Happy Halloween Limited Time 50% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 5550b640

CRISC Exam Dumps - Certified in Risk and Information Systems Control (CRISC)

Question # 4

An organization has allowed its cyber risk insurance to lapse while seeking a new insurance provider. The risk practitioner should report to management that the risk has been:

A.

transferred

B.

mitigated.

C.

accepted

D.

avoided

Full Access
Question # 5

A risk practitioners PRIMARY focus when validating a risk response action plan should be that risk response:

A.

reduces risk to an acceptable level

B.

quantifies risk impact

C.

aligns with business strategy

D.

advances business objectives.

Full Access
Question # 6

An organization has determined a risk scenario is outside the defined risk tolerance level. What should be the NEXT course of action?

A.

Develop a compensating control.

B.

Allocate remediation resources.

C.

Perform a cost-benefit analysis.

D.

Identify risk responses

Full Access
Question # 7

A risk practitioner is organizing risk awareness training for senior management. Which of the following is the MOST important topic to cover in the training session?

A.

The organization's strategic risk management projects

B.

Senior management roles and responsibilities

C.

The organizations risk appetite and tolerance

D.

Senior management allocation of risk management resources

Full Access
Question # 8

Which of the following should be the risk practitioner s PRIMARY focus when determining whether controls are adequate to mitigate risk?

A.

Sensitivity analysis

B.

Level of residual risk

C.

Cost-benefit analysis

D.

Risk appetite

Full Access
Question # 9

Which of the following is the BEST metric to demonstrate the effectiveness of an organization's change management process?

A.

Increase in the frequency of changes

B.

Percent of unauthorized changes

C.

Increase in the number of emergency changes

D.

Average time to complete changes

Full Access
Question # 10

A risk practitioner is assisting with the preparation of a report on the organization s disaster recovery (DR) capabilities. Which information would have the MOST impact on the overall recovery profile?

A.

The percentage of systems meeting recovery target times has increased.

B.

The number of systems tested in the last year has increased.

C.

The number of systems requiring a recovery plan has increased.

D.

The percentage of systems with long recovery target times has decreased.

Full Access
Question # 11

Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?

A.

Maintain and review the classified data inventor.

B.

Implement mandatory encryption on data

C.

Conduct an awareness program for data owners and users.

D.

Define and implement a data classification policy

Full Access
Question # 12

During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall. Which of the following controls has MOST likely been compromised?

A.

Data validation

B.

Identification

C.

Authentication

D.

Data integrity

Full Access
Question # 13

Which of the following would be MOST useful when measuring the progress of a risk response action plan?

A.

Percentage of mitigated risk scenarios

B.

Annual loss expectancy (ALE) changes

C.

Resource expenditure against budget

D.

An up-to-date risk register

Full Access
Question # 14

The PRIMARY advantage of implementing an IT risk management framework is the:

A.

establishment of a reliable basis for risk-aware decision making.

B.

compliance with relevant legal and regulatory requirements.

C.

improvement of controls within the organization and minimized losses.

D.

alignment of business goals with IT objectives.

Full Access
Question # 15

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery plan (DRP)?

A.

Number of users that participated in the DRP testing

B.

Number of issues identified during DRP testing

C.

Percentage of applications that met the RTO during DRP testing

D.

Percentage of issues resolved as a result of DRP testing

Full Access
Question # 16

The PRIMARY benefit of maintaining an up-to-date risk register is that it helps to:

A.

implement uniform controls for common risk scenarios.

B.

ensure business unit risk is uniformly distributed.

C.

build a risk profile for management review.

D.

quantify the organization's risk appetite.

Full Access
Question # 17

Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data?

A.

Testing the transmission of credit card numbers

B.

Reviewing logs for unauthorized data transfers

C.

Configuring the DLP control to block credit card numbers

D.

Testing the DLP rule change control process

Full Access
Question # 18

Whether the results of risk analyses should be presented in quantitative or qualitative terms should be based PRIMARILY on the:

A.

requirements of management.

B.

specific risk analysis framework being used.

C.

organizational risk tolerance

D.

results of the risk assessment.

Full Access
Question # 19

Who should be accountable for ensuring effective cybersecurity controls are established?

A.

Risk owner

B.

Security management function

C.

IT management

D.

Enterprise risk function

Full Access
Question # 20

A risk practitioner has observed that there is an increasing trend of users sending sensitive information by email without using encryption. Which of the following would be the MOST effective approach to mitigate the risk associated with data loss?

A.

Implement a tool to create and distribute violation reports

B.

Raise awareness of encryption requirements for sensitive data.

C.

Block unencrypted outgoing emails which contain sensitive data.

D.

Implement a progressive disciplinary process for email violations.

Full Access
Question # 21

During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:

A.

compensating controls are in place.

B.

a control mitigation plan is in place.

C.

risk management is effective.

D.

residual risk is accepted.

Full Access
Question # 22

Periodically reviewing and updating a risk register with details on identified risk factors PRIMARILY helps to:

A.

minimize the number of risk scenarios for risk assessment.

B.

aggregate risk scenarios identified across different business units.

C.

build a threat profile of the organization for management review.

D.

provide a current reference to stakeholders for risk-based decisions.

Full Access
Question # 23

Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?

A.

Align business objectives to the risk profile.

B.

Assess risk against business objectives

C.

Implement an organization-specific risk taxonomy.

D.

Explain risk details to management.

Full Access
Question # 24

A risk practitioner observes that hardware failure incidents have been increasing over the last few months. However, due to built-in redundancy and fault-tolerant architecture, there have been no interruptions to business operations. The risk practitioner should conclude that:

A.

a root cause analysis is required

B.

controls are effective for ensuring continuity

C.

hardware needs to be upgraded

D.

no action is required as there was no impact

Full Access
Question # 25

Which of the following elements of a risk register is MOST likely to change as a result of change in management's risk appetite?

A.

Key risk indicator (KRI) thresholds

B.

Inherent risk

C.

Risk likelihood and impact

D.

Risk velocity

Full Access
Question # 26

A risk practitioner discovers several key documents detailing the design of a product currently in development have been posted on the Internet. What should be the risk practitioner's FIRST course of action?

A.

invoke the established incident response plan.

B.

Inform internal audit.

C.

Perform a root cause analysis

D.

Conduct an immediate risk assessment

Full Access
Question # 27

Which of the following is MOST effective against external threats to an organizations confidential information?

A.

Single sign-on

B.

Data integrity checking

C.

Strong authentication

D.

Intrusion detection system

Full Access
Question # 28

Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?

A.

Perform an m-depth code review with an expert

B.

Validate functionality by running in a test environment

C.

Implement a service level agreement.

D.

Utilize the change management process.

Full Access
Question # 29

Which of the following roles would provide the MOST important input when identifying IT risk scenarios?

A.

Information security managers

B.

Internal auditors

C.

Business process owners

D.

Operational risk managers

Full Access
Question # 30

Which of the following controls will BEST detect unauthorized modification of data by a database administrator?

A.

Reviewing database access rights

B.

Reviewing database activity logs

C.

Comparing data to input records

D.

Reviewing changes to edit checks

Full Access
Question # 31

IT risk assessments can BEST be used by management:

A.

for compliance with laws and regulations

B.

as a basis for cost-benefit analysis.

C.

as input foe decision-making

D.

to measure organizational success.

Full Access
Question # 32

It is MOST appropriate for changes to be promoted to production after they are;

A.

communicated to business management

B.

tested by business owners.

C.

approved by the business owner.

D.

initiated by business users.

Full Access
Question # 33

Which of the following helps ensure compliance with a nonrepudiation policy requirement for electronic transactions?

A.

Digital signatures

B.

Encrypted passwords

C.

One-time passwords

D.

Digital certificates

Full Access
Question # 34

Which of the following activities would BEST contribute to promoting an organization-wide risk-aware culture?

A.

Performing a benchmark analysis and evaluating gaps

B.

Conducting risk assessments and implementing controls

C.

Communicating components of risk and their acceptable levels

D.

Participating in peer reviews and implementing best practices

Full Access
Question # 35

Which of the following is the MOST cost-effective way to test a business continuity plan?

A.

Conduct interviews with key stakeholders.

B.

Conduct a tabletop exercise.

C.

Conduct a disaster recovery exercise.

D.

Conduct a full functional exercise.

Full Access
Question # 36

In addition to the risk register, what should a risk practitioner review to develop an understanding of the organization's risk profile?

A.

The control catalog

B.

The asset profile

C.

Business objectives

D.

Key risk indicators (KRls)

Full Access
Question # 37

Management has noticed storage costs have increased exponentially over the last 10 years because most users do not delete their emails. Which of the following can BEST alleviate this issue while not sacrificing security?

A.

Implementing record retention tools and techniques

B.

Establishing e-discovery and data loss prevention (DLP)

C.

Sending notifications when near storage quota

D.

Implementing a bring your own device 1BVOD) policy

Full Access
Question # 38

An effective control environment is BEST indicated by controls that:

A.

minimize senior management's risk tolerance.

B.

manage risk within the organization's risk appetite.

C.

reduce the thresholds of key risk indicators (KRIs).

D.

are cost-effective to implement

Full Access
Question # 39

Risk management strategies are PRIMARILY adopted to:

A.

take necessary precautions for claims and losses.

B.

achieve acceptable residual risk levels.

C.

avoid risk for business and IT assets.

D.

achieve compliance with legal requirements.

Full Access
Question # 40

From a business perspective, which of the following is the MOST important objective of a disaster recovery test?

A.

The organization gains assurance it can recover from a disaster

B.

Errors are discovered in the disaster recovery process.

C.

All business critical systems are successfully tested.

D.

All critical data is recovered within recovery time objectives (RTOs).

Full Access
Question # 41

When determining which control deficiencies are most significant, which of the following would provide the MOST useful information?

A.

Risk analysis results

B.

Exception handling policy

C.

Vulnerability assessment results

D.

Benchmarking assessments

Full Access
Question # 42

A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security. Which of the following observations would be MOST relevant to escalate to senior management?

A.

An increase in attempted distributed denial of service (DDoS) attacks

B.

An increase in attempted website phishing attacks

C.

A decrease in achievement of service level agreements (SLAs)

D.

A decrease in remediated web security vulnerabilities

Full Access
Question # 43

Which of the following is the GREATEST benefit of incorporating IT risk scenarios into the corporate risk register?

A.

Corporate incident escalation protocols are established.

B.

Exposure is integrated into the organization's risk profile.

C.

Risk appetite cascades to business unit management

D.

The organization-wide control budget is expanded.

Full Access
Question # 44

Which of the following is the MOST important key performance indicator (KPI) to establish in the service level agreement (SLA) for an outsourced data center?

A.

Percentage of systems included in recovery processes

B.

Number of key systems hosted

C.

Average response time to resolve system incidents

D.

Percentage of system availability

Full Access
Question # 45

A risk assessment has identified that departments have installed their own WiFi access points on the enterprise network. Which of the following would be MOST important to include in a report to senior management?

A.

The network security policy

B.

Potential business impact

C.

The WiFi access point configuration

D.

Planned remediation actions

Full Access
Question # 46

The BEST way to justify the risk mitigation actions recommended in a risk assessment would be to:

A.

align with audit results.

B.

benchmark with competitor s actions.

C.

reference best practice.

D.

focus on the business drivers

Full Access
Question # 47

Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?

A.

Risk tolerance is decreased.

B.

Residual risk is increased.

C.

Inherent risk is increased.

D.

Risk appetite is decreased

Full Access
Question # 48

A risk practitioner is reviewing a vendor contract and finds there is no clause to control privileged access to the organization's systems by vendor employees. Which of the following is the risk practitioner's BEST course of action?

A.

Contact the control owner to determine if a gap in controls exists.

B.

Add this concern to the risk register and highlight it for management review.

C.

Report this concern to the contracts department for further action.

D.

Document this concern as a threat and conduct an impact analysis.

Full Access
Question # 49

A control owner responsible for the access management process has developed a machine learning model to automatically identify excessive access privileges. What is the risk practitioner's BEST course of action?

A.

Review the design of the machine learning model against control objectives.

B.

Adopt the machine learning model as a replacement for current manual access reviews.

C.

Ensure the model assists in meeting regulatory requirements for access controls.

D.

Discourage the use of emerging technologies in key processes.

Full Access
Question # 50

Which of the following BEST enables the risk profile to serve as an effective resource to support business objectives?

A.

Engaging external risk professionals to periodically review the risk

B.

Prioritizing global standards over local requirements in the risk profile

C.

Updating the risk profile with risk assessment results

D.

Assigning quantitative values to qualitative metrics in the risk register

Full Access
Question # 51

What should a risk practitioner do FIRST when vulnerability assessment results identify a weakness in an application?

A.

Review regular control testing results.

B.

Recommend a penetration test.

C.

Assess the risk to determine mitigation needed.

D.

Analyze key performance indicators (KPIs).

Full Access
Question # 52

An organization is increasingly concerned about loss of sensitive data and asks the risk practitioner to assess the current risk level. Which of the following should the risk practitioner do FIRST?

A.

Identify staff members who have access to the organization's sensitive data.

B.

Identify locations where the organization's sensitive data is stored.

C.

Identify risk scenarios and owners associated with possible data loss vectors.

D.

Identify existing data loss controls and their levels of effectiveness.

Full Access
Question # 53

A recent internal risk review reveals the majority of core IT application recovery time objectives (RTOs) have exceeded the maximum time defined by the business application owners. Which of the following is MOST likely to change as a result?

A.

Risk forecasting

B.

Risk tolerance

C.

Risk likelihood

D.

Risk appetite

Full Access
Question # 54

Quantifying the value of a single asset helps the organization to understand the:

A.

overall effectiveness of risk management

B.

consequences of risk materializing

C.

necessity of developing a risk strategy,

D.

organization s risk threshold.

Full Access
Question # 55

Which of The following is the PRIMARY consideration when establishing an organization's risk management methodology?

A.

Business context

B.

Risk tolerance level

C.

Resource requirements

D.

Benchmarking information

Full Access
Question # 56

Which of the following should be the PRIMARY focus of an independent review of a risk management process?

A.

Accuracy of risk tolerance levels

B.

Consistency of risk process results

C.

Participation of stakeholders

D.

Maturity of the process

Full Access
Question # 57

A risk practitioner is reporting on an increasing trend of ransomware attacks in the industry. Which of the following information is MOST important to include to enable an informed response decision by key stakeholders?

A.

Methods of attack progression

B.

Losses incurred by industry peers

C.

Most recent antivirus scan reports

D.

Potential impact of events

Full Access
Question # 58

Which of the following provides The MOST useful information when determining a risk management program's maturity level?

A.

Risk assessment results

B.

A recently reviewed risk register

C.

Key performance indicators (KPIs)

D.

The organization's risk framework

Full Access
Question # 59

Which of the following provides the MOST helpful reference point when communicating the results of a risk assessment to stakeholders?

A.

Risk tolerance

B.

Risk appetite

C.

Risk awareness

D.

Risk policy

Full Access
Question # 60

Which of the following is MOST important to sustainable development of secure IT services?

A.

Security training for systems development staff

B.

\Well-documented business cases

C.

Security architecture principles

D.

Secure coding practices

Full Access
Question # 61

To minimize risk in a software development project, when is the BEST time to conduct a risk analysis?

A.

During the business requirement definitions phase

B.

Before periodic steering committee meetings

C.

At each stage of the development life cycle

D.

During the business case development

Full Access
Question # 62

Which of the following should an organization perform to forecast the effects of a disaster?

A.

Develop a business impact analysis (BIA).

B.

Define recovery time objectives (RTO).

C.

Analyze capability maturity model gaps.

D.

Simulate a disaster recovery.

Full Access
Question # 63

Which of the following will be MOST effective to mitigate the risk associated with the loss of company data stored on personal devices?

A.

An acceptable use policy for personal devices

B.

Required user log-on before synchronizing data

C.

Enforced authentication and data encryption

D.

Security awareness training and testing

Full Access
Question # 64

Which of the following should be included in a risk assessment report to BEST facilitate senior management's understanding of the results?

A.

Benchmarking parameters likely to affect the results

B.

Tools and techniques used by risk owners to perform the assessments

C.

A risk heat map with a summary of risk identified and assessed

D.

The possible impact of internal and external risk factors on the assessment results

Full Access
Question # 65

The BEST way to test the operational effectiveness of a data backup procedure is to:

A.

conduct an audit of files stored offsite.

B.

interview employees to compare actual with expected procedures.

C.

inspect a selection of audit trails and backup logs.

D.

demonstrate a successful recovery from backup files.

Full Access
Question # 66

Which of the following is the BEST method for identifying vulnerabilities?

A.

Batch job failure monitoring

B.

Periodic network scanning

C.

Annual penetration testing

D.

Risk assessments

Full Access
Question # 67

Which of the following should be a risk practitioner’s MOST important consideration when developing IT risk scenarios?

A.

The impact of controls on the efficiency of the business in delivering services

B.

Linkage of identified risk scenarios with enterprise risk management

C.

Potential threats and vulnerabilities that may have an impact on the business

D.

Results of network vulnerability scanning and penetration testing

Full Access
Question # 68

Which of the following is the BEST key performance indicator (KPI) for determining how well an IT policy is aligned to business requirements?

A.

Total cost to support the policy

B.

Number of exceptions to the policy

C.

Total cost of policy breaches

D.

Number of inquiries regarding the policy

Full Access
Question # 69

An organization is making significant changes to an application. At what point should the application risk profile be updated?

A.

After user acceptance testing (UAT)

B.

Upon release to production

C.

During backlog scheduling

D.

When reviewing functional requirements

Full Access
Question # 70

The MOST significant benefit of using a consistent risk ranking methodology across an organization is that it enables:

A.

allocation of available resources

B.

clear understanding of risk levels

C.

assignment of risk to the appropriate owners

D.

risk to be expressed in quantifiable terms

Full Access
Question # 71

Before implementing instant messaging within an organization using a public solution, which of the following should be in place to mitigate data leakage risk?

A.

A data extraction tool

B.

An access control list

C.

An intrusion detection system (IDS)

D.

An acceptable usage policy

Full Access
Question # 72

Which of the following provides The BEST information when determining whether to accept residual risk of a critical system to be implemented?

A.

Single loss expectancy (SLE)

B.

Cost of the information system

C.

Availability of additional compensating controls

D.

Potential business impacts are within acceptable levels

Full Access
Question # 73

An organization has decided to outsource a web application, and customer data will be stored in the vendor's public cloud. To protect customer data, it is MOST important to ensure which of the following?

A.

The organization's incident response procedures have been updated.

B.

The vendor stores the data in the same jurisdiction.

C.

Administrative access is only held by the vendor.

D.

The vendor's responsibilities are defined in the contract.

Full Access
Question # 74

Which of the following is MOST important for an organization that wants to reduce IT operational risk?

A.

Increasing senior management's understanding of IT operations

B.

Increasing the frequency of data backups

C.

Minimizing complexity of IT infrastructure

D.

Decentralizing IT infrastructure

Full Access
Question # 75

Who should be responsible for implementing and maintaining security controls?

A.

End user

B.

Internal auditor

C.

Data owner

D.

Data custodian

Full Access
Question # 76

A business manager wants to leverage an existing approved vendor solution from another area within the organization. Which of the following is the risk practitioner's BEST course of action?

A.

Recommend allowing the new usage based on prior approval.

B.

Request a new third-party review.

C.

Request revalidation of the original use case.

D.

Assess the risk associated with the new use case.

Full Access
Question # 77

A risk practitioner shares the results of a vulnerability assessment for a critical business application with the business manager. Which of the following is the NEXT step?

A.

Develop a risk action plan to address the findings.

B.

Evaluate the impact of the vulnerabilities to the business application.

C.

Escalate the findings to senior management and internal audit.

D.

Conduct a penetration test to validate the vulnerabilities from the findings.

Full Access
Question # 78

Which of the following is the MOST important input when developing risk scenarios?

A.

Key performance indicators

B.

Business objectives

C.

The organization's risk framework

D.

Risk appetite

Full Access
Question # 79

Who is responsible for IT security controls that are outsourced to an external service provider?

A.

Organization's information security manager

B.

Organization's risk function

C.

Service provider's IT management

D.

Service provider's information security manager

Full Access
Question # 80

An organization striving to be on the leading edge in regard to risk monitoring would MOST likely implement:

A.

procedures to monitor the operation of controls.

B.

a tool for monitoring critical activities and controls.

C.

real-time monitoring of risk events and control exceptions.

D.

monitoring activities for all critical assets.

E.

Perform a controls assessment.

Full Access
Question # 81

An organization is measuring the effectiveness of its change management program to reduce the number of unplanned production changes. Which of the following would be the BEST metric to determine if the program is performing as expected?

A.

Decrease in the time to move changes to production

B.

Ratio of emergency fixes to total changes

C.

Ratio of system changes to total changes

D.

Decrease in number of changes without a fallback plan

Full Access
Question # 82

During a risk assessment, the risk practitioner finds a new risk scenario without controls has been entered into the risk register. Which of the following is the MOST appropriate action?

A.

Include the new risk scenario in the current risk assessment.

B.

Postpone the risk assessment until controls are identified.

C.

Request the risk scenario be removed from the register.

D.

Exclude the new risk scenario from the current risk assessment

Full Access
Question # 83

Performing a background check on a new employee candidate before hiring is an example of what type of control?

A.

Detective

B.

Compensating

C.

Corrective

D.

Preventive

Full Access
Question # 84

Which of the following would be MOST relevant to stakeholders regarding ineffective control implementation?

A.

Threat to IT

B.

Number of control failures

C.

Impact on business

D.

Risk ownership

Full Access
Question # 85

Sensitive data has been lost after an employee inadvertently removed a file from the premises, in violation of organizational policy. Which of the following controls MOST likely failed?

A.

Background checks

B.

Awareness training

C.

User access

D.

Policy management

Full Access
Question # 86

The PRIMARY purpose of a maturity model is to compare the:

A.

current state of key processes to their desired state.

B.

actual KPIs with target KPIs.

C.

organization to industry best practices.

D.

organization to peers.

Full Access
Question # 87

Which of these documents is MOST important to request from a cloud service

provider during a vendor risk assessment?

A.

Nondisclosure agreement (NDA)

B.

Independent audit report

C.

Business impact analysis (BIA)

D.

Service level agreement (SLA)

Full Access
Question # 88

Which of the following is the MOST important reason to create risk scenarios?

A.

To assist with risk identification

B.

To determine risk tolerance

C.

To determine risk appetite

D.

To assist in the development of risk responses

Full Access
Question # 89

Which of the following will BEST help to ensure that information system controls are effective?

A.

Responding promptly to control exceptions

B.

Implementing compensating controls

C.

Testing controls periodically

D.

Automating manual controls

Full Access
Question # 90

Which of the following is the MAIN reason for analyzing risk scenarios?

A.

Identifying additional risk scenarios

B.

Updating the heat map

C.

Assessing loss expectancy

D.

Establishing a risk appetite

Full Access
Question # 91

After migrating a key financial system to a new provider, it was discovered that a developer could gain access to the production environment. Which of the following is the BEST way to mitigate the risk in this situation?

A.

Escalate the issue to the service provider.

B.

Re-certify the application access controls.

C.

Remove the developer's access.

D.

Review the results of pre-migration testing.

Full Access
Question # 92

Which of the following would be the BEST justification to invest in the development of a governance, risk, and compliance (GRC) solution?

A.

Facilitating risk-aware decision making by stakeholders

B.

Demonstrating management commitment to mitigate risk

C.

Closing audit findings on a timely basis

D.

Ensuring compliance to industry standards

Full Access
Question # 93

Which of the following is the BEST way to identify changes in the risk profile of an organization?

A.

Monitor key risk indicators (KRIs).

B.

Monitor key performance indicators (KPIs).

C.

Interview the risk owner.

D.

Conduct a gap analysis

Full Access
Question # 94

Risk aggregation in a complex organization will be MOST successful when:

A.

using the same scales in assessing risk

B.

utilizing industry benchmarks

C.

using reliable qualitative data for risk Hems

D.

including primarily low level risk factors

Full Access
Question # 95

Which of the following is the BEST control to detect an advanced persistent threat (APT)?

A.

Utilizing antivirus systems and firewalls

B.

Conducting regular penetration tests

C.

Monitoring social media activities

D.

Implementing automated log monitoring

Full Access
Question # 96

Which of the following is the BEST evidence that a user account has been properly authorized?

A.

An email from the user accepting the account

B.

Notification from human resources that the account is active

C.

User privileges matching the request form

D.

Formal approval of the account by the user's manager

Full Access
Question # 97

A risk practitioner has received an updated enterprise risk management (ERM) report showing that residual risk is now within the organization's defined appetite and tolerance levels. Which of the following is the risk practitioner's BEST course of action?

A.

Identify new risk entries to include in ERM.

B.

Remove the risk entries from the ERM register.

C.

Re-perform the risk assessment to confirm results.

D.

Verify the adequacy of risk monitoring plans.

Full Access
Question # 98

Which of the following should be an element of the risk appetite of an organization?

A.

The effectiveness of compensating controls

B.

The enterprise's capacity to absorb loss

C.

The residual risk affected by preventive controls

D.

The amount of inherent risk considered appropriate

Full Access
Question # 99

Which of the following would BEST mitigate the risk associated with reputational damage from inappropriate use of social media sites by employees?

A.

Validating employee social media accounts and passwords

B.

Monitoring Internet usage on employee workstations

C.

Disabling social media access from the organization's technology

D.

Implementing training and awareness programs

Full Access
Question # 100

Before assigning sensitivity levels to information it is MOST important to:

A.

define recovery time objectives (RTOs).

B.

define the information classification policy

C.

conduct a sensitivity analyse

D.

Identify information custodians

Full Access
Question # 101

Which of the following would be MOST helpful to an information security management team when allocating resources to mitigate exposures?

A.

Relevant risk case studies

B.

Internal audit findings

C.

Risk assessment results

D.

Penetration testing results

Full Access
Question # 102

Which of the following is the BEST source for identifying key control indicators (KCIs)?

A.

Privileged user activity monitoring controls

B.

Controls mapped to organizational risk scenarios

C.

Recent audit findings of control weaknesses

D.

A list of critical security processes

Full Access
Question # 103

What are the MOST essential attributes of an effective Key control indicator (KCI)?

A.

Flexibility and adaptability

B.

Measurability and consistency

C.

Robustness and resilience

D.

Optimal cost and benefit

Full Access
Question # 104

An employee lost a personal mobile device that may contain sensitive corporate information. What should be the risk practitioner's recommendation?

A.

Conduct a risk analysis.

B.

Initiate a remote data wipe.

C.

Invoke the incident response plan

D.

Disable the user account.

Full Access
Question # 105

Which of the following should be implemented to BEST mitigate the risk associated with infrastructure updates?

A.

Role-specific technical training

B.

Change management audit

C.

Change control process

D.

Risk assessment

Full Access
Question # 106

An organization uses a vendor to destroy hard drives. Which of the following would BEST reduce the risk of data leakage?

A.

Require the vendor to degauss the hard drives

B.

Implement an encryption policy for the hard drives.

C.

Require confirmation of destruction from the IT manager.

D.

Use an accredited vendor to dispose of the hard drives.

Full Access
Question # 107

Which of the following statements describes the relationship between key risk indicators (KRIs) and key control indicators (KCIs)?

A.

KRI design must precede definition of KCIs.

B.

KCIs and KRIs are independent indicators and do not impact each other.

C.

A decreasing trend of KRI readings will lead to changes to KCIs.

D.

Both KRIs and KCIs provide insight to potential changes in the level of risk.

Full Access
Question # 108

Who is BEST suited to provide objective input when updating residual risk to reflect the results of control effectiveness?

A.

Control owner

B.

Risk owner

C.

Internal auditor

D.

Compliance manager

Full Access
Question # 109

Which of the following BEST indicates that additional or improved controls ate needed m the environment?

A.

Management, has decreased organisational risk appetite

B.

The risk register and portfolio do not include all risk scenarios

C.

merging risk scenarios have been identified

D.

Risk events and losses exceed risk tolerance

Full Access
Question # 110

Which of the following approaches would BEST help to identify relevant risk scenarios?

A.

Engage line management in risk assessment workshops.

B.

Escalate the situation to risk leadership.

C.

Engage internal audit for risk assessment workshops.

D.

Review system and process documentation.

Full Access
Question # 111

Legal and regulatory risk associated with business conducted over the Internet is driven by:

A.

the jurisdiction in which an organization has its principal headquarters

B.

international law and a uniform set of regulations.

C.

the laws and regulations of each individual country

D.

international standard-setting bodies.

Full Access
Question # 112

When of the following provides the MOST tenable evidence that a business process control is effective?

A.

Demonstration that the control is operating as designed

B.

A successful walk-through of the associated risk assessment

C.

Management attestation that the control is operating effectively

D.

Automated data indicating that risk has been reduced

Full Access
Question # 113

Which of the following BEST indicates how well a web infrastructure protects critical information from an attacker?

A.

Failed login attempts

B.

Simulating a denial of service attack

C.

Absence of IT audit findings

D.

Penetration test

Full Access
Question # 114

When developing a risk awareness training program, which of the following training topics would BEST facilitate a thorough understanding of risk scenarios?

A.

Mapping threats to organizational objectives

B.

Reviewing past audits

C.

Analyzing key risk indicators (KRIs)

D.

Identifying potential sources of risk

Full Access
Question # 115

Which of the following is the MOST important consideration for protecting data assets m a Business application system?

A.

Application controls are aligned with data classification lutes

B.

Application users are periodically trained on proper data handling practices

C.

Encrypted communication is established between applications and data servers

D.

Offsite encrypted backups are automatically created by the application

Full Access
Question # 116

Recovery the objectives (RTOs) should be based on

A.

minimum tolerable downtime

B.

minimum tolerable loss of data.

C.

maximum tolerable downtime.

D.

maximum tolerable loss of data

Full Access
Question # 117

Which of the following is the MOST effective way to integrate risk and compliance management?

A.

Embedding risk management into compliance decision-making

B.

Designing corrective actions to improve risk response capabilities

C.

Embedding risk management into processes that are aligned with business drivers

D.

Conducting regular self-assessments to verify compliance

Full Access
Question # 118

Which of the following is MOST helpful in aligning IT risk with business objectives?

A.

Introducing an approved IT governance framework

B.

Integrating the results of top-down risk scenario analyses

C.

Performing a business impact analysis (BlA)

D.

Implementing a risk classification system

Full Access
Question # 119

Which of the following is the PRIMARY reason to have the risk management process reviewed by a third party?

A.

Obtain objective assessment of the control environment.

B.

Ensure the risk profile is defined and communicated.

C.

Validate the threat management process.

D.

Obtain an objective view of process gaps and systemic errors.

Full Access
Question # 120

An organization has initiated a project to launch an IT-based service to customers and take advantage of being the first to market. Which of the following should be of GREATEST concern to senior management?

A.

More time has been allotted for testing.

B.

The project is likely to deliver the product late.

C.

A new project manager is handling the project.

D.

The cost of the project will exceed the allotted budget.

Full Access
Question # 121

An organization operates in an environment where reduced time-to-market for new software products is a top business priority. Which of the following should be the risk practitioner's GREATEST concern?

A.

Sufficient resources are not assigned to IT development projects.

B.

Customer support help desk staff does not have adequate training.

C.

Email infrastructure does not have proper rollback plans.

D.

The corporate email system does not identify and store phishing emails.

Full Access
Question # 122

A deficient control has been identified which could result in great harm to an organization should a low frequency threat event occur. When communicating the associated risk to senior management the risk practitioner should explain:

A.

mitigation plans for threat events should be prepared in the current planning period.

B.

this risk scenario is equivalent to more frequent but lower impact risk scenarios.

C.

the current level of risk is within tolerance.

D.

an increase in threat events could cause a loss sooner than anticipated.

Full Access
Question # 123

Which of the following should be the MOST important consideration for senior management when developing a risk response strategy?

A.

Cost of controls

B.

Risk tolerance

C.

Risk appetite

D.

Probability definition

Full Access
Question # 124

Which of The following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system?

A.

Perform a post-implementation review.

B.

Conduct user acceptance testing.

C.

Review the key performance indicators (KPIs).

D.

Interview process owners.

Full Access
Question # 125

Which of the following would present the MOST significant risk to an organization when updating the incident response plan?

A.

Obsolete response documentation

B.

Increased stakeholder turnover

C.

Failure to audit third-party providers

D.

Undefined assignment of responsibility

Full Access
Question # 126

After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:

Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment?

A.

External audit

B.

Internal audit

C.

Vendor performance scorecard

D.

Regulatory examination

Full Access
Question # 127

Which of the following is the GREATEST benefit when enterprise risk management (ERM) provides oversight of IT risk management?

A.

Aligning IT with short-term and long-term goals of the organization

B.

Ensuring the IT budget and resources focus on risk management

C.

Ensuring senior management's primary focus is on the impact of identified risk

D.

Prioritizing internal departments that provide service to customers

Full Access
Question # 128

Which of the following is MOST important when developing risk scenarios?

A.

Reviewing business impact analysis (BIA)

B.

Collaborating with IT audit

C.

Conducting vulnerability assessments

D.

Obtaining input from key stakeholders

Full Access
Question # 129

Which of the following is the MOST effective control to ensure user access is maintained on a least-privilege basis?

A.

User authorization

B.

User recertification

C.

Change log review

D.

Access log monitoring

Full Access
Question # 130

Which of the following BEST enables an organization to determine whether external emerging risk factors will impact the organization's risk profile?

A.

Control identification and mitigation

B.

Adoption of a compliance-based approach

C.

Prevention and detection techniques

D.

Scenario analysis and stress testing

Full Access
Question # 131

Which of the following BEST facilitates the mitigation of identified gaps between current and desired risk environment states?

A.

Develop a risk treatment plan.

B.

Validate organizational risk appetite.

C.

Review results of prior risk assessments.

D.

Include the current and desired states in the risk register.

Full Access
Question # 132

Which of the following BEST indicates the efficiency of a process for granting access privileges?

A.

Average time to grant access privileges

B.

Number of changes in access granted to users

C.

Average number of access privilege exceptions

D.

Number and type of locked obsolete accounts

Full Access
Question # 133

Management has required information security awareness training to reduce the risk associated with credential compromise. What is the BEST way to assess the effectiveness of the training?

A.

Conduct social engineering testing.

B.

Audit security awareness training materials.

C.

Administer an end-of-training quiz.

D.

Perform a vulnerability assessment.

Full Access
Question # 134

Which of the following is the BEST way to determine the potential organizational impact of emerging privacy regulations?

A.

Evaluate the security architecture maturity.

B.

Map the new requirements to the existing control framework.

C.

Charter a privacy steering committee.

D.

Conduct a privacy impact assessment (PIA).

Full Access
Question # 135

A financial institution has identified high risk of fraud in several business applications. Which of the following controls will BEST help reduce the risk of fraudulent internal transactions?

A.

Periodic user privileges review

B.

Log monitoring

C.

Periodic internal audits

D.

Segregation of duties

Full Access
Question # 136

Which of the following provides the MOST up-to-date information about the effectiveness of an organization's overall IT control environment?

A.

Key performance indicators (KPIs)

B.

Risk heat maps

C.

Internal audit findings

D.

Periodic penetration testing

Full Access
Question # 137

Prudent business practice requires that risk appetite not exceed:

A.

inherent risk.

B.

risk tolerance.

C.

risk capacity.

D.

residual risk.

Full Access
Question # 138

Accountability for a particular risk is BEST represented in a:

A.

risk register

B.

risk catalog

C.

risk scenario

D.

RACI matrix

Full Access
Question # 139

When reviewing the business continuity plan (BCP) of an online sales order system, a risk practitioner notices that the recovery time objective (RTO) has a shorter lime than what is defined in the disaster recovery plan (DRP). Which of the following is the BEST way for the risk practitioner to address this concern?

A.

Adopt the RTO defined in the BCR

B.

Update the risk register to reflect the discrepancy.

C.

Adopt the RTO defined in the DRP.

D.

Communicate the discrepancy to the DR manager for follow-up.

Full Access
Question # 140

A risk practitioner has been asked to advise management on developing a log collection and correlation strategy. Which of the following should be the MOST important consideration when developing this strategy?

A.

Ensuring time synchronization of log sources.

B.

Ensuring the inclusion of external threat intelligence log sources.

C.

Ensuring the inclusion of all computing resources as log sources.

D.

Ensuring read-write access to all log sources

Full Access