Winter Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: netbudy65

CRISC Certified in Risk and Information Systems Control Questions and Answers

Questions 4

A risk assessment has identified that departments have installed their own WiFi access points on the enterprise network. Which of the following would be MOST important to include in a report to senior management?

Options:

A.

The network security policy

B.

Potential business impact

C.

The WiFi access point configuration

D.

Planned remediation actions

Buy Now
Questions 5

Reviewing results from which of the following is the BEST way to identify information systems control deficiencies?

Options:

A.

Vulnerability and threat analysis

B.

Control remediation planning

C.

User acceptance testing (UAT)

D.

Control self-assessment (CSA)

Buy Now
Questions 6

Which of the following is the MAIN reason for documenting the performance of controls?

Options:

A.

Obtaining management sign-off

B.

Demonstrating effective risk mitigation

C.

Justifying return on investment

D.

Providing accurate risk reporting

Buy Now
Questions 7

Which of the following attributes of a key risk indicator (KRI) is MOST important?

Options:

A.

Repeatable

B.

Automated

C.

Quantitative

D.

Qualitative

Buy Now
Questions 8

Which of the following is the MOST important foundational element of an effective three lines of defense model for an organization?

Options:

A.

A robust risk aggregation tool set

B.

Clearly defined roles and responsibilities

C.

A well-established risk management committee

D.

Well-documented and communicated escalation procedures

Buy Now
Questions 9

An organization delegates its data processing to the internal IT team to manage information through its applications. Which of the following is the role of the internal IT team in this situation?

Options:

A.

Data controllers

B.

Data processors

C.

Data custodians

D.

Data owners

Buy Now
Questions 10

A key risk indicator (KRI) is reported to senior management on a periodic basis as exceeding thresholds, but each time senior management has decided to take no action to reduce the risk. Which of the following is the MOST likely reason for senior management's response?

Options:

A.

The underlying data source for the KRI is using inaccurate data and needs to be corrected.

B.

The KRI is not providing useful information and should be removed from the KRI inventory.

C.

The KRI threshold needs to be revised to better align with the organization s risk appetite

D.

Senior management does not understand the KRI and should undergo risk training.

Buy Now
Questions 11

A risk practitioner has identified that the organization's secondary data center does not provide redundancy for a critical application. Who should have the authority to accept the associated risk?

Options:

A.

Business continuity director

B.

Disaster recovery manager

C.

Business application owner

D.

Data center manager

Buy Now
Questions 12

An organization has operations in a location that regularly experiences severe weather events. Which of the following would BEST help to mitigate the risk to operations?

Options:

A.

Prepare a cost-benefit analysis to evaluate relocation.

B.

Prepare a disaster recovery plan (DRP).

C.

Conduct a business impact analysis (BIA) for an alternate location.

D.

Develop a business continuity plan (BCP).

Buy Now
Questions 13

Which of the following is the PRIMARY benefit of using an entry in the risk register to track the aggregate risk associated with server failure?

Options:

A.

It provides a cost-benefit analysis on control options available for implementation.

B.

It provides a view on where controls should be applied to maximize the uptime of servers.

C.

It provides historical information about the impact of individual servers malfunctioning.

D.

It provides a comprehensive view of the impact should the servers simultaneously fail.

Buy Now
Questions 14

Management has required information security awareness training to reduce the risk associated with credential compromise. What is the BEST way to assess the effectiveness of the training?

Options:

A.

Conduct social engineering testing.

B.

Audit security awareness training materials.

C.

Administer an end-of-training quiz.

D.

Perform a vulnerability assessment.

Buy Now
Questions 15

Which of the following should be an element of the risk appetite of an organization?

Options:

A.

The effectiveness of compensating controls

B.

The enterprise's capacity to absorb loss

C.

The residual risk affected by preventive controls

D.

The amount of inherent risk considered appropriate

Buy Now
Questions 16

A risk practitioner discovers several key documents detailing the design of a product currently in development have been posted on the Internet. What should be the risk practitioner's FIRST course of action?

Options:

A.

invoke the established incident response plan.

B.

Inform internal audit.

C.

Perform a root cause analysis

D.

Conduct an immediate risk assessment

Buy Now
Questions 17

Which of the following presents the GREATEST challenge to managing an organization's end-user devices?

Options:

A.

Incomplete end-user device inventory

B.

Unsupported end-user applications

C.

Incompatible end-user devices

D.

Multiple end-user device models

Buy Now
Questions 18

Which of the following BEST describes the role of the IT risk profile in strategic IT-related decisions?

Options:

A.

It compares performance levels of IT assets to value delivered.

B.

It facilitates the alignment of strategic IT objectives to business objectives.

C.

It provides input to business managers when preparing a business case for new IT projects.

D.

It helps assess the effects of IT decisions on risk exposure

Buy Now
Questions 19

A risk practitioner has observed that there is an increasing trend of users sending sensitive information by email without using encryption. Which of the following would be the MOST effective approach to mitigate the risk associated with data loss?

Options:

A.

Implement a tool to create and distribute violation reports

B.

Raise awareness of encryption requirements for sensitive data.

C.

Block unencrypted outgoing emails which contain sensitive data.

D.

Implement a progressive disciplinary process for email violations.

Buy Now
Questions 20

Which of the following should be the risk practitioner s PRIMARY focus when determining whether controls are adequate to mitigate risk?

Options:

A.

Sensitivity analysis

B.

Level of residual risk

C.

Cost-benefit analysis

D.

Risk appetite

Buy Now
Questions 21

An effective control environment is BEST indicated by controls that:

Options:

A.

minimize senior management's risk tolerance.

B.

manage risk within the organization's risk appetite.

C.

reduce the thresholds of key risk indicators (KRIs).

D.

are cost-effective to implement

Buy Now
Questions 22

Which of the following will BEST quantify the risk associated with malicious users in an organization?

Options:

A.

Business impact analysis

B.

Risk analysis

C.

Threat risk assessment

D.

Vulnerability assessment

Buy Now
Questions 23

Which of the following is MOST helpful to ensure effective security controls for a cloud service provider?

Options:

A.

A control self-assessment

B.

A third-party security assessment report

C.

Internal audit reports from the vendor

D.

Service level agreement monitoring

Buy Now
Questions 24

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery plan (DRP)?

Options:

A.

Number of users that participated in the DRP testing

B.

Number of issues identified during DRP testing

C.

Percentage of applications that met the RTO during DRP testing

D.

Percentage of issues resolved as a result of DRP testing

Buy Now
Questions 25

Which of the following is the MAIN reason to continuously monitor IT-related risk?

Options:

A.

To redefine the risk appetite and risk tolerance levels based on changes in risk factors

B.

To update the risk register to reflect changes in levels of identified and new IT-related risk

C.

To ensure risk levels are within acceptable limits of the organization's risk appetite and risk tolerance

D.

To help identify root causes of incidents and recommend suitable long-term solutions

Buy Now
Questions 26

An organization has outsourced its IT security operations to a third party. Who is ULTIMATELY accountable for the risk associated with the outsourced operations?

Options:

A.

The third party s management

B.

The organization's management

C.

The control operators at the third party

D.

The organization's vendor management office

Buy Now
Questions 27

Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?

Options:

A.

Risk mitigation budget

B.

Business Impact analysis

C.

Cost-benefit analysis

D.

Return on investment

Buy Now
Questions 28

Which of the following would BEST help to ensure that suspicious network activity is identified?

Options:

A.

Analyzing intrusion detection system (IDS) logs

B.

Analyzing server logs

C.

Using a third-party monitoring provider

D.

Coordinating events with appropriate agencies

Buy Now
Questions 29

Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:

Options:

A.

a gap analysis

B.

a root cause analysis.

C.

an impact assessment.

D.

a vulnerability assessment.

Buy Now
Questions 30

Which of the following controls will BEST detect unauthorized modification of data by a database administrator?

Options:

A.

Reviewing database access rights

B.

Reviewing database activity logs

C.

Comparing data to input records

D.

Reviewing changes to edit checks

Buy Now
Questions 31

Which of the following roles would provide the MOST important input when identifying IT risk scenarios?

Options:

A.

Information security managers

B.

Internal auditors

C.

Business process owners

D.

Operational risk managers

Buy Now
Questions 32

Which of the following is MOST important when developing key performance indicators (KPIs)?

Options:

A.

Alignment to risk responses

B.

Alignment to management reports

C.

Alerts when risk thresholds are reached

D.

Identification of trends

Buy Now
Questions 33

Which of the following is MOST important to understand when determining an appropriate risk assessment approach?

Options:

A.

Complexity of the IT infrastructure

B.

Value of information assets

C.

Management culture

D.

Threats and vulnerabilities

Buy Now
Questions 34

Which of the following should be the PRIMARY input when designing IT controls?

Options:

A.

Benchmark of industry standards

B.

Internal and external risk reports

C.

Recommendations from IT risk experts

D.

Outcome of control self-assessments

Buy Now
Questions 35

Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?

Options:

A.

Align business objectives to the risk profile.

B.

Assess risk against business objectives

C.

Implement an organization-specific risk taxonomy.

D.

Explain risk details to management.

Buy Now
Questions 36

The MOST important characteristic of an organization s policies is to reflect the organization's:

Options:

A.

risk assessment methodology.

B.

risk appetite.

C.

capabilities

D.

asset value.

Buy Now
Questions 37

A review of an organization s controls has determined its data loss prevention {DLP) system is currently failing to detect outgoing emails containing credit card data. Which of the following would be MOST impacted?

Options:

A.

Key risk indicators (KRls)

B.

Inherent risk

C.

Residual risk

D.

Risk appetite

Buy Now
Questions 38

Which of the following is the BEST method to identify unnecessary controls?

Options:

A.

Evaluating the impact of removing existing controls

B.

Evaluating existing controls against audit requirements

C.

Reviewing system functionalities associated with business processes

D.

Monitoring existing key risk indicators (KRIs)

Buy Now
Questions 39

The analysis of which of the following will BEST help validate whether suspicious network activity is malicious?

Options:

A.

Logs and system events

B.

Intrusion detection system (IDS) rules

C.

Vulnerability assessment reports

D.

Penetration test reports

Buy Now
Questions 40

A risk assessment has identified that an organization may not be in compliance with industry regulations. The BEST course of action would be to:

Options:

A.

conduct a gap analysis against compliance criteria.

B.

identify necessary controls to ensure compliance.

C.

modify internal assurance activities to include control validation.

D.

collaborate with management to meet compliance requirements.

Buy Now
Questions 41

Which of the following BEST informs decision-makers about the value of a notice and consent control for the collection of personal information?

Options:

A.

A comparison of the costs of notice and consent control options

B.

Examples of regulatory fines incurred by industry peers for noncompliance

C.

A report of critical controls showing the importance of notice and consent

D.

A cost-benefit analysis of the control versus probable legal action

Buy Now
Questions 42

A global organization is considering the acquisition of a competitor. Senior management has requested a review of the overall risk profile from the targeted organization. Which of the following components of this review would provide the MOST useful information?

Options:

A.

Risk appetite statement

B.

Enterprise risk management framework

C.

Risk management policies

D.

Risk register

Buy Now
Questions 43

An organization has made a decision to purchase a new IT system. During when phase of the system development life cycle (SDLC) will identified risk MOST likely lead to architecture and design trade-offs?

Options:

A.

Acquisition

B.

Implementation

C.

Initiation

D.

Operation and maintenance

Buy Now
Questions 44

Which of the following would BEST mitigate an identified risk scenario?

Options:

A.

Conducting awareness training

B.

Executing a risk response plan

C.

Establishing an organization's risk tolerance

D.

Performing periodic audits

Buy Now
Questions 45

Risk appetite should be PRIMARILY driven by which of the following?

Options:

A.

Enterprise security architecture roadmap

B.

Stakeholder requirements

C.

Legal and regulatory requirements

D.

Business impact analysis (BIA)

Buy Now
Questions 46

A rule-based data loss prevention {DLP) tool has recently been implemented to reduce the risk of sensitive data leakage. Which of the following is MOST likely to change as a result of this implementation?

Options:

A.

Risk likelihood

B.

Risk velocity

C.

Risk appetite

D.

Risk impact

Buy Now
Questions 47

Which of the following resources is MOST helpful to a risk practitioner when updating the likelihood rating in the risk register?

Options:

A.

Risk control assessment

B.

Audit reports with risk ratings

C.

Penetration test results

D.

Business impact analysis (BIA)

Buy Now
Questions 48

Which organization is implementing a project to automate the purchasing process, including the modification of approval controls. Which of the following tasks is lie responsibility of the risk practitioner*?

Options:

A.

Verify that existing controls continue to properly mitigate defined risk

B.

Test approval process controls once the project is completed

C.

Update the existing controls for changes in approval processes from this project

D.

Perform a gap analysis of the impacted control processes

Buy Now
Questions 49

An organization outsources the processing of us payroll data A risk practitioner identifies a control weakness at the third party trial exposes the payroll data. Who should own this risk?

Options:

A.

The third party's IT operations manager

B.

The organization's process owner

C.

The third party's chief risk officer (CRO)

D.

The organization's risk practitioner

Buy Now
Questions 50

Which of the following would BEST help an enterprise define and communicate its risk appetite?

Options:

A.

Gap analysis

B.

Risk assessment

C.

Heat map

D.

Risk register

Buy Now
Questions 51

Which of the following BEST indicates that additional or improved controls ate needed m the environment?

Options:

A.

Management, has decreased organisational risk appetite

B.

The risk register and portfolio do not include all risk scenarios

C.

merging risk scenarios have been identified

D.

Risk events and losses exceed risk tolerance

Buy Now
Questions 52

An organization has recently been experiencing frequent data corruption incidents. Implementing a file corruption detection tool as a risk response strategy will help to:

Options:

A.

reduce the likelihood of future events

B.

restore availability

C.

reduce the impact of future events

D.

address the root cause

Buy Now
Questions 53

Which of the following risk register updates is MOST important for senior management to review?

Options:

A.

Extending the date of a future action plan by two months

B.

Retiring a risk scenario no longer used

C.

Avoiding a risk that was previously accepted

D.

Changing a risk owner

Buy Now
Questions 54

A risk practitioner observes that hardware failure incidents have been increasing over the last few months. However, due to built-in redundancy and fault-tolerant architecture, there have been no interruptions to business operations. The risk practitioner should conclude that:

Options:

A.

a root cause analysis is required

B.

controls are effective for ensuring continuity

C.

hardware needs to be upgraded

D.

no action is required as there was no impact

Buy Now
Questions 55

Which of the following would be- MOST helpful to understand the impact of a new technology system on an organization's current risk profile?

Options:

A.

Hire consultants specializing m the new technology.

B.

Review existing risk mitigation controls.

C.

Conduct a gap analysis.

D.

Perform a risk assessment.

Buy Now
Questions 56

A root because analysis indicates a major service disruption due to a lack of competency of newly hired IT system administrators Who should be accountable for resolving the situation?

Options:

A.

HR training director

B.

Business process owner

C.

HR recruitment manager

D.

Chief information officer (CIO)

Buy Now
Questions 57

The PRIMARY objective of collecting information and reviewing documentation when performing periodic risk analysis should be to:

Options:

A.

Identify new or emerging risk issues.

B.

Satisfy audit requirements.

C.

Survey and analyze historical risk data.

D.

Understand internal and external threat agents.

Buy Now
Questions 58

An organization is analyzing the risk of shadow IT usage. Which of the following is the MOST important input into the assessment?

Options:

A.

Business benefits of shadow IT

B.

Application-related expresses

C.

Classification of the data

D.

Volume of data

Buy Now
Questions 59

An information security audit identified a risk resulting from the failure of an automated control Who is responsible for ensuring the risk register is updated accordingly?

Options:

A.

The risk practitioner

B.

The risk owner

C.

The control owner

D.

The audit manager

Buy Now
Questions 60

Which of the following is MOST helpful in providing an overview of an organization's risk management program?

Options:

A.

Risk management treatment plan

B.

Risk assessment results

C.

Risk management framework

D.

Risk register

Buy Now
Questions 61

Which of the following would BEST facilitate the implementation of data classification requirements?

Options:

A.

Implementing a data toss prevention (DLP) solution

B.

Assigning a data owner

C.

Scheduling periodic audits

D.

Implementing technical controls over the assets

Buy Now
Questions 62

The MAIN purpose of selecting a risk response is to.

Options:

A.

ensure compliance with local regulatory requirements

B.

demonstrate the effectiveness of risk management practices.

C.

ensure organizational awareness of the risk level

D.

mitigate the residual risk to be within tolerance

Buy Now
Questions 63

Which of the following provides the MOST reliable evidence of a control's effectiveness?

Options:

A.

A risk and control self-assessment

B.

Senior management's attestation

C.

A system-generated testing report

D.

detailed process walk-through

Buy Now
Questions 64

The BEST metric to demonstrate that servers are configured securely is the total number of servers:

Options:

A.

exceeding availability thresholds

B.

experiencing hardware failures

C.

exceeding current patching standards.

D.

meeting the baseline for hardening.

Buy Now
Questions 65

When reviewing the business continuity plan (BCP) of an online sales order system, a risk practitioner notices that the recovery time objective (RTO) has a shorter lime than what is defined in the disaster recovery plan (DRP). Which of the following is the BEST way for the risk practitioner to address this concern?

Options:

A.

Adopt the RTO defined in the BCR

B.

Update the risk register to reflect the discrepancy.

C.

Adopt the RTO defined in the DRP.

D.

Communicate the discrepancy to the DR manager for follow-up.

Buy Now
Questions 66

When performing a risk assessment of a new service to support a core business process, which of the following should be done FIRST to ensure continuity of operations?

Options:

A.

Define metrics for restoring availability.

B.

Identify conditions that may cause disruptions.

C.

Review incident response procedures.

D.

Evaluate the probability of risk events.

Buy Now
Questions 67

Which of the following is a risk practitioner's BEST recommendation upon learning that an employee inadvertently disclosed sensitive data to a vendor?

Options:

A.

Enroll the employee in additional security training.

B.

Invoke the incident response plan.

C.

Conduct an internal audit.

D.

Instruct the vendor to delete the data.

Buy Now
Questions 68

During an acquisition, which of the following would provide the MOST useful input to the parent company's risk practitioner when developing risk scenarios for the post-acquisition phase?

Options:

A.

Risk management framework adopted by each company

B.

Risk registers of both companies

C.

IT balanced scorecard of each company

D.

Most recent internal audit findings from both companies

Buy Now
Questions 69

Who is the BEST person to the employee personal data?

Options:

A.

Human resources (HR) manager

B.

System administrator

C.

Data privacy manager

D.

Compliance manager

Buy Now
Questions 70

Which of the following is MOST helpful in identifying new risk exposures due to changes in the business environment?

Options:

A.

Standard operating procedures

B.

SWOT analysis

C.

Industry benchmarking

D.

Control gap analysis

Buy Now
Questions 71

Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation?

Options:

A.

Completeness of system documentation

B.

Results of end user acceptance testing

C.

Variances between planned and actual cost

D.

availability of in-house resources

Buy Now
Questions 72

Which of the following would be considered a vulnerability?

Options:

A.

Delayed removal of employee access

B.

Authorized administrative access to HR files

C.

Corruption of files due to malware

D.

Server downtime due to a denial of service (DoS) attack

Buy Now
Questions 73

A risk practitioner is summarizing the results of a high-profile risk assessment sponsored by senior management. The BEST way to support risk-based decisions by senior management would be to:

Options:

A.

map findings to objectives.

B.

provide quantified detailed analysis

C.

recommend risk tolerance thresholds.

D.

quantify key risk indicators (KRls).

Buy Now
Questions 74

From a business perspective, which of the following is the MOST important objective of a disaster recovery test?

Options:

A.

The organization gains assurance it can recover from a disaster

B.

Errors are discovered in the disaster recovery process.

C.

All business-critical systems are successfully tested.

D.

All critical data is recovered within recovery time objectives (RTOs).

Buy Now
Questions 75

Which of the following activities would BEST contribute to promoting an organization-wide risk-aware culture?

Options:

A.

Performing a benchmark analysis and evaluating gaps

B.

Conducting risk assessments and implementing controls

C.

Communicating components of risk and their acceptable levels

D.

Participating in peer reviews and implementing best practices

Buy Now
Questions 76

A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:

Options:

A.

communication

B.

identification.

C.

treatment.

D.

assessment.

Buy Now
Questions 77

Which of the following helps ensure compliance with a nonrepudiation policy requirement for electronic transactions?

Options:

A.

Digital signatures

B.

Encrypted passwords

C.

One-time passwords

D.

Digital certificates

Buy Now
Questions 78

The PRIMARY reason a risk practitioner would be interested in an internal audit report is to:

Options:

A.

plan awareness programs for business managers.

B.

evaluate maturity of the risk management process.

C.

assist in the development of a risk profile.

D.

maintain a risk register based on noncompliance.

Buy Now
Questions 79

Which of the following is the BEST way to determine the ongoing efficiency of control processes?

Options:

A.

Perform annual risk assessments.

B.

Interview process owners.

C.

Review the risk register.

D.

Analyze key performance indicators (KPIs).

Buy Now
Questions 80

When defining thresholds for control key performance indicators (KPIs). it is MOST helpful to align:

Options:

A.

information risk assessments with enterprise risk assessments.

B.

key risk indicators (KRIs) with risk appetite of the business.

C.

the control key performance indicators (KPIs) with audit findings.

D.

control performance with risk tolerance of business owners.

Buy Now
Questions 81

Which of the following issues should be of GREATEST concern when evaluating existing controls during a risk assessment?

Options:

A.

A high number of approved exceptions exist with compensating controls.

B.

Successive assessments have the same recurring vulnerabilities.

C.

Redundant compensating controls are in place.

D.

Asset custodians are responsible for defining controls instead of asset owners.

Buy Now
Questions 82

While evaluating control costs, management discovers that the annual cost exceeds the annual loss expectancy (ALE) of the risk. This indicates the:

Options:

A.

control is ineffective and should be strengthened

B.

risk is inefficiently controlled.

C.

risk is efficiently controlled.

D.

control is weak and should be removed.

Buy Now
Questions 83

Which of the following is the BEST way to manage the risk associated with malicious activities performed by database administrators (DBAs)?

Options:

A.

Activity logging and monitoring

B.

Periodic access review

C.

Two-factor authentication

D.

Awareness training and background checks

Buy Now
Questions 84

Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?

Options:

A.

Implement segregation of duties.

B.

Enforce an internal data access policy.

C.

Enforce the use of digital signatures.

D.

Apply single sign-on for access control.

Buy Now
Questions 85

An organization learns of a new ransomware attack affecting organizations worldwide. Which of the following should be done FIRST to reduce the likelihood of infection from the attack?

Options:

A.

Identify systems that are vulnerable to being exploited by the attack.

B.

Confirm with the antivirus solution vendor whether the next update will detect the attack.

C.

Verify the data backup process and confirm which backups are the most recent ones available.

D.

Obtain approval for funding to purchase a cyber insurance plan.

Buy Now
Questions 86

Which of the following provides the BEST evidence that a selected risk treatment plan is effective?

Options:

A.

Identifying key risk indicators (KRIs)

B.

Evaluating the return on investment (ROI)

C.

Evaluating the residual risk level

D.

Performing a cost-benefit analysis

Buy Now
Questions 87

Which of the following is the BEST Key control indicator KCO to monitor the effectiveness of patch management?

Options:

A.

Percentage of legacy servers out of support

B.

Percentage of severs receiving automata patches

C.

Number of unpremeditated vulnerabilities

D.

Number of intrusion attempts

Buy Now
Questions 88

Which of the following controls are BEST strengthened by a clear organizational code of ethics?

Options:

A.

Detective controls

B.

Administrative controls

C.

Technical controls

D.

Preventive controls

Buy Now
Questions 89

During an internal IT audit, an active network account belonging to a former employee was identified. Which of the following is the BEST way to prevent future occurrences?

Options:

A.

Conduct a comprehensive review of access management processes.

B.

Declare a security incident and engage the incident response team.

C.

Conduct a comprehensive awareness session for system administrators.

D.

Evaluate system administrators' technical skills to identify if training is required.

Buy Now
Questions 90

Several newly identified risk scenarios are being integrated into an organization's risk register. The MOST appropriate risk owner would be the individual who:

Options:

A.

is in charge of information security.

B.

is responsible for enterprise risk management (ERM)

C.

can implement remediation action plans.

D.

is accountable for loss if the risk materializes.

Buy Now
Questions 91

Legal and regulatory risk associated with business conducted over the Internet is driven by:

Options:

A.

the jurisdiction in which an organization has its principal headquarters

B.

international law and a uniform set of regulations.

C.

the laws and regulations of each individual country

D.

international standard-setting bodies.

Buy Now
Questions 92

All business units within an organization have the same risk response plan for creating local disaster recovery plans. In an effort to achieve cost effectiveness, the BEST course of action would be to:

Options:

A.

select a provider to standardize the disaster recovery plans.

B.

outsource disaster recovery to an external provider.

C.

centralize the risk response function at the enterprise level.

D.

evaluate opportunities to combine disaster recovery plans.

Buy Now
Questions 93

Which of the following is an IT business owner's BEST course of action following an unexpected increase in emergency changes?

Options:

A.

Evaluating the impact to control objectives

B.

Conducting a root cause analysis

C.

Validating the adequacy of current processes

D.

Reconfiguring the IT infrastructure

Buy Now
Questions 94

Which of The following should be of GREATEST concern for an organization considering the adoption of a bring your own device (BYOD) initiative?

Options:

A.

Device corruption

B.

Data loss

C.

Malicious users

D.

User support

Buy Now
Questions 95

Which of the following is the BEST way to ensure data is properly sanitized while in cloud storage?

Options:

A.

Deleting the data from the file system

B.

Cryptographically scrambling the data

C.

Formatting the cloud storage at the block level

D.

Degaussing the cloud storage media

Buy Now
Questions 96

What should be the PRIMARY consideration related to data privacy protection when there are plans for a business initiative to make use of personal information?

Options:

A.

Do not collect or retain data that is not needed.

B.

Redact data where possible.

C.

Limit access to the personal data.

D.

Ensure all data is encrypted at rest and during transit.

Buy Now
Questions 97

An organization has an approved bring your own device (BYOD) policy. Which of the following would BEST mitigate the security risk associated with the inappropriate use of enterprise applications on the devices?

Options:

A.

Periodically review application on BYOD devices

B.

Include BYOD in organizational awareness programs

C.

Implement BYOD mobile device management (MDM) controls.

D.

Enable a remote wee capability for BYOD devices

Buy Now
Questions 98

Which of the blowing is MOST important when implementing an organization s security policy?

Options:

A.

Obtaining management support

B.

Benchmarking against industry standards

C.

Assessing compliance requirements

D.

Identifying threats and vulnerabilities

Buy Now
Questions 99

Recovery the objectives (RTOs) should be based on

Options:

A.

minimum tolerable downtime

B.

minimum tolerable loss of data.

C.

maximum tolerable downtime.

D.

maximum tolerable loss of data

Buy Now
Questions 100

Which of the following sources is MOST relevant to reference when updating security awareness training materials?

Options:

A.

Risk management framework

B.

Risk register

C.

Global security standards

D.

Recent security incidents reported by competitors

Buy Now
Questions 101

Which of the following is MOST important to update when an organization's risk appetite changes?

Options:

A.

Key risk indicators (KRIs)

B.

Risk reporting methodology

C.

Key performance indicators (KPIs)

D.

Risk taxonomy

Buy Now
Questions 102

An organization is considering outsourcing user administration controls tor a critical system. The potential vendor has offered to perform quarterly sett-audits of its controls instead of having annual independent audits. Which of the following should be of GREATEST concern to me risk practitioner?

Options:

A.

The controls may not be properly tested

B.

The vendor will not ensure against control failure

C.

The vendor will not achieve best practices

D.

Lack of a risk-based approach to access control

Buy Now
Questions 103

An organization has recently hired a large number of part-time employees. During the annual audit, it was discovered that many user IDs and passwords were documented in procedure manuals for use by the part-time employees. Which of the following BEST describes this situation?

Options:

A.

Threat

B.

Risk

C.

Vulnerability

D.

Policy violation

Buy Now
Questions 104

An organization's control environment is MOST effective when:

Options:

A.

controls perform as intended.

B.

controls operate efficiently.

C.

controls are implemented consistent

D.

control designs are reviewed periodically

Buy Now
Questions 105

In order to determining a risk is under-controlled the risk practitioner will need to

Options:

A.

understand the risk tolerance

B.

monitor and evaluate IT performance

C.

identify risk management best practices

D.

determine the sufficiency of the IT risk budget

Buy Now
Questions 106

Which of the following has the GREATEST influence on an organization's risk appetite?

Options:

A.

Threats and vulnerabilities

B.

Internal and external risk factors

C.

Business objectives and strategies

D.

Management culture and behavior

Buy Now
Questions 107

Which of the following is the MOST important consideration for effectively maintaining a risk register?

Options:

A.

An IT owner is assigned for each risk scenario.

B.

The register is updated frequently.

C.

The register is shared with executive management.

D.

Compensating controls are identified.

Buy Now
Questions 108

Which of the following will BEST help to ensure implementation of corrective action plans?

Options:

A.

Establishing employee awareness training

B.

Assigning accountability to risk owners

C.

Selling target dates to complete actions

D.

Contracting to third parties

Buy Now
Questions 109

The MAIN reason for prioritizing IT risk responses is to enable an organization to:

Options:

A.

determine the risk appetite.

B.

determine the budget.

C.

define key performance indicators (KPIs).

D.

optimize resource utilization.

Buy Now
Questions 110

An organization is adopting block chain for a new financial system. Which of the following should be the GREATEST concern for a risk practitioner evaluating the system's production readiness?

Options:

A.

Limited organizational knowledge of the underlying technology

B.

Lack of commercial software support

C.

Varying costs related to implementation and maintenance

D.

Slow adoption of the technology across the financial industry

Buy Now
Questions 111

Which of the following is MOST important to consider before determining a response to a vulnerability?

Options:

A.

The likelihood and impact of threat events

B.

The cost to implement the risk response

C.

Lack of data to measure threat events

D.

Monetary value of the asset

Buy Now
Questions 112

Which of the following is MOST important information to review when developing plans for using emerging technologies?

Options:

A.

Existing IT environment

B.

IT strategic plan

C.

Risk register

D.

Organizational strategic plan

Buy Now
Questions 113

Which of the following is the BEST source for identifying key control indicators (KCIs)?

Options:

A.

Privileged user activity monitoring controls

B.

Controls mapped to organizational risk scenarios

C.

Recent audit findings of control weaknesses

D.

A list of critical security processes

Buy Now
Questions 114

Winch of the following can be concluded by analyzing the latest vulnerability report for the it infrastructure?

Options:

A.

Likelihood of a threat

B.

Impact of technology risk

C.

Impact of operational risk

D.

Control weakness

Buy Now
Questions 115

Which of the following is MOST important to include in a risk assessment of an emerging technology?

Options:

A.

Risk response plans

B.

Risk and control ownership

C.

Key controls

D.

Impact and likelihood ratings

Buy Now
Questions 116

Which of the following is the BEST method for assessing control effectiveness against technical vulnerabilities that could be exploited to compromise an information system?

Options:

A.

Vulnerability scanning

B.

Systems log correlation analysis

C.

Penetration testing

D.

Monitoring of intrusion detection system (IDS) alerts

Buy Now
Questions 117

Which of the following is the MOST effective control to maintain the integrity of system configuration files?

Options:

A.

Recording changes to configuration files

B.

Implementing automated vulnerability scanning

C.

Restricting access to configuration documentation

D.

Monitoring against the configuration standard

Buy Now
Questions 118

Which of the following should be management's PRIMARY focus when key risk indicators (KRIs) begin to rapidly approach defined thresholds?

Options:

A.

Designing compensating controls

B.

Determining if KRIs have been updated recently

C.

Assessing the effectiveness of the incident response plan

D.

Determining what has changed in the environment

Buy Now
Questions 119

The MOST important consideration when selecting a control to mitigate an identified risk is whether:

Options:

A.

the cost of control exceeds the mitigation value

B.

there are sufficient internal resources to implement the control

C.

the mitigation measures create compounding effects

D.

the control eliminates the risk

Buy Now
Questions 120

An IT risk practitioner has been asked to regularly report on the overall status and effectiveness of the IT risk management program. Which of the following is MOST useful for this purpose?

Options:

A.

Balanced scorecard

B.

Capability maturity level

C.

Internal audit plan

D.

Control self-assessment (CSA)

Buy Now
Questions 121

Which of the following BEST protects an organization against breaches when using a software as a service (SaaS) application?

Options:

A.

Control self-assessment (CSA)

B.

Security information and event management (SIEM) solutions

C.

Data privacy impact assessment (DPIA)

D.

Data loss prevention (DLP) tools

Buy Now
Questions 122

Which of the following should be considered when selecting a risk response?

Options:

A.

Risk scenarios analysis

B.

Risk response costs

C.

Risk factor awareness

D.

Risk factor identification

Buy Now
Questions 123

Which of the following is MOST important for a risk practitioner to verify when evaluating the effectiveness of an organization's existing controls?

Options:

A.

Senior management has approved the control design.

B.

Inherent risk has been reduced from original levels.

C.

Residual risk remains within acceptable levels.

D.

Costs for control maintenance are reasonable.

Buy Now
Questions 124

An organization has decided to commit to a business activity with the knowledge that the risk exposure is higher than the risk appetite. Which of the following is the risk practitioner's MOST important action related to this decision?

Options:

A.

Recommend risk remediation

B.

Change the level of risk appetite

C.

Document formal acceptance of the risk

D.

Reject the business initiative

Buy Now
Questions 125

Which of the following is the GREATEST risk associated with the misclassification of data?

Options:

A.

inadequate resource allocation

B.

Data disruption

C.

Unauthorized access

D.

Inadequate retention schedules

Buy Now
Questions 126

A service provider is managing a client’s servers. During an audit of the service, a noncompliant control is discovered that will not be resolved before the next audit because the client cannot afford the downtime required to correct the issue. The service provider’s MOST appropriate action would be to:

Options:

A.

develop a risk remediation plan overriding the client's decision

B.

make a note for this item in the next audit explaining the situation

C.

insist that the remediation occur for the benefit of other customers

D.

ask the client to document the formal risk acceptance for the provider

Buy Now
Questions 127

Which of the following is MOST important to the successful development of IT risk scenarios?

Options:

A.

Cost-benefit analysis

B.

Internal and external audit reports

C.

Threat and vulnerability analysis

D.

Control effectiveness assessment

Buy Now
Questions 128

A control for mitigating risk in a key business area cannot be implemented immediately. Which of the following is the risk practitioner's BEST course of action when a compensating control needs to be applied?

Options:

A.

Obtain the risk owner's approval.

B.

Record the risk as accepted in the risk register.

C.

Inform senior management.

D.

update the risk response plan.

Buy Now
Questions 129

Who should be PRIMARILY responsible for establishing an organization's IT risk culture?

Options:

A.

Business process owner

B.

Executive management

C.

Risk management

D.

IT management

Buy Now
Questions 130

Which of the following is the BEST approach when a risk practitioner has been asked by a business unit manager for special consideration during a risk assessment of a system?

Options:

A.

Conduct an abbreviated version of the assessment.

B.

Report the business unit manager for a possible ethics violation.

C.

Perform the assessment as it would normally be done.

D.

Recommend an internal auditor perform the review.

Buy Now
Questions 131

Which of the following is the MOST effective way 10 identify an application backdoor prior to implementation'?

Options:

A.

User acceptance testing (UAT)

B.

Database activity monitoring

C.

Source code review

D.

Vulnerability analysis

Buy Now
Questions 132

Which of the following is MOST helpful in defining an early-warning threshold associated with insufficient network bandwidth’’?

Options:

A.

Average bandwidth usage

B.

Peak bandwidth usage

C.

Total bandwidth usage

D.

Bandwidth used during business hours

Buy Now
Questions 133

When preparing a risk status report for periodic review by senior management, it is MOST important to ensure the report includes

Options:

A.

risk exposure in business terms

B.

a detailed view of individual risk exposures

C.

a summary of incidents that have impacted the organization.

D.

recommendations by an independent risk assessor.

Buy Now
Questions 134

Which of the following is the PRIMARY reason for sharing risk assessment reports with senior stakeholders?

Options:

A.

To support decision-making for risk response

B.

To hold risk owners accountable for risk action plans

C.

To secure resourcing for risk treatment efforts

D.

To enable senior management to compile a risk profile

Buy Now
Questions 135

Which of the following is the MOST useful indicator to measure the efficiency of an identity and access management process?

Options:

A.

Number of tickets for provisioning new accounts

B.

Average time to provision user accounts

C.

Password reset volume per month

D.

Average account lockout time

Buy Now
Questions 136

Which of the following BEST provides an early warning that network access of terminated employees is not being revoked in accordance with the service level agreement (SLA)?

Options:

A.

Updating multi-factor authentication

B.

Monitoring key access control performance indicators

C.

Analyzing access control logs for suspicious activity

D.

Revising the service level agreement (SLA)

Buy Now
Questions 137

Which of the following is the MOST important characteristic of an effective risk management program?

Options:

A.

Risk response plans are documented

B.

Controls are mapped to key risk scenarios.

C.

Key risk indicators are defined.

D.

Risk ownership is assigned

Buy Now
Questions 138

Establishing and organizational code of conduct is an example of which type of control?

Options:

A.

Preventive

B.

Directive

C.

Detective

D.

Compensating

Buy Now
Questions 139

Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data?

Options:

A.

Testing the transmission of credit card numbers

B.

Reviewing logs for unauthorized data transfers

C.

Configuring the DLP control to block credit card numbers

D.

Testing the DLP rule change control process

Buy Now
Questions 140

When reviewing management's IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?

Options:

A.

Assess management's risk tolerance.

B.

Recommend management accept the low-risk scenarios.

C.

Propose mitigating controls

D.

Re-evaluate the risk scenarios associated with the control

Buy Now
Questions 141

Who is the MOST appropriate owner for newly identified IT risk?

Options:

A.

The manager responsible for IT operations that will support the risk mitigation efforts

B.

The individual with authority to commit organizational resources to mitigate the risk

C.

A project manager capable of prioritizing the risk remediation efforts

D.

The individual with the most IT risk-related subject matter knowledge

Buy Now
Questions 142

The risk associated with an asset before controls are applied can be expressed as:

Options:

A.

a function of the likelihood and impact

B.

the magnitude of an impact

C.

a function of the cost and effectiveness of control.

D.

the likelihood of a given threat

Buy Now
Questions 143

Which of the following would BEST ensure that identified risk scenarios are addressed?

Options:

A.

Reviewing the implementation of the risk response

B.

Creating a separate risk register for key business units

C.

Performing real-time monitoring of threats

D.

Performing regular risk control self-assessments

Buy Now
Questions 144

A contract associated with a cloud service provider MUST include:

Options:

A.

ownership of responsibilities.

B.

a business recovery plan.

C.

provision for source code escrow.

D.

the providers financial statements.

Buy Now
Questions 145

When determining which control deficiencies are most significant, which of the following would provide the MOST useful information?

Options:

A.

Risk analysis results

B.

Exception handling policy

C.

Vulnerability assessment results

D.

Benchmarking assessments

Buy Now
Questions 146

What is the BEST information to present to business control owners when justifying costs related to controls?

Options:

A.

Loss event frequency and magnitude

B.

The previous year's budget and actuals

C.

Industry benchmarks and standards

D.

Return on IT security-related investments

Buy Now
Questions 147

Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited. Which of the following would be the BEST response to this scenario?

Options:

A.

Assess the vulnerability management process.

B.

Conduct a control serf-assessment.

C.

Conduct a vulnerability assessment.

D.

Reassess the inherent risk of the target.

Buy Now
Questions 148

A risk practitioners PRIMARY focus when validating a risk response action plan should be that risk response:

Options:

A.

reduces risk to an acceptable level

B.

quantifies risk impact

C.

aligns with business strategy

D.

advances business objectives.

Buy Now
Questions 149

Management has noticed storage costs have increased exponentially over the last 10 years because most users do not delete their emails. Which of the following can BEST alleviate this issue while not sacrificing security?

Options:

A.

Implementing record retention tools and techniques

B.

Establishing e-discovery and data loss prevention (DLP)

C.

Sending notifications when near storage quota

D.

Implementing a bring your own device 1BVOD) policy

Buy Now
Questions 150

Which of the following would MOST effectively enable a business operations manager to identify events exceeding risk thresholds?

Options:

A.

Continuous monitoring

B.

A control self-assessment

C.

Transaction logging

D.

Benchmarking against peers

Buy Now
Questions 151

Which of the following is the MOST effective key performance indicator (KPI) for change management?

Options:

A.

Percentage of changes with a fallback plan

B.

Number of changes implemented

C.

Percentage of successful changes

D.

Average time required to implement a change

Buy Now
Questions 152

An organization has determined a risk scenario is outside the defined risk tolerance level. What should be the NEXT course of action?

Options:

A.

Develop a compensating control.

B.

Allocate remediation resources.

C.

Perform a cost-benefit analysis.

D.

Identify risk responses

Buy Now
Questions 153

Which of the following would BEST help to ensure that identified risk is efficiently managed?

Options:

A.

Reviewing the maturity of the control environment

B.

Regularly monitoring the project plan

C.

Maintaining a key risk indicator for each asset in the risk register

D.

Periodically reviewing controls per the risk treatment plan

Buy Now
Questions 154

The PRIMARY objective of testing the effectiveness of a new control before implementation is to:

Options:

A.

ensure that risk is mitigated by the control.

B.

measure efficiency of the control process.

C.

confirm control alignment with business objectives.

D.

comply with the organization's policy.

Buy Now
Questions 155

Which of the following is the MOST important consideration when multiple risk practitioners capture risk scenarios in a single risk register?

Options:

A.

Aligning risk ownership and control ownership

B.

Developing risk escalation and reporting procedures

C.

Maintaining up-to-date risk treatment plans

D.

Using a consistent method for risk assessment

Buy Now
Questions 156

Which of the following is the MOST important requirement for monitoring key risk indicators (KRls) using log analysis?

Options:

A.

Obtaining logs m an easily readable format

B.

Providing accurate logs m a timely manner

C.

Collecting logs from the entire set of IT systems

D.

implementing an automated log analysis tool

Buy Now
Questions 157

An organization has allowed its cyber risk insurance to lapse while seeking a new insurance provider. The risk practitioner should report to management that the risk has been:

Options:

A.

transferred

B.

mitigated.

C.

accepted

D.

avoided

Buy Now
Questions 158

Which of the following is the BEST course of action to reduce risk impact?

Options:

A.

Create an IT security policy.

B.

Implement corrective measures.

C.

Implement detective controls.

D.

Leverage existing technology

Buy Now
Questions 159

Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?

Options:

A.

Perform an m-depth code review with an expert

B.

Validate functionality by running in a test environment

C.

Implement a service level agreement.

D.

Utilize the change management process.

Buy Now
Questions 160

In an organization with a mature risk management program, which of the following would provide the BEST evidence that the IT risk profile is up to date?

Options:

A.

Risk questionnaire

B.

Risk register

C.

Management assertion

D.

Compliance manual

Buy Now
Questions 161

Which of the following techniques would be used during a risk assessment to demonstrate to stakeholders that all known alternatives were evaluated?

Options:

A.

Control chart

B.

Sensitivity analysis

C.

Trend analysis

D.

Decision tree

Buy Now
Questions 162

Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?

Options:

A.

Risk tolerance is decreased.

B.

Residual risk is increased.

C.

Inherent risk is increased.

D.

Risk appetite is decreased

Buy Now
Questions 163

An organization has procured a managed hosting service and just discovered the location is likely to be flooded every 20 years. Of the following, who should be notified of this new information FIRST.

Options:

A.

The risk owner who also owns the business service enabled by this infrastructure

B.

The data center manager who is also employed under the managed hosting services contract

C.

The site manager who is required to provide annual risk assessments under the contract

D.

The chief information officer (CIO) who is responsible for the hosted services

Buy Now
Questions 164

The PRIMARY advantage of implementing an IT risk management framework is the:

Options:

A.

establishment of a reliable basis for risk-aware decision making.

B.

compliance with relevant legal and regulatory requirements.

C.

improvement of controls within the organization and minimized losses.

D.

alignment of business goals with IT objectives.

Buy Now
Questions 165

The MOST effective way to increase the likelihood that risk responses will be implemented is to:

Options:

A.

create an action plan

B.

assign ownership

C.

review progress reports

D.

perform regular audits.

Buy Now
Questions 166

The PRIMARY goal of a risk management program is to:

Options:

A.

facilitate resource availability.

B.

help ensure objectives are met.

C.

safeguard corporate assets.

D.

help prevent operational losses.

Buy Now
Questions 167

Which of the following is MOST important for a risk practitioner to consider when determining the control requirements for data privacy arising from emerging technologies?

Options:

A.

internal audit recommendations

B.

Laws and regulations

C.

Policies and procedures

D.

Standards and frameworks

Buy Now
Questions 168

Which of the following would be MOST helpful to a risk owner when making risk-aware decisions?

Options:

A.

Risk exposure expressed in business terms

B.

Recommendations for risk response options

C.

Resource requirements for risk responses

D.

List of business areas affected by the risk

Buy Now
Questions 169

Which of the following is the BEST approach for performing a business impact analysis (BIA) of a supply-chain management application?

Options:

A.

Reviewing the organization's policies and procedures

B.

Interviewing groups of key stakeholders

C.

Circulating questionnaires to key internal stakeholders

D.

Accepting IT personnel s view of business issues

Buy Now
Questions 170

An organization's financial analysis department uses an in-house forecasting application for business projections. Who is responsible for defining access roles to protect the sensitive data within this application?

Options:

A.

IT risk manager

B.

IT system owner

C.

Information security manager

D.

Business owner

Buy Now
Questions 171

Which of the following provides the BEST evidence that risk responses have been executed according to their risk action plans?

Options:

A.

Risk policy review

B.

Business impact analysis (B1A)

C.

Control catalog

D.

Risk register

Buy Now
Questions 172

An organization has opened a subsidiary in a foreign country. Which of the following would be the BEST way to measure the effectiveness of the subsidiary's IT systems controls?

Options:

A.

Implement IT systems in alignment with business objectives.

B.

Review metrics and key performance indicators (KPIs).

C.

Review design documentation of IT systems.

D.

Evaluate compliance with legal and regulatory requirements.

Buy Now
Questions 173

Which of the following criteria is MOST important when developing a response to an attack that would compromise data?

Options:

A.

The recovery time objective (RTO)

B.

The likelihood of a recurring attack

C.

The organization's risk tolerance

D.

The business significance of the information

Buy Now
Questions 174

Mapping open risk issues to an enterprise risk heat map BEST facilitates:

Options:

A.

risk response.

B.

control monitoring.

C.

risk identification.

D.

risk ownership.

Buy Now
Questions 175

IT stakeholders have asked a risk practitioner for IT risk profile reports associated with specific departments to allocate resources for risk mitigation. The BEST way to address this request would be to use:

Options:

A.

the cost associated with each control.

B.

historical risk assessments.

C.

key risk indicators (KRls).

D.

information from the risk register.

Buy Now
Questions 176

Which of the following controls would BEST reduce the likelihood of a successful network attack through social engineering?

Options:

A.

Automated controls

B.

Security awareness training

C.

Multifactor authentication

D.

Employee sanctions

Buy Now
Questions 177

The PRIMARY purpose of vulnerability assessments is to:

Options:

A.

provide clear evidence that the system is sufficiently secure.

B.

determine the impact of potential threats.

C.

test intrusion detection systems (IDS) and response procedures.

D.

detect weaknesses that could lead to system compromise.

Buy Now
Questions 178

An external security audit has reported multiple findings related to control noncompliance. Which of the following would be MOST important for the risk practitioner to communicate to senior management?

Options:

A.

A recommendation for internal audit validation

B.

Plans for mitigating the associated risk

C.

Suggestions for improving risk awareness training

D.

The impact to the organization’s risk profile

Buy Now
Questions 179

What should be the PRIMARY objective for a risk practitioner performing a post-implementation review of an IT risk mitigation project?

Options:

A.

Documenting project lessons learned

B.

Validating the risk mitigation project has been completed

C.

Confirming that the project budget was not exceeded

D.

Verifying that the risk level has been lowered

Buy Now
Questions 180

Who is PRIMARILY accountable for risk treatment decisions?

Options:

A.

Risk owner

B.

Business manager

C.

Data owner

D.

Risk manager

Buy Now
Questions 181

After mapping generic risk scenarios to organizational security policies, the NEXT course of action should be to:

Options:

A.

record risk scenarios in the risk register for analysis.

B.

validate the risk scenarios for business applicability.

C.

reduce the number of risk scenarios to a manageable set.

D.

perform a risk analysis on the risk scenarios.

Buy Now
Questions 182

A key risk indicator (KRI) indicates a reduction in the percentage of appropriately patched servers. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Determine changes in the risk level.

B.

Outsource the vulnerability management process.

C.

Review the patch management process.

D.

Add agenda item to the next risk committee meeting.

Buy Now
Questions 183

Which of the following risk register elements is MOST likely to be updated if the attack surface or exposure of an asset is reduced?

Options:

A.

Likelihood rating

B.

Control effectiveness

C.

Assessment approach

D.

Impact rating

Buy Now
Questions 184

Which stakeholders are PRIMARILY responsible for determining enterprise IT risk appetite?

Options:

A.

Audit and compliance management

B.

The chief information officer (CIO) and the chief financial officer (CFO)

C.

Enterprise risk management and business process owners

D.

Executive management and the board of directors

Buy Now
Questions 185

Reviewing which of the following provides the BEST indication of an organizations risk tolerance?

Options:

A.

Risk sharing strategy

B.

Risk transfer agreements

C.

Risk policies

D.

Risk assessments

Buy Now
Questions 186

Which of the following is the PRIMARY objective for automating controls?

Options:

A.

Improving control process efficiency

B.

Facilitating continuous control monitoring

C.

Complying with functional requirements

D.

Reducing the need for audit reviews

Buy Now
Questions 187

The effectiveness of a control has decreased. What is the MOST likely effect on the associated risk?

Options:

A.

The risk impact changes.

B.

The risk classification changes.

C.

The inherent risk changes.

D.

The residual risk changes.

Buy Now
Questions 188

An organization has implemented a system capable of comprehensive employee monitoring. Which of the following should direct how the system is used?

Options:

A.

Organizational strategy

B.

Employee code of conduct

C.

Industry best practices

D.

Organizational policy

Buy Now
Questions 189

Which of the following should be included in a risk assessment report to BEST facilitate senior management's understanding of the results?

Options:

A.

Benchmarking parameters likely to affect the results

B.

Tools and techniques used by risk owners to perform the assessments

C.

A risk heat map with a summary of risk identified and assessed

D.

The possible impact of internal and external risk factors on the assessment results

Buy Now
Questions 190

Which of the following would provide the MOST objective assessment of the effectiveness of an organization's security controls?

Options:

A.

An internal audit

B.

Security operations center review

C.

Internal penetration testing

D.

A third-party audit

Buy Now
Questions 191

What should a risk practitioner do FIRST upon learning a risk treatment owner has implemented a different control than what was specified in the IT risk action plan?

Options:

A.

Seek approval from the control owner.

B.

Update the action plan in the risk register.

C.

Reassess the risk level associated with the new control.

D.

Validate that the control has an established testing method.

Buy Now
Questions 192

An organization has identified that terminated employee accounts are not disabled or deleted within the time required by corporate policy. Unsure of the reason, the organization has decided to monitor the situation for three months to obtain more information. As a result of this decision, the risk has been:

Options:

A.

avoided.

B.

accepted.

C.

mitigated.

D.

transferred.

Buy Now
Questions 193

Which of the following is the GREATEST concern associated with business end users developing their own applications on end user spreadsheets and database programs?

Options:

A.

An IT project manager is not assigned to oversee development.

B.

Controls are not applied to the applications.

C.

There is a lack of technology recovery options.

D.

The applications are not captured in the risk profile.

Buy Now
Questions 194

Which of the following is MOST helpful in identifying gaps between the current and desired state of the IT risk environment?

Options:

A.

Analyzing risk appetite and tolerance levels

B.

Assessing identified risk and recording results in the risk register

C.

Evaluating risk scenarios and assessing current controls

D.

Reviewing guidance from industry best practices and standards

Buy Now
Questions 195

Which of the following should be a risk practitioner's NEXT action after identifying a high probability of data loss in a system?

Options:

A.

Enhance the security awareness program.

B.

Increase the frequency of incident reporting.

C.

Purchase cyber insurance from a third party.

D.

Conduct a control assessment.

Buy Now
Questions 196

The BEST criteria when selecting a risk response is the:

Options:

A.

capability to implement the response

B.

importance of IT risk within the enterprise

C.

effectiveness of risk response options

D.

alignment of response to industry standards

Buy Now
Questions 197

The GREATEST concern when maintaining a risk register is that:

Options:

A.

impacts are recorded in qualitative terms.

B.

executive management does not perform periodic reviews.

C.

IT risk is not linked with IT assets.

D.

significant changes in risk factors are excluded.

Buy Now
Questions 198

A risk practitioner has just learned about new done FIRST?

Options:

A.

Notify executive management.

B.

Analyze the impact to the organization.

C.

Update the IT risk register.

D.

Design IT risk mitigation plans.

Buy Now
Questions 199

Which of the following is MOST commonly compared against the risk appetite?

Options:

A.

IT risk

B.

Inherent risk

C.

Financial risk

D.

Residual risk

Buy Now
Questions 200

Which of the following will BEST help an organization select a recovery strategy for critical systems?

Options:

A.

Review the business impact analysis.

B.

Create a business continuity plan.

C.

Analyze previous disaster recovery reports.

D.

Conduct a root cause analysis.

Buy Now
Questions 201

Which of the following activities is PRIMARILY the responsibility of senior management?

Options:

A.

Bottom-up identification of emerging risks

B.

Categorization of risk scenarios against a standard taxonomy

C.

Prioritization of risk scenarios based on severity

D.

Review of external loss data

Buy Now
Questions 202

Which of the following provides The MOST useful information when determining a risk management program's maturity level?

Options:

A.

Risk assessment results

B.

A recently reviewed risk register

C.

Key performance indicators (KPIs)

D.

The organization's risk framework

Buy Now
Questions 203

Which of the following is MOST important when developing risk scenarios?

Options:

A.

The scenarios are based on industry best practice.

B.

The scenarios focus on current vulnerabilities.

C.

The scenarios are relevant to the organization.

D.

The scenarios include technical consequences.

Buy Now
Questions 204

Which of the following should be considered FIRST when assessing risk associated with the adoption of emerging technologies?

Options:

A.

Organizational strategy

B.

Cost-benefit analysis

C.

Control self-assessment (CSA)

D.

Business requirements

Buy Now
Questions 205

Which of the following is MOST helpful in developing key risk indicator (KRl) thresholds?

Options:

A.

Loss expectancy information

B.

Control performance predictions

C.

IT service level agreements (SLAs)

D.

Remediation activity progress

Buy Now
Questions 206

Which of the following key risk indicators (KRIs) is MOST effective for monitoring risk related to a bring your own device (BYOD) program?

Options:

A.

Number of users who have signed a BYOD acceptable use policy

B.

Number of incidents originating from BYOD devices

C.

Budget allocated to the BYOD program security controls

D.

Number of devices enrolled in the BYOD program

Buy Now
Questions 207

Which of the following is MOST important when defining controls?

Options:

A.

Identifying monitoring mechanisms

B.

Including them in the risk register

C.

Aligning them with business objectives

D.

Prototyping compensating controls

Buy Now
Questions 208

An organization is measuring the effectiveness of its change management program to reduce the number of unplanned production changes. Which of the following would be the BEST metric to determine if the program is performing as expected?

Options:

A.

Decrease in the time to move changes to production

B.

Ratio of emergency fixes to total changes

C.

Ratio of system changes to total changes

D.

Decrease in number of changes without a fallback plan

Buy Now
Questions 209

Which of the following is MOST important to review when determining whether a potential IT service provider’s control environment is effective?

Options:

A.

Independent audit report

B.

Control self-assessment

C.

MOST important to update when an

D.

Service level agreements (SLAs)

Buy Now
Questions 210

Which of the following will BEST ensure that information security risk factors are mitigated when developing in-house applications?

Options:

A.

Identify information security controls in the requirements analysis

B.

Identify key risk indicators (KRIs) as process output.

C.

Design key performance indicators (KPIs) for security in system specifications.

D.

Include information security control specifications in business cases.

Buy Now
Questions 211

Which of the following is the MOST important consideration when identifying stakeholders to review risk scenarios developed by a risk analyst? The reviewers are:

Options:

A.

accountable for the affected processes.

B.

members of senior management.

C.

authorized to select risk mitigation options.

D.

independent from the business operations.

Buy Now
Questions 212

Which of the following activities should be performed FIRST when establishing IT risk management processes?

Options:

A.

Collect data of past incidents and lessons learned.

B.

Conduct a high-level risk assessment based on the nature of business.

C.

Identify the risk appetite of the organization.

D.

Assess the goals and culture of the organization.

Buy Now
Questions 213

Which of the following will BEST help an organization evaluate the control environment of several third-party vendors?

Options:

A.

Review vendors' internal risk assessments covering key risk and controls.

B.

Obtain independent control reports from high-risk vendors.

C.

Review vendors performance metrics on quality and delivery of processes.

D.

Obtain vendor references from third parties.

Buy Now
Questions 214

When establishing leading indicators for the information security incident response process it is MOST important to consider the percentage of reported incidents:

Options:

A.

that results in a full root cause analysis.

B.

used for verification within the SLA.

C.

that are verified as actual incidents.

D.

resolved within the SLA.

Buy Now
Questions 215

Read" rights to application files in a controlled server environment should be approved by the:

Options:

A.

business process owner.

B.

database administrator.

C.

chief information officer.

D.

systems administrator.

Buy Now
Questions 216

Which of the following is MOST effective in continuous risk management process improvement?

Options:

A.

Periodic assessments

B.

Change management

C.

Awareness training

D.

Policy updates

Buy Now
Questions 217

A new policy has been published to forbid copying of data onto removable media. Which type of control has been implemented?

Options:

A.

Preventive

B.

Detective

C.

Directive

D.

Deterrent

Buy Now
Questions 218

The risk associated with a high-risk vulnerability in an application is owned by the:

Options:

A.

security department.

B.

business unit

C.

vendor.

D.

IT department.

Buy Now
Questions 219

Which of the following should be of GREATEST concern to a risk practitioner when determining the effectiveness of IT controls?

Options:

A.

Configuration updates do not follow formal change control.

B.

Operational staff perform control self-assessments.

C.

Controls are selected without a formal cost-benefit

D.

analysis-Management reviews security policies once every two years.

Buy Now
Questions 220

A key risk indicator (KRI) threshold has reached the alert level, indicating data leakage incidents are highly probable. What should be the risk practitioner's FIRST course of action?

Options:

A.

Update the KRI threshold.

B.

Recommend additional controls.

C.

Review incident handling procedures.

D.

Perform a root cause analysis.

Buy Now
Questions 221

Which of the following is the MOST important input when developing risk scenarios?

Options:

A.

Key performance indicators

B.

Business objectives

C.

The organization's risk framework

D.

Risk appetite

Buy Now
Questions 222

Which of the following is the BEST indicator of the effectiveness of a control action plan's implementation?

Options:

A.

Increased number of controls

B.

Reduced risk level

C.

Increased risk appetite

D.

Stakeholder commitment

Buy Now
Questions 223

Which of the following is MOST important for an organization to have in place when developing a risk management framework?

Options:

A.

A strategic approach to risk including an established risk appetite

B.

A risk-based internal audit plan for the organization

C.

A control function within the risk management team

D.

An organization-wide risk awareness training program

Buy Now
Questions 224

Which of the following is a detective control?

Options:

A.

Limit check

B.

Periodic access review

C.

Access control software

D.

Rerun procedures

Buy Now
Questions 225

A control owner identifies that the organization's shared drive contains personally identifiable information (Pll) that can be accessed by all personnel. Which of the following is the MOST effective risk response?

Options:

A.

Protect sensitive information with access controls.

B.

Implement a data loss prevention (DLP) solution.

C.

Re-communicate the data protection policy.

D.

Implement a data encryption solution.

Buy Now
Questions 226

A risk practitioner is reporting on an increasing trend of ransomware attacks in the industry. Which of the following information is MOST important to include to enable an informed response decision by key stakeholders?

Options:

A.

Methods of attack progression

B.

Losses incurred by industry peers

C.

Most recent antivirus scan reports

D.

Potential impact of events

Buy Now
Questions 227

Which of the following is the BEST way to ensure ongoing control effectiveness?

Options:

A.

Establishing policies and procedures

B.

Periodically reviewing control design

C.

Measuring trends in control performance

D.

Obtaining management control attestations

Buy Now
Questions 228

Which of the following MOST effectively limits the impact of a ransomware attack?

Options:

A.

Cyber insurance

B.

Cryptocurrency reserve

C.

Data backups

D.

End user training

Buy Now
Questions 229

Which of the following will MOST improve stakeholders' understanding of the effect of a potential threat?

Options:

A.

Establishing a risk management committee

B.

Updating the organization's risk register to reflect the new threat

C.

Communicating the results of the threat impact analysis

D.

Establishing metrics to assess the effectiveness of the responses

Buy Now
Questions 230

Which of the following should a risk practitioner do FIRST when an organization decides to use a cloud service?

Options:

A.

Review the vendor selection process and vetting criteria.

B.

Assess whether use of service falls within risk tolerance thresholds.

C.

Establish service level agreements (SLAs) with the vendor.

D.

Check the contract for appropriate security risk and control provisions.

Buy Now
Questions 231

An identified high probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy. Which of the following is the BEST risk response?

Options:

A.

Mitigate

B.

Accept

C.

Transfer

D.

Avoid

Buy Now
Questions 232

The FIRST task when developing a business continuity plan should be to:

Options:

A.

determine data backup and recovery availability at an alternate site.

B.

identify critical business functions and resources.

C.

define roles and responsibilities for implementation.

D.

identify recovery time objectives (RTOs) for critical business applications.

Buy Now
Questions 233

Following a review of a third-party vendor, it is MOST important for an organization to ensure:

Options:

A.

results of the review are accurately reported to management.

B.

identified findings are reviewed by the organization.

C.

results of the review are validated by internal audit.

D.

identified findings are approved by the vendor.

Buy Now
Questions 234

Which of the following is the MOST important objective of embedding risk management practices into the initiation phase of the project management life cycle?

Options:

A.

To deliver projects on time and on budget

B.

To assess inherent risk

C.

To include project risk in the enterprise-wide IT risk profit.

D.

To assess risk throughout the project

Buy Now
Questions 235

Controls should be defined during the design phase of system development because:

Options:

A.

it is more cost-effective to determine controls in the early design phase.

B.

structured analysis techniques exclude identification of controls.

C.

structured programming techniques require that controls be designed before coding begins.

D.

technical specifications are defined during this phase.

Buy Now
Questions 236

When reviewing a risk response strategy, senior management's PRIMARY focus should be placed on the:

Options:

A.

cost-benefit analysis.

B.

investment portfolio.

C.

key performance indicators (KPIs).

D.

alignment with risk appetite.

Buy Now
Questions 237

Who should be responsible for strategic decisions on risk management?

Options:

A.

Chief information officer (CIO)

B.

Executive management team

C.

Audit committee

D.

Business process owner

Buy Now
Questions 238

Which of the following would be MOST beneficial as a key risk indicator (KRI)?

Options:

A.

Current capital allocation reserves

B.

Negative security return on investment (ROI)

C.

Project cost variances

D.

Annualized loss projections

Buy Now
Questions 239

A risk owner has accepted a high-impact risk because the control was adversely affecting process efficiency. Before updating the risk register, it is MOST important for the risk practitioner to:

Options:

A.

ensure suitable insurance coverage is purchased.

B.

negotiate with the risk owner on control efficiency.

C.

reassess the risk to confirm the impact.

D.

obtain approval from senior management.

Buy Now
Questions 240

Which of the following should be the PRIMARY focus of an independent review of a risk management process?

Options:

A.

Accuracy of risk tolerance levels

B.

Consistency of risk process results

C.

Participation of stakeholders

D.

Maturity of the process

Buy Now
Questions 241

Which of the following is MOST critical to the design of relevant risk scenarios?

Options:

A.

The scenarios are based on past incidents.

B.

The scenarios are linked to probable organizational situations.

C.

The scenarios are mapped to incident management capabilities.

D.

The scenarios are aligned with risk management capabilities.

Buy Now
Questions 242

An organization is increasingly concerned about loss of sensitive data and asks the risk practitioner to assess the current risk level. Which of the following should the risk practitioner do FIRST?

Options:

A.

Identify staff members who have access to the organization's sensitive data.

B.

Identify locations where the organization's sensitive data is stored.

C.

Identify risk scenarios and owners associated with possible data loss vectors.

D.

Identify existing data loss controls and their levels of effectiveness.

Buy Now
Questions 243

An organization is unable to implement a multi-factor authentication requirement until the next fiscal year due to budget constraints. Consequently, a policy exception must be submitted. Which of the following is MOST important to include in the analysis of the exception?

Options:

A.

Sections of the policy that may justify not implementing the requirement

B.

Risk associated with the inability to implement the requirement

C.

Budget justification to implement the new requirement during the current year

D.

Industry best practices with respect to implementation of the proposed control

Buy Now
Questions 244

An organization is considering allowing users to access company data from their personal devices. Which of the following is the MOST important factor when assessing the risk?

Options:

A.

Classification of the data

B.

Type of device

C.

Remote management capabilities

D.

Volume of data

Buy Now
Questions 245

An IT risk practitioner is evaluating an organization's change management controls over the last six months. The GREATEST concern would be an increase in:

Options:

A.

rolled back changes below management's thresholds.

B.

change-related exceptions per month.

C.

the average implementation time for changes.

D.

number of user stories approved for implementation.

Buy Now
Questions 246

Which of the following methods is the BEST way to measure the effectiveness of automated information security controls prior to going live?

Options:

A.

Testing in a non-production environment

B.

Performing a security control review

C.

Reviewing the security audit report

D.

Conducting a risk assessment

Buy Now
Questions 247

A recent audit identified high-risk issues in a business unit though a previous control self-assessment (CSA) had good results. Which of the following is the MOST likely reason for the difference?

Options:

A.

The audit had a broader scope than the CSA.

B.

The CSA was not sample-based.

C.

The CSA did not test control effectiveness.

D.

The CSA was compliance-based, while the audit was risk-based.

Buy Now
Questions 248

An organization has outsourced a critical process involving highly regulated data to a third party with servers located in a foreign country. Who is accountable for the confidentiality of this data?

Options:

A.

Third-party data custodian

B.

Data custodian

C.

Regional office executive

D.

Data owner

Buy Now
Questions 249

Due to a change in business processes, an identified risk scenario no longer requires mitigation. Which of the following is the MOST important reason the risk should remain in the risk register?

Options:

A.

To support regulatory requirements

B.

To prevent the risk scenario in the current environment

C.

To monitor for potential changes to the risk scenario

D.

To track historical risk assessment results

Buy Now
Questions 250

The PRIMARY purpose of using control metrics is to evaluate the:

Options:

A.

amount of risk reduced by compensating controls.

B.

amount of risk present in the organization.

C.

variance against objectives.

D.

number of incidents.

Buy Now
Questions 251

Which of the following BEST enables a proactive approach to minimizing the potential impact of unauthorized data disclosure?

Options:

A.

Key risk indicators (KRIs)

B.

Data backups

C.

Incident response plan

D.

Cyber insurance

Buy Now
Questions 252

The risk appetite for an organization could be derived from which of the following?

Options:

A.

Cost of controls

B.

Annual loss expectancy (ALE)

C.

Inherent risk

D.

Residual risk

Buy Now
Questions 253

Which of the following is the PRIMARY benefit of identifying and communicating with stakeholders at the onset of an IT risk assessment?

Options:

A.

Obtaining funding support

B.

Defining the risk assessment scope

C.

Selecting the risk assessment framework

D.

Establishing inherent risk

Buy Now
Questions 254

When collecting information to identify IT-related risk, a risk practitioner should FIRST focus on IT:

Options:

A.

risk appetite.

B.

security policies

C.

process maps.

D.

risk tolerance level

Buy Now
Questions 255

To communicate the risk associated with IT in business terms, which of the following MUST be defined?

Options:

A.

Compliance objectives

B.

Risk appetite of the organization

C.

Organizational objectives

D.

Inherent and residual risk

Buy Now
Questions 256

A financial institution has identified high risk of fraud in several business applications. Which of the following controls will BEST help reduce the risk of fraudulent internal transactions?

Options:

A.

Periodic user privileges review

B.

Log monitoring

C.

Periodic internal audits

D.

Segregation of duties

Buy Now
Questions 257

Which of the following is MOST important for an organization to update following a change in legislation requiring notification to individuals impacted by data breaches?

Options:

A.

Insurance coverage

B.

Security awareness training

C.

Policies and standards

D.

Risk appetite and tolerance

Buy Now
Questions 258

Which of the following should be determined FIRST when a new security vulnerability is made public?

Options:

A.

Whether the affected technology is used within the organization

B.

Whether the affected technology is Internet-facing

C.

What mitigating controls are currently in place

D.

How pervasive the vulnerability is within the organization

Buy Now
Questions 259

Which of the following BEST supports ethical IT risk management practices?

Options:

A.

Robust organizational communication channels

B.

Mapping of key risk indicators (KRIs) to corporate strategy

C.

Capability maturity models integrated with risk management frameworks

D.

Rigorously enforced operational service level agreements (SLAs)

Buy Now
Questions 260

Which of the following should be of GREATEST concern lo a risk practitioner reviewing the implementation of an emerging technology?

Options:

A.

Lack of alignment to best practices

B.

Lack of risk assessment

C.

Lack of risk and control procedures

D.

Lack of management approval

Buy Now
Questions 261

Which of the following is the FIRST step when conducting a business impact analysis (BIA)?

Options:

A.

Identifying critical information assets

B.

Identifying events impacting continuity of operations;

C.

Creating a data classification scheme

D.

Analyzing previous risk assessment results

Buy Now
Questions 262

Which of the following would provide the MOST useful information to a risk owner when reviewing the progress of risk mitigation?

Options:

A.

Key audit findings

B.

Treatment plan status

C.

Performance indicators

D.

Risk scenario results

Buy Now
Questions 263

Which of the following should be the risk practitioner's FIRST course of action when an organization plans to adopt a cloud computing strategy?

Options:

A.

Request a budget for implementation

B.

Conduct a threat analysis.

C.

Create a cloud computing policy.

D.

Perform a controls assessment.

Buy Now
Questions 264

A department allows multiple users to perform maintenance on a system using a single set of credentials. A risk practitioner determined this practice to be high-risk. Which of the following is the MOST effective way to mitigate this risk?

Options:

A.

Single sign-on

B.

Audit trail review

C.

Multi-factor authentication

D.

Data encryption at rest

Buy Now
Questions 265

Which of the following scenarios presents the GREATEST risk for a global organization when implementing a data classification policy?

Options:

A.

Data encryption has not been applied to all sensitive data across the organization.

B.

There are many data assets across the organization that need to be classified.

C.

Changes to information handling procedures are not documented.

D.

Changes to data sensitivity during the data life cycle have not been considered.

Buy Now
Questions 266

A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:

Options:

A.

updating the risk register

B.

documenting the risk scenarios.

C.

validating the risk scenarios

D.

identifying risk mitigation controls.

Buy Now
Questions 267

An organization automatically approves exceptions to security policies on a recurring basis. This practice is MOST likely the result of:

Options:

A.

a lack of mitigating actions for identified risk

B.

decreased threat levels

C.

ineffective service delivery

D.

ineffective IT governance

Buy Now
Questions 268

Which of the following is the BEST evidence that a user account has been properly authorized?

Options:

A.

An email from the user accepting the account

B.

Notification from human resources that the account is active

C.

User privileges matching the request form

D.

Formal approval of the account by the user's manager

Buy Now
Questions 269

Which of the following is the MOST effective control to ensure user access is maintained on a least-privilege basis?

Options:

A.

User authorization

B.

User recertification

C.

Change log review

D.

Access log monitoring

Buy Now
Questions 270

Which of the following should be the MOST important consideration for senior management when developing a risk response strategy?

Options:

A.

Cost of controls

B.

Risk tolerance

C.

Risk appetite

D.

Probability definition

Buy Now
Questions 271

What is the PRIMARY reason to periodically review key performance indicators (KPIs)?

Options:

A.

Ensure compliance.

B.

Identify trends.

C.

Promote a risk-aware culture.

D.

Optimize resources needed for controls

Buy Now
Questions 272

Which of the following is the BEST indicator of the effectiveness of IT risk management processes?

Options:

A.

Percentage of business users completing risk training

B.

Percentage of high-risk scenarios for which risk action plans have been developed

C.

Number of key risk indicators (KRIs) defined

D.

Time between when IT risk scenarios are identified and the enterprise's response

Buy Now
Questions 273

Which of the following is the MOST important consideration when sharing risk management updates with executive management?

Options:

A.

Including trend analysis of risk metrics

B.

Using an aggregated view of organizational risk

C.

Relying on key risk indicator (KRI) data

D.

Ensuring relevance to organizational goals

Buy Now
Questions 274

Which of the following is the FIRST step in risk assessment?

Options:

A.

Review risk governance

B.

Asset identification

C.

Identify risk factors

D.

Inherent risk identification

Buy Now
Questions 275

Which of the following is the MOST important objective of establishing an enterprise risk management (ERM) function within an organization?

Options:

A.

To have a unified approach to risk management across the organization

B.

To have a standard risk management process for complying with regulations

C.

To optimize risk management resources across the organization

D.

To ensure risk profiles are presented in a consistent format within the organization

Buy Now
Questions 276

The BEST key performance indicator (KPI) to measure the effectiveness of a backup process would be the number of:

Options:

A.

resources to monitor backups

B.

restoration monitoring reports

C.

backup recovery requests

D.

recurring restore failures

Buy Now
Questions 277

Which of the following is the MOST appropriate action when a tolerance threshold is exceeded?

Options:

A.

Communicate potential impact to decision makers.

B.

Research the root cause of similar incidents.

C.

Verify the response plan is adequate.

D.

Increase human resources to respond in the interim.

Buy Now
Questions 278

Which of the following should a risk practitioner recommend FIRST when an increasing trend of risk events and subsequent losses has been identified?

Options:

A.

Conduct root cause analyses for risk events.

B.

Educate personnel on risk mitigation strategies.

C.

Integrate the risk event and incident management processes.

D.

Implement controls to prevent future risk events.

Buy Now
Questions 279

Which of the following will BEST help in communicating strategic risk priorities?

Options:

A.

Heat map

B.

Business impact analysis (BIA)

C.

Balanced Scorecard

D.

Risk register

Buy Now
Questions 280

To help identify high-risk situations, an organization should:

Options:

A.

continuously monitor the environment.

B.

develop key performance indicators (KPIs).

C.

maintain a risk matrix.

D.

maintain a risk register.

Buy Now
Questions 281

Which of the following BEST indicates the effectiveness of anti-malware software?

Options:

A.

Number of staff hours lost due to malware attacks

B.

Number of downtime hours in business critical servers

C.

Number of patches made to anti-malware software

D.

Number of successful attacks by malicious software

Buy Now
Questions 282

Which of the following is the MOST appropriate key risk indicator (KRI) for backup media that is recycled monthly?

Options:

A.

Time required for backup restoration testing

B.

Change in size of data backed up

C.

Successful completion of backup operations

D.

Percentage of failed restore tests

Buy Now
Questions 283

Which of the following practices BEST mitigates risk related to enterprise-wide ethical decision making in a multi-national organization?

Options:

A.

Customized regional training on local laws and regulations

B.

Policies requiring central reporting of potential procedure exceptions

C.

Ongoing awareness training to support a common risk culture

D.

Zero-tolerance policies for risk taking by middle-level managers

Buy Now
Questions 284

An IT department has organized training sessions to improve user awareness of organizational information security policies. Which of the following is the BEST key performance indicator (KPI) to reflect effectiveness of the training?

Options:

A.

Number of training sessions completed

B.

Percentage of staff members who complete the training with a passing score

C.

Percentage of attendees versus total staff

D.

Percentage of staff members who attend the training with positive feedback

Buy Now
Questions 285

Which of the following is MOST important to the effectiveness of key performance indicators (KPIs)?

Options:

A.

Relevance

B.

Annual review

C.

Automation

D.

Management approval

Buy Now
Questions 286

An organization discovers significant vulnerabilities in a recently purchased commercial off-the-shelf software product which will not be corrected until the next release. Which of the following is the risk manager's BEST course of action?

Options:

A.

Review the risk of implementing versus postponing with stakeholders.

B.

Run vulnerability testing tools to independently verify the vulnerabilities.

C.

Review software license to determine the vendor's responsibility regarding vulnerabilities.

D.

Require the vendor to correct significant vulnerabilities prior to installation.

Buy Now
Questions 287

Which of the following should be the MOST important consideration when performing a vendor risk assessment?

Options:

A.

Results of the last risk assessment of the vendor

B.

Inherent risk of the business process supported by the vendor

C.

Risk tolerance of the vendor

D.

Length of time since the last risk assessment of the vendor

Buy Now
Questions 288

Which of the following scenarios represents a threat?

Options:

A.

Connecting a laptop to a free, open, wireless access point (hotspot)

B.

Visitors not signing in as per policy

C.

Storing corporate data in unencrypted form on a laptop

D.

A virus transmitted on a USB thumb drive

Buy Now
Questions 289

Which of the following will be MOST effective in uniquely identifying the originator of electronic transactions?

Options:

A.

Digital signature

B.

Edit checks

C.

Encryption

D.

Multifactor authentication

Buy Now
Questions 290

A PRIMARY advantage of involving business management in evaluating and managing risk is that management:

Options:

A.

better understands the system architecture.

B.

is more objective than risk management.

C.

can balance technical and business risk.

D.

can make better-informed business decisions.

Buy Now
Questions 291

Which of the following is the BEST evidence that risk management is driving business decisions in an organization?

Options:

A.

Compliance breaches are addressed in a timely manner.

B.

Risk ownership is identified and assigned.

C.

Risk treatment options receive adequate funding.

D.

Residual risk is within risk tolerance.

Buy Now
Questions 292

Which of the following is the GREATEST benefit of analyzing logs collected from different systems?

Options:

A.

A record of incidents is maintained.

B.

Forensic investigations are facilitated.

C.

Security violations can be identified.

D.

Developing threats are detected earlier.

Buy Now
Questions 293

An IT risk practitioner has determined that mitigation activities differ from an approved risk action plan. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Report the observation to the chief risk officer (CRO).

B.

Validate the adequacy of the implemented risk mitigation measures.

C.

Update the risk register with the implemented risk mitigation actions.

D.

Revert the implemented mitigation measures until approval is obtained

Buy Now
Questions 294

Accountability for a particular risk is BEST represented in a:

Options:

A.

risk register

B.

risk catalog

C.

risk scenario

D.

RACI matrix

Buy Now
Questions 295

The MOST important objective of information security controls is to:

Options:

A.

Identify threats and vulnerability

B.

Ensure alignment with industry standards

C.

Provide measurable risk reduction

D.

Enforce strong security solutions

Buy Now
Questions 296

A risk practitioner has discovered a deficiency in a critical system that cannot be patched. Which of the following should be the risk practitioner's FIRST course of action?

Options:

A.

Report the issue to internal audit.

B.

Submit a request to change management.

C.

Conduct a risk assessment.

D.

Review the business impact assessment.

Buy Now
Questions 297

The PRIMARY benefit of conducting continuous monitoring of access controls is the ability to identify:

Options:

A.

inconsistencies between security policies and procedures

B.

possible noncompliant activities that lead to data disclosure

C.

leading or lagging key risk indicators (KRIs)

D.

unknown threats to undermine existing access controls

Buy Now
Questions 298

Which of the following approaches will BEST help to ensure the effectiveness of risk awareness training?

Options:

A.

Piloting courses with focus groups

B.

Using reputable third-party training programs

C.

Reviewing content with senior management

D.

Creating modules for targeted audiences

Buy Now
Questions 299

Key risk indicators (KRIs) are MOST useful during which of the following risk management phases?

Options:

A.

Monitoring

B.

Analysis

C.

Identification

D.

Response selection

Buy Now
Questions 300

Which of the following BEST indicates the risk appetite and tolerance level (or the risk associated with business interruption caused by IT system failures?

Options:

A.

Mean time to recover (MTTR)

B.

IT system criticality classification

C.

Incident management service level agreement (SLA)

D.

Recovery time objective (RTO)

Buy Now
Questions 301

Which of the following is the GREATEST advantage of implementing a risk management program?

Options:

A.

Enabling risk-aware decisions

B.

Promoting a risk-aware culture

C.

Improving security governance

D.

Reducing residual risk

Buy Now
Questions 302

In an organization where each division manages risk independently, which of the following would BEST enable management of risk at the enterprise level?

Options:

A.

A standardized risk taxonomy

B.

A list of control deficiencies

C.

An enterprise risk ownership policy

D.

An updated risk tolerance metric

Buy Now
Questions 303

The PRIMARY goal of conducting a business impact analysis (BIA) as part of an overall continuity planning process is to:

Options:

A.

obtain the support of executive management.

B.

map the business processes to supporting IT and other corporate resources.

C.

identify critical business processes and the degree of reliance on support services.

D.

document the disaster recovery process.

Buy Now
Questions 304

Which of the following should be the FIRST consideration when establishing a new risk governance program?

Options:

A.

Developing an ongoing awareness and training program

B.

Creating policies and standards that are easy to comprehend

C.

Embedding risk management into the organization

D.

Completing annual risk assessments on critical resources

Buy Now
Questions 305

The BEST key performance indicator (KPI) for monitoring adherence to an organization's user accounts provisioning practices is the percentage of:

Options:

A.

accounts without documented approval

B.

user accounts with default passwords

C.

active accounts belonging to former personnel

D.

accounts with dormant activity.

Buy Now
Questions 306

If preventive controls cannot be Implemented due to technology limitations, which of the following should be done FIRST to reduce risk7

Options:

A.

Evaluate alternative controls.

B.

Redefine the business process to reduce the risk.

C.

Develop a plan to upgrade technology.

D.

Define a process for monitoring risk.

Buy Now
Questions 307

As pan of business continuity planning, which of the following is MOST important to include m a business impact analysis (BlA)?

Options:

A.

An assessment of threats to the organization

B.

An assessment of recovery scenarios

C.

industry standard framework

D.

Documentation of testing procedures

Buy Now
Questions 308

When developing a response plan to address security incidents regarding sensitive data loss, it is MOST important

Options:

A.

revalidate current key risk indicators (KRIs).

B.

revise risk management procedures.

C.

review the data classification policy.

D.

revalidate existing risk scenarios.

Buy Now
Questions 309

Which of the following BEST enables a risk practitioner to understand management's approach to organizational risk?

Options:

A.

Organizational structure and job descriptions

B.

Risk appetite and risk tolerance

C.

Industry best practices for risk management

D.

Prior year's risk assessment results

Buy Now
Questions 310

Which of the following key performance indicators (KPis) would BEST measure me risk of a service outage when using a Software as a Service (SaaS) vendors

Options:

A.

Frequency of business continuity plan (BCP) lasting

B.

Frequency and number of new software releases

C.

Frequency and duration of unplanned downtime

D.

Number of IT support staff available after business hours

Buy Now
Questions 311

An organization's chief information officer (CIO) has proposed investing in a new. untested technology to take advantage of being first to market Senior management has concerns about the success of the project and has set a limit for expenditures before final approval. This conditional approval indicates the organization's risk:

Options:

A.

capacity.

B.

appetite.

C.

management capability.

D.

treatment strategy.

Buy Now
Questions 312

An organization is concerned that its employees may be unintentionally disclosing data through the use of social media sites. Which of the following will MOST effectively mitigate tins risk?

Options:

A.

Requiring the use of virtual private networks (VPNs)

B.

Establishing a data classification policy

C.

Conducting user awareness training

D.

Requiring employee agreement of the acceptable use policy

Buy Now
Questions 313

Which of the following is MOST important for an organization to consider when developing its IT strategy?

Options:

A.

IT goals and objectives

B.

Organizational goals and objectives

C.

The organization's risk appetite statement

D.

Legal and regulatory requirements

Buy Now
Questions 314

Which of the following is MOST important when conducting a post-implementation review as part of the system development life cycle (SDLC)?

Options:

A.

Verifying that project objectives are met

B.

Identifying project cost overruns

C.

Leveraging an independent review team

D.

Reviewing the project initiation risk matrix

Buy Now
Questions 315

Which of the following is the MOST important reason to validate that risk responses have been executed as outlined in the risk response plan''

Options:

A.

To ensure completion of the risk assessment cycle

B.

To ensure controls arc operating effectively

C.

To ensure residual risk Is at an acceptable level

D.

To ensure control costs do not exceed benefits

Buy Now
Questions 316

Who is MOST appropriate to be assigned ownership of a control

Options:

A.

The individual responsible for control operation

B.

The individual informed of the control effectiveness

C.

The individual responsible for resting the control

D.

The individual accountable for monitoring control effectiveness

Buy Now
Questions 317

Which of the following is MOST important to determine when assessing the potential risk exposure of a loss event involving personal data?

Options:

A.

The cost associated with incident response activities

The composition and number of records in the information asset

B.

The maximum levels of applicable regulatory fines

C.

The length of time between identification and containment of the incident

Buy Now
Questions 318

A risk practitioner is utilizing a risk heat map during a risk assessment. Risk events that are coded with the same color will have a similar:

Options:

A.

risk score

B.

risk impact

C.

risk response

D.

risk likelihood.

Buy Now
Questions 319

Which of the following is the BEST way to determine whether system settings are in alignment with control baselines?

Options:

A.

Configuration validation

B.

Control attestation

C.

Penetration testing

D.

Internal audit review

Buy Now
Questions 320

Which of the following is the MOST effective way to help ensure accountability for managing risk?

Options:

A.

Assign process owners to key risk areas.

B.

Obtain independent risk assessments.

C.

Assign incident response action plan responsibilities.

D.

Create accurate process narratives.

Buy Now
Questions 321

A company has recently acquired a customer relationship management (CRM) application from a certified software vendor. Which of the following will BE ST help lo prevent technical vulnerabilities from being exploded?

Options:

A.

implement code reviews and Quality assurance on a regular basis

B.

Verity me software agreement indemnifies the company from losses

C.

Review the source coda and error reporting of the application

D.

Update the software with the latest patches and updates

Buy Now
Questions 322

Which of the following BEST reduces the risk associated with the theft of a laptop containing sensitive information?

Options:

A.

Cable lock

B.

Data encryption

C.

Periodic backup

D.

Biometrics access control

Buy Now
Questions 323

Business management is seeking assurance from the CIO that IT has a plan in place for early identification of potential issues that could impact the delivery of a new application Which of the following is the BEST way to increase the chances of a successful delivery'?

Options:

A.

Implement a release and deployment plan

B.

Conduct comprehensive regression testing.

C.

Develop enterprise-wide key risk indicators (KRls)

D.

Include business management on a weekly risk and issues report

Buy Now
Questions 324

It is MOST important that security controls for a new system be documented in:

Options:

A.

testing requirements

B.

the implementation plan.

C.

System requirements

D.

The security policy

Buy Now
Questions 325

An organization has agreed to a 99% availability for its online services and will not accept availability that falls below 98.5%. This is an example of:

Options:

A.

risk mitigation.

B.

risk evaluation.

C.

risk appetite.

D.

risk tolerance.

Buy Now
Questions 326

A risk practitioner has identified that the agreed recovery time objective (RTO) with a Software as a Service (SaaS) provider is longer than the business expectation. Which ot the following is the risk practitioner's BEST course of action?

Options:

A.

Collaborate with the risk owner to determine the risk response plan.

B.

Document the gap in the risk register and report to senior management.

C.

Include a right to audit clause in the service provider contract.

D.

Advise the risk owner to accept the risk.

Buy Now
Questions 327

Senior management wants to increase investment in the organization's cybersecurity program in response to changes in the external threat landscape. Which of the following would BEST help to prioritize investment efforts?

Options:

A.

Analyzing cyber intelligence reports

B.

Engaging independent cybersecurity consultants

C.

Increasing the frequency of updates to the risk register

D.

Reviewing the outcome of the latest security risk assessment

Buy Now
Questions 328

A recent vulnerability assessment of a web-facing application revealed several weaknesses. Which of the following should be done NEXT to determine the risk exposure?

Options:

A.

Code review

B.

Penetration test

C.

Gap assessment

D.

Business impact analysis (BIA)

Buy Now
Questions 329

Which of the following is the MOST important objective from a cost perspective for considering aggregated risk responses in an organization?

Options:

A.

Prioritize risk response options

B.

Reduce likelihood.

C.

Address more than one risk response

D.

Reduce impact

Buy Now
Questions 330

A global company s business continuity plan (BCP) requires the transfer of its customer information….

event of a disaster. Which of the following should be the MOST important risk consideration?

Options:

A.

The difference In the management practices between each company

B.

The cloud computing environment is shared with another company

C.

The lack of a service level agreement (SLA) in the vendor contract

D.

The organizational culture differences between each country

Buy Now
Questions 331

Which of the following should be the GREATEST concern to a risk practitioner when process documentation is incomplete?

Options:

A.

Inability to allocate resources efficiently

B.

Inability to identify the risk owner

C.

Inability to complete the risk register

D.

Inability to identify process experts

Buy Now
Questions 332

Which of the following is the PRIMARY objective of establishing an organization's risk tolerance and appetite?

Options:

A.

To align with board reporting requirements

B.

To assist management in decision making

C.

To create organization-wide risk awareness

D.

To minimize risk mitigation efforts

Buy Now
Questions 333

When establishing an enterprise IT risk management program, it is MOST important to:

Options:

A.

review alignment with the organizations strategy.

B.

understand the organization's information security policy.

C.

validate the organization's data classification scheme.

D.

report identified IT risk scenarios to senior management.

Buy Now
Questions 334

A risk practitioner recently discovered that personal information from the production environment is required for testing purposes in non-production environments. Which of the following is the BEST recommendation to address this situation?

Options:

A.

Enable data encryption in the test environment.

B.

Prevent the use of production data in the test environment

C.

De-identify data before being transferred to the test environment.

D.

Enforce multi-factor authentication within the test environment.

Buy Now
Questions 335

An organization's recovery team is attempting to recover critical data backups following a major flood in its data center. However, key team members do not know exactly what steps should be taken to address this crisis. Which of the following is the MOST likely cause of this situation?

Options:

A.

Failure to test the disaster recovery plan (DRP)

B.

Lack of well-documented business impact analysis (BIA)

C.

Lack of annual updates to the disaster recovery plan (DRP)

D.

Significant changes in management personnel

Buy Now
Questions 336

Which of the following provides the MOST useful information for developing key risk indicators (KRIs)?

Options:

A.

Business impact analysis (BIA) results

B.

Risk scenario ownership

C.

Risk thresholds

D.

Possible causes of materialized risk

Buy Now
Questions 337

Reviewing which of the following BEST helps an organization gam insight into its overall risk profile''

Options:

A.

Risk register

B.

Risk appetite

C.

Threat landscape

D.

Risk metrics

Buy Now
Questions 338

Which of the following would BEST facilitate the implementation of data classification requirements?

Options:

A.

Assigning a data owner

B.

Implementing technical control over the assets

C.

Implementing a data loss prevention (DLP) solution

D.

Scheduling periodic audits

Buy Now
Questions 339

Of the following, who is responsible for approval when a change in an application system is ready for release to production?

Options:

A.

Information security officer

B.

IT risk manager

C.

Business owner

D.

Chief risk officer (CRO)

Buy Now
Questions 340

An organization maintains independent departmental risk registers that are not automatically aggregated. Which of the following is the GREATEST concern?

Options:

A.

Management may be unable to accurately evaluate the risk profile.

B.

Resources may be inefficiently allocated.

C.

The same risk factor may be identified in multiple areas.

D.

Multiple risk treatment efforts may be initiated to treat a given risk.

Buy Now
Questions 341

Which of the following would provide the MOST helpful input to develop risk scenarios associated with hosting an organization's key IT applications in a cloud environment?

Options:

A.

Reviewing the results of independent audits

B.

Performing a site visit to the cloud provider's data center

C.

Performing a due diligence review

D.

Conducting a risk workshop with key stakeholders

Buy Now
Questions 342

When is the BEST to identify risk associated with major project to determine a mitigation plan?

Options:

A.

Project execution phase

B.

Project initiation phase

C.

Project closing phase

D.

Project planning phase

Buy Now
Questions 343

Using key risk indicators (KRIs) to illustrate changes in the risk profile PRIMARILY helps to:

Options:

A.

communicate risk trends to stakeholders.

B.

assign ownership of emerging risk scenarios.

C.

highlight noncompliance with the risk policy

D.

identify threats to emerging technologies.

Buy Now
Questions 344

Which of the following is MOST important for senior management to review during an acquisition?

Options:

A.

Risk appetite and tolerance

B.

Risk framework and methodology

C.

Key risk indicator (KRI) thresholds

D.

Risk communication plan

Buy Now
Questions 345

Which of the following is the GREATEST benefit of centralizing IT systems?

Options:

A.

Risk reporting

B.

Risk classification

C.

Risk monitoring

D.

Risk identification

Buy Now
Questions 346

Which of the following is MOST important for maintaining the effectiveness of an IT risk register?

Options:

A.

Removing entries from the register after the risk has been treated

B.

Recording and tracking the status of risk response plans within the register

C.

Communicating the register to key stakeholders

D.

Performing regular reviews and updates to the register

Buy Now
Questions 347

Which of the following would provide the BEST evidence of an effective internal control environment/?

Options:

A.

Risk assessment results

B.

Adherence to governing policies

C.

Regular stakeholder briefings

D.

Independent audit results

Buy Now
Questions 348

Senior management is deciding whether to share confidential data with the organization's business partners. The BEST course of action for a risk practitioner would be to submit a report to senior management containing the:

Options:

A.

possible risk and suggested mitigation plans.

B.

design of controls to encrypt the data to be shared.

C.

project plan for classification of the data.

D.

summary of data protection and privacy legislation.

Buy Now
Questions 349

An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?

Options:

A.

Invoke the disaster recovery plan during an incident.

B.

Prepare a cost-benefit analysis of alternatives available

C.

Implement redundant infrastructure for the application.

D.

Reduce the recovery time by strengthening the response team.

Buy Now
Questions 350

During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT. Which of the following is the BEST way for the risk practitioner to address these concerns?

Options:

A.

Describe IT risk scenarios in terms of business risk.

B.

Recommend the formation of an executive risk council to oversee IT risk.

C.

Provide an estimate of IT system downtime if IT risk materializes.

D.

Educate business executives on IT risk concepts.

Buy Now
Questions 351

An organization wants to assess the maturity of its internal control environment. The FIRST step should be to:

Options:

A.

validate control process execution.

B.

determine if controls are effective.

C.

identify key process owners.

D.

conduct a baseline assessment.

Buy Now
Questions 352

A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?

Options:

A.

Document the finding in the risk register.

B.

Invoke the incident response plan.

C.

Re-evaluate key risk indicators.

D.

Modify the design of the control.

Buy Now
Questions 353

Which of the following is the BEST approach to use when creating a comprehensive set of IT risk scenarios?

Options:

A.

Derive scenarios from IT risk policies and standards.

B.

Map scenarios to a recognized risk management framework.

C.

Gather scenarios from senior management.

D.

Benchmark scenarios against industry peers.

Buy Now
Questions 354

Which of the following will BEST mitigate the risk associated with IT and business misalignment?

Options:

A.

Establishing business key performance indicators (KPIs)

B.

Introducing an established framework for IT architecture

C.

Establishing key risk indicators (KRIs)

D.

Involving the business process owner in IT strategy

Buy Now
Questions 355

Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?

Options:

A.

Identify the potential risk.

B.

Monitor employee usage.

C.

Assess the potential risk.

D.

Develop risk awareness training.

Buy Now
Questions 356

Which of the following is MOST effective against external threats to an organizations confidential information?

Options:

A.

Single sign-on

B.

Data integrity checking

C.

Strong authentication

D.

Intrusion detection system

Buy Now
Questions 357

Which of the following risk activities is BEST facilitated by enterprise architecture (EA)?

Options:

A.

Aligning business unit risk responses to organizational priorities

B.

Determining attack likelihood per business unit

C.

Adjusting business unit risk tolerances

D.

Customizing incident response plans for each business unit

Buy Now
Questions 358

An insurance company handling sensitive and personal information from its customers receives a large volume of telephone requests and electronic communications daily. Which of the following

is MOST important to include in a risk awareness training session for the customer service department?

Options:

A.

Archiving sensitive information

B.

Understanding the incident management process

C.

Identifying social engineering attacks

D.

Understanding the importance of using a secure password

Buy Now
Questions 359

Well-developed, data-driven risk measurements should be:

Options:

A.

reflective of the lowest organizational level.

B.

a data feed taken directly from operational production systems.

C.

reported to management the same day data is collected.

D.

focused on providing a forward-looking view.

Buy Now
Questions 360

Within the three lines of defense model, the responsibility for managing risk and controls resides with:

Options:

A.

operational management.

B.

the risk practitioner.

C.

the internal auditor.

D.

executive management.

Buy Now
Questions 361

Which of the following is the GREATEST risk associated with inappropriate classification of data?

Options:

A.

Inaccurate record management data

B.

Inaccurate recovery time objectives (RTOs)

C.

Lack of accountability for data ownership

D.

Users having unauthorized access to data

Buy Now
Questions 362

A risk practitioner has been asked to evaluate the adoption of a third-party blockchain integration platform based on the value added by the platform and the organization's risk appetite. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Conduct a risk assessment with stakeholders.

B.

Conduct third-party resilience tests.

C.

Update the risk register with the process changes.

D.

Review risk related to standards and regulations.

Buy Now
Questions 363

Which of the following should be a risk practitioner's NEXT step after learning of an incident that has affected a competitor?

Options:

A.

Activate the incident response plan.

B.

Implement compensating controls.

C.

Update the risk register.

D.

Develop risk scenarios.

Buy Now
Questions 364

An organization is outsourcing a key database to be hosted by an external service provider. Who is BEST suited to assess the impact of potential data loss?

Options:

A.

Database manager

B.

Public relations manager

C.

Data privacy manager

D.

Business manager

Buy Now
Questions 365

Which of the following is the BEST approach for obtaining management buy-in

to implement additional IT controls?

Options:

A.

List requirements based on a commonly accepted IT risk management framework.

B.

Provide information on new governance, risk, and compliance (GRC) platform functionalities.

C.

Describe IT risk impact on organizational processes in monetary terms.

D.

Present new key risk indicators (KRIs) based on industry benchmarks.

Buy Now
Questions 366

An organization has identified the need to implement an asset tiering model to establish the appropriate level of impact. Which of the following is the MOST effective risk assessment methodology for a risk practitioner to use for this initiative?

Options:

A.

Qualitative method

B.

Industry calibration method

C.

Threat-based method

D.

Quantitative method

Buy Now
Questions 367

Which of the following risk impacts should be the PRIMARY consideration for determining recovery priorities in a disaster recovery situation?

Options:

A.

Data security

B.

Recovery costs

C.

Business disruption

D.

Recovery resource availability

Buy Now
Questions 368

Which of the following is the MOST important consideration when selecting digital signature software?

Options:

A.

Availability

B.

Nonrepudiation

C.

Accuracy

D.

Completeness

Buy Now
Questions 369

Who should be accountable for authorizing information system access to internal users?

Options:

A.

Information security officer

B.

Information security manager

C.

Information custodian

D.

Information owner

Buy Now
Questions 370

A robotic process automation (RPA) project has implemented new robots to enhance the efficiency of a sales business process. Which of the following provides the BEST evidence that the new controls have been implemented successfully?

Options:

A.

A post-implementation review has been conducted by key personnel.

B.

A qualified independent party assessed the new controls as effective.

C.

Senior management has signed off on the design of the controls.

D.

Robots have operated without human interference on a daily basis.

Buy Now
Questions 371

Which of the following is the BEST approach when a risk treatment plan cannot be completed on time?

Options:

A.

Replace the action owner with a more experienced individual.

B.

Implement compensating controls until the preferred action can be completed.

C.

Change the risk response strategy of the relevant risk to risk avoidance.

D.

Develop additional key risk indicators (KRIs) until the preferred action can be completed.

Buy Now
Questions 372

A risk practitioner has been asked to assess the risk associated with a new critical application used by a financial process team that the risk practitioner was a member of two years ago. Which of the following is the GREATEST concern with this request?

Options:

A.

The risk assessment team may be overly confident of its ability to identify issues.

B.

The risk practitioner may be unfamiliar with recent application and process changes.

C.

The risk practitioner may still have access rights to the financial system.

D.

Participation in the risk assessment may constitute a conflict of interest.

Buy Now
Questions 373

What should a risk practitioner do FIRST when a shadow IT application is identified in a business owner's business impact analysis (BIA)?

Options:

A.

Include the application in the business continuity plan (BCP).

B.

Determine the business purpose of the application.

C.

Segregate the application from the network.

D.

Report the finding to management.

Buy Now
Questions 374

A risk practitioner has reviewed new international regulations and realizes the new regulations will affect the organization. Which of the following should be the risk practitioner's NEXT course of

action?

Options:

A.

Conduct a peer response assessment.

B.

Update risk scenarios in the risk register.

C.

Reevaluate the risk management program.

D.

Ensure applications are compliant.

Buy Now
Questions 375

The BEST way for management to validate whether risk response activities have been completed is to review:

Options:

A.

the risk register change log.

B.

evidence of risk acceptance.

C.

control effectiveness test results.

D.

control design documentation.

Buy Now
Questions 376

Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?

Options:

A.

Risk appetite is decreased.

B.

Inherent risk is increased.

C.

Risk tolerance is decreased.

D.

Residual risk is increased.

Buy Now
Questions 377

Which of the following is the PRIMARY objective of a risk awareness program?

Options:

A.

To demonstrate senior management support

B.

To enhance organizational risk culture

C.

To increase awareness of risk mitigation controls

D.

To clearly define ownership of risk

Buy Now
Questions 378

Which of the following should be the PRIMARY basis for deciding whether to disclose information related to risk events that impact external stakeholders?

Options:

A.

Stakeholder preferences

B.

Contractual requirements

C.

Regulatory requirements

D.

Management assertions

Buy Now
Questions 379

Which of the following BEST enables a risk practitioner to identify the consequences of losing critical resources due to a disaster?

Options:

A.

Risk management action plans

B.

Business impact analysis (BIA)

C.

What-if technique

D.

Tabletop exercise results

Buy Now
Questions 380

When confirming whether implemented controls are operating effectively, which of the following is MOST important to review?

Options:

A.

Results of benchmarking studies

B.

Results of risk assessments

C.

Number of emergency change requests

D.

Maturity model

Buy Now
Questions 381

Which of the following scenarios presents the GREATEST risk of noncompliance with data privacy best practices?

Options:

A.

Making data available to a larger audience of customers

B.

Data not being disposed according to the retention policy

C.

Personal data not being de-identified properly

D.

Data being used for purposes the data subjects have not opted into

Buy Now
Questions 382

Which of the following is the MOST important characteristic of a key risk indicator (KRI) to enable decision-making?

Options:

A.

Monitoring the risk until the exposure is reduced

B.

Setting minimum sample sizes to ensure accuracy

C.

Listing alternative causes for risk events

D.

Illustrating changes in risk trends

Buy Now
Questions 383

When creating a separate IT risk register for a large organization, which of the following is MOST important to consider with regard to the existing corporate risk 'register?

Options:

A.

Leveraging business risk professionals

B.

Relying on generic IT risk scenarios

C.

Describing IT risk in business terms

D.

Using a common risk taxonomy

Buy Now
Questions 384

The percentage of unpatched systems is a:

Options:

A.

threat vector.

B.

critical success factor (CSF).

C.

key performance indicator (KPI).

D.

key risk indicator (KRI).

Buy Now
Questions 385

Which of the following would BEST prevent an unscheduled application of a patch?

Options:

A.

Network-based access controls

B.

Compensating controls

C.

Segregation of duties

D.

Change management

Buy Now
Questions 386

Which of the following should be the FIRST course of action if the risk associated with a new technology is found to be increasing?

Options:

A.

Re-evaluate current controls.

B.

Revise the current risk action plan.

C.

Escalate the risk to senior management.

D.

Implement additional controls.

Buy Now
Questions 387

Which of the following would present the GREATEST challenge for a risk practitioner during a merger of two organizations?

Options:

A.

Variances between organizational risk appetites

B.

Different taxonomies to categorize risk scenarios

C.

Disparate platforms for governance, risk, and compliance (GRC) systems

D.

Dissimilar organizational risk acceptance protocols

Buy Now
Questions 388

Which of the following will BEST help to improve an organization's risk culture?

Options:

A.

Maintaining a documented risk register

B.

Establishing a risk awareness program

C.

Rewarding employees for reporting security incidents

D.

Allocating resources for risk remediation

Buy Now
Questions 389

A risk practitioner's BEST guidance to help an organization develop relevant risk scenarios is to ensure the scenarios are:

Options:

A.

based on industry trends.

B.

mapped to incident response plans.

C.

related to probable events.

D.

aligned with risk management capabilities.

Buy Now
Questions 390

Which of the following should be accountable for ensuring that media containing financial information are adequately destroyed per an organization's data disposal policy?

Options:

A.

Compliance manager

B.

Data architect

C.

Data owner

D.

Chief information officer (CIO)

Buy Now
Questions 391

A risk practitioner wants to identify potential risk events that affect the continuity of a critical business process. Which of the following should the risk practitioner do FIRST?

Options:

A.

Evaluate current risk management alignment with relevant regulations.

B.

Determine if business continuity procedures are reviewed and updated on a regular basis.

C.

Review the methodology used to conduct the business impact analysis (BIA).

D.

Conduct a benchmarking exercise against industry peers.

Buy Now
Questions 392

Which of the following activities is a responsibility of the second line of defense?

Options:

A.

Challenging risk decision making

B.

Developing controls to manage risk scenarios

C.

Implementing risk response plans

D.

Establishing organizational risk appetite

Buy Now
Questions 393

Which of the following is the MOST important criteria for selecting key risk indicators (KRIs)?

Options:

A.

Historical data availability

B.

Implementation and reporting effort

C.

Ability to display trends

D.

Sensitivity and reliability

Buy Now
Questions 394

Which of the following is the MOST useful information an organization can obtain from external sources about emerging threats?

Options:

A.

Solutions for eradicating emerging threats

B.

Cost to mitigate the risk resulting from threats

C.

Indicators for detecting the presence of threatsl)

D.

Source and identity of attackers

Buy Now
Questions 395

Which of the following is the GREATEST benefit of having a mature enterprise architecture (EA) in place?

Options:

A.

Standards-based policies

B.

Audit readiness

C.

Efficient operations

D.

Regulatory compliance

Buy Now
Questions 396

Which of the following is the PRIMARY accountability for a control owner?

Options:

A.

Communicate risk to senior management.

B.

Own the associated risk the control is mitigating.

C.

Ensure the control operates effectively.

D.

Identify and assess control weaknesses.

Buy Now
Questions 397

Which of the following should be done FIRST upon learning that the organization will be affected by a new regulation in its industry?

Options:

A.

Transfer the risk.

B.

Perform a gap analysis.

C.

Determine risk appetite for the new regulation.

D.

Implement specific monitoring controls.

Buy Now
Questions 398

Which of the following BEST mitigates reputational risk associated with disinformation campaigns against an organization?

Options:

A.

Monitoring digital platforms that disseminate inaccurate or misleading news stories

B.

Engaging public relations personnel to debunk false stories and publications

C.

Restricting the use of social media on corporate networks during specific hours

D.

Providing awareness training to understand and manage these types of attacks

Buy Now
Questions 399

Which of the following is the BEST way to prevent the loss of highly sensitive data when disposing of storage media?

Options:

A.

Physical destruction

B.

Degaussing

C.

Data anonymization

D.

Data deletion

Buy Now
Questions 400

Who is MOST important lo include in the assessment of existing IT risk scenarios?

Options:

A.

Technology subject matter experts

B.

Business process owners

C.

Business users of IT systems

D.

Risk management consultants

Buy Now
Questions 401

A risk practitioner is defining metrics for security threats that were not identified by antivirus software. Which type of metric is being developed?

Options:

A.

Key control indicator (KCI)

B.

Key risk indicator (KRI)

C.

Operational level agreement (OLA)

D.

Service level agreement (SLA)

Buy Now
Questions 402

Which of the following should be the starting point when performing a risk analysis for an asset?

Options:

A.

Assess risk scenarios.

B.

Update the risk register.

C.

Evaluate threats.

D.

Assess controls.

Buy Now
Questions 403

Reviewing which of the following BEST helps an organization gain insight into its overall risk profile?

Options:

A.

Threat landscape

B.

Risk appetite

C.

Risk register

D.

Risk metrics

Buy Now
Questions 404

Which of the following BEST enables the development of a successful IT strategy focused on business risk mitigation?

Options:

A.

Providing risk awareness training for business units

B.

Obtaining input from business management

C.

Understanding the business controls currently in place

D.

Conducting a business impact analysis (BIA)

Buy Now
Questions 405

An organization has outsourced its backup and recovery procedures to a third-party cloud provider. Which of the following should be the risk practitioner's NEXT course of action?

Options:

A.

Remove the associated risk from the register.

B.

Validate control effectiveness and update the risk register.

C.

Review the contract and service level agreements (SLAs).

D.

Obtain an assurance report from the third-party provider.

Buy Now
Questions 406

When reporting to senior management on changes in trends related to IT risk, which of the following is MOST important?

Options:

A.

Materiality

B.

Confidentiality

C.

Maturity

D.

Transparency

Buy Now
Questions 407

When implementing an IT risk management program, which of the following is the BEST time to evaluate current control effectiveness?

Options:

A.

Before defining a framework

B.

During the risk assessment

C.

When evaluating risk response

D.

When updating the risk register

Buy Now
Questions 408

Which of the following is the BEST indicator of the effectiveness of a control?

Options:

A.

Scope of the control coverage

B.

The number of exceptions granted

C.

Number of steps necessary to operate process

D.

Number of control deviations detected

Buy Now
Questions 409

Which of the following provides the BEST evidence that robust risk management practices are in place within an organization?

Options:

A.

A management-approved risk dashboard

B.

A current control framework

C.

A regularly updated risk register

D.

Regularly updated risk management procedures

Buy Now
Questions 410

Which of the following is MOST important to ensure when reviewing an organization's risk register?

Options:

A.

Risk ownership is recorded.

B.

Vulnerabilities have separate entries.

C.

Control ownership is recorded.

D.

Residual risk is less than inherent risk.

Buy Now
Questions 411

Which of the following is the MOST important document regarding the treatment of sensitive data?

Options:

A.

Encryption policy

B.

Organization risk profile

C.

Digital rights management policy

D.

Information classification policy

Buy Now
Questions 412

Which of the following should be the MOST important consideration when determining controls necessary for a highly critical information system?

Options:

A.

The number of threats to the system

B.

The organization's available budget

C.

The number of vulnerabilities to the system

D.

The level of acceptable risk to the organization

Buy Now
Questions 413

A business impact analysis (BIA) enables an organization to determine appropriate IT risk mitigation actions by:

Options:

A.

validating whether critical IT risk has been addressed.

B.

assigning accountability for IT risk to business functions.

C.

identifying IT assets that support key business processes.

D.

defining the requirements for an IT risk-aware culture

Buy Now
Questions 414

Which of the following events is MOST likely to trigger the need to conduct a risk assessment?

Options:

A.

An incident resulting in data loss

B.

Changes in executive management

C.

Updates to the information security policy

D.

Introduction of a new product line

Buy Now
Questions 415

Which of the following is the BEST recommendation of a risk practitioner for an organization that recently changed its organizational structure?

Options:

A.

Communicate the new risk profile.

B.

Implement a new risk assessment process.

C.

Revalidate the corporate risk appetite.

D.

Review and adjust key risk indicators (KRIs).

Buy Now
Questions 416

Which of the following is the BEST key performance indicator (KPI) to measure how effectively risk management practices are embedded in the project management office (PMO)?

Options:

A.

Percentage of projects with key risk accepted by the project steering committee

B.

Reduction in risk policy noncompliance findings

C.

Percentage of projects with developed controls on scope creep

D.

Reduction in audits involving external risk consultants

Buy Now
Questions 417

Which of the following is the PRIMARY reason to ensure policies and standards are properly documented within the risk management process?

Options:

A.

It facilitates the use of a framework for risk management.

B.

It establishes a means for senior management to formally approve risk practices.

C.

It encourages risk-based decision making for stakeholders.

D.

It provides a basis for benchmarking against industry standards.

Buy Now
Questions 418

The BEST way to validate that a risk treatment plan has been implemented effectively is by reviewing:

Options:

A.

results of a business impact analysis (BIA).

B.

the original risk response plan.

C.

training program and user awareness documentation.

D.

a post-implementation risk and control self-assessment (RCSA).

Buy Now
Questions 419

Which of the following is MOST important for the organization to consider before implementing a new in-house developed artificial intelligence (Al) solution?

Options:

A.

Industry trends in Al

B.

Expected algorithm outputs

C.

Data feeds

D.

Alert functionality

Buy Now
Questions 420

Which of the following BEST enables an organization to address risk associated with technical complexity?

Options:

A.

Documenting system hardening requirements

B.

Minimizing dependency on technology

C.

Aligning with a security architecture

D.

Establishing configuration guidelines

Buy Now
Questions 421

A failed IT system upgrade project has resulted in the corruption of an organization's asset inventory database. Which of the following controls BEST mitigates the impact of this incident?

Options:

A.

Encryption

B.

Authentication

C.

Configuration

D.

Backups

Buy Now
Questions 422

Warning banners on login screens for laptops provided by an organization to its employees are an example of which type of control?

Options:

A.

Corrective

B.

Preventive

C.

Detective

D.

Deterrent

Buy Now
Questions 423

The PRIMARY focus of an ongoing risk awareness program should be to:

Options:

A.

enable better risk-based decisions.

B.

define appropriate controls to mitigate risk.

C.

determine impact of risk scenarios.

D.

expand understanding of risk indicators.

Buy Now
Questions 424

Which of the following is MOST important when identifying an organization's risk exposure associated with Internet of Things (loT) devices?

Options:

A.

Defined remediation plans

B.

Management sign-off on the scope

C.

Manual testing of device vulnerabilities

D.

Visibility into all networked devices

Buy Now
Questions 425

Which of the following is the MOST likely reason an organization would engage an independent reviewer to assess its IT risk management program?

Options:

A.

To ensure IT risk management is focused on mitigating emerging risk

B.

To confirm that IT risk assessment results are expressed in quantitative terms

C.

To evaluate threats to the organization's operations and strategy

D.

To identify gaps in the alignment of IT risk management processes and strategy

Buy Now
Questions 426

Which of the following provides the MOST useful information to trace the impact of aggregated risk across an organization's technical environment?

Options:

A.

Business case documentation

B.

Organizational risk appetite statement

C.

Enterprise architecture (EA) documentation

D.

Organizational hierarchy

Buy Now
Questions 427

Which of the following is BEST used to aggregate data from multiple systems to identify abnormal behavior?

Options:

A.

Cyber threat intelligence

B.

Anti-malware software

C.

Endpoint detection and response (EDR)

D.

SIEM systems

Buy Now
Questions 428

Which of the following is MOST important when determining risk appetite?

Options:

A.

Assessing regulatory requirements

B.

Benchmarking against industry standards

C.

Gaining management consensus

D.

Identifying risk tolerance

Buy Now
Questions 429

A failure in an organization s IT system build process has resulted in several computers on the network missing the corporate endpoint detection and response (EDR) software. Which of the following should be the risk practitioner’s IMMEDIATE concern?

Options:

A.

Multiple corporate build images exist.

B.

The process documentation was not updated.

C.

The IT build process was not followed.

D.

Threats are not being detected.

Buy Now
Questions 430

Which of the following is the BEST key performance indicator (KPI) to measure the ability to deliver uninterrupted IT services?

Options:

A.

Mean time between failures (MTBF)

B.

Mean time to recover (MTTR)

C.

Planned downtime

D.

Unplanned downtime

Buy Now
Questions 431

Which of the following is the MOST important course of action to foster an ethical, risk-aware culture?

Options:

A.

Implement a fraud detection and prevention framework.

B.

Ensure the alignment of the organization's policies and standards to the defined risk appetite.

C.

Establish an enterprise-wide ethics training and awareness program.

D.

Perform a comprehensive review of all applicable legislative frameworks and requirements.

Buy Now
Questions 432

A key risk indicator (KRI) that incorporates data from external open-source threat intelligence sources has shown changes in risk trend data. Which of the following is MOST important to update in the risk register?

Options:

A.

Impact of risk occurrence

B.

Frequency of risk occurrence

C.

Cost of risk response

D.

Legal aspects of risk realization

Buy Now
Questions 433

When outsourcing a business process to a cloud service provider, it is MOST important to understand that:

Options:

A.

insurance could be acquired for the risk associated with the outsourced process.

B.

service accountability remains with the cloud service provider.

C.

a risk owner must be designated within the cloud service provider.

D.

accountability for the risk will remain with the organization.

Buy Now
Questions 434

An application development team has a backlog of user requirements for a new system that will process insurance claim payments for customers. Which of the following should be the MOST important consideration for a risk-based review of the user requirements?

Options:

A.

Number of claims affected by the user requirements

B.

Number of customers impacted

C.

Impact to the accuracy of claim calculation

D.

Level of resources required to implement the user requirements

Buy Now
Questions 435

Which of the following is MOST important to ensure risk management practices are effective at all levels within the organization?

Options:

A.

Communicating risk awareness materials regularly

B.

Establishing key risk indicators (KRIs) to monitor risk management processes

C.

Ensuring that business activities minimize inherent risk

D.

Embedding risk management in business activities

Buy Now
Questions 436

Of the following, whose input is ESSENTIAL when developing risk scenarios for the implementation of a third-party mobile application that stores customer data?

Options:

A.

Information security manager

B.

IT vendor manager

C.

Business process owner

D.

IT compliance manager

Buy Now
Questions 437

An organization has been experiencing an increasing number of spear phishing attacks Which of the following would be the MOST effective way to mitigate the risk associated with these attacks?

Options:

A.

Update firewall configuration

B.

Require strong password complexity

C.

implement a security awareness program

D.

Implement two-factor authentication

Buy Now
Questions 438

Which of the following is the PRIMARY benefit of integrating risk and security requirements in an organization's enterprise architecture (EA)?

Options:

A.

Adherence to legal and compliance requirements

B.

Reduction in the number of test cases in the acceptance phase

C.

Establishment of digital forensic architectures

D.

Consistent management of information assets

Buy Now
Questions 439

Which of the following is the GREATEST concern if user acceptance testing (UAT) is not conducted when implementing a new application?

Options:

A.

The probability of application defects will increase

B.

Data confidentiality could be compromised

C.

Increase in the use of redundant processes

D.

The application could fail to meet defined business requirements

Buy Now
Questions 440

Which of the following should be done FIRST when a new risk scenario has been identified

Options:

A.

Estimate the residual risk.

B.

Establish key risk indicators (KRIs).

C.

Design control improvements.

D.

Identify the risk owner.

Buy Now
Questions 441

An organization is moving its critical assets to the cloud. Which of the following is the MOST important key performance indicator (KPI) to include in the service level agreement (SLA)?

Options:

A.

Percentage of standard supplier uptime

B.

Average time to respond to incidents

C.

Number of assets included in recovery processes

D.

Number of key applications hosted

Buy Now
Questions 442

An organization recently implemented new technologies that enable the use of robotic process automation. Which of the following is MOST important to reassess?

Options:

A.

Risk profile

B.

Risk tolerance

C.

Risk capacity

D.

Risk appetite

Buy Now
Questions 443

A risk practitioner notices a risk scenario associated with data loss at the organization's cloud provider is assigned to the provider who should the risk scenario be reassigned to.

Options:

A.

Senior management

B.

Chief risk officer (CRO)

C.

Vendor manager

D.

Data owner

Buy Now
Questions 444

An organizational policy requires critical security patches to be deployed in production within three weeks of patch availability. Which of the following is the BEST metric to verify adherence to the policy?

Options:

A.

Maximum time gap between patch availability and deployment

B.

Percentage of critical patches deployed within three weeks

C.

Minimum time gap between patch availability and deployment

D.

Number of critical patches deployed within three weeks

Buy Now
Exam Code: CRISC
Exam Name: Certified in Risk and Information Systems Control
Last Update: Nov 21, 2024
Questions: 1480

PDF + Testing Engine

$130

Testing Engine

$95

PDF (Q&A)

$80