Summer Limited Time 55% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 1271b8m643

CRISC Exam Dumps - Certified in Risk and Information Systems Control (CRISC)

Question # 4

Which of the following BEST contributes to the implementation of an effective risk response action plan?

A.

An IT tactical plan

B.

Disaster recovery and continuity testing

C.

Assigned roles and responsibilities

D.

A business impact analysis

Full Access
Question # 5

Which of the following provides the BEST evidence that risk responses have been executed according to their risk action plans?

A.

Risk policy review

B.

Business impact analysis (B1A)

C.

Control catalog

D.

Risk register

Full Access
Question # 6

Which of the following is performed after a risk assessment is completed?

A.

Defining risk taxonomy

B.

Identifying vulnerabilities

C.

Conducting an impact analysis

D.

Defining risk response options

Full Access
Question # 7

A bank has outsourced its statement printing function to an external service provider. Which of the following is the MOST critical requirement to include in the contract?

A.

Monitoring of service costs

B.

Provision of internal audit reports

C.

Notification of sub-contracting arrangements

D.

Confidentiality of customer data

Full Access
Question # 8

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an anti-virus program?

A.

Frequency of anti-virus software updates

B.

Number of alerts generated by the anti-virus software

C.

Number of false positives detected over a period of time

D.

Percentage of IT assets with current malware definitions

Full Access
Question # 9

Which of the following is the MOST important information to be communicated during security awareness training?

A.

Management's expectations

B.

Corporate risk profile

C.

Recent security incidents

D.

The current risk management capability

Full Access
Question # 10

Sensitive data has been lost after an employee inadvertently removed a file from the premises, in violation of organizational policy. Which of the following controls MOST likely failed?

A.

Background checks

B.

Awareness training

C.

User access

D.

Policy management

Full Access
Question # 11

Which of the following is the MOST effective way to help ensure an organization's current risk scenarios are relevant?

A.

Adoption of industry best practices

B.

Involvement of stakeholders in risk assessment

C.

Review of risk scenarios by independent parties

D.

Documentation of potential risk in business cases

Full Access
Question # 12

Which of the following is MOST important for developing effective key risk indicators (KRIs)?

A.

Engaging sponsorship by senior management

B.

Utilizing data and resources internal to the organization

C.

Including input from risk and business unit management

D.

Developing in collaboration with internal audit

Full Access
Question # 13

Which of the following will provide the BEST measure of compliance with IT policies?

A.

Evaluate past policy review reports.

B.

Conduct regular independent reviews.

C.

Perform penetration testing.

D.

Test staff on their compliance responsibilities.

Full Access
Question # 14

A monthly payment report is generated from the enterprise resource planning (ERP) software to validate data against the old and new payroll systems. What is the BEST way to mitigate the risk associated with data integrity loss in the new payroll system after data migration?

A.

Compare new system reports with functional requirements.

B.

Compare encrypted data with checksums.

C.

Compare results of user acceptance testing (UAT) with the testing criteria.

D.

Compare processing output from both systems using the previous month's data.

Full Access
Question # 15

An organization operates in a jurisdiction where heavy fines are imposed for leakage of customer data. Which of the following provides the BEST input to assess the inherent risk impact?

A.

Number of customer records held

B.

Number of databases that host customer data

C.

Number of encrypted customer databases

D.

Number of staff members having access to customer data

Full Access
Question # 16

Which of the following is MOST important for a risk practitioner to update when a software upgrade renders an existing key control ineffective?

A.

Audit engagement letter

B.

Risk profile

C.

IT risk register

D.

Change control documentation

Full Access
Question # 17

Which of the following statements BEST describes risk appetite?

A.

The amount of risk an organization is willing to accept

B.

The effective management of risk and internal control environments

C.

Acceptable variation between risk thresholds and business objectives

D.

The acceptable variation relative to the achievement of objectives

Full Access
Question # 18

Which of the following activities should be performed FIRST when establishing IT risk management processes?

A.

Collect data of past incidents and lessons learned.

B.

Conduct a high-level risk assessment based on the nature of business.

C.

Identify the risk appetite of the organization.

D.

Assess the goals and culture of the organization.

Full Access
Question # 19

Which of the following would BEST enable a risk practitioner to embed risk management within the organization?

A.

Provide risk management feedback to key stakeholders.

B.

Collect and analyze risk data for report generation.

C.

Monitor and prioritize risk data according to the heat map.

D.

Engage key stakeholders in risk management practices.

Full Access
Question # 20

When presenting risk, the BEST method to ensure that the risk is measurable against the organization's risk appetite is through the use of a:

A.

risk map

B.

cause-and-effect diagram

C.

maturity model

D.

technology strategy plan.

Full Access
Question # 21

Which of the following BEST helps to balance the costs and benefits of managing IT risk?

A.

Prioritizing risk responses

B.

Evaluating risk based on frequency and probability

C.

Considering risk factors that can be quantified

D.

Managing the risk by using controls

Full Access
Question # 22

It is MOST important for a risk practitioner to have an awareness of an organization s processes in order to:

A.

perform a business impact analysis.

B.

identify potential sources of risk.

C.

establish risk guidelines.

D.

understand control design.

Full Access
Question # 23

A risk practitioner is reviewing a vendor contract and finds there is no clause to control privileged access to the organization's systems by vendor employees. Which of the following is the risk practitioner's BEST course of action?

A.

Contact the control owner to determine if a gap in controls exists.

B.

Add this concern to the risk register and highlight it for management review.

C.

Report this concern to the contracts department for further action.

D.

Document this concern as a threat and conduct an impact analysis.

Full Access
Question # 24

Which of the following is MOST influential when management makes risk response decisions?

A.

Risk appetite

B.

Audit risk

C.

Residual risk

D.

Detection risk

Full Access
Question # 25

Which of the following would provide the MOST comprehensive information for updating an organization's risk register?

A.

Results of the latest risk assessment

B.

Results of a risk forecasting analysis

C.

A review of compliance regulations

D.

Findings of the most recent audit

Full Access
Question # 26

When prioritizing risk response, management should FIRST:

A.

evaluate the organization s ability and expertise to implement the solution.

B.

evaluate the risk response of similar organizations.

C.

address high risk factors that have efficient and effective solutions.

D.

determine which risk factors have high remediation costs

Full Access
Question # 27

What should a risk practitioner do FIRST when vulnerability assessment results identify a weakness in an application?

A.

Review regular control testing results.

B.

Recommend a penetration test.

C.

Assess the risk to determine mitigation needed.

D.

Analyze key performance indicators (KPIs).

Full Access
Question # 28

The FIRST task when developing a business continuity plan should be to:

A.

determine data backup and recovery availability at an alternate site.

B.

identify critical business functions and resources.

C.

define roles and responsibilities for implementation.

D.

identify recovery time objectives (RTOs) for critical business applications.

Full Access
Question # 29

When establishing leading indicators for the information security incident response process it is MOST important to consider the percentage of reported incidents:

A.

that result in a full root cause analysis.

B.

used for verification within the SLA.

C.

that are verified as actual incidents.

D.

resolved within the SLA.

Full Access
Question # 30

What should be the PRIMARY objective for a risk practitioner performing a post-implementation review of an IT risk mitigation project?

A.

Documenting project lessons learned

B.

Validating the risk mitigation project has been completed

C.

Confirming that the project budget was not exceeded

D.

Verifying that the risk level has been lowered

Full Access
Question # 31

A risk practitioner is reporting on an increasing trend of ransomware attacks in the industry. Which of the following information is MOST important to include to enable an informed response decision by key stakeholders?

A.

Methods of attack progression

B.

Losses incurred by industry peers

C.

Most recent antivirus scan reports

D.

Potential impact of events

Full Access
Question # 32

Which of the following should be the risk practitioner s FIRST course of action when an organization has decided to expand into new product areas?

A.

Identify any new business objectives with stakeholders.

B.

Present a business case for new controls to stakeholders.

C.

Revise the organization's risk and control policy.

D.

Review existing risk scenarios with stakeholders.

Full Access
Question # 33

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability management process?

A.

Percentage of vulnerabilities remediated within the agreed service level

B.

Number of vulnerabilities identified during the period

C.

Number of vulnerabilities re-opened during the period

D.

Percentage of vulnerabilities escalated to senior management

Full Access
Question # 34

Which of the following is MOST important to include in a Software as a Service (SaaS) vendor agreement?

A.

An annual contract review

B.

A service level agreement (SLA)

C.

A requirement to adopt an established risk management framework

D.

A requirement to provide an independent audit report

Full Access
Question # 35

An organization has granted a vendor access to its data in order to analyze customer behavior. Which of the following would be the MOST effective control to mitigate the risk of customer data leakage?

A.

Enforce criminal background checks.

B.

Mask customer data fields.

C.

Require vendor to sign a confidentiality agreement.

D.

Restrict access to customer data on a "need to know'' basis.

Full Access
Question # 36

The PRIMARY reason for periodically monitoring key risk indicators (KRIs) is to:

A.

rectify errors in results of KRIs.

B.

detect changes in the risk profile.

C.

reduce costs of risk mitigation controls.

D.

continually improve risk assessments.

Full Access
Question # 37

Who is responsible for IT security controls that are outsourced to an external service provider?

A.

Organization's information security manager

B.

Organization's risk function

C.

Service provider's IT management

D.

Service provider's information security manager

Full Access
Question # 38

Which of the following is MOST important when developing risk scenarios?

A.

The scenarios are based on industry best practice.

B.

The scenarios focus on current vulnerabilities.

C.

The scenarios are relevant to the organization.

D.

The scenarios include technical consequences.

Full Access
Question # 39

An organization has introduced risk ownership to establish clear accountability for each process. To ensure effective risk ownership, it is MOST important that:

A.

senior management has oversight of the process.

B.

process ownership aligns with IT system ownership.

C.

segregation of duties exists between risk and process owners.

D.

risk owners have decision-making authority.

Full Access
Question # 40

Which of the following is MOST important to enable well-informed cybersecurity risk decisions?

A.

Determine and understand the risk rating of scenarios.

B.

Conduct risk assessment peer reviews.

C.

Identify roles and responsibilities for security controls.

D.

Engage a third party to perform a risk assessment.

Full Access
Question # 41

An organization has identified that terminated employee accounts are not disabled or deleted within the time required by corporate policy. Unsure of the reason, the organization has decided to monitor the situation for three months to obtain more information. As a result of this decision, the risk has been:

A.

avoided.

B.

accepted.

C.

mitigated.

D.

transferred.

Full Access
Question # 42

Which of the following is the PRIMARY reason to update a risk register with risk assessment results?

A.

To communicate the level and priority of assessed risk to management

B.

To provide a comprehensive inventory of risk across the organization

C.

To assign a risk owner to manage the risk

D.

To enable the creation of action plans to address nsk

Full Access
Question # 43

Which of the following is MOST important for a risk practitioner to consider when evaluating plans for changes to IT services?

A.

Change testing schedule

B.

Impact assessment of the change

C.

Change communication plan

D.

User acceptance testing (UAT)

Full Access
Question # 44

Which of the following controls are BEST strengthened by a clear organizational code of ethics?

A.

Detective controls

B.

Administrative controls

C.

Technical controls

D.

Preventive controls

Full Access
Question # 45

Which of the following would BEST help identify the owner for each risk scenario in a risk register?

A.

Determining which departments contribute most to risk

B.

Allocating responsibility for risk factors equally to asset owners

C.

Mapping identified risk factors to specific business processes

D.

Determining resource dependency of assets

Full Access
Question # 46

Which of the following approaches will BEST help to ensure the effectiveness of risk awareness training?

A.

Piloting courses with focus groups

B.

Using reputable third-party training programs

C.

Reviewing content with senior management

D.

Creating modules for targeted audiences

Full Access
Question # 47

An IT risk practitioner has determined that mitigation activities differ from an approved risk action plan. Which of the following is the risk practitioner's BEST course of action?

A.

Report the observation to the chief risk officer (CRO).

B.

Validate the adequacy of the implemented risk mitigation measures.

C.

Update the risk register with the implemented risk mitigation actions.

D.

Revert the implemented mitigation measures until approval is obtained

Full Access
Question # 48

Which of the following will be MOST effective in uniquely identifying the originator of electronic transactions?

A.

Digital signature

B.

Edit checks

C.

Encryption

D.

Multifactor authentication

Full Access
Question # 49

Of the following, who is BEST suited to assist a risk practitioner in developing a relevant set of risk scenarios?

A.

Internal auditor

B.

Asset owner

C.

Finance manager

D.

Control owner

Full Access
Question # 50

When updating the risk register after a risk assessment, which of the following is MOST important to include?

A.

Historical losses due to past risk events

B.

Cost to reduce the impact and likelihood

C.

Likelihood and impact of the risk scenario

D.

Actor and threat type of the risk scenario

Full Access
Question # 51

Which of the following should be the PRIMARY goal of developing information security metrics?

A.

Raising security awareness

B.

Enabling continuous improvement

C.

Identifying security threats

D.

Ensuring regulatory compliance

Full Access
Question # 52

An organization learns of a new ransomware attack affecting organizations worldwide. Which of the following should be done FIRST to reduce the likelihood of infection from the attack?

A.

Identify systems that are vulnerable to being exploited by the attack.

B.

Confirm with the antivirus solution vendor whether the next update will detect the attack.

C.

Verify the data backup process and confirm which backups are the most recent ones available.

D.

Obtain approval for funding to purchase a cyber insurance plan.

Full Access
Question # 53

Which of the following management action will MOST likely change the likelihood rating of a risk scenario related to remote network access?

A.

Updating the organizational policy for remote access

B.

Creating metrics to track remote connections

C.

Implementing multi-factor authentication

D.

Updating remote desktop software

Full Access
Question # 54

An organization has provided legal text explaining the rights and expected behavior of users accessing a system from geographic locations that have strong privacy regulations. Which of the following control types has been applied?

A.

Detective

B.

Directive

C.

Preventive

D.

Compensating

Full Access
Question # 55

Which of the following should be determined FIRST when a new security vulnerability is made public?

A.

Whether the affected technology is used within the organization

B.

Whether the affected technology is Internet-facing

C.

What mitigating controls are currently in place

D.

How pervasive the vulnerability is within the organization

Full Access
Question # 56

An organization has decided to postpone the assessment and treatment of several risk scenarios because stakeholders are unavailable. As a result of this decision, the risk associated with these new entries has been;

A.

mitigated

B.

deferred

C.

accepted.

D.

transferred

Full Access
Question # 57

When defining thresholds for control key performance indicators (KPIs). it is MOST helpful to align:

A.

information risk assessments with enterprise risk assessments.

B.

key risk indicators (KRIs) with risk appetite of the business.

C.

the control key performance indicators (KPIs) with audit findings.

D.

control performance with risk tolerance of business owners.

Full Access
Question # 58

When of the following provides the MOST tenable evidence that a business process control is effective?

A.

Demonstration that the control is operating as designed

B.

A successful walk-through of the associated risk assessment

C.

Management attestation that the control is operating effectively

D.

Automated data indicating that risk has been reduced

Full Access
Question # 59

An organization is analyzing the risk of shadow IT usage. Which of the following is the MOST important input into the assessment?

A.

Business benefits of shadow IT

B.

Application-related expresses

C.

Classification of the data

D.

Volume of data

Full Access
Question # 60

Which of the following is the BEST way to determine whether new controls mitigate security gaps in a business system?

A.

Complete an offsite business continuity exercise.

B.

Conduct a compliance check against standards.

C.

Perform a vulnerability assessment.

D.

Measure the change in inherent risk.

Full Access
Question # 61

Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?

A.

Implement segregation of duties.

B.

Enforce an internal data access policy.

C.

Enforce the use of digital signatures.

D.

Apply single sign-on for access control.

Full Access
Question # 62

Accountability for a particular risk is BEST represented in a:

A.

risk register

B.

risk catalog

C.

risk scenario

D.

RACI matrix

Full Access
Question # 63

Which of the following would BEST facilitate the implementation of data classification requirements?

A.

Assigning a data owner

B.

Implementing technical control over the assets

C.

Implementing a data loss prevention (DLP) solution

D.

Scheduling periodic audits

Full Access
Question # 64

Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?

A.

Customer database manager

B.

Customer data custodian

C.

Data privacy officer

D.

Audit committee

Full Access
Question # 65

Which of the following is the BEST indication that key risk indicators (KRls) should be revised?

A.

A decrease in the number of critical assets covered by risk thresholds

B.

An Increase In the number of risk threshold exceptions

C.

An increase in the number of change events pending management review

D.

A decrease In the number of key performance indicators (KPls)

Full Access
Question # 66

Participants in a risk workshop have become focused on the financial cost to mitigate risk rather than choosing the most appropriate response. Which of the following is the BEST way to address this type of issue in the long term?

A.

Perform a return on investment analysis.

B.

Review the risk register and risk scenarios.

C.

Calculate annualized loss expectancy of risk scenarios.

D.

Raise the maturity of organizational risk management.

Full Access
Question # 67

Which of the following should be considered when selecting a risk response?

A.

Risk scenarios analysis

B.

Risk response costs

C.

Risk factor awareness

D.

Risk factor identification

Full Access
Question # 68

The PRIMARY reason for prioritizing risk scenarios is to:

A.

provide an enterprise-wide view of risk

B.

support risk response tracking

C.

assign risk ownership

D.

facilitate risk response decisions.

Full Access
Question # 69

Which of the following is necessary to enable an IT risk register to be consolidated with the rest of the organization’s risk register?

A.

Risk taxonomy

B.

Risk response

C.

Risk appetite

D.

Risk ranking

Full Access
Question # 70

Which of the following provides the BEST evidence that a selected risk treatment plan is effective?

A.

Identifying key risk indicators (KRIs)

B.

Evaluating the return on investment (ROI)

C.

Evaluating the residual risk level

D.

Performing a cost-benefit analysis

Full Access
Question # 71

Which of the following BEST enables a risk practitioner to enhance understanding of risk among stakeholders?

A.

Key risk indicators (KRIs)

B.

Risk scenarios

C.

Business impact analysis (BIA)

D.

Threat analysis

Full Access
Question # 72

What are the MOST essential attributes of an effective Key control indicator (KCI)?

A.

Flexibility and adaptability

B.

Measurability and consistency

C.

Robustness and resilience

D.

Optimal cost and benefit

Full Access
Question # 73

The acceptance of control costs that exceed risk exposure MOST likely demonstrates:

A.

corporate culture alignment

B.

low risk tolerance

C.

high risk tolerance

D.

corporate culture misalignment.

Full Access
Question # 74

Which of the following should be of MOST concern to a risk practitioner reviewing an organization risk register after the completion of a series of risk assessments?

A.

Several risk action plans have missed target completion dates.

B.

Senior management has accepted more risk than usual.

C.

Risk associated with many assets is only expressed in qualitative terms.

D.

Many risk scenarios are owned by the same senior manager.

Full Access
Question # 75

Which of the following would be a risk practitioner'$ BEST recommendation to help ensure cyber risk is assessed and reflected in the enterprise-level risk profile?

A.

Manage cyber risk according to the organization's risk management framework.

B.

Define cyber roles and responsibilities across the organization

C.

Conduct cyber risk awareness training tailored specifically for senior management

D.

Implement a cyber risk program based on industry best practices

Full Access
Question # 76

Which of the following is a risk practitioner's MOST important responsibility in managing risk acceptance that exceeds risk tolerance?

A.

Verify authorization by senior management.

B.

Increase the risk appetite to align with the current risk level

C.

Ensure the acceptance is set to expire over lime

D.

Update the risk response in the risk register.

Full Access
Question # 77

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an antivirus program?

A.

Percentage of IT assets with current malware definitions

B.

Number of false positives defected over a period of time

C.

Number of alerts generated by the anti-virus software

D.

Frequency of anti-vinjs software updates

Full Access
Question # 78

When of the following 15 MOST important when developing a business case for a proposed security investment?

A.

identification of control requirements

B.

Alignment to business objectives

C.

Consideration of new business strategies

D.

inclusion of strategy for regulatory compliance

Full Access
Question # 79

An internal audit report reveals that not all IT application databases have encryption in place. Which of the following information would be MOST important for assessing the risk impact?

A.

The number of users who can access sensitive data

B.

A list of unencrypted databases which contain sensitive data

C.

The reason some databases have not been encrypted

D.

The cost required to enforce encryption

Full Access
Question # 80

An organization has recently been experiencing frequent data corruption incidents. Implementing a file corruption detection tool as a risk response strategy will help to:

A.

reduce the likelihood of future events

B.

restore availability

C.

reduce the impact of future events

D.

address the root cause

Full Access
Question # 81

Which of the following is MOST important information to review when developing plans for using emerging technologies?

A.

Existing IT environment

B.

IT strategic plan

C.

Risk register

D.

Organizational strategic plan

Full Access
Question # 82

What should be the PRIMARY driver for periodically reviewing and adjusting key risk indicators (KRIs)?

A.

Risk impact

B.

Risk likelihood

C.

Risk appropriate

D.

Control self-assessments (CSAs)

Full Access
Question # 83

Which of the following findings of a security awareness program assessment would cause the GREATEST concern to a risk practitioner?

A.

The program has not decreased threat counts.

B.

The program has not considered business impact.

C.

The program has been significantly revised

D.

The program uses non-customized training modules.

Full Access
Question # 84

While reviewing an organization's monthly change management metrics, a risk practitioner notes that the number of emergency changes has increased substantially Which of the following would be the BEST approach for the risk practitioner to take?

A.

Temporarily suspend emergency changes.

B.

Document the control deficiency in the risk register.

C.

Conduct a root cause analysis.

D.

Continue monitoring change management metrics.

Full Access
Question # 85

Which of the following BEST indicates the condition of a risk management program?

A.

Number of risk register entries

B.

Number of controls

C.

Level of financial support

D.

Amount of residual risk

Full Access
Question # 86

During a risk assessment, a key external technology supplier refuses to provide control design and effectiveness information, citing confidentiality concerns. What should the risk practitioner do NEXT?

A.

Escalate the non-cooperation to management

B.

Exclude applicable controls from the assessment.

C.

Review the supplier's contractual obligations.

D.

Request risk acceptance from the business process owner.

Full Access
Question # 87

Which of the following approaches to bring your own device (BYOD) service delivery provides the BEST protection from data loss?

A.

Enable data wipe capabilities

B.

Penetration testing and session timeouts

C.

Implement remote monitoring

D.

Enforce strong passwords and data encryption

Full Access
Question # 88

Which of the following is the PRIMARY reason for monitoring activities performed in a production database environment?

A.

Ensuring that database changes are correctly applied

B.

Enforcing that changes are authorized

C.

Deterring illicit actions of database administrators

D.

Preventing system developers from accessing production data

Full Access
Question # 89

Which of the following should be included in a risk scenario to be used for risk analysis?

A.

Risk appetite

B.

Threat type

C.

Risk tolerance

D.

Residual risk

Full Access
Question # 90

Several network user accounts were recently created without the required management approvals. Which of the following would be the risk practitioner's BEST recommendation to address this situation?

A.

Conduct a comprehensive compliance review.

B.

Develop incident response procedures for noncompliance.

C.

Investigate the root cause of noncompliance.

D.

Declare a security breach and Inform management.

Full Access
Question # 91

When reviewing the business continuity plan (BCP) of an online sales order system, a risk practitioner notices that the recovery time objective (RTO) has a shorter lime than what is defined in the disaster recovery plan (DRP). Which of the following is the BEST way for the risk practitioner to address this concern?

A.

Adopt the RTO defined in the BCR

B.

Update the risk register to reflect the discrepancy.

C.

Adopt the RTO defined in the DRP.

D.

Communicate the discrepancy to the DR manager for follow-up.

Full Access
Question # 92

A bank recently incorporated Blockchain technology with the potential to impact known risk within the organization. Which of the following is the risk practitioner’s BEST course of action?

A.

Determine whether risk responses are still adequate.

B.

Analyze and update control assessments with the new processes.

C.

Analyze the risk and update the risk register as needed.

D.

Conduct testing of the control that mitigate the existing risk.

Full Access
Question # 93

Which of the following will BEST help in communicating strategic risk priorities?

A.

Heat map

B.

Business impact analysis (BIA)

C.

Balanced Scorecard

D.

Risk register

Full Access
Question # 94

As pan of business continuity planning, which of the following is MOST important to include m a business impact analysis (BlA)?

A.

An assessment of threats to the organization

B.

An assessment of recovery scenarios

C.

industry standard framework

D.

Documentation of testing procedures

Full Access
Question # 95

Which of the following is the MOST important key performance indicator (KPI) to monitor the effectiveness of disaster recovery processes?

A.

Percentage of IT systems recovered within the mean time to restore (MTTR) during the disaster recovery test

B.

Percentage of issues arising from the disaster recovery test resolved on time

C.

Percentage of IT systems included in the disaster recovery test scope

D.

Percentage of IT systems meeting the recovery time objective (RTO) during the disaster recovery test

Full Access
Question # 96

Calculation of the recovery time objective (RTO) is necessary to determine the:

A.

time required to restore files.

B.

point of synchronization

C.

priority of restoration.

D.

annual loss expectancy (ALE).

Full Access
Question # 97

During testing, a risk practitioner finds the IT department's recovery time objective (RTO) for a key system does not align with the enterprise's business continuity plan (BCP). Which of the following should be done NEXT?

A.

Report the gap to senior management

B.

Consult with the IT department to update the RTO

C.

Complete a risk exception form.

D.

Consult with the business owner to update the BCP

Full Access
Question # 98

Which of the following would be the BEST recommendation if the level of risk in the IT risk profile has decreased and is now below management's risk appetite?

A.

Optimize the control environment.

B.

Realign risk appetite to the current risk level.

C.

Decrease the number of related risk scenarios.

D.

Reduce the risk management budget.

Full Access
Question # 99

Whether the results of risk analyses should be presented in quantitative or qualitative terms should be based PRIMARILY on the:

A.

requirements of management.

B.

specific risk analysis framework being used.

C.

organizational risk tolerance

D.

results of the risk assessment.

Full Access
Question # 100

An organization wants to assess the maturity of its internal control environment. The FIRST step should be to:

A.

validate control process execution.

B.

determine if controls are effective.

C.

identify key process owners.

D.

conduct a baseline assessment.

Full Access
Question # 101

The number of tickets to rework application code has significantly exceeded the established threshold. Which of the following would be the risk practitioner s BEST recommendation?

A.

Perform a root cause analysis

B.

Perform a code review

C.

Implement version control software.

D.

Implement training on coding best practices

Full Access
Question # 102

Risk management strategies are PRIMARILY adopted to:

A.

take necessary precautions for claims and losses.

B.

achieve acceptable residual risk levels.

C.

avoid risk for business and IT assets.

D.

achieve compliance with legal requirements.

Full Access
Question # 103

To implement the MOST effective monitoring of key risk indicators (KRIs), which of the following needs to be in place?

A.

Threshold definition

B.

Escalation procedures

C.

Automated data feed

D.

Controls monitoring

Full Access
Question # 104

A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?

A.

The team that performed the risk assessment

B.

An assigned risk manager to provide oversight

C.

Action plans to address risk scenarios requiring treatment

D.

The methodology used to perform the risk assessment

Full Access
Question # 105

Which of the following should be the PRIMARY consideration when assessing the automation of control monitoring?

A.

impact due to failure of control

B.

Frequency of failure of control

C.

Contingency plan for residual risk

D.

Cost-benefit analysis of automation

Full Access
Question # 106

Which of the following should be the PRIMARY consideration when implementing controls for monitoring user activity logs?

A.

Ensuring availability of resources for log analysis

B.

Implementing log analysis tools to automate controls

C.

Ensuring the control is proportional to the risk

D.

Building correlations between logs collected from different sources

Full Access
Question # 107

Which of the following risk register updates is MOST important for senior management to review?

A.

Extending the date of a future action plan by two months

B.

Retiring a risk scenario no longer used

C.

Avoiding a risk that was previously accepted

D.

Changing a risk owner

Full Access
Question # 108

A global organization is considering the acquisition of a competitor. Senior management has requested a review of the overall risk profile from the targeted organization. Which of the following components of this review would provide the MOST useful information?

A.

Risk appetite statement

B.

Enterprise risk management framework

C.

Risk management policies

D.

Risk register

Full Access
Question # 109

IT risk assessments can BEST be used by management:

A.

for compliance with laws and regulations

B.

as a basis for cost-benefit analysis.

C.

as input foe decision-making

D.

to measure organizational success.

Full Access
Question # 110

Which of the following would MOST effectively enable a business operations manager to identify events exceeding risk thresholds?

A.

Continuous monitoring

B.

A control self-assessment

C.

Transaction logging

D.

Benchmarking against peers

Full Access
Question # 111

Periodically reviewing and updating a risk register with details on identified risk factors PRIMARILY helps to:

A.

minimize the number of risk scenarios for risk assessment.

B.

aggregate risk scenarios identified across different business units.

C.

build a threat profile of the organization for management review.

D.

provide a current reference to stakeholders for risk-based decisions.

Full Access
Question # 112

An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?

A.

Invoke the disaster recovery plan during an incident.

B.

Prepare a cost-benefit analysis of alternatives available

C.

Implement redundant infrastructure for the application.

D.

Reduce the recovery time by strengthening the response team.

Full Access
Question # 113

Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited. Which of the following would be the BEST response to this scenario?

A.

Assess the vulnerability management process.

B.

Conduct a control serf-assessment.

C.

Conduct a vulnerability assessment.

D.

Reassess the inherent risk of the target.

Full Access
Question # 114

Which of the following should be the risk practitioner s PRIMARY focus when determining whether controls are adequate to mitigate risk?

A.

Sensitivity analysis

B.

Level of residual risk

C.

Cost-benefit analysis

D.

Risk appetite

Full Access
Question # 115

An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:

A.

reduce the risk to an acceptable level.

B.

communicate the consequences for violations.

C.

implement industry best practices.

D.

reduce the organization's risk appetite

Full Access
Question # 116

An unauthorized individual has socially engineered entry into an organization's secured physical premises. Which of the following is the BEST way to prevent future occurrences?

A.

Employ security guards.

B.

Conduct security awareness training.

C.

Install security cameras.

D.

Require security access badges.

Full Access
Question # 117

A trusted third party service provider has determined that the risk of a client's systems being hacked is low. Which of the following would be the client's BEST course of action?

A.

Perform their own risk assessment

B.

Implement additional controls to address the risk.

C.

Accept the risk based on the third party's risk assessment

D.

Perform an independent audit of the third party.

Full Access
Question # 118

The BEST way to justify the risk mitigation actions recommended in a risk assessment would be to:

A.

align with audit results.

B.

benchmark with competitor s actions.

C.

reference best practice.

D.

focus on the business drivers

Full Access
Question # 119

Which of the following techniques would be used during a risk assessment to demonstrate to stakeholders that all known alternatives were evaluated?

A.

Control chart

B.

Sensitivity analysis

C.

Trend analysis

D.

Decision tree

Full Access
Question # 120

A risk practitioner observes that hardware failure incidents have been increasing over the last few months. However, due to built-in redundancy and fault-tolerant architecture, there have been no interruptions to business operations. The risk practitioner should conclude that:

A.

a root cause analysis is required

B.

controls are effective for ensuring continuity

C.

hardware needs to be upgraded

D.

no action is required as there was no impact

Full Access
Question # 121

Which of the following helps ensure compliance with a nonrepudiation policy requirement for electronic transactions?

A.

Digital signatures

B.

Encrypted passwords

C.

One-time passwords

D.

Digital certificates

Full Access
Question # 122

Which of the following is the MAIN reason for documenting the performance of controls?

A.

Obtaining management sign-off

B.

Demonstrating effective risk mitigation

C.

Justifying return on investment

D.

Providing accurate risk reporting

Full Access
Question # 123

Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation?

A.

Completeness of system documentation

B.

Results of end user acceptance testing

C.

Variances between planned and actual cost

D.

availability of in-house resources

Full Access
Question # 124

A key risk indicator (KRI) is reported to senior management on a periodic basis as exceeding thresholds, but each time senior management has decided to take no action to reduce the risk. Which of the following is the MOST likely reason for senior management's response?

A.

The underlying data source for the KRI is using inaccurate data and needs to be corrected.

B.

The KRI is not providing useful information and should be removed from the KRI inventory.

C.

The KRI threshold needs to be revised to better align with the organization s risk appetite

D.

Senior management does not understand the KRI and should undergo risk training.

Full Access
Question # 125

Who is the MOST appropriate owner for newly identified IT risk?

A.

The manager responsible for IT operations that will support the risk mitigation efforts

B.

The individual with authority to commit organizational resources to mitigate the risk

C.

A project manager capable of prioritizing the risk remediation efforts

D.

The individual with the most IT risk-related subject matter knowledge

Full Access
Question # 126

An organization has outsourced its IT security operations to a third party. Who is ULTIMATELY accountable for the risk associated with the outsourced operations?

A.

The third party s management

B.

The organization's management

C.

The control operators at the third party

D.

The organization's vendor management office

Full Access
Question # 127

Which of the following will BEST quantify the risk associated with malicious users in an organization?

A.

Business impact analysis

B.

Risk analysis

C.

Threat risk assessment

D.

Vulnerability assessment

Full Access
Question # 128

Which of the following is the BEST method for assessing control effectiveness?

A.

Ad hoc control reporting

B.

Control self-assessment

C.

Continuous monitoring

D.

Predictive analytics

Full Access
Question # 129

Which of the following is MOST important to understand when determining an appropriate risk assessment approach?

A.

Complexity of the IT infrastructure

B.

Value of information assets

C.

Management culture

D.

Threats and vulnerabilities

Full Access
Question # 130

A contract associated with a cloud service provider MUST include:

A.

ownership of responsibilities.

B.

a business recovery plan.

C.

provision for source code escrow.

D.

the providers financial statements.

Full Access
Question # 131

Which of the following is the PRIMARY reason for a risk practitioner to use global standards related to risk management?

A.

To build an organizational risk-aware culture

B.

To continuously improve risk management processes

C.

To comply with legal and regulatory requirements

D.

To identify gaps in risk management practices

Full Access
Question # 132

Which of the following is the BEST way to validate the results of a vulnerability assessment?

A.

Perform a penetration test.

B.

Review security logs.

C.

Conduct a threat analysis.

D.

Perform a root cause analysis.

Full Access
Question # 133

Which of the following is the PRIMARY reason to perform ongoing risk assessments?

A.

Emerging risk must be continuously reported to management.

B.

New system vulnerabilities emerge at frequent intervals.

C.

The risk environment is subject to change.

D.

The information security budget must be justified.

Full Access
Question # 134

Which of the following should be the PRIMARY objective of promoting a risk-aware culture within an organization?

A.

Better understanding of the risk appetite

B.

Improving audit results

C.

Enabling risk-based decision making

D.

Increasing process control efficiencies

Full Access
Question # 135

Which of the following is MOST effective against external threats to an organizations confidential information?

A.

Single sign-on

B.

Data integrity checking

C.

Strong authentication

D.

Intrusion detection system

Full Access
Question # 136

A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:

A.

identification.

B.

treatment.

C.

communication.

D.

assessment

Full Access
Question # 137

A risk practitioner has identified that the organization's secondary data center does not provide redundancy for a critical application. Who should have the authority to accept the associated risk?

A.

Business continuity director

B.

Disaster recovery manager

C.

Business application owner

D.

Data center manager

Full Access
Question # 138

Reviewing results from which of the following is the BEST way to identify information systems control deficiencies?

A.

Vulnerability and threat analysis

B.

Control remediation planning

C.

User acceptance testing (UAT)

D.

Control self-assessment (CSA)

Full Access
Question # 139

An organization has allowed its cyber risk insurance to lapse while seeking a new insurance provider. The risk practitioner should report to management that the risk has been:

A.

transferred

B.

mitigated.

C.

accepted

D.

avoided

Full Access
Question # 140

In an organization with a mature risk management program, which of the following would provide the BEST evidence that the IT risk profile is up to date?

A.

Risk questionnaire

B.

Risk register

C.

Management assertion

D.

Compliance manual

Full Access
Question # 141

Which of the following is the PRIMARY factor in determining a recovery time objective (RTO)?

A.

Cost of offsite backup premises

B.

Cost of downtime due to a disaster

C.

Cost of testing the business continuity plan

D.

Response time of the emergency action plan

Full Access
Question # 142

A risk practitioner is organizing risk awareness training for senior management. Which of the following is the MOST important topic to cover in the training session?

A.

The organization's strategic risk management projects

B.

Senior management roles and responsibilities

C.

The organizations risk appetite and tolerance

D.

Senior management allocation of risk management resources

Full Access
Question # 143

Which of the following is the BEST indication of an effective risk management program?

A.

Risk action plans are approved by senior management.

B.

Residual risk is within the organizational risk appetite

C.

Mitigating controls are designed and implemented.

D.

Risk is recorded and tracked in the risk register

Full Access
Question # 144

A data processing center operates in a jurisdiction where new regulations have significantly increased penalties for data breaches. Which of the following elements of the risk register is MOST important to update to reflect this change?

A.

Risk impact

B.

Risk trend

C.

Risk appetite

D.

Risk likelihood

Full Access
Question # 145

Which of the following aspects of an IT risk and control self-assessment would be MOST important to include in a report to senior management?

A.

Changes in control design

B.

A decrease in the number of key controls

C.

Changes in control ownership

D.

An increase in residual risk

Full Access
Question # 146

Which of the following is the MOST important key performance indicator (KPI) to establish in the service level agreement (SLA) for an outsourced data center?

A.

Percentage of systems included in recovery processes

B.

Number of key systems hosted

C.

Average response time to resolve system incidents

D.

Percentage of system availability

Full Access
Question # 147

Which of the following indicates an organization follows IT risk management best practice?

A.

The risk register template uses an industry standard.

B.

The risk register is regularly updated.

C.

All fields in the risk register have been completed.

D.

Controls are listed against risk entries in the register.

Full Access
Question # 148

The MOST important reason to aggregate results from multiple risk assessments on interdependent information systems is to:

A.

establish overall impact to the organization

B.

efficiently manage the scope of the assignment

C.

identify critical information systems

D.

facilitate communication to senior management

Full Access
Question # 149

A risk owner has accepted a high-impact risk because the control was adversely affecting process efficiency. Before updating the risk register, it is MOST important for the risk practitioner to:

A.

ensure suitable insurance coverage is purchased.

B.

negotiate with the risk owner on control efficiency.

C.

reassess the risk to confirm the impact.

D.

obtain approval from senior management.

Full Access
Question # 150

Which of the following is MOST important to understand when developing key risk indicators (KRIs)?

A.

KRI thresholds

B.

Integrity of the source data

C.

Control environment

D.

Stakeholder requirements

Full Access
Question # 151

Which of the following is MOST critical to the design of relevant risk scenarios?

A.

The scenarios are based on past incidents.

B.

The scenarios are linked to probable organizational situations.

C.

The scenarios are mapped to incident management capabilities.

D.

The scenarios are aligned with risk management capabilities.

Full Access
Question # 152

Which of the following will BEST help an organization evaluate the control environment of several third-party vendors?

A.

Review vendors' internal risk assessments covering key risk and controls.

B.

Obtain independent control reports from high-risk vendors.

C.

Review vendors performance metrics on quality and delivery of processes.

D.

Obtain vendor references from third parties.

Full Access
Question # 153

Read" rights to application files in a controlled server environment should be approved by the:

A.

business process owner.

B.

database administrator.

C.

chief information officer.

D.

systems administrator.

Full Access