval. This conditional approval indicates the organization's risk:

Options:

A.

capacity.

B.

appetite.

C.

management capability.

D.

treatment strategy.

Buy Now
Questions 364

Which of the following is MOST important for maintaining the effectiveness of an IT risk register?

Options:

A.

Removing entries from the register after the risk has been treated

B.

Recording and tracking the status of risk response plans within the register

C.

Communicating the register to key stakeholders

D.

Performing regular reviews and updates to the register

Buy Now
Questions 365

A rule-based data loss prevention {DLP) tool has recently been implemented to reduce the risk of sensitive data leakage. Which of the following is MOST likely to change as a result of this implementation?

Options:

A.

Risk likelihood

B.

Risk velocity

C.

Risk appetite

D.

Risk impact

Buy Now
Questions 366

Which of the following is the BEST indication of an effective risk management program?

Options:

A.

Risk action plans are approved by senior management.

B.

Residual risk is within the organizational risk appetite

C.

Mitigating controls are designed and implemented.

D.

Risk is recorded and tracked in the risk register

Buy Now
Questions 367

An organization has identified a risk exposure due to weak technical controls in a newly implemented HR system. The risk practitioner is documenting the risk in the risk register. The risk should be owned by the:

Options:

A.

chief risk officer.

B.

project manager.

C.

chief information officer.

D.

business process owner.

Buy Now
Questions 368

Which of the following is MOST important when developing key performance indicators (KPIs)?

Options:

A.

Alignment to risk responses

B.

Alignment to management reports

C.

Alerts when risk thresholds are reached

D.

Identification of trends

Buy Now
Questions 369

A key risk indicator (KRI) is reported to senior management on a periodic basis as exceeding thresholds, but each time senior management has decided to take no action to reduce the risk. Which of the following is the MOST likely reason for senior management's response?

Options:

A.

The underlying data source for the KRI is using inaccurate data and needs to be corrected.

B.

The KRI is not providing useful information and should be removed from the KRI inventory.

C.

The KRI threshold needs to be revised to better align with the organization s risk appetite

D.

Senior management does not understand the KRI and should undergo risk training.

Buy Now
Questions 370

An organization's senior management is considering whether to acquire cyber insurance. Which of the following is the BEST way for the risk practitioner to enable management’s decision?

Options:

A.

Perform a cost-benefit analysis.

B.

Conduct a SWOT analysis.

C.

Provide data on the number of risk events from the last year.

D.

Report on recent losses experienced by industry peers.

Buy Now
Questions 371

Which of the following is the GREATEST benefit to an organization when updates to the risk register are made promptly after the completion of a risk assessment?

Options:

A.

Improved senior management communication

B.

Optimized risk treatment decisions

C.

Enhanced awareness of risk management

D.

Improved collaboration among risk professionals

Buy Now
Questions 372

Which of the following is the MOST important consideration when implementing ethical remote work monitoring?

Options:

A.

Monitoring is only conducted between official hours of business

B.

Employees are informed of how they are bong monitored

C.

Reporting on nonproductive employees is sent to management on a scheduled basis

D.

Multiple data monitoring sources are integrated into security incident response procedures

Buy Now
Questions 373

Which of the following should be the FIRST step when a company is made aware of new regulatory requirements impacting IT?

Options:

A.

Perform a gap analysis.

B.

Prioritize impact to the business units.

C.

Perform a risk assessment.

D.

Review the risk tolerance and appetite.

Buy Now
Questions 374

An organization's IT infrastructure is running end-of-life software that is not allowed without exception approval. Which of the following would provide the MOST helpful information to justify investing in updated software?

Options:

A.

The balanced scorecard

B.

A cost-benefit analysis

C.

The risk management frameworkD, A roadmap of IT strategic planning

Buy Now
Questions 375

Which of the following will be the GREATEST concern when assessing the risk profile of an organization?

Options:

A.

The risk profile was not updated after a recent incident

B.

The risk profile was developed without using industry standards.

C.

The risk profile was last reviewed two years ago.

D.

The risk profile does not contain historical loss data.

Buy Now
Questions 376

A PRIMARY advantage of involving business management in evaluating and managing risk is that management:

Options:

A.

better understands the system architecture.

B.

is more objective than risk management.

C.

can balance technical and business risk.

D.

can make better-informed business decisions.

Buy Now
Questions 377

Which of the following is the MOST important topic to cover in a risk awareness training program for all staff?

Options:

A.

Internal and external information security incidents

B.

The risk department's roles and responsibilities

C.

Policy compliance requirements and exceptions process

D.

The organization's information security risk profile

Buy Now
Questions 378

In response to the threat of ransomware, an organization has implemented cybersecurity awareness activities. The risk practitioner's BEST recommendation to further reduce the impact of ransomware attacks would be to implement:

Options:

A.

two-factor authentication.

B.

continuous data backup controls.

C.

encryption for data at rest.

D.

encryption for data in motion.

Buy Now
Questions 379

Which of the following is MOST important when developing risk scenarios?

Options:

A.

Reviewing business impact analysis (BIA)

B.

Collaborating with IT audit

C.

Conducting vulnerability assessments

D.

Obtaining input from key stakeholders

Buy Now
Questions 380

Which of the following is MOST important when considering risk in an enterprise risk management (ERM) process?

Options:

A.

Financial risk is given a higher priority.

B.

Risk with strategic impact is included.

C.

Security strategy is given a higher priority.

D.

Risk identified by industry benchmarking is included.

Buy Now
Questions 381

Which of the following is the MOST important consideration for protecting data assets m a Business application system?

Options:

A.

Application controls are aligned with data classification lutes

B.

Application users are periodically trained on proper data handling practices

C.

Encrypted communication is established between applications and data servers

D.

Offsite encrypted backups are automatically created by the application

Buy Now
Questions 382

Which of the following would be MOST helpful to a risk practitioner when ensuring that mitigated risk remains within acceptable limits?

Options:

A.

Building an organizational risk profile after updating the risk register

B.

Ensuring risk owners participate in a periodic control testing process

C.

Designing a process for risk owners to periodically review identified risk

D.

Implementing a process for ongoing monitoring of control effectiveness

Buy Now
Questions 383

Which of the following is MOST important to the effectiveness of key performance indicators (KPIs)?

Options:

A.

Relevance

B.

Annual review

C.

Automation

D.

Management approval

Buy Now
Questions 384

A risk manager has determined there is excessive risk with a particular technology. Who is the BEST person to own the unmitigated risk of the technology?

Options:

A.

IT system owner

B.

Chief financial officer

C.

Chief risk officer

D.

Business process owner

Buy Now
Questions 385

Which of the following should be determined FIRST when a new security vulnerability is made public?

Options:

A.

Whether the affected technology is used within the organization

B.

Whether the affected technology is Internet-facing

C.

What mitigating controls are currently in place

D.

How pervasive the vulnerability is within the organization

Buy Now
Questions 386

Which of the following is the BEST indication of a mature organizational risk culture?

Options:

A.

Corporate risk appetite is communicated to staff members.

B.

Risk owners understand and accept accountability for risk.

C.

Risk policy has been published and acknowledged by employees.

D.

Management encourages the reporting of policy breaches.

Buy Now
Questions 387

After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:

Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment?

CRISC Question 387

Options:

A.

External audit

B.

Internal audit

C.

Vendor performance scorecard

D.

Regulatory examination

Buy Now
Questions 388

Which of the following is the BEST course of action to help reduce the probability of an incident recurring?

Options:

A.

Perform a risk assessment.

B.

Perform root cause analysis.

C.

Initiate disciplinary action.

D.

Update the incident response plan.

Buy Now
Questions 389

Which of the following is the BEST approach when a risk practitioner has been asked by a business unit manager for special consideration during a risk assessment of a system?

Options:

A.

Conduct an abbreviated version of the assessment.

B.

Report the business unit manager for a possible ethics violation.

C.

Perform the assessment as it would normally be done.

D.

Recommend an internal auditor perform the review.

Buy Now
Questions 390

The PRIMARY reason for tracking the status of risk mitigation plans is to ensure:

Options:

A.

the proposed controls are implemented as scheduled.

B.

security controls are tested prior to implementation.

C.

compliance with corporate policies.

D.

the risk response strategy has been decided.

Buy Now
Questions 391

Which of the following is the MOST important consideration when selecting key risk indicators (KRIs) to monitor risk trends over time?

Options:

A.

Ongoing availability of data

B.

Ability to aggregate data

C.

Ability to predict trends

D.

Availability of automated reporting systems

Buy Now
Questions 392

Which of the following controls BEST enables an organization to ensure a complete and accurate IT asset inventory?

Options:

A.

Prohibiting the use of personal devices for business

B.

Performing network scanning for unknown devices

C.

Requesting an asset list from business owners

D.

Documenting asset configuration baselines

Buy Now
Questions 393

An IT control gap has been identified in a key process. Who would be the MOST appropriate owner of the risk associated with this gap?

Options:

A.

Key control owner

B.

Operational risk manager

C.

Business process owner

D.

Chief information security officer (CISO)

Buy Now
Questions 394

A highly regulated organization acquired a medical technology startup company that processes sensitive personal information with weak data protection controls. Which of the following is the BEST way for the acquiring company to reduce its risk while still enabling the flexibility needed by the startup company?

Options:

A.

Identify previous data breaches using the startup company’s audit reports.

B.

Have the data privacy officer review the startup company’s data protection policies.

C.

Classify and protect the data according to the parent company's internal standards.

D.

Implement a firewall and isolate the environment from the parent company's network.

Buy Now
Questions 395

Which of the following would be the BEST key performance indicator (KPI) for monitoring the effectiveness of the IT asset management process?

Options:

A.

Percentage of unpatched IT assets

B.

Percentage of IT assets without ownership

C.

The number of IT assets securely disposed during the past year

D.

The number of IT assets procured during the previous month

Buy Now
Questions 396

Which of the following is the BEST key control indicator (KCI) for a vulnerability management program?

Options:

A.

Percentage of high-risk vulnerabilities missed

B.

Number of high-risk vulnerabilities outstanding

C.

Defined thresholds for high-risk vulnerabilities

D.

Percentage of high-risk vulnerabilities addressed

Buy Now
Questions 397

An organization is implementing internet of Things (loT) technology to control temperature and lighting in its headquarters. Which of the following should be of GREATEST concern?

Options:

A.

Insufficient network isolation

B.

impact on network performance

C.

insecure data transmission protocols

D.

Lack of interoperability between sensors

Buy Now
Questions 398

When reporting on the performance of an organization's control environment including which of the following would BEST inform stakeholders risk decision-making?

Options:

A.

The audit plan for the upcoming period

B.

Spend to date on mitigating control implementation

C.

A report of deficiencies noted during controls testing

D.

A status report of control deployment

Buy Now
Questions 399

Which of the following BEST represents a critical threshold value for a key control indicator (KCI)?

Options:

A.

The value at which control effectiveness would fail

B.

Thresholds benchmarked to peer organizations

C.

A typical operational value

D.

A value that represents the intended control state

Buy Now
Questions 400

Days before the realization of an acquisition, a data breach is discovered at the company to be acquired. For the accruing organization, this situation represents which of the following?

Options:

A.

Threat event

B.

Inherent risk

C.

Risk event

D.

Security incident

Buy Now
Questions 401

A global organization is planning to collect customer behavior data through social media advertising. Which of the following is the MOST important business risk to be considered?

Options:

A.

Regulatory requirements may differ in each country.

B.

Data sampling may be impacted by various industry restrictions.

C.

Business advertising will need to be tailored by country.

D.

The data analysis may be ineffective in achieving objectives.

Buy Now
Questions 402

Which of the following is the BEST way to determine whether new controls mitigate security gaps in a business system?

Options:

A.

Complete an offsite business continuity exercise.

B.

Conduct a compliance check against standards.

C.

Perform a vulnerability assessment.

D.

Measure the change in inherent risk.

Buy Now
Questions 403

Winch of the following can be concluded by analyzing the latest vulnerability report for the it infrastructure?

Options:

A.

Likelihood of a threat

B.

Impact of technology risk

C.

Impact of operational risk

D.

Control weakness

Buy Now
Questions 404

An IT department has provided a shared drive for personnel to store information to which all employees have access. Which of the following parties is accountable for the risk of potential loss of confidential information?

Options:

A.

Risk manager

B.

Data owner

C.

End user

D.

IT department

Buy Now
Questions 405

The PRIMARY purpose of using a framework for risk analysis is to:

Options:

A.

improve accountability

B.

improve consistency

C.

help define risk tolerance

D.

help develop risk scenarios.

Buy Now
Questions 406

Risk acceptance of an exception to a security control would MOST likely be justified when:

Options:

A.

automation cannot be applied to the control

B.

business benefits exceed the loss exposure.

C.

the end-user license agreement has expired.

D.

the control is difficult to enforce in practice.

Buy Now
Questions 407

In which of the following system development life cycle (SDLC) phases should controls be incorporated into system specifications?

Options:

A.

Implementation

B.

Development

C.

Design

D.

Feasibility

Buy Now
Questions 408

What is the MOST important consideration when aligning IT risk management with the enterprise risk management (ERM) framework?

Options:

A.

Risk and control ownership

B.

Senior management participation

C.

Business unit support

D.

Risk nomenclature and taxonomy

Buy Now
Questions 409

From a business perspective, which of the following is the MOST important objective of a disaster recovery test?

Options:

A.

The organization gains assurance it can recover from a disaster

B.

Errors are discovered in the disaster recovery process.

C.

All business-critical systems are successfully tested.

D.

All critical data is recovered within recovery time objectives (RTOs).

Buy Now
Questions 410

An organization has outsourced its IT security operations to a third party. Who is ULTIMATELY accountable for the risk associated with the outsourced operations?

Options:

A.

The third party s management

B.

The organization's management

C.

The control operators at the third party

D.

The organization's vendor management office

Buy Now
Questions 411

In addition to the risk register, what should a risk practitioner review to develop an understanding of the organization's risk profile?

Options:

A.

The control catalog

B.

The asset profile

C.

Business objectives

D.

Key risk indicators (KRls)

Buy Now
Questions 412

Periodically reviewing and updating a risk register with details on identified risk factors PRIMARILY helps to:

Options:

A.

minimize the number of risk scenarios for risk assessment.

B.

aggregate risk scenarios identified across different business units.

C.

build a threat profile of the organization for management review.

D.

provide a current reference to stakeholders for risk-based decisions.

Buy Now
Questions 413

Which of the following is the MOST effective way to help ensure future risk levels do not exceed the organization's risk appetite?

Options:

A.

Developing contingency plans for key processes

B.

Implementing key performance indicators (KPIs)

C.

Adding risk triggers to entries in the risk register

D.

Establishing a series of key risk indicators (KRIs)

Buy Now
Questions 414

IT management has asked for a consolidated view into the organization's risk profile to enable project prioritization and resource allocation. Which of the following materials would

be MOST helpful?

Options:

A.

IT risk register

B.

List of key risk indicators

C.

Internal audit reports

D.

List of approved projects

Buy Now
Questions 415

During testing, a risk practitioner finds the IT department's recovery time objective (RTO) for a key system does not align with the enterprise's business continuity plan (BCP). Which of the following should be done NEXT?

Options:

A.

Report the gap to senior management

B.

Consult with the IT department to update the RTO

C.

Complete a risk exception form.

D.

Consult with the business owner to update the BCP

Buy Now
Questions 416

Which of the following should be the PRIMARY consideration when implementing controls for monitoring user activity logs?

Options:

A.

Ensuring availability of resources for log analysis

B.

Implementing log analysis tools to automate controls

C.

Ensuring the control is proportional to the risk

D.

Building correlations between logs collected from different sources

Buy Now
Questions 417

A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security. Which of the following observations would be MOST relevant to escalate to senior management?

Options:

A.

An increase in attempted distributed denial of service (DDoS) attacks

B.

An increase in attempted website phishing attacks

C.

A decrease in achievement of service level agreements (SLAs)

D.

A decrease in remediated web security vulnerabilities

Buy Now
Questions 418

The MOST effective way to increase the likelihood that risk responses will be implemented is to:

Options:

A.

create an action plan

B.

assign ownership

C.

review progress reports

D.

perform regular audits.

Buy Now
Questions 419

Which of the following is the BEST key performance indicator (KPI) to measure the maturity of an organization's security incident handling process?

Options:

A.

The number of security incidents escalated to senior management

B.

The number of resolved security incidents

C.

The number of newly identified security incidents

D.

The number of recurring security incidents

Buy Now
Questions 420

A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:

Options:

A.

identification.

B.

treatment.

C.

communication.

D.

assessment

Buy Now
Questions 421

Which of the following should be the risk practitioner s PRIMARY focus when determining whether controls are adequate to mitigate risk?

Options:

A.

Sensitivity analysis

B.

Level of residual risk

C.

Cost-benefit analysis

D.

Risk appetite

Buy Now
Questions 422

During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall. Which of the following controls has MOST likely been compromised?

Options:

A.

Data validation

B.

Identification

C.

Authentication

D.

Data integrity

Buy Now
Questions 423

A risk practitioner is organizing risk awareness training for senior management. Which of the following is the MOST important topic to cover in the training session?

Options:

A.

The organization's strategic risk management projects

B.

Senior management roles and responsibilities

C.

The organizations risk appetite and tolerance

D.

Senior management allocation of risk management resources

Buy Now
Questions 424

IT risk assessments can BEST be used by management:

Options:

A.

for compliance with laws and regulations

B.

as a basis for cost-benefit analysis.

C.

as input for decision-making

D.

to measure organizational success.

Buy Now
Questions 425

After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:

Options:

A.

recommend a program that minimizes the concerns of that production system.

B.

inform the development team of the concerns, and together formulate risk reduction measures.

C.

inform the process owner of the concerns and propose measures to reduce them

D.

inform the IT manager of the concerns and propose measures to reduce them.

Buy Now
Questions 426

Which of the following activities would BEST contribute to promoting an organization-wide risk-aware culture?

Options:

A.

Performing a benchmark analysis and evaluating gaps

B.

Conducting risk assessments and implementing controls

C.

Communicating components of risk and their acceptable levels

D.

Participating in peer reviews and implementing best practices

Buy Now
Questions 427

Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data?

Options:

A.

Testing the transmission of credit card numbers

B.

Reviewing logs for unauthorized data transfers

C.

Configuring the DLP control to block credit card numbers

D.

Testing the DLP rule change control process

Buy Now
Questions 428

Which of the following would BEST provide early warning of a high-risk condition?

Options:

A.

Risk register

B.

Risk assessment

C.

Key risk indicator (KRI)

D.

Key performance indicator (KPI)

Buy Now
Questions 429

A risk practitioner has observed that there is an increasing trend of users sending sensitive information by email without using encryption. Which of the following would be the MOST effective approach to mitigate the risk associated with data loss?

Options:

A.

Implement a tool to create and distribute violation reports

B.

Raise awareness of encryption requirements for sensitive data.

C.

Block unencrypted outgoing emails which contain sensitive data.

D.

Implement a progressive disciplinary process for email violations.

Buy Now
Questions 430

Which of the following is the BEST approach to use when creating a comprehensive set of IT risk scenarios?

Options:

A.

Derive scenarios from IT risk policies and standards.

B.

Map scenarios to a recognized risk management framework.

C.

Gather scenarios from senior management.

D.

Benchmark scenarios against industry peers.

Buy Now
Questions 431

Which of the following is MOST helpful to ensure effective security controls for a cloud service provider?

Options:

A.

A control self-assessment

B.

A third-party security assessment report

C.

Internal audit reports from the vendor

D.

Service level agreement monitoring

Buy Now
Questions 432

When reviewing management's IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?

Options:

A.

Assess management's risk tolerance.

B.

Recommend management accept the low-risk scenarios.

C.

Propose mitigating controls

D.

Re-evaluate the risk scenarios associated with the control

Buy Now
Questions 433

Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?

Options:

A.

Risk mitigation budget

B.

Business Impact analysis

C.

Cost-benefit analysis

D.

Return on investment

Buy Now
Questions 434

The MAIN purpose of conducting a control self-assessment (CSA) is to:

Options:

A.

gain a better understanding of the control effectiveness in the organization

B.

gain a better understanding of the risk in the organization

C.

adjust the controls prior to an external audit

D.

reduce the dependency on external audits

Buy Now
Questions 435

Which of the following is the MOST important data source for monitoring key risk indicators (KRIs)?

Options:

A.

Directives from legal and regulatory authorities

B.

Audit reports from internal information systems audits

C.

Automated logs collected from different systems

D.

Trend analysis of external risk factors

Buy Now
Questions 436

Risk management strategies are PRIMARILY adopted to:

Options:

A.

take necessary precautions for claims and losses.

B.

achieve acceptable residual risk levels.

C.

avoid risk for business and IT assets.

D.

achieve compliance with legal requirements.

Buy Now
Questions 437

Which of the following should be the HIGHEST priority when developing a risk response?

Options:

A.

The risk response addresses the risk with a holistic view.

B.

The risk response is based on a cost-benefit analysis.

C.

The risk response is accounted for in the budget.

D.

The risk response aligns with the organization's risk appetite.

Buy Now
Questions 438

The PRIMARY reason a risk practitioner would be interested in an internal audit report is to:

Options:

A.

plan awareness programs for business managers.

B.

evaluate maturity of the risk management process.

C.

assist in the development of a risk profile.

D.

maintain a risk register based on noncompliance.

Buy Now
Questions 439

Which of the following is the MOST important requirement for monitoring key risk indicators (KRls) using log analysis?

Options:

A.

Obtaining logs m an easily readable format

B.

Providing accurate logs m a timely manner

C.

Collecting logs from the entire set of IT systems

D.

implementing an automated log analysis tool

Buy Now
Questions 440

Which of the following is the BEST method to identify unnecessary controls?

Options:

A.

Evaluating the impact of removing existing controls

B.

Evaluating existing controls against audit requirements

C.

Reviewing system functionalities associated with business processes

D.

Monitoring existing key risk indicators (KRIs)

Buy Now
Questions 441

Which of the following situations reflects residual risk?

Options:

A.

Risk that is present before risk acceptance has been finalized

B.

Risk that is removed after a risk acceptance has been finalized

C.

Risk that is present before mitigation controls have been applied

D.

Risk that remains after mitigation controls have been applied

Buy Now
Questions 442

Which of the following is the MOST important outcome of reviewing the risk management process?

Options:

A.

Assuring the risk profile supports the IT objectives

B.

Improving the competencies of employees who performed the review

C.

Determining what changes should be made to IS policies to reduce risk

D.

Determining that procedures used in risk assessment are appropriate

Buy Now
Questions 443

Improvements in the design and implementation of a control will MOST likely result in an update to:

Options:

A.

inherent risk.

B.

residual risk.

C.

risk appetite

D.

risk tolerance

Buy Now
Questions 444

The head of a business operations department asks to review the entire IT risk register. Which of the following would be the risk manager s BEST approach to this request before sharing the register?

Options:

A.

Escalate to senior management

B.

Require a nondisclosure agreement.

C.

Sanitize portions of the register

D.

Determine the purpose of the request

Buy Now
Questions 445

A risk practitioner discovers several key documents detailing the design of a product currently in development have been posted on the Internet. What should be the risk practitioner's FIRST course of action?

Options:

A.

invoke the established incident response plan.

B.

Inform internal audit.

C.

Perform a root cause analysis

D.

Conduct an immediate risk assessment

Buy Now
Questions 446

When determining which control deficiencies are most significant, which of the following would provide the MOST useful information?

Options:

A.

Risk analysis results

B.

Exception handling policy

C.

Vulnerability assessment results

D.

Benchmarking assessments

Buy Now
Questions 447

During which phase of the system development life cycle (SDLC) should information security requirements for the implementation of a new IT system be defined?

Options:

A.

Monitoring

B.

Development

C.

Implementation

D.

Initiation

Buy Now
Questions 448

Which of the following aspects of an IT risk and control self-assessment would be MOST important to include in a report to senior management?

Options:

A.

Changes in control design

B.

A decrease in the number of key controls

C.

Changes in control ownership

D.

An increase in residual risk

Buy Now
Questions 449

A trusted third-party service provider has determined that the risk of a client's systems being hacked is low. Which of the following would be the client's BEST course of action?

Options:

A.

Perform their own risk assessment

B.

Implement additional controls to address the risk.

C.

Accept the risk based on the third party's risk assessment

D.

Perform an independent audit of the third party.

Buy Now
Questions 450

Which of the following is MOST important to understand when determining an appropriate risk assessment approach?

Options:

A.

Complexity of the IT infrastructure

B.

Value of information assets

C.

Management culture

D.

Threats and vulnerabilities

Buy Now
Questions 451

An effective control environment is BEST indicated by controls that:

Options:

A.

minimize senior management's risk tolerance.

B.

manage risk within the organization's risk appetite.

C.

reduce the thresholds of key risk indicators (KRIs).

D.

are cost-effective to implement

Buy Now
Questions 452

An audit reveals that several terminated employee accounts maintain access. Which of the following should be the FIRST step to address the risk?

Options:

A.

Perform a risk assessment

B.

Disable user access.

C.

Develop an access control policy.

D.

Perform root cause analysis.

Buy Now
Questions 453

Which of the following is the MOST effective key performance indicator (KPI) for change management?

Options:

A.

Percentage of changes with a fallback plan

B.

Number of changes implemented

C.

Percentage of successful changes

D.

Average time required to implement a change

Buy Now
Questions 454

An organization has determined a risk scenario is outside the defined risk tolerance level. What should be the NEXT course of action?

Options:

A.

Develop a compensating control.

B.

Allocate remediation resources.

C.

Perform a cost-benefit analysis.

D.

Identify risk responses

Buy Now
Questions 455

A risk assessment has identified that an organization may not be in compliance with industry regulations. The BEST course of action would be to:

Options:

A.

conduct a gap analysis against compliance criteria.

B.

identify necessary controls to ensure compliance.

C.

modify internal assurance activities to include control validation.

D.

collaborate with management to meet compliance requirements.

Buy Now
Questions 456

A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:

Options:

A.

communication

B.

identification.

C.

treatment.

D.

assessment.

Buy Now
Questions 457

Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:

Options:

A.

a gap analysis

B.

a root cause analysis.

C.

an impact assessment.

D.

a vulnerability assessment.

Buy Now
Questions 458

Which of the following will BEST quantify the risk associated with malicious users in an organization?

Options:

A.

Business impact analysis

B.

Risk analysis

C.

Threat risk assessment

D.

Vulnerability assessment

Buy Now
Questions 459

Which of the following is the BEST course of action to reduce risk impact?

Options:

A.

Create an IT security policy.

B.

Implement corrective measures.

C.

Implement detective controls.

D.

Leverage existing technology

Buy Now
Questions 460

During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT. Which of the following is the BEST way for the risk practitioner to address these concerns?

Options:

A.

Describe IT risk scenarios in terms of business risk.

B.

Recommend the formation of an executive risk council to oversee IT risk.

C.

Provide an estimate of IT system downtime if IT risk materializes.

D.

Educate business executives on IT risk concepts.

Buy Now
Questions 461

The risk associated with an asset before controls are applied can be expressed as:

Options:

A.

a function of the likelihood and impact

B.

the magnitude of an impact

C.

a function of the cost and effectiveness of control.

D.

the likelihood of a given threat

Buy Now
Questions 462

Which of the following techniques would be used during a risk assessment to demonstrate to stakeholders that all known alternatives were evaluated?

Options:

A.

Control chart

B.

Sensitivity analysis

C.

Trend analysis

D.

Decision tree

Buy Now
Questions 463

Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation?

Options:

A.

Completeness of system documentation

B.

Results of end user acceptance testing

C.

Variances between planned and actual cost

D.

availability of in-house resources

Buy Now
Questions 464

Which of the following is MOST critical when designing controls?

Options:

A.

Involvement of internal audit

B.

Involvement of process owner

C.

Quantitative impact of the risk

D.

Identification of key risk indicators

Buy Now
Questions 465

A risk practitioner is organizing a training session lo communicate risk assessment methodologies to ensure a consistent risk view within the organization Which of the following i< the MOST important topic to cover in this training?

Options:

A.

Applying risk appetite

B.

Applying risk factors

C.

Referencing risk event data

D.

Understanding risk culture

Buy Now
Questions 466

During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:

Options:

A.

compensating controls are in place.

B.

a control mitigation plan is in place.

C.

risk management is effective.

D.

residual risk is accepted.

Buy Now
Questions 467

Which of the following is the PRIMARY factor in determining a recovery time objective (RTO)?

Options:

A.

Cost of offsite backup premises

B.

Cost of downtime due to a disaster

C.

Cost of testing the business continuity plan

D.

Response time of the emergency action plan

Buy Now
Questions 468

A contract associated with a cloud service provider MUST include:

Options:

A.

ownership of responsibilities.

B.

a business recovery plan.

C.

provision for source code escrow.

D.

the providers financial statements.

Buy Now
Questions 469

What is the BEST approach for determining the inherent risk of a scenario when the actual likelihood of the risk is unknown?

Options:

A.

Use the severity rating to calculate risk.

B.

Classify the risk scenario as low-probability.

C.

Use the highest likelihood identified by risk management.

D.

Rely on range-based estimates provided by subject-matter experts.

Buy Now
Questions 470

An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?

Options:

A.

Invoke the disaster recovery plan during an incident.

B.

Prepare a cost-benefit analysis of alternatives available

C.

Implement redundant infrastructure for the application.

D.

Reduce the recovery time by strengthening the response team.

Buy Now
Questions 471

Which of the following IT controls is MOST useful in mitigating the risk associated with inaccurate data?

Options:

A.

Encrypted storage of data

B.

Links to source data

C.

Audit trails for updates and deletions

D.

Check totals on data records and data fields

Buy Now
Questions 472

The BEST way to justify the risk mitigation actions recommended in a risk assessment would be to:

Options:

A.

align with audit results.

B.

benchmark with competitor s actions.

C.

reference best practice.

D.

focus on the business drivers

Buy Now
Exam Code: CRISC
Exam Name: Certified in Risk and Information Systems Control
Last Update: Mar 31, 2025
Questions: 1575

PDF + Testing Engine

$49.5  $164.99

Testing Engine

$37.5  $124.99
buy now CRISC testing engine

PDF (Q&A)

$31.5  $104.99
buy now CRISC pdf
dumpsmate guaranteed to pass
24/7 Customer Support

DumpsMate's team of experts is always available to respond your queries on exam preparation. Get professional answers on any topic of the certification syllabus. Our experts will thoroughly satisfy you.

Site Secure

mcafee secure

TESTED 02 Apr 2025