
PDF Only

$35.00 Free Updates Up to 90 Days

  • CRISC Dumps PDF
  • 1197 Questions
  • Updated On April 15, 2024

PDF + Test Engine

$60.00 Free Updates Up to 90 Days

  • CRISC Question Answers
  • 1197 Questions
  • Updated On April 15, 2024

Test Engine

$50.00 Free Updates Up to 90 Days

  • CRISC Practice Questions
  • 1197 Questions
  • Updated On April 15, 2024

How to pass Isaca CRISC exam with the help of dumps?

DumpsPool provides you with the finest quality resources you’ve been looking for to no avail elsewhere. So it's high time you stopped stressing and got ready for the exam. Our Online Test Engine gives you the guidance you need to pass the certification exam. We guarantee top-grade results because we know we’ve covered each topic in a precise and understandable manner. Our expert team prepared the latest Isaca CRISC Dumps to satisfy your need for training. Plus, they come in two different formats: Dumps PDF and Online Test Engine.

How Do I Know Isaca CRISC Dumps are Worth it?

Did we mention our latest CRISC Dumps PDF is also available as an Online Test Engine? And that’s just the point where things start to take root. Of all the amazing features you are offered here at DumpsPool, the money-back guarantee has to be the best one. Now that you know you don’t have to worry about the payment, let us explore all the other reasons you would want to buy from us. Other than affordable Real Exam Dumps, you are offered three months of free updates.

You can easily scroll through our large catalog of certification exams and pick any exam to start your training. That’s right, DumpsPool isn’t limited to just Isaca exams. We know our customers need the support of an authentic and reliable resource, so we make sure there is never any outdated content in our study resources. Our expert team keeps everything up to the mark by keeping an eye on every single update. Our main concern and focus is that you understand the real exam format, so you can pass the exam more easily!

IT Students Are Using our Certified in Risk and Information Systems Control Dumps Worldwide!

It is a well-established fact that certification exams can’t be conquered without some help from experts. That is exactly the point of using Certified in Risk and Information Systems Control Practice Question Answers. You are constantly surrounded by IT experts who’ve been through what you are about to and know better. The 24/7 customer service of DumpsPool ensures you are in touch with these experts whenever needed. Our 100% success rate and validity around the world make us the most trusted resource candidates use. The updated Dumps PDF helps you pass the exam on the first attempt. And with the money-back guarantee, you feel safe buying from us: you can claim a refund if you do not pass the exam.

How to Get CRISC Real Exam Dumps?

Getting access to the real exam dumps is as easy as pressing a button, literally! There are various resources available online, but the majority of them sell scams or copied content. So, if you are going to attempt the CRISC exam, you need to be sure you are buying the right kind of Dumps. All the Dumps PDF available on DumpsPool are as unique and up to date as they can be. Plus, our Practice Question Answers are tested and approved by professionals, making them the most authentic resource available on the internet. Our experts have made sure the Online Test Engine is free from outdated and fake content, repeated questions, and false or indefinite information. We make every penny count, and you leave our platform fully satisfied!

Isaca CRISC Sample Question Answers

Question # 1

Which of the following will BEST help to ensure key risk indicators (KRIs) provide value to risk owners?

A. Ongoing training
B. Timely notification 
C. Return on investment (ROI)
D. Cost minimization

Question # 2

An organization is participating in an industry benchmarking study that involves providing customer transaction records for analysis. Which of the following is the MOST important control to ensure the privacy of customer information?

A. Nondisclosure agreements (NDAs) 
B. Data anonymization 
C. Data cleansing 
D. Data encryption

Question # 3

Which of the following approaches to bring your own device (BYOD) service delivery provides the BEST protection from data loss?

A. Enable data wipe capabilities
B. Penetration testing and session timeouts
C. Implement remote monitoring
D. Enforce strong passwords and data encryption

Question # 4

An organization wants to launch a campaign to advertise a new product. Using data analytics, the campaign can be targeted to reach potential customers. Which of the following should be of GREATEST concern to the risk practitioner?

A. Data minimization
B. Accountability 
C. Accuracy 
D. Purpose limitation

Question # 5

An organization has recently hired a large number of part-time employees. During the annual audit, it was discovered that many user IDs and passwords were documented in procedure manuals for use by the part-time employees. Which of the following BEST describes this situation?

A. Threat 
B. Risk
C. Vulnerability
D. Policy violation

Question # 6

A recent vulnerability assessment of a web-facing application revealed several weaknesses. Which of the following should be done NEXT to determine the risk exposure?

A. Code review 
B. Penetration test
C. Gap assessment
D. Business impact analysis (BIA)

Question # 7

Which of the following is the MOST effective way to reduce potential losses due to ongoing expense fraud?

A. Implement user access controls
B. Perform regular internal audits 
C. Develop and communicate fraud prevention policies 
D. Conduct fraud prevention awareness training.

Question # 8

Which of the following is the GREATEST benefit of identifying appropriate risk owners?

A. Accountability is established for risk treatment decisions
B. Stakeholders are consulted about risk treatment options 
C. Risk owners are informed of risk treatment options 
D. Responsibility is established for risk treatment decisions.

Question # 9

Which of the following is MOST important for senior management to review during an acquisition?

A. Risk appetite and tolerance 
B. Risk framework and methodology
C. Key risk indicator (KRI) thresholds
D. Risk communication plan

Question # 10

Which of the following is the MOST important objective from a cost perspective for considering aggregated risk responses in an organization?

A. Prioritize risk response options
B. Reduce likelihood.
C. Address more than one risk response
D. Reduce impact

Question # 11

Which of the following is MOST important to update when an organization's risk appetite changes?

A. Key risk indicators (KRIs) 
B. Risk reporting methodology
C. Key performance indicators (KPIs) 
D. Risk taxonomy

Question # 12

Which of the following is the BEST indicator of executive management's support for IT risk mitigation efforts?

A. The number of stakeholders involved in IT risk identification workshops 
B. The percentage of corporate budget allocated to IT risk activities
C. The percentage of incidents presented to the board 
D. The number of executives attending IT security awareness training

Question # 13

When a risk practitioner is determining a system's criticality, it is MOST helpful to review the associated:

A. process flow.
B. business impact analysis (BIA). 
C. service level agreement (SLA).
D. system architecture.

Question # 14

Which of the following is the MOST important consideration when communicating the risk associated with technology end-of-life to business owners?

A. Cost and benefit 
B. Security and availability 
C. Maintainability and reliability
D. Performance and productivity

Question # 15

Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities?

A. Temporarily mitigate the OS vulnerabilities
B. Document and implement a patching process
C. Evaluate permanent fixes such as patches and upgrades
D. Identify the vulnerabilities and applicable OS patches

Question # 16

Which of the following is the MOST important concern when assigning multiple risk owners for an identified risk?

A. Accountability may not be clearly defined.
B. Risk ratings may be inconsistently applied.
C. Different risk taxonomies may be used.
D. Mitigation efforts may be duplicated.

Question # 17

Which of the following BEST enables risk-based decision making in support of a business continuity plan (BCP)?

A. Impact analysis
B. Control analysis
C. Root cause analysis 
D. Threat analysis

Question # 18

Which of the following findings of a security awareness program assessment would cause the GREATEST concern to a risk practitioner?

A. The program has not decreased threat counts.
B. The program has not considered business impact.
C. The program has been significantly revised
D. The program uses non-customized training modules.

Question # 19

Effective risk communication BEST benefits an organization by:

A. helping personnel make better-informed decisions
B. assisting the development of a risk register.
C. improving the effectiveness of IT controls.
D. increasing participation in the risk assessment process.

Question # 20

Following an acquisition, the acquiring company's risk practitioner has been asked to update the organization's IT risk profile. What is the MOST important information to review from the acquired company to facilitate this task?

A. Internal and external audit reports 
B. Risk disclosures in financial statements
C. Risk assessment and risk register
D. Business objectives and strategies

Question # 21

Which of the following is the BEST way for a risk practitioner to present an annual risk management update to the board?

A. A summary of risk response plans with validation results
B. A report with control environment assessment results
C. A dashboard summarizing key risk indicators (KRIs)
D. A summary of IT risk scenarios with business cases

Question # 22

During an acquisition, which of the following would provide the MOST useful input to the parent company's risk practitioner when developing risk scenarios for the post-acquisition phase?

A. Risk management framework adopted by each company 
B. Risk registers of both companies 
C. IT balanced scorecard of each company
D. Most recent internal audit findings from both companies

Question # 23

Which of the following is MOST important when conducting a post-implementation review as part of the system development life cycle (SDLC)?

A. Verifying that project objectives are met
B. Identifying project cost overruns
C. Leveraging an independent review team
D. Reviewing the project initiation risk matrix

Question # 24

Which of the following should be of GREATEST concern when reviewing the results of an independent control assessment to determine the effectiveness of a vendor's control environment?

A. The report was provided directly from the vendor.
B. The risk associated with multiple control gaps was accepted. 
C. The control owners disagreed with the auditor's recommendations.
D. The controls had recurring noncompliance.

Question # 25

The BEST key performance indicator (KPI) to measure the effectiveness of the security patching process is the percentage of patches installed:

A. by the security administration team.
B. successfully within the expected time frame.
C. successfully during the first attempt. 
D. without causing an unplanned system outage.

Question # 26

When preparing a risk status report for periodic review by senior management, it is MOST important to ensure the report includes:

A. risk exposure in business terms
B. a detailed view of individual risk exposures
C. a summary of incidents that have impacted the organization.
D. recommendations by an independent risk assessor.

Question # 27

A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner's NEXT step?

A. Develop a mechanism for monitoring residual risk.
B. Update the risk register with the results. 
C. Prepare a business case for the response options. 
D. Identify resources for implementing responses.

Question # 28

Which of the following is the PRIMARY reason to perform periodic vendor risk assessments?

A. To provide input to the organization's risk appetite 
B. To monitor the vendor's control effectiveness 
C. To verify the vendor's ongoing financial viability
D. To assess the vendor's risk mitigation plans

Question # 29

Which of the following is the BEST control to minimize the risk associated with scope creep in software development?

A. An established process for project change management
B. Retention of test data and results for review purposes 
C. Business management's review of functional requirements
D. Segregation between development, test, and production

Question # 30

An organization has experienced several incidents of extended network outages that have exceeded tolerance. Which of the following should be the risk practitioner's FIRST step to address this situation?

A. Recommend additional controls to address the risk.
B. Update the risk tolerance level to acceptable thresholds.
C. Update the incident-related risk trend in the risk register.
D. Recommend a root cause analysis of the incidents.

Question # 31

The objective of aligning mitigating controls to risk appetite is to ensure that:

A. exposures are reduced to the fullest extent
B. exposures are reduced only for critical business systems
C. insurance costs are minimized 
D. the cost of controls does not exceed the expected loss.

Question # 32

Which of the following is the MAIN purpose of monitoring risk?

A. Communication 
B. Risk analysis 
C. Decision support 
D. Benchmarking

Question # 33

A risk practitioner is utilizing a risk heat map during a risk assessment. Risk events that are coded with the same color will have a similar:

A. risk score 
B. risk impact 
C. risk response 
D. risk likelihood.

Question # 34

When evaluating a number of potential controls for treating risk, it is MOST important to consider:

A. risk appetite and control efficiency.
B. inherent risk and control effectiveness.
C. residual risk and cost of control.
D. risk tolerance and control complexity.

Question # 35

Which of the following is MOST important to promoting a risk-aware culture?

A. Regular testing of risk controls
B. Communication of audit findings
C. Procedures for security monitoring 
D. Open communication of risk reporting

Question # 36

An organization has decided to postpone the assessment and treatment of several risk scenarios because stakeholders are unavailable. As a result of this decision, the risk associated with these new entries has been:

A. mitigated
B. deferred
C. accepted.
D. transferred

Question # 37

After implementing countermeasures listed in "Risk Response Descriptions" for each of the Risk IDs, which of the following components of the register MUST change?

A. Risk Impact Rating
B. Risk Owner
C. Risk Likelihood Rating
D. Risk Exposure

Question # 38

An organization's control environment is MOST effective when:

A. controls perform as intended.
B. controls operate efficiently.
C. controls are implemented consistently.
D. control designs are reviewed periodically

Question # 39

Which of the following is the MOST important step to ensure regulatory requirements are adequately addressed within an organization?

A. Obtain necessary resources to address regulatory requirements 
B. Develop a policy framework that addresses regulatory requirements
C. Perform a gap analysis against regulatory requirements.
D. Employ IT solutions that meet regulatory requirements.

Question # 40

When defining thresholds for control key performance indicators (KPIs), it is MOST helpful to align:

A. information risk assessments with enterprise risk assessments.
B. key risk indicators (KRIs) with risk appetite of the business.
C. the control key performance indicators (KPIs) with audit findings.
D. control performance with risk tolerance of business owners.

Question # 41

Which of the following is the MOST important key performance indicator (KPI) to monitor the effectiveness of disaster recovery processes?

A. Percentage of IT systems recovered within the mean time to restore (MTTR) during the disaster recovery test
B. Percentage of issues arising from the disaster recovery test resolved on time 
C. Percentage of IT systems included in the disaster recovery test scope 
D. Percentage of IT systems meeting the recovery time objective (RTO) during the disaster recovery test

Question # 42

A risk practitioner has collaborated with subject matter experts from the IT department to develop a large list of potential key risk indicators (KRIs) for all IT operations within the organization. Of the following, who should review the completed list and select the appropriate KRIs for implementation?

A. IT security managers
B. IT control owners 
C. IT auditors
D. IT risk owners

Question # 43

Senior management wants to increase investment in the organization's cybersecurity program in response to changes in the external threat landscape. Which of the following would BEST help to prioritize investment efforts?

A. Analyzing cyber intelligence reports 
B. Engaging independent cybersecurity consultants
C. Increasing the frequency of updates to the risk register
D. Reviewing the outcome of the latest security risk assessment

Question # 44

An organization's chief information officer (CIO) has proposed investing in a new, untested technology to take advantage of being first to market. Senior management has concerns about the success of the project and has set a limit for expenditures before final approval. This conditional approval indicates the organization's risk:

A. capacity. 
B. appetite.
C. management capability. 
D. treatment strategy.

Question # 45

Which of the following is MOST helpful in providing an overview of an organization's risk management program?

A. Risk management treatment plan
B. Risk assessment results
C. Risk management framework
D. Risk register

Question # 46

An organization is implementing encryption for data at rest to reduce the risk associated with unauthorized access. Which of the following MUST be considered to assess the residual risk?

A. Data retention requirements 
B. Data destruction requirements 
C. Cloud storage architecture 
D. Key management 

Question # 47

Which of the following is a risk practitioner's BEST recommendation to address an organization's need to secure multiple systems with limited IT resources?

A. Apply available security patches. 
B. Schedule a penetration test. 
C. Conduct a business impact analysis (BIA) 
D. Perform a vulnerability analysis. 

Question # 48

The PRIMARY advantage of involving end users in continuity planning is that they:

A. have a better understanding of specific business needs 
B. can balance the overall technical and business concerns 
C. can see the overall impact to the business 
D. are more objective than information security management. 

Question # 49

A bank recently incorporated Blockchain technology with the potential to impact known risk within the organization. Which of the following is the risk practitioner’s BEST course of action?

A. Determine whether risk responses are still adequate. 
B. Analyze and update control assessments with the new processes. 
C. Analyze the risk and update the risk register as needed. 
D. Conduct testing of the controls that mitigate the existing risk.

Question # 50

A financial institution has identified high risk of fraud in several business applications. Which of the following controls will BEST help reduce the risk of fraudulent internal transactions?

A. Periodic user privileges review 
B. Log monitoring 
C. Periodic internal audits 
D. Segregation of duties 

Question # 51

Which of the following would be the GREATEST challenge when implementing a corporate risk framework for a global organization?

A. Privacy risk controls 
B. Business continuity 
C. Risk taxonomy 
D. Management support 

Question # 52

After the implementation of Internet of Things (IoT) devices, new risk scenarios were identified. What is the PRIMARY reason to report this information to risk owners?

A. To reevaluate continued use of IoT devices
B. To add new controls to mitigate the risk
C. To recommend changes to the IoT policy
D. To confirm the impact to the risk profile 

Question # 53

Which of the following is MOST helpful in preventing risk events from materializing?

A. Prioritizing and tracking issues 
B. Establishing key risk indicators (KRIs) 
C. Reviewing and analyzing security incidents 
D. Maintaining the risk register 

Question # 54

Which of the following is a risk practitioner's MOST important responsibility in managing risk acceptance that exceeds risk tolerance?

A. Verify authorization by senior management. 
B. Increase the risk appetite to align with the current risk level 
C. Ensure the acceptance is set to expire over time
D. Update the risk response in the risk register. 

Question # 55

Which of the following would be a risk practitioner's BEST course of action when a project team has accepted a risk outside the established risk appetite?

A. Reject the risk acceptance and require mitigating controls. 
B. Monitor the residual risk level of the accepted risk. 
C. Escalate the risk decision to the project sponsor for review. 
D. Document the risk decision in the project risk register. 

Question # 56

A. Risk Impact Rating 
B. Risk Owner 
C. Risk Likelihood Rating 
D. Risk Exposure 

Question # 57

A multinational organization is considering implementing standard background checks for all new employees. A KEY concern regarding this approach is that it may:

A. fail to identify all relevant issues.
B. be too costly.
C. violate laws in other countries.
D. be too time consuming.

Question # 58

When developing a risk awareness training program, which of the following training topics would BEST facilitate a thorough understanding of risk scenarios?

A. Mapping threats to organizational objectives 
B. Reviewing past audits 
C. Analyzing key risk indicators (KRIs) 
D. Identifying potential sources of risk 

Question # 59

Which of the following stakeholders are typically included as part of a line of defense within the three lines of defense model?

A. Board of directors 
B. Vendors 
C. Regulators 
D. Legal team 

Question # 60

Which of the following should be the PRIMARY goal of developing information security metrics?

A. Raising security awareness 
B. Enabling continuous improvement 
C. Identifying security threats 
D. Ensuring regulatory compliance 

Question # 61

Which of the following will BEST help to ensure new IT policies address the enterprise's requirements?

A. Involve IT leadership in the policy development process
B. Require business users to sign acknowledgment of the policies
C. Involve business owners in the policy development process
D. Provide policy owners with greater enforcement authority

Question # 62

A risk practitioner has just learned about new malware that has severely impacted industry peers worldwide data loss?

A. Customer database manager 
B. Customer data custodian 
C. Data privacy officer 
D. Audit committee 

Question # 63

It was determined that replication of a critical database used by two business units failed. Which of the following should be of GREATEST concern?

A. The underutilization of the replicated link
B. The cost of recovering the data 
C. The lack of integrity of data 
D. The loss of data confidentiality 

Question # 64

The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for:

A. data logging and monitoring 
B. data mining and analytics 
C. data classification and labeling 
D. data retention and destruction 

Question # 65

Which type of indicators should be developed to measure the effectiveness of an organization's firewall rule set?

A. Key risk indicators (KRIs) 
B. Key management indicators (KMIs) 
C. Key performance indicators (KPIs) 
D. Key control indicators (KCIs) 

Question # 66

Which of the following is MOST important to the effectiveness of key performance indicators (KPIs)?

A. Relevance 
B. Annual review 
C. Automation 
D. Management approval 

Question # 67

Who should be PRIMARILY responsible for establishing an organization's IT risk culture?

A. Business process owner 
B. Executive management 
C. Risk management 
D. IT management 

Question # 68

The PRIMARY benefit of using a maturity model is that it helps to evaluate the:

A. capability to implement new processes 
B. evolution of process improvements 
C. degree of compliance with policies and procedures 
D. control requirements. 

Question # 69

Which of the following is the PRIMARY reason to adopt key control indicators (KCIs) in the risk monitoring and reporting process?

A. To provide data for establishing the risk profile 
B. To provide assurance of adherence to risk management policies 
C. To provide measurements on the potential for risk to occur 
D. To provide assessments of mitigation effectiveness 

Question # 70

Of the following, who is BEST suited to assist a risk practitioner in developing a relevant set of risk scenarios?

A. Internal auditor 
B. Asset owner 
C. Finance manager 
D. Control owner 

Question # 71

Which of the following would be the result of a significant increase in the motivation of a malicious threat actor?

A. Increase in mitigating control costs 
B. Increase in risk event impact 
C. Increase in risk event likelihood 
D. Increase in cybersecurity premium 

Question # 72

Which of the following is the BEST indicator of an effective IT security awareness program?

A. Decreased success rate of internal phishing tests 
B. Decreased number of reported security incidents 
C. Number of disciplinary actions issued for security violations 
D. Number of employees that complete security training

Question # 73

Which of the following is the MOST effective way to incorporate stakeholder concerns when developing risk scenarios?

A. Evaluating risk impact 
B. Establishing key performance indicators (KPIs) 
C. Conducting internal audits 
D. Creating quarterly risk reports 

Question # 74

Which of the following would BEST facilitate the implementation of data classification requirements?

A. Assigning a data owner 
B. Implementing technical control over the assets 
C. Implementing a data loss prevention (DLP) solution 
D. Scheduling periodic audits 

Question # 75

An organization is conducting a review of emerging risk. Which of the following is the BEST input for this exercise?

A. Audit reports 
B. Industry benchmarks 
C. Financial forecasts 
D. Annual threat reports 

Question # 76

An organization moved its payroll system to a Software as a Service (SaaS) application. A new data privacy regulation stipulates that data can only be processed within the country where it is collected. Which of the following should be done FIRST when addressing this situation?

A. Analyze data protection methods. 
B. Understand data flows. 
C. Include a right-to-audit clause. 
D. Implement strong access controls. 

Question # 77

Recovery time objectives (RTOs) should be based on:

A. minimum tolerable downtime 
B. minimum tolerable loss of data. 
C. maximum tolerable downtime. 
D. maximum tolerable loss of data 

Question # 78

Which of the following contributes MOST to the effective implementation of risk responses?

A. Clear understanding of the risk 
B. Comparable industry risk trends 
C. Appropriate resources 
D. Detailed standards and procedures 

Question # 79

An employee lost a personal mobile device that may contain sensitive corporate information. What should be the risk practitioner's recommendation?

A. Conduct a risk analysis. 
B. Initiate a remote data wipe. 
C. Invoke the incident response plan 
D. Disable the user account. 

Question # 80

Which of the following is MOST helpful to understand the consequences of an IT risk event?

A. Fault tree analysis 
B. Historical trend analysis 
C. Root cause analysis 
D. Business impact analysis (BIA) 

Question # 81

A company has recently acquired a customer relationship management (CRM) application from a certified software vendor. Which of the following will BEST help to prevent technical vulnerabilities from being exploited?

A. Implement code reviews and quality assurance on a regular basis
B. Verify the software agreement indemnifies the company from losses
C. Review the source code and error reporting of the application
D. Update the software with the latest patches and updates 

Question # 82

Which of the following should be the PRIMARY focus of an IT risk awareness program?

A. Ensure compliance with the organization's internal policies 
B. Cultivate long-term behavioral change. 
C. Communicate IT risk policy to the participants. 
D. Demonstrate regulatory compliance. 

Question # 83

Which of the following would be the GREATEST concern for an IT risk practitioner when an employee.....

A. The organization's structure has not been updated 
B. Unnecessary access permissions have not been removed.
C. Company equipment has not been retained by IT 
D. Job knowledge was not transferred to employees in the former department

Question # 84

Which of the following is the FIRST step when conducting a business impact analysis (BIA)?

A. Identifying critical information assets
B. Identifying events impacting continuity of operations
C. Creating a data classification scheme 
D. Analyzing previous risk assessment results

Question # 85

Which of the following would BEST mitigate an identified risk scenario?

A. Conducting awareness training 
B. Executing a risk response plan 
C. Establishing an organization's risk tolerance 
D. Performing periodic audits 

Question # 86

Which of the following is the BEST way to help ensure risk will be managed properly after a business process has been re-engineered?

A. Reassessing control effectiveness of the process 
B. Conducting a post-implementation review to determine lessons learned 
C. Reporting key performance indicators (KPIs) for core processes 
D. Establishing escalation procedures for anomaly events 

Question # 87

Which of the following should be management's PRIMARY focus when key risk indicators (KRIs) begin to rapidly approach defined thresholds?

A. Designing compensating controls 
B. Determining if KRIs have been updated recently 
C. Assessing the effectiveness of the incident response plan 
D. Determining what has changed in the environment 

Question # 88

Senior management has asked the risk practitioner for the overall residual risk level for a process that contains numerous risk scenarios. Which of the following should be provided?

A. The sum of residual risk levels for each scenario 
B. The loss expectancy for aggregated risk scenarios 
C. The highest loss expectancy among the risk scenarios 
D. The average of anticipated residual risk levels 

Question # 89

Legal and regulatory risk associated with business conducted over the Internet is driven by:

A. the jurisdiction in which an organization has its principal headquarters 
B. international law and a uniform set of regulations. 
C. the laws and regulations of each individual country 
D. international standard-setting bodies. 

Question # 90

An organization is considering outsourcing user administration controls for a critical system. The potential vendor has offered to perform quarterly self-audits of its controls instead of having annual independent audits. Which of the following should be of GREATEST concern to the risk practitioner?

A. The controls may not be properly tested 
B. The vendor will not ensure against control failure 
C. The vendor will not achieve best practices 
D. Lack of a risk-based approach to access control 

Question # 91

An organization has an approved bring your own device (BYOD) policy. Which of the following would BEST mitigate the security risk associated with the inappropriate use of enterprise applications on the devices?

A. Periodically review applications on BYOD devices 
B. Include BYOD in organizational awareness programs 
C. Implement BYOD mobile device management (MDM) controls 
D. Enable a remote wipe capability for BYOD devices 

Question # 92

To reduce costs, an organization is combining the second and third lines of defense in a new department that reports to a recently appointed C-level executive. Which of the following is the GREATEST concern with this situation?

A. The risk governance approach of the second and third lines of defense may differ. 
B. The independence of the internal third line of defense may be compromised. 
C. Cost reductions may negatively impact the productivity of other departments. 
D. The new structure is not aligned to the organization's internal control framework. 

Question # 93

When documenting a risk response, which of the following provides the STRONGEST evidence to support the decision?

A. Verbal majority acceptance of risk by committee 
B. List of compensating controls 
C. IT audit follow-up responses 
D. A memo indicating risk acceptance 

Question # 94

An organization maintains independent departmental risk registers that are not automatically aggregated. Which of the following is the GREATEST concern?

A. Management may be unable to accurately evaluate the risk profile. 
B. Resources may be inefficiently allocated. 
C. The same risk factor may be identified in multiple areas. 
D. Multiple risk treatment efforts may be initiated to treat a given risk. 

Question # 95

Which of the following is MOST important for an organization to update following a change in legislation requiring notification to individuals impacted by data breaches?

A. Insurance coverage 
B. Security awareness training 
C. Policies and standards 
D. Risk appetite and tolerance 

Question # 96

A risk practitioner is preparing a report to communicate changes in the risk and control environment. The BEST way to engage stakeholder attention is to:

A. include detailed deviations from industry benchmarks. 
B. include a summary linking information to stakeholder needs. 
C. include a roadmap to achieve operational excellence. 
D. publish the report on-demand for stakeholders. 

Question # 97

A risk practitioner identifies a database application that has been developed and implemented by the business independently of IT. Which of the following is the BEST course of action?

A. Escalate the concern to senior management. 
B. Document the reasons for the exception. 
C. Include the application in IT risk assessments. 
D. Propose that the application be transferred to IT. 

Question # 98

Which of the following practices would be MOST effective in protecting personally identifiable information (PII) from unauthorized access in a cloud environment?

A. Apply data classification policy
B. Utilize encryption with logical access controls 
C. Require logical separation of company data 
D. Obtain the right to audit 

Question # 99

Which of the following would MOST likely require a risk practitioner to update the risk register?

A. An alert being reported by the security operations center. 
B. Development of a project schedule for implementing a risk response 
C. Completion of a project for implementing a new control 
D. Engagement of a third party to conduct a vulnerability scan 

Question # 100

Which of the following is the BEST way to determine the potential organizational impact of emerging privacy regulations?

A. Evaluate the security architecture maturity. 
B. Map the new requirements to the existing control framework. 
C. Charter a privacy steering committee. 
D. Conduct a privacy impact assessment (PIA). 

Question # 101

Which of the following is the MOST comprehensive resource for prioritizing the implementation of information systems controls?

A. Data classification policy 
B. Emerging technology trends 
C. The IT strategic plan 
D. The risk register 

Question # 102

An organization discovers significant vulnerabilities in a recently purchased commercial off-the-shelf software product which will not be corrected until the next release. Which of the following is the risk manager's BEST course of action?

A. Review the risk of implementing versus postponing with stakeholders. 
B. Run vulnerability testing tools to independently verify the vulnerabilities. 
C. Review the software license to determine the vendor's responsibility regarding vulnerabilities. 
D. Require the vendor to correct significant vulnerabilities prior to installation. 

Question # 103

Which of the following would present the MOST significant risk to an organization when updating the incident response plan?

A. Obsolete response documentation 
B. Increased stakeholder turnover 
C. Failure to audit third-party providers 
D. Undefined assignment of responsibility 

Question # 104

Which of the following is MOST important when implementing an organization's security policy?

A. Obtaining management support 
B. Benchmarking against industry standards 
C. Assessing compliance requirements 
D. Identifying threats and vulnerabilities 

Question # 105

Which of the following would BEST indicate to senior management that IT processes are improving?

A. Changes in the number of intrusions detected 
B. Changes in the number of security exceptions 
C. Changes in the position in the maturity model 
D. Changes to the structure of the risk register 

Question # 106

Which of the following is the BEST way to quantify the likelihood of risk materialization?

A. Balanced scorecard 
B. Threat and vulnerability assessment 
C. Compliance assessments 
D. Business impact analysis (BIA) 

Question # 107

An organization has decided to commit to a business activity with the knowledge that the risk exposure is higher than the risk appetite. Which of the following is the risk practitioner's MOST important action related to this decision?

A. Recommend risk remediation 
B. Change the level of risk appetite 
C. Document formal acceptance of the risk 
D. Reject the business initiative 

Question # 108

Which of the following should be the risk practitioner's FIRST course of action when an organization plans to adopt a cloud computing strategy?

A. Request a budget for implementation. 
B. Conduct a threat analysis. 
C. Create a cloud computing policy. 
D. Perform a controls assessment. 

Question # 109

Which of the following should be determined FIRST when a new security vulnerability is made public?

A. Whether the affected technology is used within the organization 
B. Whether the affected technology is Internet-facing 
C. What mitigating controls are currently in place 
D. How pervasive the vulnerability is within the organization 

Question # 110

Who should be responsible for evaluating the residual risk after a compensating control has been

A. Compliance manager 
B. Risk owner 
C. Control owner 
D. Risk practitioner 

Question # 111

Which of the following is the BEST method of creating risk awareness in an organization?

A. Making the risk register available to project stakeholders 
B. Ensuring senior management commitment to risk training 
C. Providing regular communication to risk managers
D. Appointing the risk manager from the business units 

Question # 112

What is the PRIMARY reason an organization should include background checks on roles with elevated access to production as part of its hiring process?

A. Reduce internal threats 
B. Reduce exposure to vulnerabilities 
C. Eliminate risk associated with personnel 
D. Ensure new hires have the required skills 

Question # 113

Who is BEST suited to provide objective input when updating residual risk to reflect the results of control effectiveness?

A. Control owner 
B. Risk owner 
C. Internal auditor 
D. Compliance manager 

Question # 114

The PRIMARY objective of collecting information and reviewing documentation when performing periodic risk analysis should be to:

A. identify new or emerging risk issues. 
B. satisfy audit requirements. 
C. survey and analyze historical risk data. 
D. understand internal and external threat agents. 

Question # 115

Which of the following practices MOST effectively safeguards the processing of personal data?

A. Personal data attributed to a specific data subject is tokenized. 
B. Data protection impact assessments are performed on a regular basis. 
C. Personal data certifications are performed to prevent excessive data collection. 
D. Data retention guidelines are documented, established, and enforced. 

Question # 116

When is the BEST time to identify risk associated with a major project to determine a mitigation plan?

A. Project execution phase
B. Project initiation phase 
C. Project closing phase 
D. Project planning phase 

Question # 117

For a large software development project, risk assessments are MOST effective when performed:

A. before system development begins. 
B. at system development. 
C. at each stage of the system development life cycle (SDLC). 
D. during the development of the business case. 

Question # 118

The PRIMARY goal of conducting a business impact analysis (BIA) as part of an overall continuity planning process is to:

A. obtain the support of executive management. 
B. map the business processes to supporting IT and other corporate resources. 
C. identify critical business processes and the degree of reliance on support services. 
D. document the disaster recovery process. 

Question # 119

An organization's control environment is MOST effective when:

A. control designs are reviewed periodically. 
B. controls perform as intended. 
C. controls are implemented consistently. 
D. controls operate efficiently. 

Question # 120

Which of the following would BEST help to address the risk associated with malicious outsiders modifying application data?

A. Multi-factor authentication 
B. Role-based access controls 
C. Activation of control audits 
D. Acceptable use policies 

Question # 121

The BEST way to improve a risk register is to ensure the register:

A. is updated based upon significant events. 
B. documents possible countermeasures. 
C. contains the risk assessment completion date. 
D. is regularly audited. 

Question # 122

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery test of critical business processes?

A. Percentage of job failures identified and resolved during the recovery process 
B. Percentage of processes recovered within the recovery time and point objectives
C. Number of current test plans and procedures 
D. Number of issues and action items resolved during the recovery test 

Question # 123

Print jobs containing confidential information are sent to a shared network printer located in a secure room. Which of the following is the BEST control to prevent the inappropriate disclosure of confidential information?

A. Requiring a printer access code for each user 
B. Using physical controls to access the printer room 
C. Using video surveillance in the printer room 
D. Ensuring printer parameters are properly configured 

Question # 124

While reviewing the risk register, a risk practitioner notices that different business units have significant variances in inherent risk for the same risk scenario. Which of the following is the BEST course of action?

A. Update the risk register with the average of residual risk for both business units. 
B. Review the assumptions of both risk scenarios to determine whether the variance is reasonable. 
C. Update the risk register to ensure both risk scenarios have the highest residual risk. 
D. Request that both business units conduct another review of the risk. 

Question # 125

Which of the following would BEST enable a risk-based decision when considering the use of an emerging technology for data processing?

A. Gap analysis 
B. Threat assessment 
C. Resource skills matrix 
D. Data quality assurance plan 

Question # 126

In an organization that allows employee use of social media accounts for work purposes, which of the following is the BEST way to protect company sensitive information from being exposed?

A. Educating employees on what needs to be kept confidential 
B. Implementing a data loss prevention (DLP) solution 
C. Taking punitive action against employees who expose confidential data 
D. Requiring employees to sign nondisclosure agreements 

Question # 127

Which of the following would provide the BEST evidence of an effective internal control environment?

A. Risk assessment results 
B. Adherence to governing policies 
C. Regular stakeholder briefings 
D. Independent audit results 

Question # 128

Which of the following management actions will MOST likely change the likelihood rating of a risk scenario related to remote network access?

A. Updating the organizational policy for remote access 
B. Creating metrics to track remote connections 
C. Implementing multi-factor authentication 
D. Updating remote desktop software 

Question # 129

Risk acceptance of an exception to a security control would MOST likely be justified when:

A. automation cannot be applied to the control. 
B. business benefits exceed the loss exposure. 
C. the end-user license agreement has expired. 
D. the control is difficult to enforce in practice. 

Question # 130

An organization's control environment is MOST effective when:

A. controls perform as intended. 
B. controls operate efficiently. 
C. controls are implemented consistently. 
D. control designs are reviewed periodically. 

Question # 131

An IT department originally planned to outsource the hosting of its data center at an overseas location to reduce operational expenses. After a risk assessment, the department has decided to keep the data center in-house. How should the risk treatment response be reflected in the risk register?

A. Risk mitigation 
B. Risk avoidance 
C. Risk acceptance 
D. Risk transfer 

Question # 132

Which of the following should be of GREATEST concern to a risk practitioner reviewing the implementation of an emerging technology?

A. Lack of alignment to best practices 
B. Lack of risk assessment 
C. Lack of risk and control procedures 
D. Lack of management approval 

Question # 133

A core data center went offline abruptly for several hours affecting many transactions across multiple locations. Which of the following would provide the MOST useful information to determine mitigating controls?

A. Forensic analysis 
B. Risk assessment 
C. Root cause analysis 
D. Business impact analysis (BIA) 

Question # 135

When formulating a social media policy to address information leakage, which of the following is the MOST important concern to address?

A. Sharing company information on social media 
B. Sharing personal information on social media 
C. Using social media to maintain contact with business associates
D. Using social media for personal purposes during working hours 

Question # 136

Before assigning sensitivity levels to information, it is MOST important to:

A. define recovery time objectives (RTOs). 
B. define the information classification policy. 
C. conduct a sensitivity analysis. 
D. identify information custodians. 

Question # 137

An organization has completed a risk assessment of one of its service providers. Who should be accountable for ensuring that risk responses are implemented?

A. IT risk practitioner 
B. Third-party security team 
C. The relationship owner 
D. Legal representation of the business 

Question # 138

Which of the following BEST indicates the risk appetite and tolerance level for the risk associated with business interruption caused by IT system failures?

A. Mean time to recover (MTTR) 
B. IT system criticality classification 
C. Incident management service level agreement (SLA) 
D. Recovery time objective (RTO) 

Question # 139

An organization is considering the adoption of an aggressive business strategy to achieve desired growth. From a risk management perspective, what should the risk practitioner do NEXT?

A. Identify new threats resulting from the new business strategy 
B. Update risk awareness training to reflect current levels of risk appetite and tolerance 
C. Inform the board of potential risk scenarios associated with aggressive business strategies 
D. Increase the scale for measuring impact due to threat materialization 

Question # 140

An IT department has organized training sessions to improve user awareness of organizational information security policies. Which of the following is the BEST key performance indicator (KPI) to reflect effectiveness of the training?

A. Number of training sessions completed 
B. Percentage of staff members who complete the training with a passing score 
C. Percentage of attendees versus total staff 
D. Percentage of staff members who attend the training with positive feedback 

Question # 141

Which of the following will be the GREATEST concern when assessing the risk profile of an organization?

A. The risk profile was not updated after a recent incident. 
B. The risk profile was developed without using industry standards. 
C. The risk profile was last reviewed two years ago. 
D. The risk profile does not contain historical loss data. 

Question # 142

An organization is analyzing the risk of shadow IT usage. Which of the following is the MOST important input into the assessment?

A. Business benefits of shadow IT 
B. Application-related expenses 
C. Classification of the data 
D. Volume of data 

Question # 143

Which of the following standard operating procedure (SOP) statements BEST illustrates appropriate risk register maintenance?

A. Remove risk that has been mitigated by third-party transfer 
B. Remove risk that management has decided to accept 
C. Remove risk only following a significant change in the risk environment 
D. Remove risk when mitigation results in residual risk within tolerance levels 

Question # 144

Which of the following would be MOST helpful when communicating roles associated with the IT risk management process?

A. Skills matrix 
B. Job descriptions 
C. RACI chart 
D. Organizational chart 

Question # 145

Which of the following is MOST important to include in a risk assessment of an emerging technology?

A. Risk response plans 
B. Risk and control ownership 
C. Key controls 
D. Impact and likelihood ratings

Question # 146

Which of the following is the MOST important information to review when developing plans for using emerging technologies?

A. Existing IT environment 
B. IT strategic plan 
C. Risk register 
D. Organizational strategic plan 

Question # 147

Which of the following is MOST important to the effectiveness of key performance indicators (KPIs)?

A. Management approval 
B. Annual review
C. Relevance 
D. Automation 

Question # 148

Which of the following is the MOST important consideration when developing risk strategies?

A. Organization's industry sector 
B. Long-term organizational goals 
C. Concerns of the business process owners 
D. History of risk events 

Question # 149

Which of the following would BEST facilitate the implementation of data classification requirements?

A. Implementing a data loss prevention (DLP) solution 
B. Assigning a data owner 
C. Scheduling periodic audits 
D. Implementing technical controls over the assets 

Question # 150

Which of the following provides the BEST evidence that a selected risk treatment plan is effective?

A. Identifying key risk indicators (KRIs) 
B. Evaluating the return on investment (ROI) 
C. Evaluating the residual risk level 
D. Performing a cost-benefit analysis

Question # 151

Which of the following will BEST help to ensure the continued effectiveness of the IT risk management function within an organization experiencing high employee turnover?

A. Well documented policies and procedures 
B. Risk and issue tracking 
C. An IT strategy committee 
D. Change and release management 

Question # 152

Which of the following would MOST effectively reduce risk associated with an increase of online transactions on a retailer website?

A. Scalable infrastructure 
B. A hot backup site 
C. Transaction limits 
D. Website activity monitoring 

Question # 153

As part of business continuity planning, which of the following is MOST important to include in a business impact analysis (BIA)?

A. An assessment of threats to the organization 
B. An assessment of recovery scenarios 
C. Industry standard framework 
D. Documentation of testing procedures 

Question # 154

Which of the following would be a risk practitioner's BEST recommendation upon learning of an updated cybersecurity regulation that could impact the organization?

A. Perform a gap analysis 
B. Conduct system testing 
C. Implement compensating controls 
D. Update security policies 

Question # 155

The PRIMARY reason for prioritizing risk scenarios is to:

A. provide an enterprise-wide view of risk. 
B. support risk response tracking. 
C. assign risk ownership. 
D. facilitate risk response decisions. 

Question # 156

In order to determine whether a risk is under-controlled, the risk practitioner will need to:

A. understand the risk tolerance
B. monitor and evaluate IT performance 
C. identify risk management best practices 
D. determine the sufficiency of the IT risk budget 

Question # 157

Which of the following is the BEST indication that key risk indicators (KRIs) should be revised?

A. A decrease in the number of critical assets covered by risk thresholds 
B. An increase in the number of risk threshold exceptions 
C. An increase in the number of change events pending management review 
D. A decrease in the number of key performance indicators (KPIs) 

Question # 158

An organization has decided to use an external auditor to review the control environment of an outsourced service provider. The BEST control criteria to evaluate the provider would be based on:

A. a recognized industry control framework. 
B. guidance provided by the external auditor. 
C. the service provider's existing controls. 
D. the organization's specific control requirements. 

Question # 159

An organization is planning to move its application infrastructure from on-premises to the cloud. Which of the following is the BEST course of action to address the risk associated with data transfer if the relationship is terminated with the vendor?

A. Meet with the business leaders to ensure the classification of their transferred data is in place. 
B. Ensure the language in the contract explicitly states who is accountable for each step of the data transfer process. 
C. Collect requirements for the environment to ensure the infrastructure as a service (IaaS) is configured appropriately. 
D. Work closely with the information security officer to ensure the company has the proper security controls in place. 

Question # 160

A risk practitioner observed that a high number of policy exceptions were approved by senior management. Which of the following is the risk practitioner's BEST course of action to determine root cause?

A. Review the risk profile 
B. Review policy change history 
C. Interview the control owner 
D. Perform control testing 

Question # 161

Who should have the authority to approve an exception to a control?

A. Information security manager 
B. Control owner 
C. Risk owner 
D. Risk manager 

Question # 162

An organization wants to grant remote access to a system containing sensitive data to an overseas third party. Which of the following should be of GREATEST concern to management?

A. Transborder data transfer restrictions 
B. Differences in regional standards 
C. Lack of monitoring over vendor activities 
D. Lack of after-hours incident management support 

Question # 163

Which of the following issues found during the review of a newly created disaster recovery plan (DRP) should be of MOST concern?

A. Some critical business applications are not included in the plan 
B. Several recovery activities will be outsourced 
C. The plan is not based on an internationally recognized framework 
D. The chief information security officer (CISO) has not approved the plan 

Question # 164

Which key performance indicator (KPI) BEST measures the effectiveness of an organization's disaster recovery program?

A. Number of service level agreement (SLA) violations 
B. Percentage of recovery issues identified during the exercise 
C. Number of total systems recovered within the recovery point objective (RPO) 
D. Percentage of critical systems recovered within the recovery time objective (RTO) 

Question # 165

Which of the following is PRIMARILY a risk management responsibility of the first line of defense?

A. Implementing risk treatment plans 
B. Validating the status of risk mitigation efforts 
C. Establishing risk policies and standards 
D. Conducting independent reviews of risk assessment results 

Question # 166

An organization has provided legal text explaining the rights and expected behavior of users accessing a system from geographic locations that have strong privacy regulations. Which of the following control types has been applied?

A. Detective 
B. Directive 
C. Preventive 
D. Compensating 

Question # 167

A global company's business continuity plan (BCP) requires the transfer of its customer information….event of a disaster. Which of the following should be the MOST important risk consideration?

A. The difference in the management practices between each company 
B. The cloud computing environment is shared with another company 
C. The lack of a service level agreement (SLA) in the vendor contract 
D. The organizational culture differences between each country 

Question # 168

Which of the following is the MOST comprehensive input to the risk assessment process specific to the effects of system downtime?

A. Business continuity plan (BCP) testing results 
B. Recovery time objective (RTO) 
C. Business impact analysis (BIA) results 
D. Recovery point objective (RPO) 

Question # 169

Which of the following is MOST important for mitigating ethical risk when establishing accountability for control ownership?

A. Ensuring processes are documented to enable effective control execution 
B. Ensuring regular risk messaging is included in business communications from leadership 
C. Ensuring schedules and deadlines for control-related deliverables are strictly monitored 
D. Ensuring performance metrics balance business goals with risk appetite 

Question # 170

Which of the following is MOST important for maintaining the effectiveness of an IT risk register?

A. Removing entries from the register after the risk has been treated 
B. Recording and tracking the status of risk response plans within the register 
C. Communicating the register to key stakeholders 
D. Performing regular reviews and updates to the register 

Question # 171

It is MOST important that security controls for a new system be documented in:

A. testing requirements. 
B. the implementation plan. 
C. system requirements. 
D. the security policy. 

Question # 172

Which of the following is MOST helpful in defining an early-warning threshold associated with insufficient network bandwidth?

A. Average bandwidth usage 
B. Peak bandwidth usage 
C. Total bandwidth usage 
D. Bandwidth used during business hours 

Question # 173

An organization is concerned that its employees may be unintentionally disclosing data through the use of social media sites. Which of the following will MOST effectively mitigate this risk?

A. Requiring the use of virtual private networks (VPNs) 
B. Establishing a data classification policy 
C. Conducting user awareness training 
D. Requiring employee agreement of the acceptable use policy 

Question # 174

An organization has made a decision to purchase a new IT system. During which phase of the system development life cycle (SDLC) will identified risk MOST likely lead to architecture and design trade-offs?

A. Acquisition 
B. Implementation 
C. Initiation 
D. Operation and maintenance 

Question # 175

The PRIMARY purpose of using a framework for risk analysis is to:

A. improve accountability. 
B. improve consistency. 
C. help define risk tolerance. 
D. help develop risk scenarios. 

Question # 176

When developing risk scenarios using a list of generic scenarios based on industry best practices, it is MOST important to:

A. assess generic risk scenarios with business users. 
B. validate the generic risk scenarios for relevance. 
C. select the maximum possible risk scenarios from the list. 
D. identify common threats causing generic risk scenarios. 

Question # 177

Which element of an organization's risk register is MOST important to update following the commissioning of a new financial reporting system?

A. Key risk indicators (KRIs) 
B. The owner of the financial reporting process 
C. The risk rating of affected financial processes 
D. The list of relevant financial controls 

Question # 179

Which of the following is the BEST approach to mitigate the risk associated with a control deficiency?

A. Perform a business case analysis 
B. Implement compensating controls. 
C. Conduct a control self-assessment (CSA) 
D. Build a provision for risk 

Question # 180

A maturity model is MOST useful to an organization when it:

A. benchmarks against other organizations. 
B. defines a qualitative measure of risk. 
C. provides a reference for progress. 
D. provides risk metrics. 

Question # 181

Which of the following should be of MOST concern to a risk practitioner reviewing an organization's risk register after the completion of a series of risk assessments?

A. Several risk action plans have missed target completion dates. 
B. Senior management has accepted more risk than usual. 
C. Risk associated with many assets is only expressed in qualitative terms. 
D. Many risk scenarios are owned by the same senior manager. 

Question # 182

Which of the following sources is MOST relevant to reference when updating security awareness training materials?

A. Risk management framework 
B. Risk register 
C. Global security standards 
D. Recent security incidents reported by competitors 

Question # 183

Which of the following will BEST help to ensure implementation of corrective action plans?

A. Establishing employee awareness training 
B. Assigning accountability to risk owners 
C. Setting target dates to complete actions 
D. Contracting to third parties 

Question # 184

An organization has used generic risk scenarios to populate its risk register. Which of the following presents the GREATEST challenge to assigning the associated risk entries?

A. The volume of risk scenarios is too large 
B. Risk aggregation has not been completed 
C. Risk scenarios are not applicable
D. The risk analysis for each scenario is incomplete 

Question # 185

A risk practitioner has discovered a deficiency in a critical system that cannot be patched. Which of the following should be the risk practitioner's FIRST course of action?

A. Report the issue to internal audit. 
B. Submit a request to change management. 
C. Conduct a risk assessment. 
D. Review the business impact assessment. 

Question # 186

When reviewing the business continuity plan (BCP) of an online sales order system, a risk practitioner notices that the recovery time objective (RTO) has a shorter time than what is defined in the disaster recovery plan (DRP). Which of the following is the BEST way for the risk practitioner to address this concern?

A. Adopt the RTO defined in the BCP.
B. Update the risk register to reflect the discrepancy. 
C. Adopt the RTO defined in the DRP. 
D. Communicate the discrepancy to the DR manager for follow-up. 

Question # 187

Which of the following is the PRIMARY benefit of stakeholder involvement in risk scenario development?

A. Ability to determine business impact 
B. Up-to-date knowledge on risk responses 
C. Decision-making authority for risk treatment 
D. Awareness of emerging business threats 

Question # 188

Which of the following is the MOST appropriate action when a tolerance threshold is exceeded?

A. Communicate potential impact to decision makers. 
B. Research the root cause of similar incidents. 
C. Verify the response plan is adequate. 
D. Increase human resources to respond in the interim. 

Question # 189

Which of the following is the PRIMARY risk management responsibility of the second line of defense?

A. Monitoring risk responses 
B. Applying risk treatments 
C. Providing assurance of control effectiveness 
D. Implementing internal controls 

Question # 190

Which of the following is a drawback in the use of quantitative risk analysis?

A. It assigns numeric values to exposures of assets. 
B. It requires more resources than other methods.
C. It produces the results in numeric form. 
D. It is based on impact analysis of information assets. 

Question # 191

When evaluating enterprise IT risk management, it is MOST important to:

A. create new control processes to reduce identified IT risk scenarios
B. confirm the organization’s risk appetite and tolerance
C. report identified IT risk scenarios to senior management
D. review alignment with the organization's investment plan

Question # 192

Which of the following is the BEST reason to use qualitative measures to express residual risk levels related to emerging threats?

A. Qualitative measures require less ongoing monitoring.
B. Qualitative measures are better aligned to regulatory requirements.
C. Qualitative measures are better able to incorporate expert judgment.
D. Qualitative measures are easier to update.

Question # 193

Which of the following is the GREATEST benefit to an organization when updates to the risk register are made promptly after the completion of a risk assessment?

A. Improved senior management communication
B. Optimized risk treatment decisions 
C. Enhanced awareness of risk management
D. Improved collaboration among risk professionals

Question # 194

What is the PRIMARY benefit of risk monitoring?

A. It reduces the number of audit findings.
B. It provides statistical evidence of control efficiency.
C. It facilitates risk-aware decision making.
D. It facilitates communication of threat levels.

Question # 195

Several network user accounts were recently created without the required management approvals. Which of the following would be the risk practitioner's BEST recommendation to address this situation?

A. Conduct a comprehensive compliance review.
B. Develop incident response procedures for noncompliance.
C. Investigate the root cause of noncompliance.
D. Declare a security breach and inform management.

Question # 196

The BEST reason to classify IT assets during a risk assessment is to determine the:

A. priority in the risk register.
B. business process owner.
C. enterprise risk profile.
D. appropriate level of protection.

Question # 197

Which of the following is the MOST critical element to maximize the potential for a successful security implementation? 

A. The organization's knowledge
B. Ease of implementation
C. The organization's culture
D. Industry-leading security tools

Question # 198

Which of the following BEST facilitates the alignment of IT risk management with enterprise risk management (ERM)?

A. Adopting qualitative enterprise risk assessment methods
B. Linking IT risk scenarios to technology objectives
C. Linking IT risk scenarios to enterprise strategy
D. Adopting quantitative enterprise risk assessment methods

Question # 199

Which of the following roles is BEST suited to help a risk practitioner understand the impact of IT-related events on business objectives?

A. IT management
B. Internal audit
C. Process owners
D. Senior management

Question # 200

Which of the following is the MOST important technology control to reduce the likelihood of fraudulent payments committed internally?

A. Automated access revocation
B. Daily transaction reconciliation
C. Rule-based data analytics
D. Role-based user access model

Question # 201

Which of the following is the BEST evidence that a user account has been properly authorized?

A. An email from the user accepting the account
B. Notification from human resources that the account is active
C. User privileges matching the request form
D. Formal approval of the account by the user's manager

Question # 202

A chief information officer (CIO) has identified risk associated with shadow systems being maintained by business units to address specific functionality gaps in the organization's enterprise resource planning (ERP) system. What is the BEST way to reduce this risk going forward?

A. Align applications to business processes.
B. Implement an enterprise architecture (EA).
C. Define the software development life cycle (SDLC).
D. Define enterprise-wide system procurement requirements.

Question # 203

An organization has detected unauthorized logins to its client database servers. Which of the following should be of GREATEST concern? 

A. Potential increase in regulatory scrutiny
B. Potential system downtime
C. Potential theft of personal information
D. Potential legal risk 

Question # 204

To reduce the risk introduced when conducting penetration tests, the BEST mitigating control would be to: 

A. require the vendor to sign a nondisclosure agreement.
B. clearly define the project scope.
C. perform background checks on the vendor.
D. notify network administrators before testing.

Question # 205

Which of the following is the BEST indicator of the effectiveness of IT risk management processes? 

A. Percentage of business users completing risk training
B. Percentage of high-risk scenarios for which risk action plans have been developed
C. Number of key risk indicators (KRIs) defined
D. Time between when IT risk scenarios are identified and the enterprise's response

Question # 206

During implementation of an intrusion detection system (IDS) to monitor network traffic, a high number of alerts is reported. The risk practitioner should recommend to: 

A. reset the alert threshold based on peak traffic  
B. analyze the traffic to minimize the false negatives  
C. analyze the alerts to minimize the false positives
D. sniff the traffic using a network analyzer

Question # 207

Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds?

A. Occurrences of specific events
B. A performance measurement
C. The risk tolerance level
D. Risk scenarios

Question # 208

An internal audit report reveals that not all IT application databases have encryption in place. Which of the following information would be MOST important for assessing the risk impact? 

A. The number of users who can access sensitive data
B. A list of unencrypted databases which contain sensitive data
C. The reason some databases have not been encrypted
D. The cost required to enforce encryption

Question # 209

Which of the following is the MOST important topic to cover in a risk awareness training program for all staff?

A. Internal and external information security incidents
B. The risk department's roles and responsibilities
C. Policy compliance requirements and exceptions process
D. The organization's information security risk profile

Question # 210

Which of the following scenarios represents a threat?

A. Connecting a laptop to a free, open, wireless access point (hotspot)
B. Visitors not signing in as per policy
C. Storing corporate data in unencrypted form on a laptop
D. A virus transmitted on a USB thumb drive

Question # 211

An IT risk practitioner has determined that mitigation activities differ from an approved risk action plan. Which of the following is the risk practitioner's BEST course of action? 

A. Report the observation to the chief risk officer (CRO).
B. Validate the adequacy of the implemented risk mitigation measures.
C. Update the risk register with the implemented risk mitigation actions.
D. Revert the implemented mitigation measures until approval is obtained.

Question # 212

Which of the following is the PRIMARY objective of providing an aggregated view of IT risk to business management?

A. To enable consistent data on risk to be obtained
B. To allow for proper review of risk tolerance
C. To identify dependencies for reporting risk
D. To provide consistent and clear terminology

Question # 213

Which of the following is the BEST control to detect an advanced persistent threat (APT)?

A. Utilizing antivirus systems and firewalls
B. Conducting regular penetration tests
C. Monitoring social media activities
D. Implementing automated log monitoring

Question # 214

Which of the following is the BEST source for identifying key control indicators (KCIs)?

A. Privileged user activity monitoring controls
B. Controls mapped to organizational risk scenarios
C. Recent audit findings of control weaknesses
D. A list of critical security processes

Question # 215

Which of the following is the GREATEST risk associated with an environment that lacks documentation of the architecture?

A. Unknown vulnerabilities
B. Legacy technology systems
C. Network isolation
D. Overlapping threats

Question # 216

Which of the following is the GREATEST benefit for an organization with a strong risk awareness culture?

A. Reducing the involvement by senior management
B. Using more risk specialists
C. Reducing the need for risk policies and guidelines 
D. Discussing and managing risk as a team

Question # 217

Which of the following is MOST important when developing a business case for a proposed security investment?

A. Identification of control requirements
B. Alignment to business objectives
C. Consideration of new business strategies
D. Inclusion of strategy for regulatory compliance

Question # 218

Which of the following is the MOST effective control to ensure user access is maintained on a least-privilege basis?

A. User authorization
B. User recertification
C. Change log review
D. Access log monitoring

Question # 219

Which of the following is the MOST important component in a risk treatment plan? 

A. Technical details
B. Target completion date
C. Treatment plan ownership
D. Treatment plan justification

Question # 220

In an organization where each division manages risk independently, which of the following would BEST enable management of risk at the enterprise level?

A. A standardized risk taxonomy
B. A list of control deficiencies
C. An enterprise risk ownership policy
D. An updated risk tolerance metric

Question # 221

Which of the following describes the relationship between key risk indicators (KRIs) and key control indicators (KCIs)?

A. KCIs are independent from KRIs.
B. KCIs and KRIs help in determining risk appetite.
C. KCIs are defined using data from KRIs.
D. KCIs provide input for KRIs.

Question # 222

Which of the following BEST indicates the effectiveness of anti-malware software?

A. Number of staff hours lost due to malware attacks
B. Number of downtime hours in business critical servers
C. Number of patches made to anti-malware software
D. Number of successful attacks by malicious software

Question # 223

An organization recently received an independent security audit report of its cloud service provider that indicates significant control weaknesses. What should be done NEXT in response to this report?

A. Migrate all data to another compliant service provider.
B. Analyze the impact of the provider's control weaknesses to the business.
C. Conduct a follow-up audit to verify the provider's control weaknesses.
D. Review the contract to determine if penalties should be levied against the provider.

Question # 224

While evaluating control costs, management discovers that the annual cost exceeds the annual loss expectancy (ALE) of the risk. This indicates the: 

A. control is ineffective and should be strengthened
B. risk is inefficiently controlled.
C. risk is efficiently controlled.
D. control is weak and should be removed.

Question # 225

Which of the following would be MOST helpful to a risk practitioner when ensuring that mitigated risk remains within acceptable limits?

A. Building an organizational risk profile after updating the risk register
B. Ensuring risk owners participate in a periodic control testing process
C. Designing a process for risk owners to periodically review identified risk
D. Implementing a process for ongoing monitoring of control effectiveness

Question # 226

Employees are repeatedly seen holding the door open for others, so that trailing employees do not have to stop and swipe their own ID badges. This behavior BEST represents:

A. a threat.
B. a vulnerability.
C. an impact.
D. a control.

Question # 227

A management team is on an aggressive mission to launch a new product to penetrate new markets and overlooks IT risk factors, threats, and vulnerabilities. This scenario BEST demonstrates an organization's risk:

A. management.
B. tolerance.
C. culture.
D. analysis.

Answer: C

Question # 228

A business unit is implementing a data analytics platform to enhance its customer relationship management (CRM) system primarily to process data that has been provided by its customers. Which of the following presents the GREATEST risk to the organization's reputation?

A. Third-party software is used for data analytics.
B. Data usage exceeds individual consent.
C. Revenue generated is not disclosed to customers.
D. Use of a data analytics system is not disclosed to customers.

Question # 229

Which of the following issues should be of GREATEST concern when evaluating existing controls during a risk assessment?

A. A high number of approved exceptions exist with compensating controls.
B. Successive assessments have the same recurring vulnerabilities.
C. Redundant compensating controls are in place.
D. Asset custodians are responsible for defining controls instead of asset owners. 

Question # 230

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an antivirus program?

A. Percentage of IT assets with current malware definitions
B. Number of false positives detected over a period of time
C. Number of alerts generated by the anti-virus software
D. Frequency of anti-virus software updates

Question # 231

The MAIN purpose of reviewing a control after implementation is to validate that the control: 

A. operates as intended.
B. is being monitored.
C. meets regulatory requirements.
D. operates efficiently.

Question # 232

Which of the following is an IT business owner's BEST course of action following an unexpected increase in emergency changes? 

A. Evaluating the impact to control objectives  
B. Conducting a root cause analysis
C. Validating the adequacy of current processes
D. Reconfiguring the IT infrastructure

Question # 233

An organization outsources the processing of its payroll data. A risk practitioner identifies a control weakness at the third party that exposes the payroll data. Who should own this risk?

A. The third party's IT operations manager
B. The organization's process owner
C. The third party's chief risk officer (CRO)
D. The organization's risk practitioner

Question # 234

An organization has recently been experiencing frequent data corruption incidents. Implementing a file corruption detection tool as a risk response strategy will help to:

A. reduce the likelihood of future events
B. restore availability
C. reduce the impact of future events
D. address the root cause

Question # 235

Which of the following is the MOST important objective of establishing an enterprise risk management (ERM) function within an organization? 

A. To have a unified approach to risk management across the organization
B. To have a standard risk management process for complying with regulations
C. To optimize risk management resources across the organization
D. To ensure risk profiles are presented in a consistent format within the organization

Question # 236

An organization learns of a new ransomware attack affecting organizations worldwide. Which of the following should be done FIRST to reduce the likelihood of infection from the attack?

A. Identify systems that are vulnerable to being exploited by the attack.
B. Confirm with the antivirus solution vendor whether the next update will detect the attack.
C. Verify the data backup process and confirm which backups are the most recent ones available.
D. Obtain approval for funding to purchase a cyber insurance plan.

Question # 237

Which of the following provides the BEST measurement of an organization's risk management maturity level?

A. Level of residual risk
B. The results of a gap analysis
C. IT alignment to business objectives
D. Key risk indicators (KRIs)

Question # 238

Which of the following can be concluded by analyzing the latest vulnerability report for the IT infrastructure?

A. Likelihood of a threat
B. Impact of technology risk
C. Impact of operational risk
D. Control weakness

Question # 239

Which of the following will be MOST effective in uniquely identifying the originator of electronic transactions? 

A. Digital signature
B. Edit checks
C. Encryption
D. Multifactor authentication