• support@dumpspool.com

PDF Only

$35.00 Free Updates Upto 90 Days

  • CRISC Dumps PDF
  • 1197 Questions
  • Updated On April 15, 2024

PDF + Test Engine

$60.00 Free Updates Upto 90 Days

  • CRISC Question Answers
  • 1197 Questions
  • Updated On April 15, 2024

Test Engine

$50.00 Free Updates Upto 90 Days

  • CRISC Practice Questions
  • 1197 Questions
  • Updated On April 15, 2024
Check Our Free Isaca CRISC Online Test Engine Demo.

How to pass Isaca CRISC exam with the help of dumps?

DumpsPool provides you the finest quality resources you’ve been looking for to no avail. So, it's due time you stop stressing and get ready for the exam. Our Online Test Engine provides you with the guidance you need to pass the certification exam. We guarantee top-grade results because we know we’ve covered each topic in a precise and understandable manner. Our expert team prepared the latest Isaca CRISC Dumps to satisfy your need for training. Plus, they are in two different formats: Dumps PDF and Online Test Engine.

How Do I Know Isaca CRISC Dumps are Worth it?

Did we mention our latest CRISC Dumps PDF is also available as Online Test Engine? And that’s just the point where things start to take root. Of all the amazing features you are offered here at DumpsPool, the money-back guarantee has to be the best one. Now that you know you don’t have to worry about the payments. Let us explore all other reasons you would want to buy from us. Other than affordable Real Exam Dumps, you are offered three-month free updates.

You can easily scroll through our large catalog of certification exams. And, pick any exam to start your training. That’s right, DumpsPool isn’t limited to just Isaca Exams. We trust our customers need the support of an authentic and reliable resource. So, we made sure there is never any outdated content in our study resources. Our expert team makes sure everything is up to the mark by keeping an eye on every single update. Our main concern and focus are that you understand the real exam format. So, you can pass the exam in an easier way!

IT Students Are Using our Certified in Risk and Information Systems Control Dumps Worldwide!

It is a well-established fact that certification exams can’t be conquered without some help from experts. The point of using Certified in Risk and Information Systems Control Practice Question Answers is exactly that. You are constantly surrounded by IT experts who’ve been through you are about to and know better. The 24/7 customer service of DumpsPool ensures you are in touch with these experts whenever needed. Our 100% success rate and validity around the world, make us the most trusted resource candidates use. The updated Dumps PDF helps you pass the exam on the first attempt. And, with the money-back guarantee, you feel safe buying from us. You can claim your return on not passing the exam.

How to Get CRISC Real Exam Dumps?

Getting access to the real exam dumps is as easy as pressing a button, literally! There are various resources available online, but the majority of them sell scams or copied content. So, if you are going to attempt the CRISC exam, you need to be sure you are buying the right kind of Dumps. All the Dumps PDF available on DumpsPool are as unique and the latest as they can be. Plus, our Practice Question Answers are tested and approved by professionals. Making it the top authentic resource available on the internet. Our expert has made sure the Online Test Engine is free from outdated & fake content, repeated questions, and false plus indefinite information, etc. We make every penny count, and you leave our platform fully satisfied!

Isaca CRISC Sample Question Answers

Question # 1

Which of the following will BEST help to ensure key risk indicators (KRIs) provide value to  risk owners?

A. Ongoing training
B. Timely notification 
C. Return on investment (ROI)
D. Cost minimization

Question # 2

An organization is participating in an industry benchmarking study that involves providing customer transaction records for analysis Which of the following is the MOST importantcontrol to ensure the privacy of customer information?

A. Nondisclosure agreements (NDAs) 
B. Data anonymization 
C. Data cleansing 
D. Data encryption

Question # 3

Which of the following approaches to bring your own device (BYOD) service delivery provides the BEST protection from data loss?

A. Enable data wipe capabilities
B. Penetration testing and session timeouts
C. Implement remote monitoring
D. Enforce strong passwords and data encryption

Question # 4

An organization wants to launch a campaign to advertise a new product Using data analytics, the campaign can be targeted to reach potential customers. Which of the following should be of GREATEST concern to the risk practitioner?

A. Data minimization
B. Accountability 
C. Accuracy 
D. Purpose limitation

Question # 5

An organization has recently hired a large number of part-time employees. During the annual audit, it was discovered that many user IDs and passwords were documented inprocedure manuals for use by the part-time employees. Which of the following BEST describes this situation?

A. Threat 
B. Risk
C. Vulnerability
D. Policy violation

Question # 6

A recent vulnerability assessment of a web-facing application revealed several weaknesses. Which of the following should be done NEXT to determine the risk exposure?

A. Code review 
B. Penetration test
C. Gap assessment
D. Business impact analysis (BIA)

Question # 7

Which of the following is the MOST effective way to reduce potential losses due to ongoing expense fraud?

A. Implement user access controls
B. Perform regular internal audits 
C. Develop and communicate fraud prevention policies 
D. Conduct fraud prevention awareness training.

Question # 8

Which of the following is the GREATEST benefit of identifying appropriate risk owners?

A. Accountability is established for risk treatment decisions
B. Stakeholders are consulted about risk treatment options 
C. Risk owners are informed of risk treatment options 
D. Responsibility is established for risk treatment decisions.

Question # 9

Which of the following is MOST important for senior management to review during an acquisition?

A. Risk appetite and tolerance 
B. Risk framework and methodology
C. Key risk indicator (KRI) thresholds
D. Risk communication plan

Question # 10

Which of the following is the MOST important objective from a cost perspective for considering aggregated risk responses in an organization?

A. Prioritize risk response options
B. Reduce likelihood.
C. Address more than one risk response
D. Reduce impact

Question # 11

Which of the following is MOST important to update when an organization's risk appetite changes?

A. Key risk indicators (KRIs) 
B. Risk reporting methodology
C. Key performance indicators (KPIs) 
D. Risk taxonomy

Question # 12

Which of the following is the BEST indicator of executive management's support for IT risk mitigation efforts?

A. The number of stakeholders involved in IT risk identification workshops 
B. The percentage of corporate budget allocated to IT risk activities
C. The percentage of incidents presented to the board 
D. The number of executives attending IT security awareness training

Question # 13

When a risk practitioner is determining a system's criticality. it is MOST helpful to review the associated:

A. process flow.
B. business impact analysis (BIA). 
C. service level agreement (SLA).
D. system architecture.

Question # 14

Which of the following is the MOST important consideration when communicating the risk associated with technology end-of-life to business owners?

A. Cost and benefit 
B. Security and availability 
C. Maintainability and reliability
D. Performance and productivity

Question # 15

Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities?

A. Temporarily mitigate the OS vulnerabilities
B. Document and implement a patching process
C. Evaluate permanent fixes such as patches and upgrades
D. Identify the vulnerabilities and applicable OS patches

Question # 16

Which of the following is the MOST important concern when assigning multiple risk owners for an identified risk?

A. Accountability may not be clearly defined.
B. Risk ratings may be inconsistently applied.
C. Different risk taxonomies may be used.
D. Mitigation efforts may be duplicated.

Question # 17

Which of the following BEST enables risk-based decision making in support of a business continuity plan (BCP)?

A. Impact analysis
B. Control analysis
C. Root cause analysis 
D. Threat analysis

Question # 18

Which of the following findings of a security awareness program assessment would cause the GREATEST concern to a risk practitioner?

A. The program has not decreased threat counts.
B. The program has not considered business impact.
C. The program has been significantly revised
D. The program uses non-customized training modules.

Question # 19

Effective risk communication BEST benefits an organization by:

A. helping personnel make better-informed decisions
B. assisting the development of a risk register.
C. improving the effectiveness of IT controls.
D. increasing participation in the risk assessment process.

Question # 20

Following an acquisition, the acquiring company's risk practitioner has been asked to update the organization's IT risk profile What is the MOST important information to review from the acquired company to facilitate this task?

A. Internal and external audit reports 
B. Risk disclosures in financial statements
C. Risk assessment and risk register
D. Business objectives and strategies

Question # 21

Which of the following is the BEST way for a risk practitioner to present an annual risk management update to the board''

A. A summary of risk response plans with validation results
B. A report with control environment assessment results
C. A dashboard summarizing key risk indicators (KRIs)
D. A summary of IT risk scenarios with business cases

Question # 22

During an acquisition, which of the following would provide the MOST useful input to the parent company's risk practitioner when developing risk scenarios for the post-acquisition phase?

A. Risk management framework adopted by each company 
B. Risk registers of both companies 
C. IT balanced scorecard of each company
D. Most recent internal audit findings from both companies

Question # 23

Which of the following is MOST important when conducting a post-implementation review as part of the system development life cycle (SDLC)?

A. Verifying that project objectives are met
B. Identifying project cost overruns
C. Leveraging an independent review team
D. Reviewing the project initiation risk matrix

Question # 24

Which of the following should be of GREATEST concern when reviewing the results of an independent control assessment to determine the effectiveness of a vendor's control environment?

A. The report was provided directly from the vendor.
B. The risk associated with multiple control gaps was accepted. 
C. The control owners disagreed with the auditor's recommendations.
D. The controls had recurring noncompliance.

Question # 25

The BEST key performance indicator (KPI) to measure the effectiveness of the security patching process is the percentage of patches installed:

A. by the security administration team.
B. successfully within the expected time frame.
C. successfully during the first attempt. 
D. without causing an unplanned system outage.

Question # 26

When preparing a risk status report for periodic review by senior management, it is MOST important to ensure the report includes

A. risk exposure in business terms
B. a detailed view of individual risk exposures
C. a summary of incidents that have impacted the organization.
D. recommendations by an independent risk assessor.

Question # 27

A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner's NEXT step?

A. Develop a mechanism for monitoring residual risk.
B. Update the risk register with the results. 
C. Prepare a business case for the response options. 
D. Identify resources for implementing responses.

Question # 28

Which of the following is the PRIMARY reason to perform periodic vendor risk assessments?

A. To provide input to the organization's risk appetite 
B. To monitor the vendor's control effectiveness 
C. To verify the vendor's ongoing financial viability
D. To assess the vendor's risk mitigation plans

Question # 29

Which of the following is the BEST control to minimize the risk associated with scope creep in software development?

A. An established process for project change management
B. Retention of test data and results for review purposes 
C. Business managements review of functional requirements 
D. Segregation between development, test, and production

Question # 30

An organization has experienced several incidents of extended network outages that have exceeded tolerance. Which of the following should be the risk practitioner's FIRST step toaddress this situation?

A. Recommend additional controls to address the risk.
B. Update the risk tolerance level to acceptable thresholds.
C. Update the incident-related risk trend in the risk register.
D. Recommend a root cause analysis of the incidents.

Question # 31

The objective of aligning mitigating controls to risk appetite is to ensure that:

A. exposures are reduced to the fullest extent
B. exposures are reduced only for critical business systems
C. insurance costs are minimized 
D. the cost of controls does not exceed the expected loss.

Question # 32

Which of the following is the MAIN purpose of monitoring risk?

A. Communication 
B. Risk analysis 
C. Decision support 
D. Benchmarking

Question # 33

A risk practitioner is utilizing a risk heat map during a risk assessment. Risk events that are coded with the same color will have a similar:

A. risk score 
B. risk impact 
C. risk response 
D. risk likelihood.

Question # 34

When evaluating a number of potential controls for treating risk, it is MOST important to consider:

A. risk appetite and control efficiency.
B. inherent risk and control effectiveness.
C. residual risk and cost of control.
D. risk tolerance and control complexity.

Question # 35

Which of the following is MOST important to promoting a risk-aware culture?

A. Regular testing of risk controls
B. Communication of audit findings
C. Procedures for security monitoring 
D. Open communication of risk reporting

Question # 36

An organization has decided to postpone the assessment and treatment of several risk scenarios because stakeholders are unavailable. As a result of this decision, the riskassociated with these new entries has been;

A. mitigated
B. deferred
C. accepted.
D. transferred

Question # 37

After implementing countermeasures listed in ‘’Risk Response Descriptions’’ for each of the Risk IDs, which of the following component of the register MUST change?

A. Risk Impact Rating
B. Risk Owner
C. Risk Likelihood Rating
D. Risk Exposure

Question # 38

An organization's control environment is MOST effective when:

A. controls perform as intended.
B. controls operate efficiently.
C. controls are implemented consistent
D. control designs are reviewed periodically

Question # 39

Which of the following is the MOST important step to ensure regulatory requirements are adequately addressed within an organization?

A. Obtain necessary resources to address regulatory requirements 
B. Develop a policy framework that addresses regulatory requirements
C. Perform a gap analysis against regulatory requirements.
D. Employ IT solutions that meet regulatory requirements.

Question # 40

When defining thresholds for control key performance indicators (KPIs). it is MOST helpful to align:

A. information risk assessments with enterprise risk assessments.
B. key risk indicators (KRIs) with risk appetite of the business.
C. the control key performance indicators (KPIs) with audit findings.
D. control performance with risk tolerance of business owners.

Question # 41

Which of the following is the MOST important key performance indicator (KPI) to monitor the effectiveness of disaster recovery processes?

A. Percentage of IT systems recovered within the mean time to restore (MTTR) during the disaster recovery test
B. Percentage of issues arising from the disaster recovery test resolved on time 
C. Percentage of IT systems included in the disaster recovery test scope 
D. Percentage of IT systems meeting the recovery time objective (RTO) during the disaster recovery test

Question # 42

A risk practitioner has collaborated with subject matter experts from the IT department to develop a large list of potential key risk indicators (KRIs) for all IT operations within theorganization Of the following, who should review the completed list and select the appropriate KRIs for implementation?

A. IT security managers
B. IT control owners 
C. IT auditors
D. IT risk owners

Question # 43

Senior management wants to increase investment in the organization's cybersecurity program in response to changes in the external threat landscape. Which of the followingwould BEST help to prioritize investment efforts?

A. Analyzing cyber intelligence reports 
B. Engaging independent cybersecurity consultants
C. Increasing the frequency of updates to the risk register
D. Reviewing the outcome of the latest security risk assessment

Question # 44

An organization's chief information officer (CIO) has proposed investing in a new. untested technology to take advantage of being first to market Senior management has concernsabout the success of the project and has set a limit for expenditures before final approval. This conditional approval indicates the organization's risk:

A. capacity. 
B. appetite.
C. management capability. 
D. treatment strategy.

Question # 45

Which of the following is MOST helpful in providing an overview of an organization's risk management program?

A. Risk management treatment plan
B. Risk assessment results
C. Risk management framework
D. Risk register

Question # 46

An organization is implementing encryption for data at rest to reduce the risk associatedwith unauthorized access. Which of the following MUST be considered to assess theresidual risk?

A. Data retention requirements 
B. Data destruction requirements 
C. Cloud storage architecture 
D. Key management 

Question # 47

Which of the following is a risk practitioner's BEST recommendation to address anorganization's need to secure multiple systems with limited IT resources?

A. Apply available security patches. 
B. Schedule a penetration test. 
C. Conduct a business impact analysis (BIA) 
D. Perform a vulnerability analysis. 

Question # 48

The PRIMARY advantage of involving end users in continuity planning is that they:

A. have a better understanding of specific business needs 
B. can balance the overall technical and business concerns 
C. can see the overall impact to the business 
D. are more objective than information security management. 

Question # 49

A bank recently incorporated Blockchain technology with the potential to impact known riskwithin the organization. Which of the following is the risk practitioner’s BEST course ofaction?

A. Determine whether risk responses are still adequate. 
B. Analyze and update control assessments with the new processes. 
C. Analyze the risk and update the risk register as needed. 
D. Conduct testing of the control that mitigate the existing risk. 

Question # 50

A financial institution has identified high risk of fraud in several business applications.Which of the following controls will BEST help reduce the risk of fraudulent internaltransactions?

A. Periodic user privileges review 
B. Log monitoring 
C. Periodic internal audits 
D. Segregation of duties 

Question # 51

Which of the following would be the GREATEST challenge when implementing a corporaterisk framework for a global organization?

A. Privacy risk controls 
B. Business continuity 
C. Risk taxonomy 
D. Management support 

Question # 52

After the implementation of internal of Things (IoT) devices, new risk scenarios wereidentified. What is the PRIMARY reason to report this information to risk owners?

A. To reevaluate continued use to IoT devices 
B. The add new controls to mitigate the risk 
C. The recommend changes to the IoT policy 
D. To confirm the impact to the risk profile 

Question # 53

Which of the following is MOST helpful in preventing risk events from materializing?

A. Prioritizing and tracking issues 
B. Establishing key risk indicators (KRIs) 
C. Reviewing and analyzing security incidents 
D. Maintaining the risk register 

Question # 54

Which of the following is a risk practitioner's MOST important responsibility in managingrisk acceptance that exceeds risk tolerance?

A. Verify authorization by senior management. 
B. Increase the risk appetite to align with the current risk level 
C. Ensure the acceptance is set to expire over lime 
D. Update the risk response in the risk register. 

Question # 55

Which of the following would be a risk practitioner's BEST course of action when a projectteam has accepted a risk outside the established risk appetite?

A. Reject the risk acceptance and require mitigating controls. 
B. Monitor the residual risk level of the accepted risk. 
C. Escalate the risk decision to the project sponsor for review. 
D. Document the risk decision in the project risk register. 

Question # 56

A. Risk Impact Rating 
B. Risk Owner 
C. Risk Likelihood Rating 
D. Risk Exposure 

Question # 57

A multinational organization is considering implementing standard background checks to'all new employees A KEY concern regarding this approach

A. fail to identity all relevant issues. 
B. be too costly 
C. violate laws in other countries 
D. be too line consuming 

Question # 58

When developing a risk awareness training program, which of the following training topicswould BEST facilitate a thorough understanding of risk scenarios?

A. Mapping threats to organizational objectives 
B. Reviewing past audits 
C. Analyzing key risk indicators (KRIs) 
D. Identifying potential sources of risk 

Question # 59

Which of the following stakeholders are typically included as part of a line of defense withinthe three lines of defense model?

A. Board of directors 
B. Vendors 
C. Regulators 
D. Legal team 

Question # 60

Which of the following should be the PRIMARY goal of developing information securitymetrics?

A. Raising security awareness 
B. Enabling continuous improvement 
C. Identifying security threats 
D. Ensuring regulatory compliance 

Question # 61

Which of the following will BEST help to ensure new IT policies address the enterprise'srequirements?

A. involve IT leadership in the policy development process 
B. Require business users to sign acknowledgment of the poises 
C. involve business owners in the pokey development process 
D. Provide policy owners with greater enforcement authority 

Question # 62

A risk practitioner has just learned about new malware that has severely impacted industrypeers worldwide data loss?

A. Customer database manager 
B. Customer data custodian 
C. Data privacy officer 
D. Audit committee 

Question # 63

it was determined that replication of a critical database used by two business units failed.Which of the following should be of GREATEST concern1?

A. The underutilization of the replicated Iink 
B. The cost of recovering the data 
C. The lack of integrity of data 
D. The loss of data confidentiality 

Question # 64

The BEST way to mitigate the high cost of retrieving electronic evidence associated withpotential litigation is to implement policies and procedures for.

A. data logging and monitoring 
B. data mining and analytics 
C. data classification and labeling 
D. data retention and destruction 

Question # 65

Which type of indicators should be developed to measure the effectiveness of anorganization's firewall rule set?

A. Key risk indicators (KRIs) 
B. Key management indicators (KMIs) 
C. Key performance indicators (KPIs) 
D. Key control indicators (KCIs) 

Question # 66

Which of the following is MOST important to the effectiveness of key performanceindicators (KPIs)?

A. Relevance 
B. Annual review 
C. Automation 
D. Management approval 

Question # 67

Who should be PRIMARILY responsible for establishing an organization's IT risk culture?

A. Business process owner 
B. Executive management 
C. Risk management 
D. IT management 

Question # 68

The PRIMARY benefit of using a maturity model is that it helps to evaluate the:

A. capability to implement new processes 
B. evolution of process improvements 
C. degree of compliance with policies and procedures 
D. control requirements. 

Question # 69

Which of the following is the PRIMARY reason to adopt key control indicators (KCIs) in therisk monitoring and reporting process?

A. To provide data for establishing the risk profile 
B. To provide assurance of adherence to risk management policies 
C. To provide measurements on the potential for risk to occur 
D. To provide assessments of mitigation effectiveness 

Question # 70

Of the following, who is BEST suited to assist a risk practitioner in developing a relevant setof risk scenarios?

A. Internal auditor 
B. Asset owner 
C. Finance manager 
D. Control owner 

Question # 71

Which of the following would be the result of a significant increase in the motivation of amalicious threat actor?

A. Increase in mitigating control costs 
B. Increase in risk event impact 
C. Increase in risk event likelihood 
D. Increase in cybersecurity premium 

Question # 72

Which of the following is the BEST indicator of an effective IT security awareness program?

A. Decreased success rate of internal phishing tests 
B. Decreased number of reported security incidents 
C. Number of disciplinary actions issued for security violations 
D. Number of employees that complete security training

Question # 73

Which of the following is the MOST effective way to incorporate stakeholder concernswhen developing risk scenarios?

A. Evaluating risk impact 
B. Establishing key performance indicators (KPIs) 
C. Conducting internal audits 
D. Creating quarterly risk reports 

Question # 74

Which of the following would BEST facilitate the implementation of data classificationrequirements?

A. Assigning a data owner 
B. Implementing technical control over the assets 
C. Implementing a data loss prevention (DLP) solution 
D. Scheduling periodic audits 

Question # 75

An organization is conducting a review of emerging risk. Which of the following is the BESTinput for this exercise?

A. Audit reports 
B. Industry benchmarks 
C. Financial forecasts 
D. Annual threat reports 

Question # 76

An organization moved its payroll system to a Software as a Service (SaaS) application. Anew data privacy regulation stipulates that data can only be processed within the countrywhere it is collected. Which of the following should be done FIRST when addressing thissituation?

A. Analyze data protection methods. 
B. Understand data flows. 
C. Include a right-to-audit clause. 
D. Implement strong access controls. 

Question # 77

Recovery the objectives (RTOs) should be based on

A. minimum tolerable downtime 
B. minimum tolerable loss of data. 
C. maximum tolerable downtime. 
D. maximum tolerable loss of data 

Question # 78

Which of the following contributes MOST to the effective implementation of risk responses?

A. Clear understanding of the risk 
B. Comparable industry risk trends 
C. Appropriate resources 
D. Detailed standards and procedures 

Question # 79

An employee lost a personal mobile device that may contain sensitive corporateinformation. What should be the risk practitioner's recommendation?

A. Conduct a risk analysis. 
B. Initiate a remote data wipe. 
C. Invoke the incident response plan 
D. Disable the user account. 

Question # 80

Which of the following is MOST helpful to understand the consequences of an IT riskevent?

A. Fault tree analysis 
B. Historical trend analysis 
C. Root cause analysis 
D. Business impact analysis (BIA) 

Question # 81

A company has recently acquired a customer relationship management (CRM) applicationfrom a certified software vendor. Which of the following will BE ST help lo prevent technicalvulnerabilities from being exploded?

A. implement code reviews and Quality assurance on a regular basis 
B. Verity me software agreement indemnifies the company from losses 
C. Review the source coda and error reporting of the application 
D. Update the software with the latest patches and updates 

Question # 82

Which of the following should be the PRIMARY focus of an IT risk awareness program?

A. Ensure compliance with the organization's internal policies 
B. Cultivate long-term behavioral change. 
C. Communicate IT risk policy to the participants. 
D. Demonstrate regulatory compliance. 

Question # 83

Which of the following would be the GREATEST concern for an IT risk practitioner when anemployees.....

A. The organization's structure has not been updated 
B. Unnecessary access permissions have not been removed.
C. Company equipment has not been retained by IT 
D. Job knowledge was not transferred to employees m the former department 

Question # 84

Which of the following is the FIRST step when conducting a business impact analysis(BIA)?

A. Identifying critical information assets 
B. Identifying events impacting continuity of operations; 
C. Creating a data classification scheme 
D. Analyzing previous risk assessment results

Question # 85

Which of the following would BEST mitigate an identified risk scenario?

A. Conducting awareness training 
B. Executing a risk response plan 
C. Establishing an organization's risk tolerance 
D. Performing periodic audits 

Question # 86

Which of the following is the BEST way to help ensure risk will be managed properly after abusiness process has been re-engineered?

A. Reassessing control effectiveness of the process 
B. Conducting a post-implementation review to determine lessons learned 
C. Reporting key performance indicators (KPIs) for core processes 
D. Establishing escalation procedures for anomaly events 

Question # 87

Which of the following should be management's PRIMARY focus when key risk indicators(KRIs) begin to rapidly approach defined thresholds?

A. Designing compensating controls 
B. Determining if KRIs have been updated recently 
C. Assessing the effectiveness of the incident response plan 
D. Determining what has changed in the environment 

Question # 88

Senior management has asked the risk practitioner for the overall residual risk level for aprocess that contains numerous risk scenarios. Which of the following should be provided?

A. The sum of residual risk levels for each scenario 
B. The loss expectancy for aggregated risk scenarios 
C. The highest loss expectancy among the risk scenarios 
D. The average of anticipated residual risk levels 

Question # 89

Legal and regulatory risk associated with business conducted over the Internet is driven by:

A. the jurisdiction in which an organization has its principal headquarters 
B. international law and a uniform set of regulations. 
C. the laws and regulations of each individual country 
D. international standard-setting bodies. 

Question # 90

An organization is considering outsourcing user administration controls tor a critical system.The potential vendor has offered to perform quarterly sett-audits of its controls instead ofhaving annual independent audits. Which of the following should be of GREATESTconcern to me risk practitioner?

A. The controls may not be properly tested 
B. The vendor will not ensure against control failure 
C. The vendor will not achieve best practices 
D. Lack of a risk-based approach to access control 

Question # 91

An organization has an approved bring your own device (BYOD) policy. Which of thefollowing would BEST mitigate the security risk associated with the inappropriate use ofenterprise applications on the devices?

A. Periodically review application on BYOD devices 
B. Include BYOD in organizational awareness programs 
C. Implement BYOD mobile device management (MDM) controls. 
D. Enable a remote wee capability for BYOD devices 

Question # 92

To reduce costs, an organization is combining the second and third tines of defense in anew department that reports to a recently appointed C-level executive. Which of thefollowing is the GREATEST concern with this situation?

A. The risk governance approach of the second and third lines of defense may differ. 
B. The independence of the internal third line of defense may be compromised. 
C. Cost reductions may negatively impact the productivity of other departments. 
D. The new structure is not aligned to the organization's internal control framework. 

Question # 93

When documenting a risk response, which of the following provides the STRONGESTevidence to support the decision?

A. Verbal majority acceptance of risk by committee 
B. List of compensating controls 
C. IT audit follow-up responses 
D. A memo indicating risk acceptance 

Question # 94

An organization maintains independent departmental risk registers that are notautomatically aggregated. Which of the following is the GREATEST concern?

A. Management may be unable to accurately evaluate the risk profile. 
B. Resources may be inefficiently allocated. 
C. The same risk factor may be identified in multiple areas. 
D. Multiple risk treatment efforts may be initiated to treat a given risk. 

Question # 95

Which of the following is MOST important for an organization to update following a changein legislation requiring notification to individuals impacted by data breaches?

A. Insurance coverage 
B. Security awareness training 
C. Policies and standards 
D. Risk appetite and tolerance 

Question # 96

A risk practitioner is preparing a report to communicate changes in the risk and controlenvironment. The BEST way to engage stakeholder attention is to:

A. include detailed deviations from industry benchmarks, 
B. include a summary linking information to stakeholder needs, 
C. include a roadmap to achieve operational excellence, 
D. publish the report on-demand for stakeholders. 

Question # 97

A risk practitioner identifies a database application that has been developed andimplemented by the business independently of IT. Which of the following is the BESTcourse of action?

A. Escalate the concern to senior management. 
B. Document the reasons for the exception. 
C. Include the application in IT risk assessments. 
D. Propose that the application be transferred to IT. 

Question # 98

Which of the following practices would be MOST effective in protecting personalityidentifiable information (Ptl) from unauthorized access m a cloud environment?

A. Apply data classification policy
B. Utilize encryption with logical access controls 
C. Require logical separation of company data 
D. Obtain the right to audit 

Question # 99

Which of the following would MOST likely require a risk practitioner to update the riskregister?

A. An alert being reported by the security operations center. 
B. Development of a project schedule for implementing a risk response 
C. Completion of a project for implementing a new control 
D. Engagement of a third party to conduct a vulnerability scan 

Question # 100

Which of the following is the BEST way to determine the potential organizational impact ofemerging privacy regulations?

A. Evaluate the security architecture maturity. 
B. Map the new requirements to the existing control framework. 
C. Charter a privacy steering committee. 
D. Conduct a privacy impact assessment (PIA). 

Question # 101

Which of the following is the MOST comprehensive resource for prioritizing theimplementation of information systems controls?

A. Data classification policy 
B. Emerging technology trends 
C. The IT strategic plan 
D. The risk register 

Question # 102

An organization discovers significant vulnerabilities in a recently purchased commercial offthe-shelf software product which will not be corrected until the next release. Which of thefollowing is the risk manager's BEST course of action?

A. Review the risk of implementing versus postponing with stakeholders. 
B. Run vulnerability testing tools to independently verify the vulnerabilities. 
C. Review software license to determine the vendor's responsibility regardingvulnerabilities. 
D. Require the vendor to correct significant vulnerabilities prior to installation. 

Question # 103

Which of the following would present the MOST significant risk to an organization whenupdating the incident response plan?

A. Obsolete response documentation 
B. Increased stakeholder turnover 
C. Failure to audit third-party providers 
D. Undefined assignment of responsibility 

Question # 104

Which of the blowing is MOST important when implementing an organization s securitypolicy?

A. Obtaining management support 
B. Benchmarking against industry standards 
C. Assessing compliance requirements 
D. Identifying threats and vulnerabilities 

Question # 105

Which of the following would BEST indicate to senior management that IT processes areimproving?

A. Changes in the number of intrusions detected 
B. Changes in the number of security exceptions 
C. Changes in the position in the maturity model 
D. Changes to the structure of the risk register 

Question # 106

Which of the following is the BEST way to quantify the likelihood of risk materialization?

A. Balanced scorecard 
B. Threat and vulnerability assessment 
C. Compliance assessments 
D. Business impact analysis (BIA) 

Question # 107

An organization has decided to commit to a business activity with the knowledge that therisk exposure is higher than the risk appetite. Which of the following is the risk practitioner'sMOST important action related to this decision?

A. Recommend risk remediation 
B. Change the level of risk appetite 
C. Document formal acceptance of the risk 
D. Reject the business initiative 

Question # 108

Which of the following should be the risk practitioner's FIRST course of action when anorganization plans to adopt a cloud computing strategy?

A. Request a budget for implementation 
B. Conduct a threat analysis. 
C. Create a cloud computing policy. 
D. Perform a controls assessment. 

Question # 109

Which of the following should be determined FIRST when a new security vulnerability ismade public?

A. Whether the affected technology is used within the organization 
B. Whether the affected technology is Internet-facing 
C. What mitigating controls are currently in place 
D. How pervasive the vulnerability is within the organization 

Question # 110

Who should be responsible (of evaluating the residual risk after a compensating control hasbeen

A. Compliance manager 
B. Risk owner 
C. Control owner 
D. Risk practitioner 

Question # 111

Which of the following is the BEST method of creating risk awareness in an organization?

A. Marking the risk register available to project stakeholders 
B. Ensuring senior management commitment to risk training 
C. Providing regular communication to risk managers
D. Appointing the risk manager from the business units 

Question # 112

What is the PRIMARY reason an organization should include background checks on roleswith elevated access to production as part of its hiring process?

A. Reduce internal threats 
B. Reduce exposure to vulnerabilities 
C. Eliminate risk associated with personnel 
D. Ensure new hires have the required skills 

Question # 113

Who is BEST suited to provide objective input when updating residual risk to reflect theresults of control effectiveness?

A. Control owner 
B. Risk owner 
C. Internal auditor 
D. Compliance manager 

Question # 114

The PRIMARY objective of collecting information and reviewing documentation whenperforming periodic risk analysis should be to:

A. Identify new or emerging risk issues. 
B. Satisfy audit requirements. 
C. Survey and analyze historical risk data. 
D. Understand internal and external threat agents. 

Question # 115

Which of the following practices MOST effectively safeguards the processing of personaldata?

A. Personal data attributed to a specific data subject is tokenized. 
B. Data protection impact assessments are performed on a regular basis. 
C. Personal data certifications are performed to prevent excessive data collection. 
D. Data retention guidelines are documented, established, and enforced. 

Question # 116

When is the BEST to identify risk associated with major project to determine a mitigationplan?

A. Project execution phase
B. Project initiation phase 
C. Project closing phase 
D. Project planning phase 

Question # 117

For a large software development project, risk assessments are MOST effective whenperformed:

A. before system development begins. 
B. at system development. 
C. at each stage of the system development life cycle (SDLC). 
D. during the development of the business case. 

Question # 118

The PRIMARY goal of conducting a business impact analysis (BIA) as part of an overallcontinuity planning process is to:

A. obtain the support of executive management. 
B. map the business processes to supporting IT and other corporate resources. 
C. identify critical business processes and the degree of reliance on support services. 
D. document the disaster recovery process. 

Question # 119

An organization control environment is MOST effective when:

A. control designs are reviewed periodically 
B. controls perform as intended. 
C. controls are implemented consistently. 
D. controls operate efficiently 

Question # 120

Which of the following would BEST help to address the risk associated with maliciousoutsiders modifying application data?

A. Multi-factor authentication 
B. Role-based access controls 
C. Activation of control audits 
D. Acceptable use policies 

Question # 121

The BEST way to improve a risk register is to ensure the register:

A. is updated based upon significant events. 
B. documents possible countermeasures. 
C. contains the risk assessment completion date. 
D. is regularly audited. 

Question # 122

Which of the following is the BEST key performance indicator (KPI) to measure theeffectiveness of a disaster recovery test of critical business processes?

A. Percentage of job failures identified and resolved during the recovery process 
B. Percentage of processes recovered within the recovery time and point objectives
C. Number of current test plans and procedures 
D. Number of issues and action items resolved during the recovery test 

Question # 123

Print jobs containing confidential information are sent to a shared network printer located ina secure room. Which of the following is the BEST control to prevent the inappropriatedisclosure of confidential information?

A. Requiring a printer access code for each user 
B. Using physical controls to access the printer room 
C. Using video surveillance in the printer room 
D. Ensuring printer parameters are properly configured 

Question # 124

While reviewing the risk register, a risk practitioner notices that different business unitshave significant variances in inherent risk for the same risk scenario. Which of the followingis the BEST course of action?

A. Update the risk register with the average of residual risk for both business units. 
B. Review the assumptions of both risk scenarios to determine whether the variance is reasonable. 
C. Update the risk register to ensure both risk scenarios have the highest residual risk. 
D. Request that both business units conduct another review of the risk. 

Question # 125

Which of the following would BEST enable a risk-based decision when considering the useof an emerging technology for data processing?

A. Gap analysis 
B. Threat assessment 
C. Resource skills matrix 
D. Data quality assurance plan 

Question # 126

n an organization that allows employee use of social media accounts for work purposes,which of the following is the BEST way to protect company sensitive information from beingexposed?

A. Educating employees on what needs to be kept confidential 
B. Implementing a data loss prevention (DLP) solution 
C. Taking punitive action against employees who expose confidential data 
D. Requiring employees to sign nondisclosure agreements 

Question # 127

Which of the following would provide the BEST evidence of an effective internal controlenvironment/?

A. Risk assessment results 
B. Adherence to governing policies 
C. Regular stakeholder briefings 
D. Independent audit results 

Question # 128

Which of the following management action will MOST likely change the likelihood rating ofa risk scenario related to remote network access?

A. Updating the organizational policy for remote access 
B. Creating metrics to track remote connections 
C. Implementing multi-factor authentication 
D. Updating remote desktop software 

Question # 129

Risk acceptance of an exception to a security control would MOST likely be justified when:

A. automation cannot be applied to the control 
B. business benefits exceed the loss exposure. 
C. the end-user license agreement has expired. 
D. the control is difficult to enforce in practice. 

Question # 130

An organization's control environment is MOST effective when

A. controls perform as intended. 
B. controls operate efficiently. 
C. controls are implemented consistent 
D. control designs are reviewed periodically 

Question # 131

An IT department originally planned to outsource the hosting of its data center at anoverseas location to reduce operational expenses. After a risk assessment, the departmenthas decided to keep the data center in-house. How should the risk treatment response bereflected in the risk register?

A. Risk mitigation 
B. Risk avoidance 
C. Risk acceptance 
D. Risk transfer 

Question # 132

Which of the following should be of GREATEST concern lo a risk practitioner reviewing theimplementation of an emerging technology?

A. Lack of alignment to best practices 
B. Lack of risk assessment 
C. Lack of risk and control procedures 
D. Lack of management approval 

Question # 133

A cote data center went offline abruptly for several hours affecting many transactionsacross multiple locations. Which of the to" owing would provide the MOST usefulinformation to determine mitigating controls?

A. Forensic analysis 
B. Risk assessment 
C. Root cause analysis 
D. Business impact analysis (BlA) 

Question # 134

A cote data center went offline abruptly for several hours affecting many transactionsacross multiple locations. Which of the to" owing would provide the MOST usefulinformation to determine mitigating controls?

A. Forensic analysis 
B. Risk assessment 
C. Root cause analysis 
D. Business impact analysis (BlA) 

Question # 135

When formulating a social media policy lo address information leakage, which of thefollowing is the MOST important concern to address?

A. Sharing company information on social media 
B. Sharing personal information on social media 
C. Using social media to maintain contact with business associates
D. Using social media for personal purposes during working hours 

Question # 136

Before assigning sensitivity levels to information it is MOST important to:

A. define recovery time objectives (RTOs). 
B. define the information classification policy 
C. conduct a sensitivity analyse 
D. Identify information custodians 

Question # 137

An organization has completed a risk assessment of one of its service providers. Whoshould be accountable for ensuring that risk responses are implemented?

A. IT risk practitioner 
B. Third -partf3ecurity team 
C. The relationship owner 
D. Legal representation of the business 

Question # 138

Which of the following BEST indicates the risk appetite and tolerance level (or the riskassociated with business interruption caused by IT system failures?

A. Mean time to recover (MTTR) 
B. IT system criticality classification 
C. Incident management service level agreement (SLA) 
D. Recovery time objective (RTO) 

Question # 139

An organization is considering the adoption of an aggressive business strategy to achievedesired growth From a risk management perspective what should the risk practitioner doNEXT?

A. Identify new threats resorting from the new business strategy 
B. Update risk awareness training to reflect current levels of risk appetite and tolerance 
C. Inform the board of potential risk scenarios associated with aggressive businessstrategies 
D. Increase the scale for measuring impact due to threat materialization 

Question # 140

An IT department has organized training sessions to improve user awareness oforganizational information security policies. Which of the following is the BEST keyperformance indicator (KPI) to reflect effectiveness of the training?

A. Number of training sessions completed 
B. Percentage of staff members who complete the training with a passing score 
C. Percentage of attendees versus total staff 
D. Percentage of staff members who attend the training with positive feedback 

Question # 141

Which of the following will be the GREATEST concern when assessing the risk profile of anorganization?

A. The risk profile was not updated after a recent incident 
B. The risk profile was developed without using industry standards. 
C. The risk profile was last reviewed two years ago. 
D. The risk profile does not contain historical loss data. 

Question # 142

An organization is analyzing the risk of shadow IT usage. Which of the following is theMOST important input into the assessment?

A. Business benefits of shadow IT 
B. Application-related expresses 
C. Classification of the data 
D. Volume of data 

Question # 143

When of the following standard operating procedure (SOP) statements BEST illustratesappropriate risk register maintenance?

A. Remove risk that has been mitigated by third-party transfer 
B. Remove risk that management has decided to accept 
C. Remove risk only following a significant change in the risk environment 
D. Remove risk when mitigation results in residual risk within tolerance levels 

Question # 144

Which of the following would be MOST helpful when communicating roles associated withthe IT risk management process?

A. Skills matrix 
B. Job descriptions 
C. RACI chart 
D. Organizational chart 

Question # 145

Which of the following is MOST important to include in a risk assessment of an emergingtechnology?

A. Risk response plans 
B. Risk and control ownership 
C. Key controls 
D. Impact and likelihood ratings

Question # 146

Which of the following is MOST important information to review when developing plans forusing emerging technologies?

A. Existing IT environment 
B. IT strategic plan 
C. Risk register 
D. Organizational strategic plan 

Question # 147

Which of the following is MOST important to the effectiveness of key performanceindicators (KPIs)?

A. Management approval 
B. Annual review
C. Relevance 
D. Automation 

Question # 148

Which of the following is the MOST important consideration when developing riskstrategies?

A. Organization's industry sector 
B. Long-term organizational goals 
C. Concerns of the business process owners 
D. History of risk events 

Question # 149

Which of the following would BEST facilitate the implementation of data classificationrequirements?

A. Implementing a data toss prevention (DLP) solution
B. Assigning a data owner 
C. Scheduling periodic audits 
D. Implementing technical controls over the assets 

Question # 150

Which of the following provides the BEST evidence that a selected risk treatment plan iseffective?

A. Identifying key risk indicators (KRIs) 
B. Evaluating the return on investment (ROI) 
C. Evaluating the residual risk level 
D. Performing a cost-benefit analysis

Question # 151

Which of the following will BEST help to ensure the continued effectiveness of the IT riskmanagement function within an organization experiencing high employee turnover?

A. Well documented policies and procedures 
B. Risk and issue tracking 
C. An IT strategy committee 
D. Change and release management 

Question # 152

Which of the following would MOST effectively reduce risk associated with an increase ofonline transactions on a retailer website?

A. Scalable infrastructure 
B. A hot backup site 
C. Transaction limits 
D. Website activity monitoring 

Question # 153

As pan of business continuity planning, which of the following is MOST important to includem a business impact analysis (BlA)?

A. An assessment of threats to the organization 
B. An assessment of recovery scenarios 
C. industry standard framework 
D. Documentation of testing procedures 

Question # 154

Which of the following would be a risk practitioner’s BEST recommendation upon learningof an updated cybersecurity regulation that could impact the organization?

A. Perform a gap analysis 
B. Conduct system testing 
C. Implement compensating controls 
D. Update security policies 

Question # 155

The PRIMARY reason for prioritizing risk scenarios is to:

A. provide an enterprise-wide view of risk 
B. support risk response tracking 
C. assign risk ownership 
D. facilitate risk response decisions. 

Question # 156

In order to determining a risk is under-controlled the risk practitioner will need to

A. understand the risk tolerance
B. monitor and evaluate IT performance 
C. identify risk management best practices 
D. determine the sufficiency of the IT risk budget 

Question # 157

Which of the following is the BEST indication that key risk indicators (KRls) should berevised?

A. A decrease in the number of critical assets covered by risk thresholds 
B. An Increase In the number of risk threshold exceptions 
C. An increase in the number of change events pending management review 
D. A decrease In the number of key performance indicators (KPls) 

Question # 158

An organization has decided to use an external auditor to review the control environment ofan outsourced service provider. The BEST control criteria to evaluate the provider would bebased on:

A. a recognized industry control framework 
B. guidance provided by the external auditor 
C. the service provider's existing controls 
D. The organization's specific control requirements 

Question # 159

An organization is planning to move its application infrastructure from on-premises to thecloud. Which of the following is the BEST course of the actin to address the risk associatedwith data transfer if the relationship is terminated with the vendor?

A. Meet with the business leaders to ensure the classification of their transferred data is inplace 
B. Ensure the language in the contract explicitly states who is accountable for each step ofthe data transfer process 
C. Collect requirements for the environment to ensure the infrastructure as a service (IaaS)is configured appropriately. 
D. Work closely with the information security officer to ensure the company has the propersecurity controls in place. 

Question # 160

A risk practitioner observed Vial a high number of pokey exceptions were approved bysenior management. Which of the following is the risk practitioner’s BEST course of actionto determine root cause?

A. Review the risk profile 
B. Review pokey change history 
C. interview the control owner 
D. Perform control testing 

Question # 161

Who should have the authority to approve an exception to a control?

A. information security manager 
B. Control owner 
C. Risk owner 
D. Risk manager 

Question # 162

An organization wants to grant remote access to a system containing sensitive data to anoverseas third party. Which of the following should be of GREATEST concern tomanagement?

A. Transborder data transfer restrictions 
B. Differences in regional standards 
C. Lack of monitoring over vendor activities 
D. Lack of after-hours incident management support 

Question # 163

Which of the following issues found during the review of a newly created disaster recoveryplan (DRP) should be of MOST concern?

A. Some critical business applications are not included in the plan 
B. Several recovery activities will be outsourced 
C. The plan is not based on an internationally recognized framework 
D. The chief information security officer (CISO) has not approved the plan 

Question # 164

Which key performance efficiency IKPI) BEST measures the effectiveness of anorganization's disaster recovery program?

A. Number of service level agreement (SLA) violations 
B. Percentage of recovery issues identified during the exercise 
C. Number of total systems recovered within tie recovery point objective (RPO) 
D. Percentage of critical systems recovered within tie recovery time objective (RTO) 

Question # 165

Which of the following is PRIMARILY a risk management responsibly of the first line ofdefense?

A. Implementing risk treatment plans 
B. Validating the status of risk mitigation efforts 
C. Establishing risk policies and standards 
D. Conducting independent reviews of risk assessment results 

Question # 166

An organization has provided legal text explaining the rights and expected behavior of users accessing a system from geographic locations that have strong privacy regulations.Which of the following control types has been applied?

A. Detective 
B. Directive 
C. Preventive 
D. Compensating 

Question # 167

A global company s business continuity plan (BCP) requires the transfer of its customerinformation….event of a disaster. Which of the following should be the MOST important riskconsideration?

A. The difference In the management practices between each company 
B. The cloud computing environment is shared with another company 
C. The lack of a service level agreement (SLA) in the vendor contract 
D. The organizational culture differences between each country 

Question # 168

Which of The following is the MOST comprehensive input to the risk assessment processspecific to the effects of system downtime?

A. Business continuity plan (BCP) testing results 
B. Recovery lime objective (RTO) 
C. Business impact analysis (BIA) 
D. results Recovery point objective (RPO) 

Question # 169

Which of the following is MOST important for mitigating ethical risk when establishingaccountability for control ownership?

A. Ensuring processes are documented to enable effective control execution 
B. Ensuring regular risk messaging is Included in business communications fromleadership 
C. Ensuring schedules and deadlines for control-related deliverables are strictly monitored 
D. Ensuring performance metrics balance business goals with risk appetiie 

Question # 170

Which of the following is MOST important for maintaining the effectiveness of an IT riskregister?

A. Removing entries from the register after the risk has been treated 
B. Recording and tracking the status of risk response plans within the register 
C. Communicating the register to key stakeholders 
D. Performing regular reviews and updates to the register 

Question # 171

It is MOST important that security controls for a new system be documented in:

A. testing requirements
B. the implementation plan.
C. System requirements
D. The security policy

Question # 172

Which of the following is MOST helpful in defining an early-warning threshold associatedwith insufficient network bandwidth''

A. Average bandwidth usage 
B. Peak bandwidth usage 
C. Total bandwidth usage 
D. Bandwidth used during business hours 

Question # 173

An organization is concerned that its employees may be unintentionally disclosing datathrough the use of social media sites. Which of the following will MOST effectively mitigatetins risk?

A. Requiring the use of virtual private networks (VPNs) 
B. Establishing a data classification policy 
C. Conducting user awareness training 
D. Requiring employee agreement of the acceptable use policy 

Question # 174

An organization has made a decision to purchase a new IT system. During when phase ofthe system development life cycle (SDLC) will identified risk MOST likely lead toarchitecture and design trade-offs?

A. Acquisition 
B. Implementation 
C. Initiation 
D. Operation and maintenance 

Question # 175

The PRIMARY purpose of using a fra mework for risk analysis is to:

A. improve accountability 
B. improve consistency 
C. help define risk tolerance 
D. help develop risk scenarios. 

Question # 176

When developing risk scenario using a list of generic scenarios based on industry bestpractices, it is MOST imported to:

A. Assess generic risk scenarios with business users. 
B. Validate the generic risk scenarios for relevance. 
C. Select the maximum possible risk scenarios from the list. 
D. Identify common threats causing generic risk scenarios 

Question # 177

Which element of an organization's risk register is MOST important to update following thecommissioning of a new financial reporting system?

A. Key risk indicators (KRIs) 
B. The owner of the financial reporting process 
C. The risk rating of affected financial processes 
D. The list of relevant financial controls 

Question # 178

Which element of an organization's risk register is MOST important to update following thecommissioning of a new financial reporting system?

A. Key risk indicators (KRIs) 
B. The owner of the financial reporting process 
C. The risk rating of affected financial processes 
D. The list of relevant financial controls 

Question # 179

Which of the following is the BEST approach to mitigate the risk associated with a controldeficiency?

A. Perform a business case analysis 
B. Implement compensating controls. 
C. Conduct a control sell-assessment (CSA) 
D. Build a provision for risk 

Question # 180

A maturity model is MOST useful to an organization when it:

A. benchmarks against other organizations 
B. defines a qualitative measure of risk 
C. provides a reference for progress 
D. provides risk metrics. 

Question # 181

Which of the following should be of MOST concern to a risk practitioner reviewing anorganization risk register after the completion of a series of risk assessments?

A. Several risk action plans have missed target completion dates. 
B. Senior management has accepted more risk than usual. 
C. Risk associated with many assets is only expressed in qualitative terms. 
D. Many risk scenarios are owned by the same senior manager. 

Question # 182

Which of the following sources is MOST relevant to reference when updating securityawareness training materials?

A. Risk management framework 
B. Risk register 
C. Global security standards 
D. Recent security incidents reported by competitors 

Question # 183

Which of the following will BEST help to ensure implementation of corrective action plans?

A. Establishing employee awareness training 
B. Assigning accountability to risk owners 
C. Selling target dates to complete actions 
D. Contracting to third parties 

Question # 184

An organization has used generic risk scenarios to populate its risk register. Which of thefollowing presents the GREATEST challenge to assigning of the associated risk entries?

A. The volume of risk scenarios is too large 
B. Risk aggregation has not been completed 
C. Risk scenarios are not applicable
D. The risk analysts for each scenario is incomplete 

Question # 185

A risk practitioner has discovered a deficiency in a critical system that cannot be patched.Which of the following should be the risk practitioner's FIRST course of action?

A. Report the issue to internal audit. 
B. Submit a request to change management. 
C. Conduct a risk assessment. 
D. Review the business impact assessment. 

Question # 186

When reviewing the business continuity plan (BCP) of an online sales order system, a riskpractitioner notices that the recovery time objective (RTO) has a shorter lime than what isdefined in the disaster recovery plan (DRP). Which of the following is the BEST way for therisk practitioner to address this concern?

A. Adopt the RTO defined in the BCR 
B. Update the risk register to reflect the discrepancy. 
C. Adopt the RTO defined in the DRP. 
D. Communicate the discrepancy to the DR manager for follow-up. 

Question # 187

Which of the following is the PRIMARY benefit of stakeholder involvement in risk scenariodevelopment?

A. Ability to determine business impact 
B. Up-to-date knowledge on risk responses 
C. Decision-making authority for risk treatment 
D. Awareness of emerging business threats 

Question # 188

Which of the following is the MOST appropriate action when a tolerance threshold isexceeded?

A. Communicate potential impact to decision makers. 
B. Research the root cause of similar incidents. 
C. Verify the response plan is adequate. 
D. Increase human resources to respond in the interim. 

Question # 189

Which of the following is the PRIMARY risk management responsibility of the second lineof defense?

A. Monitoring risk responses 
B. Applying risk treatments 
C. Providing assurance of control effectiveness 
D. Implementing internal controls 

Question # 190

Which of the following is a drawback in the use of quantitative risk analysis?

A. It assigns numeric values to exposures of assets. 
B. It requires more resources than other methods 
C. It produces the results in numeric form. 
D. It is based on impact analysis of information assets. 

Question # 191

When evaluating enterprise IT risk management it is MOST important to:

A. create new control processes to reduce identified IT risk scenarios
B. confirm the organization’s risk appetite and tolerance
C. report identified IT risk scenarios to senior management
D. review alignment with the organization's investment plan

Question # 192

Which of the following is the BEST reason to use qualitative measures to express residual risk levels related to emerging threats?

A. Qualitative measures require less ongoing monitoring.
B. Qualitative measures are better aligned to regulatory requirements.
C. Qualitative measures are better able to incorporate expert judgment.
D. Qualitative measures are easier to update.

Question # 193

Which of the following is the GREATEST benefit to an organization when updates to the risk register are made promptly after the completion of a risk assessment?

A. Improved senior management communication
B. Optimized risk treatment decisions 
C. Enhanced awareness of risk management
D. Improved collaboration among risk professionals

Question # 194

What is the PRIMARY benefit of risk monitoring?

A. It reduces the number of audit findings.
B. It provides statistical evidence of control efficiency.
C. It facilitates risk-aware decision making.
D. It facilitates communication of threat levels.

Question # 195

Several network user accounts were recently created without the required management approvals. Which of the following would be the risk practitioner's BEST recommendation to address this situation?

A. Conduct a comprehensive compliance review.
B. Develop incident response procedures for noncompliance.
C. Investigate the root cause of noncompliance.
D. Declare a security breach and Inform management.

Question # 196

The BEST reason to classify IT assets during a risk assessment is to determine the:

A. priority in the risk register.
B. business process owner.
C. enterprise risk profile.
D. appropriate level of protection.

Question # 197

Which of the following is the MOST critical element to maximize the potential for a successful security implementation? 

A. The organization's knowledge
B. Ease of implementation
C. The organization's culture
D. industry-leading security tools

Question # 198

Which of the following BEST facilities the alignment of IT risk management with enterprise risk management (ERM)?

A. Adopting qualitative enterprise risk assessment methods
B. Linking IT risk scenarios to technology objectives
C. linking IT risk scenarios to enterprise strategy
D. Adopting quantitative enterprise risk assessment methods

Question # 199

Which of the following roles is BEST suited to help a risk practitioner understand the impact of IT-related events on business objectives?

A. IT management
B. Internal audit
C. Process owners
D. Senior management

Question # 200

Which of the following is the MOST important technology control to reduce the likelihood of fraudulent payments committed internally?

A. Automated access revocation
B. Daily transaction reconciliation
C. Rule-based data analytics
D. Role-based user access model

Question # 201

Which of the following is the BEST evidence that a user account has been properly authorized?

A. An email from the user accepting the account
B. Notification from human resources that the account is active
C. User privileges matching the request form
D. Formal approval of the account by the user's manager

Question # 202

A chief information officer (CIO) has identified risk associated with shadow systems being maintained by business units to address specific functionality gaps in the organization's enterprise resource planning (ERP) system. What is the BEST way to reduce this risk going forward?

A. Align applications to business processes.
B. Implement an enterprise architecture (EA).
C. Define the software development life cycle (SDLC).
D. Define enterprise-wide system procurement requirements.

Question # 203

An organization has detected unauthorized logins to its client database servers. Which of the following should be of GREATEST concern? 

A. Potential increase in regulatory scrutiny
B. Potential system downtime
C. Potential theft of personal information
D. Potential legal risk 

Question # 204

To reduce the risk introduced when conducting penetration tests, the BEST mitigating control would be to: 

A. require the vendor to sign a nondisclosure agreement
B. clearly define the project scope.
C. perform background checks on the vendor.
D. notify network administrators before testing

Question # 205

Which of the following is the BEST indicator of the effectiveness of IT risk management processes? 

A. Percentage of business users completing risk training
B. Percentage of high-risk scenarios for which risk action plans have been developed
C. Number of key risk indicators (KRIs) defined
D. Time between when IT risk scenarios are identified and the enterprise's response

Question # 206

During implementation of an intrusion detection system (IDS) to monitor network traffic, a high number of alerts is reported. The risk practitioner should recommend to: 

A. reset the alert threshold based on peak traffic  
B. analyze the traffic to minimize the false negatives  
C. analyze the alerts to minimize the false positives
D. sniff the traffic using a network analyzer

Question # 207

Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds?

A. Occurrences of specific events
B. A performance measurement
C. The risk tolerance level
D. Risk scenarios

Question # 208

An internal audit report reveals that not all IT application databases have encryption in place. Which of the following information would be MOST important for assessing the risk impact? 

A. The number of users who can access sensitive data
B. A list of unencrypted databases which contain sensitive data
C. The reason some databases have not been encrypted
D. The cost required to enforce encryption

Question # 209

Which of the following is the MOST important topic to cover in a risk awareness training program for all staff?

A. Internal and external information security incidents
B. The risk department's roles and responsibilities
C. Policy compliance requirements and exceptions process
D. The organization's information security risk profile

Question # 210

Which of the following scenarios represents a threat?

A. Connecting a laptop to a free, open, wireless access point (hotspot)
B. Visitors not signing in as per policy
C. Storing corporate data in unencrypted form on a laptop
D. A virus transmitted on a USB thumb drive

Question # 211

An IT risk practitioner has determined that mitigation activities differ from an approved risk action plan. Which of the following is the risk practitioner's BEST course of action? 

A. Report the observation to the chief risk officer (CRO).
B. Validate the adequacy of the implemented risk mitigation measures.
C. Update the risk register with the implemented risk mitigation actions.
D. Revert the implemented mitigation measures until approval is obtained

Question # 212

Which of the following is the PRIMARY objective of providing an aggregated view of IT risk to business management?

A. To enable consistent data on risk to be obtained
B. To allow for proper review of risk tolerance
C. To identify dependencies for reporting risk
D. To provide consistent and clear terminology

Question # 213

Which of the following is the BEST control to detect an advanced persistent threat (APT)?

A. Utilizing antivirus systems and firewalls
B. Conducting regular penetration tests
C. Monitoring social media activities
D. Implementing automated log monitoring

Question # 214

Which of the following is the BEST source for identifying key control indicators (KCIs)?

A. Privileged user activity monitoring controls
B. Controls mapped to organizational risk scenarios
C. Recent audit findings of control weaknesses
D. A list of critical security processes

Question # 215

Which of the following is the GREATEST risk associated with an environment that lacks documentation of the architecture?

A. Unknown vulnerabilities
B. Legacy technology systems
C. Network isolation
D. Overlapping threats

Question # 216

Which of the following is the GREATEST benefit for an organization with a strong risk awareness culture?

A. Reducing the involvement by senior management
B. Using more risk specialists
C. Reducing the need for risk policies and guidelines 
D. Discussing and managing risk as a team

Question # 217

When of the following 15 MOST important when developing a business case for a proposed security investment?

A. identification of control requirements
B. Alignment to business objectives
C. Consideration of new business strategies
D. inclusion of strategy for regulatory compliance

Question # 218

Which of the following is the MOST effective control to ensure user access is maintained on a least-privilege basis?

A. User authorization
B. User recertification
C. Change log review
D. Access log monitoring

Question # 219

Which of the following is the MOST important component in a risk treatment plan? 

A. Technical details
B. Target completion date
C. Treatment plan ownership
D. Treatment plan justification

Question # 220

In an organization where each division manages risk independently, which of the following would BEST enable management of risk at the enterprise level?

A. A standardized risk taxonomy
B. A list of control deficiencies
C. An enterprise risk ownership policy
D. An updated risk tolerance metric

Question # 221

Which of the following describes the relationship between Key risk indicators (KRIs) and key control indicators (KCIS)? 

A. KCIs are independent from KRIs KRIs.
B. KCIs and KRIs help in determining risk appetite.
C. KCIs are defined using data from KRIs.
D. KCIs provide input for KRIs

Question # 222

Which of the following BEST indicates the effectiveness of anti-malware software?

A. Number of staff hours lost due to malware attacks
B. Number of downtime hours in business critical servers
C. Number of patches made to anti-malware software
D. Number of successful attacks by malicious software

Question # 223

An organization recently received an independent security audit report of its cloud service provider that indicates significant control weaknesses. What should be done NEXT in response to this report?

A. Migrate all data to another compliant service provider.
B. Analyze the impact of the provider's control weaknesses to the business.
C. Conduct a follow-up audit to verify the provider's control weaknesses.
D. Review the contract to determine if penalties should be levied against the provider.

Question # 224

While evaluating control costs, management discovers that the annual cost exceeds the annual loss expectancy (ALE) of the risk. This indicates the: 

A. control is ineffective and should be strengthened
B. risk is inefficiently controlled.
C. risk is efficiently controlled.
D. control is weak and should be removed.

Question # 225

Which of the following would be MOST helpful to a risk practitioner when ensuring that mitigated risk remains within acceptable limits?

A. Building an organizational risk profile after updating the risk register
B. Ensuring risk owners participate in a periodic control testing process
C. Designing a process for risk owners to periodically review identified risk
D. Implementing a process for ongoing monitoring of control effectiveness

Question # 226

Employees are repeatedly seen holding the door open for others, so that trailing employees do not have to stop and swipe their own ID badges. This behavior BEST represents:

A. a threat.
B. a vulnerability.
C. an impact
D. a control. 

Question # 227

A management team is on an aggressive mission to launch a new product to penetrate new markets and overlooks IT risk factors, threats, and vulnerabilities. This scenario BEST demonstrates an organization's risk:

A. management.
B. tolerance.
C. culture.
D. analysis.Answer: C

Question # 228

A business unit is implementing a data analytics platform to enhance its customer relationship management (CRM) system primarily to process data that has been provided by its customers. Which of the following presents the GREATEST risk to the organization's reputation?

A. Third-party software is used for data analytics.
B. Data usage exceeds individual consent.
C. Revenue generated is not disclosed to customers.
D. Use of a data analytics system is not disclosed to customers.

Question # 229

Which of the following issues should be of GREATEST concern when evaluating existing controls during a risk assessment?

A. A high number of approved exceptions exist with compensating controls.
B. Successive assessments have the same recurring vulnerabilities.
C. Redundant compensating controls are in place.
D. Asset custodians are responsible for defining controls instead of asset owners. 

Question # 230

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an antivirus program?

A. Percentage of IT assets with current malware definitions
B. Number of false positives defected over a period of time
C. Number of alerts generated by the anti-virus software
D. Frequency of anti-vinjs software updates

Question # 231

The MAIN purpose of reviewing a control after implementation is to validate that the control: 

A. operates as intended.
B. is being monitored.
C. meets regulatory requirements.
D. operates efficiently.

Question # 232

Which of the following is an IT business owner's BEST course of action following an unexpected increase in emergency changes? 

A. Evaluating the impact to control objectives  
B. Conducting a root cause analysis
C. Validating the adequacy of current processes
D. Reconfiguring the IT infrastructure

Question # 233

An organization outsources the processing of us payroll data A risk practitioner identifies a control weakness at the third party trial exposes the payroll data. Who should own this risk?

A. The third party's IT operations manager
B. The organization's process owner
C. The third party's chief risk officer (CRO)
D. The organization's risk practitioner

Question # 234

An organization has recently been experiencing frequent data corruption incidents. Implementing a file corruption detection tool as a risk response strategy will help to:

A. reduce the likelihood of future events
B. restore availability
C. reduce the impact of future events
D. address the root cause

Question # 235

Which of the following is the MOST important objective of establishing an enterprise risk management (ERM) function within an organization? 

A. To have a unified approach to risk management across the organization
B. To have a standard risk management process for complying with regulations
C. To optimize risk management resources across the organization
D. To ensure risk profiles are presented in a consistent format within the organization

Question # 236

An organization learns of a new ransomware attack affecting organizations worldwide. Which of the following should be done FIRST to reduce the likelihood of infection from the attack?

A. Identify systems that are vulnerable to being exploited by the attack.
B. Confirm with the antivirus solution vendor whether the next update will detect the attack.
C. Verify the data backup process and confirm which backups are the most recent ones available.
D. Obtain approval for funding to purchase a cyber insurance plan.

Question # 237

Which of the following provides the BEST measurement of an organization's risk management maturity level?

A. Level of residual risk
B. The results of a gap analysis
C. IT alignment to business objectives
D. Key risk indicators (KRIs)

Question # 238

Winch of the following can be concluded by analyzing the latest vulnerability report for the it infrastructure?

A. Likelihood of a threat
B. Impact of technology risk
C. Impact of operational risk
D. Control weakness

Question # 239

Which of the following will be MOST effective in uniquely identifying the originator of electronic transactions? 

A. Digital signature
B. Edit checks
C. Encryption
D. Multifactor authentication