Weekend Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: best70

CRISC Certified in Risk and Information Systems Control Questions and Answers

Questions 4

The PRIMARY benefit of conducting a risk workshop using a top-down approach instead of a bottom-up approach is the ability to:

Options:

A.

identify specific project risk.

B.

obtain a holistic view of IT strategy risk.

C.

understand risk associated with complex processes.

D.

incorporate subject matter expertise.

Buy Now
Questions 5

Which of the following situations reflects residual risk?

Options:

A.

Risk that is present before risk acceptance has been finalized

B.

Risk that is removed after a risk acceptance has been finalized

C.

Risk that is present before mitigation controls have been applied

D.

Risk that remains after mitigation controls have been applied

Buy Now
Questions 6

Which of the following is the BEST approach for determining whether a risk action plan is effective?

Options:

A.

Comparing the remediation cost against budget

B.

Assessing changes in residual risk

C.

Assessing the inherent risk

D.

Monitoring changes of key performance indicators(KPIs)

Buy Now
Questions 7

When implementing an IT risk management program, which of the following is the BEST time to evaluate current control effectiveness?

Options:

A.

Before defining a framework

B.

During the risk assessment

C.

When evaluating risk response

D.

When updating the risk register

Buy Now
Questions 8

Which of the following is the GREATEST concern when using artificial intelligence (AI) language models?

Options:

A.

The model could be hacked or exploited.

B.

The model could be used to generate inaccurate content.

C.

Staff could become overly reliant on the model.

D.

It could lead to biased recommendations.

Buy Now
Questions 9

An organization's decision to remain noncompliant with certain laws or regulations is MOST likely influenced by:

Options:

A.

The region in which the organization operates.

B.

Established business culture.

C.

Risk appetite set by senior management.

D.

Identified business process controls.

Buy Now
Questions 10

Within the three lines of defense model, the responsibility for managing risk and controls resides with:

Options:

A.

operational management.

B.

the risk practitioner.

C.

the internal auditor.

D.

executive management.

Buy Now
Questions 11

The MOST important measure of the effectiveness of risk management in project implementation is the percentage of projects:

Options:

A.

introduced into production without high-risk issues.

B.

having the risk register updated regularly.

C.

having key risk indicators (KRIs) established to measure risk.

D.

having an action plan to remediate overdue issues.

Buy Now
Questions 12

Which of the following is MOST important to the effectiveness of key performance indicators (KPIs)?

Options:

A.

Management approval

B.

Annual review

C.

Relevance

D.

Automation

Buy Now
Questions 13

The BEST way for management to validate whether risk response activities have been completed is to review:

Options:

A.

the risk register change log.

B.

evidence of risk acceptance.

C.

control effectiveness test results.

D.

control design documentation.

Buy Now
Questions 14

What is a risk practitioner's BEST approach to monitor and measure how quickly an exposure to a specific risk can affect the organization?

Options:

A.

Create an asset valuation report.

B.

Create key performance indicators (KPls).

C.

Create key risk indicators (KRIs).

D.

Create a risk volatility report.

Buy Now
Questions 15

A risk practitioner wants to identify potential risk events that affect the continuity of a critical business process. Which of the following should the risk practitioner do FIRST?

Options:

A.

Evaluate current risk management alignment with relevant regulations.

B.

Determine if business continuity procedures are reviewed and updated on a regular basis.

C.

Review the methodology used to conduct the business impact analysis (BIA).

D.

Conduct a benchmarking exercise against industry peers.

Buy Now
Questions 16

Which of the following is the PRIMARY purpose for ensuring senior management understands the organization’s risk universe in relation to the IT risk management program?

Options:

A.

To define effective enterprise IT risk appetite and tolerance levels

B.

To execute the IT risk management strategy in support of business objectives

C.

To establish business-aligned IT risk management organizational structures

D.

To assess the capabilities and maturity of the organization’s IT risk management efforts

Buy Now
Questions 17

Which of the following events is MOST likely to trigger the need to conduct a risk assessment?

Options:

A.

An incident resulting in data loss

B.

Introduction of a new product line

C.

Changes in executive management

D.

Updates to the information security policy

Buy Now
Questions 18

WhichT5f the following is the MOST effective way to promote organization-wide awareness of data security in response to an increase in regulatory penalties for data leakage?

Options:

A.

Enforce sanctions for noncompliance with security procedures.

B.

Conduct organization-w>de phishing simulations.

C.

Require training on the data handling policy.

D.

Require regular testing of the data breach response plan.

Buy Now
Questions 19

Which of the following is the BEST control for a large organization to implement to effectively mitigate risk related to fraudulent transactions?

Options:

A.

Segregation of duties

B.

Monetary approval limits

C.

Clear roles and responsibilities

D.

Password policies

Buy Now
Questions 20

An organization plans to implement a new Software as a Service (SaaS) speech-to-text solution Which of the following is MOST important to mitigate risk associated with data privacy?

Options:

A.

Secure encryption protocols are utilized.

B.

Multi-factor authentication is set up for users.

C.

The solution architecture is approved by IT.

D.

A risk transfer clause is included in the contact

Buy Now
Questions 21

Which of the following is the BEST criterion to determine whether higher residual risk ratings in the risk register should be accepted?

Options:

A.

Risk maturity

B.

Risk policy

C.

Risk appetite

D.

Risk culture

Buy Now
Questions 22

Which of the following roles should be assigned accountability for monitoring risk levels?

Options:

A.

Risk practitioner

B.

Business manager

C.

Risk owner

D.

Control owner

Buy Now
Questions 23

Which of the following should be the PRIMARY input to determine risk tolerance?

Options:

A.

Regulatory requirements

B.

Organizational objectives

C.

Annual loss expectancy (ALE)

D.

Risk management costs

Buy Now
Questions 24

Which of the following is the MOST important reason to restrict access to the risk register on a need-to-know basis?

Options:

A.

It contains vulnerabilities and threats.

B.

The risk methodology is intellectual property.

C.

Contents may be used as auditable findings.

D.

Risk scenarios may be misinterpreted.

Buy Now
Questions 25

Which of the following provides the MOST useful information to trace the impact of aggregated risk across an organization's technical environment?

Options:

A.

Business case documentation

B.

Organizational risk appetite statement

C.

Enterprise architecture (EA) documentation

D.

Organizational hierarchy

Buy Now
Questions 26

Which of the following would provide the MOST useful input when evaluating the appropriateness of risk responses?

Options:

A.

Incident reports

B.

Cost-benefit analysis

C.

Risk tolerance

D.

Control objectives

Buy Now
Questions 27

Which of the following scenarios is MOST likely to cause a risk practitioner to request a formal risk acceptance sign-off?

Options:

A.

Residual risk in excess of the risk appetite cannot be mitigated.

B.

Inherent risk is too high, resulting in the cancellation of an initiative.

C.

Risk appetite has changed to align with organizational objectives.

D.

Residual risk remains at the same level over time without further mitigation.

Buy Now
Questions 28

A poster has been displayed in a data center that reads. "Anyone caught taking photographs in the data center may be subject to disciplinary action." Which of the following control types has been implemented?

Options:

A.

Corrective

B.

Detective

C.

Deterrent

D.

Preventative

Buy Now
Questions 29

After an annual risk assessment is completed, which of the following would be MOST important to communicate to stakeholders?

Options:

A.

A decrease in threats

B.

A change in the risk profile

C.

An increase in reported vulnerabilities

D.

An increase in identified risk scenarios

Buy Now
Questions 30

Which of the following is a PRIMARY objective of privacy impact assessments (PIAs)?

Options:

A.

To identify threats introduced by business processes

B.

To identify risk when personal information is collected

C.

To ensure senior management has approved the use of personal information

D.

To ensure compliance with data privacy laws and regulations

Buy Now
Questions 31

A risk practitioner learns that a risk owner has been accepting gifts from a supplier of IT products. Some of these IT products are used to implement controls and to mitigate risk to acceptable levels. Which of the following should the risk practitioner do FIRST?

Options:

A.

Initiate disciplinary action against the risk owner.

B.

Reassess the risk and review the underlying controls.

C.

Review organizational ethics policies.

D.

Report the activity to the supervisor.

Buy Now
Questions 32

Which of the following should be a risk practitioner's NEXT step after learning of an incident that has affected a competitor?

Options:

A.

Activate the incident response plan.

B.

Implement compensating controls.

C.

Update the risk register.

D.

Develop risk scenarios.

Buy Now
Questions 33

A global organization is considering the transfer of its customer information systems to an overseas cloud service provider in the event of a disaster. Which of the following should be the MOST important risk consideration?

Options:

A.

Regulatory restrictions for cross-border data transfer

B.

Service level objectives in the vendor contract

C.

Organizational culture differences between each country

D.

Management practices within each company

Buy Now
Questions 34

A risk practitioner has been asked to evaluate the adoption of a third-party blockchain integration platform based on the value added by the platform and the organization's risk appetite. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Conduct a risk assessment with stakeholders.

B.

Conduct third-party resilience tests.

C.

Update the risk register with the process changes.

D.

Review risk related to standards and regulations.

Buy Now
Questions 35

Which of the following should be the MOST important consideration when determining controls necessary for a highly critical information system?

Options:

A.

The number of threats to the system

B.

The organization's available budget

C.

The number of vulnerabilities to the system

D.

The level of acceptable risk to the organization

Buy Now
Questions 36

Which of the following is the MOST important key performance indicator (KPI) for monitoring the user access management process?

Options:

A.

Proportion of end users having more than one account

B.

Percentage of accounts disabled within the service level agreement (SLA)

C.

Proportion of privileged to non-privileged accounts

D.

Percentage of accounts that have not been activated

Buy Now
Questions 37

An organization has implemented a policy requiring staff members to take a minimum of five consecutive days' leave per year to mitigate the risk of malicious insider activities. Which of the following is the BEST key performance indicator (KPI) of the effectiveness of this policy?

Options:

A.

Percentage of staff turnover following five consecutive days of leave

B.

Average number of consecutive days of leave per staff member

C.

Number of suspected malicious activities reported since policy implementation

D.

Financial loss incurred due to malicious activities since policy implementation

Buy Now
Questions 38

Which of the following is the MOST critical consideration when awarding a project to a third-party service provider whose servers are located offshore?

Options:

A.

Difficulty of monitoring compliance due to geographical distance

B.

Cost implications due to installation of network intrusion detection systems (IDSs)

C.

Delays in incident communication

D.

Potential impact on data governance

Buy Now
Questions 39

When determining risk ownership, the MAIN consideration should be:

Options:

A.

who owns the business process.

B.

the amount of residual risk.

C.

who is responsible for risk mitigation.

D.

the total cost of risk treatment.

Buy Now
Questions 40

It was discovered that a service provider's administrator was accessing sensitive information without the approval of the customer in an Infrastructure as a Service (laaS) model. Which of the following would BEST protect against a future recurrence?

Options:

A.

Data encryption

B.

Intrusion prevention system (IPS)

C.

Two-factor authentication

D.

Contractual requirements

Buy Now
Questions 41

A risk practitioner has been asked to assess the risk associated with a new critical application used by a financial process team that the risk practitioner was a member of two years ago. Which of the following is the GREATEST concern with this request?

Options:

A.

The risk assessment team may be overly confident of its ability to identify issues.

B.

The risk practitioner may be unfamiliar with recent application and process changes.

C.

The risk practitioner may still have access rights to the financial system.

D.

Participation in the risk assessment may constitute a conflict of interest.

Buy Now
Questions 42

The number of tickets to rework application code has significantly exceeded the established threshold. Which of the following would be the risk practitioner s BEST recommendation?

Options:

A.

Perform a root cause analysis

B.

Perform a code review

C.

Implement version control software.

D.

Implement training on coding best practices

Buy Now
Questions 43

Calculation of the recovery time objective (RTO) is necessary to determine the:

Options:

A.

time required to restore files.

B.

point of synchronization

C.

priority of restoration.

D.

annual loss expectancy (ALE).

Buy Now
Questions 44

Which of the following is the BEST metric to demonstrate the effectiveness of an organization's patch management process?

Options:

A.

Average time to implement patches after vendor release

B.

Number of patches tested prior to deployment

C.

Increase in the frequency of patches deployed into production

D.

Percent of patches implemented within established timeframe

Buy Now
Questions 45

Which of the following is MOST critical when designing controls?

Options:

A.

Involvement of internal audit

B.

Involvement of process owner

C.

Quantitative impact of the risk

D.

Identification of key risk indicators

Buy Now
Questions 46

A risk practitioner is involved in a comprehensive overhaul of the organizational risk management program. Which of the following should be reviewed FIRST to help identify relevant IT risk scenarios?

Options:

A.

Technology threats

B.

IT assets

C.

Security vulnerabilities

D.

IT risk register

Buy Now
Questions 47

Which of the following is the BEST key performance indicator (KPI) to measure the maturity of an organization's security incident handling process?

Options:

A.

The number of security incidents escalated to senior management

B.

The number of resolved security incidents

C.

The number of newly identified security incidents

D.

The number of recurring security incidents

Buy Now
Questions 48

Of the following, who should be responsible for determining the inherent risk rating of an application?

Options:

A.

Application owner

B.

Senior management

C.

Risk practitioner

D.

Business process owner

Buy Now
Questions 49

Which of the following would be the result of a significant increase in the motivation of a malicious threat actor?

Options:

A.

Increase in mitigating control costs

B.

Increase in risk event impact

C.

Increase in risk event likelihood

D.

Increase in cybersecurity premium

Buy Now
Questions 50

Which of The following BEST represents the desired risk posture for an organization?

Options:

A.

Inherent risk is lower than risk tolerance.

B.

Operational risk is higher than risk tolerance.

C.

Accepted risk is higher than risk tolerance.

D.

Residual risk is lower than risk tolerance.

Buy Now
Questions 51

Which of the following would BEST help an enterprise prioritize risk scenarios?

Options:

A.

Industry best practices

B.

Placement on the risk map

C.

Degree of variances in the risk

D.

Cost of risk mitigation

Buy Now
Questions 52

Which of the following BEST protects an organization against breaches when using a software as a service (SaaS) application?

Options:

A.

Control self-assessment (CSA)

B.

Security information and event management (SIEM) solutions

C.

Data privacy impact assessment (DPIA)

D.

Data loss prevention (DLP) tools

Buy Now
Questions 53

An organization has identified a risk exposure due to weak technical controls in a newly implemented HR system. The risk practitioner is documenting the risk in the risk register. The risk should be owned by the:

Options:

A.

chief risk officer.

B.

project manager.

C.

chief information officer.

D.

business process owner.

Buy Now
Questions 54

A trusted third-party service provider has determined that the risk of a client's systems being hacked is low. Which of the following would be the client's BEST course of action?

Options:

A.

Perform their own risk assessment

B.

Implement additional controls to address the risk.

C.

Accept the risk based on the third party's risk assessment

D.

Perform an independent audit of the third party.

Buy Now
Questions 55

Which of the following will BEST ensure that controls adequately support business goals and objectives?

Options:

A.

Using the risk management process

B.

Enforcing strict disciplinary procedures in case of noncompliance

C.

Reviewing results of the annual company external audit

D.

Adopting internationally accepted controls

Buy Now
Questions 56

Which of the following is the MOST important benefit of key risk indicators (KRIs)'

Options:

A.

Assisting in continually optimizing risk governance

B.

Enabling the documentation and analysis of trends

C.

Ensuring compliance with regulatory requirements

D.

Providing an early warning to take proactive actions

Buy Now
Questions 57

Which of the following is MOST important to review when evaluating the ongoing effectiveness of the IT risk register?

Options:

A.

The costs associated with mitigation options

B.

The status of identified risk scenarios

C.

The cost-benefit analysis of each risk response

D.

The timeframes for risk response actions

Buy Now
Questions 58

A data processing center operates in a jurisdiction where new regulations have significantly increased penalties for data breaches. Which of the following elements of the risk register is MOST important to update to reflect this change?

Options:

A.

Risk impact

B.

Risk trend

C.

Risk appetite

D.

Risk likelihood

Buy Now
Questions 59

An organization practices the principle of least privilege. To ensure access remains appropriate, application owners should be required to review user access rights on a regular basis by obtaining:

Options:

A.

business purpose documentation and software license counts

B.

an access control matrix and approval from the user's manager

C.

documentation indicating the intended users of the application

D.

security logs to determine the cause of invalid login attempts

Buy Now
Questions 60

Which of the following would be the GREATEST challenge when implementing a corporate risk framework for a global organization?

Options:

A.

Privacy risk controls

B.

Business continuity

C.

Risk taxonomy

D.

Management support

Buy Now
Questions 61

Key risk indicators (KRIs) are MOST useful during which of the following risk management phases?

Options:

A.

Monitoring

B.

Analysis

C.

Identification

D.

Response selection

Buy Now
Questions 62

Which of the following should be the FIRST step when a company is made aware of new regulatory requirements impacting IT?

Options:

A.

Perform a gap analysis.

B.

Prioritize impact to the business units.

C.

Perform a risk assessment.

D.

Review the risk tolerance and appetite.

Buy Now
Questions 63

The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for.

Options:

A.

data logging and monitoring

B.

data mining and analytics

C.

data classification and labeling

D.

data retention and destruction

Buy Now
Questions 64

Which risk response strategy could management apply to both positive and negative risk that has been identified?

Options:

A.

Transfer

B.

Accept

C.

Exploit

D.

Mitigate

Buy Now
Questions 65

Which of the following provides the MOST reliable evidence of a control's effectiveness?

Options:

A.

A risk and control self-assessment

B.

Senior management's attestation

C.

A system-generated testing report

D.

detailed process walk-through

Buy Now
Questions 66

An organization recently implemented an automated interface for uploading payment files to its banking system to replace manual processing. Which of the following elements of the risk register is MOST appropriate for the risk practitioner to update to reflect the improved control?

Options:

A.

Risk scenarios

B.

Risk ownership

C.

Risk impact

D.

Risk likelihood

Buy Now
Questions 67

Which of the following is MOST useful when performing a quantitative risk assessment?

Options:

A.

RACI matrix

B.

Financial models

C.

Management support

D.

Industry benchmarking

Buy Now
Questions 68

Which of the following is MOST important requirement to include in a Software as a Service (SaaS) vendor contract to ensure data is protected?

Options:

A.

The vendor must provide periodic independent assurance reports.

B.

The vendor must host data in a specific geographic location.

C.

The vendor must be held liable for regulatory fines for failure to protect data.

D.

The vendor must participate in an annual vendor performance review.

Buy Now
Questions 69

Which of the following is the BEST way to validate whether controls to reduce user device vulnerabilities have been implemented according to management's action plan?

Options:

A.

Survey device owners.

B.

Rescan the user environment.

C.

Require annual end user policy acceptance.

D.

Review awareness training assessment results

Buy Now
Questions 70

Which types of controls are BEST used to minimize the risk associated with a vulnerability?

Options:

A.

Detective

B.

Preventive

C.

Deterrent

D.

Directive

Buy Now
Questions 71

A risk register BEST facilitates which of the following risk management functions?

Options:

A.

Analyzing the organization's risk appetite

B.

Influencing the risk culture of the organization

C.

Reviewing relevant risk scenarios with stakeholders

D.

Articulating senior management's intent

Buy Now
Questions 72

Which of the following would MOST likely cause a risk practitioner to change the likelihood rating in the risk register?

Options:

A.

Risk appetite

B.

Control cost

C.

Control effectiveness

D.

Risk tolerance

Buy Now
Questions 73

Senior management has requested more information regarding the risk associated with introducing a new application into the environment. Which of the following should be done FIRST?

Options:

A.

Perform an audit.

B.

Conduct a risk analysis.

C.

Develop risk scenarios.

D.

Perform a cost-benefit analysis.

Buy Now
Questions 74

Which of the following has the GREATEST positive impact on ethical compliance within the risk management process?

Options:

A.

Senior management demonstrates ethics in their day-to-day decision making.

B.

An independent ethics investigation team has been established.

C.

Employees are required to complete ethics training courses annually.

D.

The risk practitioner is required to consult with the ethics committee.

Buy Now
Questions 75

Which of the following is the BEST key performance indicator (KPI) to measure how effectively risk management practices are embedded in the project management office (PMO)?

Options:

A.

Percentage of projects with key risk accepted by the project steering committee

B.

Reduction in risk policy noncompliance findings

C.

Percentage of projects with developed controls on scope creep

D.

Reduction in audits involving external risk consultants

Buy Now
Questions 76

A risk assessment has revealed that the probability of a successful cybersecurity attack is increasing. The potential loss could exceed the organization's risk appetite. Which of the following ould be the MOST effective course of action?

Options:

A.

Re-evaluate the organization's risk appetite.

B.

Outsource the cybersecurity function.

C.

Purchase cybersecurity insurance.

D.

Review cybersecurity incident response procedures.

Buy Now
Questions 77

In order to determining a risk is under-controlled the risk practitioner will need to

Options:

A.

understand the risk tolerance

B.

monitor and evaluate IT performance

C.

identify risk management best practices

D.

determine the sufficiency of the IT risk budget

Buy Now
Questions 78

In an organization with a mature risk management program, which of the following would provide the BEST evidence that the IT risk profile is up to date?

Options:

A.

Risk questionnaire

B.

Risk register

C.

Management assertion

D.

Compliance manual

Buy Now
Questions 79

Print jobs containing confidential information are sent to a shared network printer located in a secure room. Which of the following is the BEST control to prevent the inappropriate disclosure of confidential information?

Options:

A.

Requiring a printer access code for each user

B.

Using physical controls to access the printer room

C.

Using video surveillance in the printer room

D.

Ensuring printer parameters are properly configured

Buy Now
Questions 80

Participants in a risk workshop have become focused on the financial cost to mitigate risk rather than choosing the most appropriate response. Which of the following is the BEST way to address this type of issue in the long term?

Options:

A.

Perform a return on investment analysis.

B.

Review the risk register and risk scenarios.

C.

Calculate annualized loss expectancy of risk scenarios.

D.

Raise the maturity of organizational risk management.

Buy Now
Questions 81

Which of the following is the MOST important consideration when selecting key risk indicators (KRIs) to monitor risk trends over time?

Options:

A.

Ongoing availability of data

B.

Ability to aggregate data

C.

Ability to predict trends

D.

Availability of automated reporting systems

Buy Now
Questions 82

To communicate the risk associated with IT in business terms, which of the following MUST be defined?

Options:

A.

Compliance objectives

B.

Risk appetite of the organization

C.

Organizational objectives

D.

Inherent and residual risk

Buy Now
Questions 83

Which of the following is the MOST critical element to maximize the potential for a successful security implementation?

Options:

A.

The organization's knowledge

B.

Ease of implementation

C.

The organization's culture

D.

industry-leading security tools

Buy Now
Questions 84

Which of the following is MOST important when developing risk scenarios?

Options:

A.

Reviewing business impact analysis (BIA)

B.

Collaborating with IT audit

C.

Conducting vulnerability assessments

D.

Obtaining input from key stakeholders

Buy Now
Questions 85

Winch of the following can be concluded by analyzing the latest vulnerability report for the it infrastructure?

Options:

A.

Likelihood of a threat

B.

Impact of technology risk

C.

Impact of operational risk

D.

Control weakness

Buy Now
Questions 86

An IT risk practitioner has been asked to regularly report on the overall status and effectiveness of the IT risk management program. Which of the following is MOST useful for this purpose?

Options:

A.

Balanced scorecard

B.

Capability maturity level

C.

Internal audit plan

D.

Control self-assessment (CSA)

Buy Now
Questions 87

Which of the following is a drawback in the use of quantitative risk analysis?

Options:

A.

It assigns numeric values to exposures of assets.

B.

It requires more resources than other methods

C.

It produces the results in numeric form.

D.

It is based on impact analysis of information assets.

Buy Now
Questions 88

Which of the following should be the PRIMARY focus of a risk owner once a decision is made to mitigate a risk?

Options:

A.

Updating the risk register to include the risk mitigation plan

B.

Determining processes for monitoring the effectiveness of the controls

C.

Ensuring that control design reduces risk to an acceptable level

D.

Confirming to management the controls reduce the likelihood of the risk

Buy Now
Questions 89

Which of the following BEST represents a critical threshold value for a key control indicator (KCI)?

Options:

A.

The value at which control effectiveness would fail

B.

Thresholds benchmarked to peer organizations

C.

A typical operational value

D.

A value that represents the intended control state

Buy Now
Questions 90

While reviewing an organization's monthly change management metrics, a risk practitioner notes that the number of emergency changes has increased substantially Which of the following would be the BEST approach for the risk practitioner to take?

Options:

A.

Temporarily suspend emergency changes.

B.

Document the control deficiency in the risk register.

C.

Conduct a root cause analysis.

D.

Continue monitoring change management metrics.

Buy Now
Questions 91

Which of the following would be MOST helpful to an information security management team when allocating resources to mitigate exposures?

Options:

A.

Relevant risk case studies

B.

Internal audit findings

C.

Risk assessment results

D.

Penetration testing results

Buy Now
Questions 92

An organization has recently been experiencing frequent data corruption incidents. Implementing a file corruption detection tool as a risk response strategy will help to:

Options:

A.

reduce the likelihood of future events

B.

restore availability

C.

reduce the impact of future events

D.

address the root cause

Buy Now
Questions 93

Which of the following would BEST enable a risk-based decision when considering the use of an emerging technology for data processing?

Options:

A.

Gap analysis

B.

Threat assessment

C.

Resource skills matrix

D.

Data quality assurance plan

Buy Now
Questions 94

Which of the following is the BEST approach when a risk treatment plan cannot be completed on time?

Options:

A.

Implement compensating controls until the preferred action can be completed.

B.

Develop additional key risk indicators (KRIs) until the preferred action can be completed.

C.

Replace the action owner with a more experienced individual.

D.

Change the risk response strategy of the relevant risk to risk avoidance.

Buy Now
Questions 95

Which of the following should a risk practitioner review FIRST when evaluating risk events associated with the organization's data flow model?

Options:

A.

Results of data classification activities

B.

Recent changes to enterprise architecture (EA)

C.

High-level network diagrams

D.

Notes from interviews with the data owners

Buy Now
Questions 96

Which of the following is the PRIMARY benefit of stakeholder involvement in risk scenario development?

Options:

A.

Ability to determine business impact

B.

Up-to-date knowledge on risk responses

C.

Decision-making authority for risk treatment

D.

Awareness of emerging business threats

Buy Now
Questions 97

An organization has determined a risk scenario is outside the defined risk tolerance level. What should be the NEXT course of action?

Options:

A.

Develop a compensating control.

B.

Allocate remediation resources.

C.

Perform a cost-benefit analysis.

D.

Identify risk responses

Buy Now
Questions 98

Whether the results of risk analyses should be presented in quantitative or qualitative terms should be based PRIMARILY on the:

Options:

A.

requirements of management.

B.

specific risk analysis framework being used.

C.

organizational risk tolerance

D.

results of the risk assessment.

Buy Now
Questions 99

An organization's Internet-facing server was successfully attacked because the server did not have the latest security patches. The risk associated with poor patch management had been documented in the risk register and accepted. Who should be accountable for any related losses to the organization?

Options:

A.

Risk owner

B.

IT risk manager

C.

Server administrator

D.

Risk practitioner

Buy Now
Questions 100

Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities?

Options:

A.

Temporarily mitigate the OS vulnerabilities

B.

Document and implement a patching process

C.

Evaluate permanent fixes such as patches and upgrades

D.

Identify the vulnerabilities and applicable OS patches

Buy Now
Questions 101

Which of the following is the MOST effective way for a large and diversified organization to minimize risk associated with unauthorized software on company devices?

Options:

A.

Scan end points for applications not included in the asset inventory.

B.

Prohibit the use of cloud-based virtual desktop software.

C.

Conduct frequent reviews of software licenses.

D.

Perform frequent internal audits of enterprise IT infrastructure.

Buy Now
Questions 102

Which of the following presents the GREATEST challenge to managing an organization's end-user devices?

Options:

A.

Incomplete end-user device inventory

B.

Unsupported end-user applications

C.

Incompatible end-user devices

D.

Multiple end-user device models

Buy Now
Questions 103

Which of the following has the GREATEST influence on an organization's risk appetite?

Options:

A.

Threats and vulnerabilities

B.

Internal and external risk factors

C.

Business objectives and strategies

D.

Management culture and behavior

Buy Now
Questions 104

Which of the blowing is MOST important when implementing an organization s security policy?

Options:

A.

Obtaining management support

B.

Benchmarking against industry standards

C.

Assessing compliance requirements

D.

Identifying threats and vulnerabilities

Buy Now
Questions 105

Which of the following practices would be MOST effective in protecting personality identifiable information (Ptl) from unauthorized access m a cloud environment?

Options:

A.

Apply data classification policy

B.

Utilize encryption with logical access controls

C.

Require logical separation of company data

D.

Obtain the right to audit

Buy Now
Questions 106

During a risk assessment, a risk practitioner learns that an IT risk factor is adequately mitigated by compensating controls in an associated business process. Which of the following would enable the MOST effective management of the residual risk?

Options:

A.

Schedule periodic reviews of the compensating controls' effectiveness.

B.

Report the use of compensating controls to senior management.

C.

Recommend additional IT controls to further reduce residual risk.

D.

Request that ownership of the compensating controls is reassigned to IT

Buy Now
Questions 107

Which of the following should be done FIRST when a new risk scenario has been identified

Options:

A.

Estimate the residual risk.

B.

Establish key risk indicators (KRIs).

C.

Design control improvements.

D.

Identify the risk owner.

Buy Now
Questions 108

Which of the following is the MOST effective way to incorporate stakeholder concerns when developing risk scenarios?

Options:

A.

Evaluating risk impact

B.

Establishing key performance indicators (KPIs)

C.

Conducting internal audits

D.

Creating quarterly risk reports

Buy Now
Questions 109

Because of a potential data breach, an organization has decided to temporarily shut down its online sales order system until sufficient controls can be implemented. Which risk treatment has been selected?

Options:

A.

Avoidance

B.

Transfer

C.

Mitigation

D.

Acceptance

Buy Now
Questions 110

Which of the following is the MOST important update for keeping the risk register current?

Options:

A.

Modifying organizational structures when lines of business merge

B.

Adding new risk assessment results annually

C.

Retiring risk scenarios that have been avoided

D.

Changing risk owners due to employee turnover

Buy Now
Questions 111

Which of the following BEST mitigates ethical risk?

Options:

A.

Ethics committees

B.

Contingency scenarios

C.

Awareness of consequences for violations

D.

Routine changes in senior management

Buy Now
Questions 112

Which strategy employed by risk management would BEST help to prevent internal fraud?

Options:

A.

Require control owners to conduct an annual control certification.

B.

Conduct regular internal and external audits on the systems supporting financial reporting.

C.

Ensure segregation of duties are implemented within key systems or processes.

D.

Require the information security officer to review unresolved incidents.

Buy Now
Questions 113

The risk to an organization's reputation due to a recent cybersecurity breach is PRIMARILY considered to be:

Options:

A.

financial risk.

B.

data risk.

C.

operational risk.

D.

strategic risk.

Buy Now
Questions 114

The risk associated with an asset before controls are applied can be expressed as:

Options:

A.

a function of the likelihood and impact

B.

the magnitude of an impact

C.

a function of the cost and effectiveness of control.

D.

the likelihood of a given threat

Buy Now
Questions 115

When a risk practitioner is determining a system's criticality. it is MOST helpful to review the associated:

Options:

A.

process flow.

B.

business impact analysis (BIA).

C.

service level agreement (SLA).

D.

system architecture.

Buy Now
Questions 116

Which of the following provides the MOST useful information for developing key risk indicators (KRIs)?

Options:

A.

Business impact analysis (BIA) results

B.

Risk scenario ownership

C.

Risk thresholds

D.

Possible causes of materialized risk

Buy Now
Questions 117

An organization is adopting block chain for a new financial system. Which of the following should be the GREATEST concern for a risk practitioner evaluating the system's production readiness?

Options:

A.

Limited organizational knowledge of the underlying technology

B.

Lack of commercial software support

C.

Varying costs related to implementation and maintenance

D.

Slow adoption of the technology across the financial industry

Buy Now
Questions 118

Which of the following is MOST important when conducting a post-implementation review as part of the system development life cycle (SDLC)?

Options:

A.

Verifying that project objectives are met

B.

Identifying project cost overruns

C.

Leveraging an independent review team

D.

Reviewing the project initiation risk matrix

Buy Now
Questions 119

Which of the following should be the PRIMARY basis for prioritizing risk responses?

Options:

A.

The impact of the risk

B.

The replacement cost of the business asset

C.

The cost of risk mitigation controls

D.

The classification of the business asset

Buy Now
Questions 120

Which of the following is MOST important for senior management to review during an acquisition?

Options:

A.

Risk appetite and tolerance

B.

Risk framework and methodology

C.

Key risk indicator (KRI) thresholds

D.

Risk communication plan

Buy Now
Questions 121

Which of the following is the BEST way for a risk practitioner to present an annual risk management update to the board''

Options:

A.

A summary of risk response plans with validation results

B.

A report with control environment assessment results

C.

A dashboard summarizing key risk indicators (KRIs)

D.

A summary of IT risk scenarios with business cases

Buy Now
Questions 122

Which of the following trends would cause the GREATEST concern regarding the effectiveness of an organization's user access control processes? An increase in the:

Options:

A.

ratio of disabled to active user accounts.

B.

percentage of users with multiple user accounts.

C.

average number of access entitlements per user account.

D.

average time between user transfers and access updates.

Buy Now
Questions 123

Which of the following will BEST help to ensure new IT policies address the enterprise's requirements?

Options:

A.

involve IT leadership in the policy development process

B.

Require business users to sign acknowledgment of the poises

C.

involve business owners in the pokey development process

D.

Provide policy owners with greater enforcement authority

Buy Now
Questions 124

Which of the following is the MOST important information to cover a business continuity awareness Ira nine, program for all employees of the organization?

Options:

A.

Recovery time objectives (RTOs)

B.

Segregation of duties

C.

Communication plan

D.

Critical asset inventory

Buy Now
Questions 125

Which of the following should be the FIRST consideration when establishing a new risk governance program?

Options:

A.

Developing an ongoing awareness and training program

B.

Creating policies and standards that are easy to comprehend

C.

Embedding risk management into the organization

D.

Completing annual risk assessments on critical resources

Buy Now
Questions 126

Which of the following is the MOST important consideration when developing risk strategies?

Options:

A.

Organization's industry sector

B.

Long-term organizational goals

C.

Concerns of the business process owners

D.

History of risk events

Buy Now
Questions 127

What is the BEST recommendation to reduce the risk associated with potential system compromise when a vendor stops releasing security patches and updates for a business-critical legacy system?

Options:

A.

Segment the system on its own network.

B.

Ensure regular backups take place.

C.

Virtualize the system in the cloud.

D.

Install antivirus software on the system.

Buy Now
Questions 128

Which stakeholder is MOST important to include when defining a risk profile during me selection process for a new third party application'?

Options:

A.

The third-party risk manager

B.

The application vendor

C.

The business process owner

D.

The information security manager

Buy Now
Questions 129

Which of the following management action will MOST likely change the likelihood rating of a risk scenario related to remote network access?

Options:

A.

Updating the organizational policy for remote access

B.

Creating metrics to track remote connections

C.

Implementing multi-factor authentication

D.

Updating remote desktop software

Buy Now
Questions 130

Who is MOST appropriate to be assigned ownership of a control

Options:

A.

The individual responsible for control operation

B.

The individual informed of the control effectiveness

C.

The individual responsible for resting the control

D.

The individual accountable for monitoring control effectiveness

Buy Now
Questions 131

A recent big data project has resulted in the creation of an application used to support important investment decisions. Which of the following should be of GREATEST concern to the risk practitioner?

Options:

A.

Data quality

B.

Maintenance costs

C.

Data redundancy

D.

System integration

Buy Now
Questions 132

An internal audit report reveals that a legacy system is no longer supported Which of the following is the risk practitioner's MOST important action before recommending a risk response'

Options:

A.

Review historical application down me and frequency

B.

Assess the potential impact and cost of mitigation

C.

identify other legacy systems within the organization

D.

Explore the feasibility of replacing the legacy system

Buy Now
Questions 133

An organization's recovery team is attempting to recover critical data backups following a major flood in its data center. However, key team members do not know exactly what steps should be taken to address this crisis. Which of the following is the MOST likely cause of this situation?

Options:

A.

Failure to test the disaster recovery plan (DRP)

B.

Lack of well-documented business impact analysis (BIA)

C.

Lack of annual updates to the disaster recovery plan (DRP)

D.

Significant changes in management personnel

Buy Now
Questions 134

Which of the following will BEST help to ensure implementation of corrective action plans?

Options:

A.

Establishing employee awareness training

B.

Assigning accountability to risk owners

C.

Selling target dates to complete actions

D.

Contracting to third parties

Buy Now
Questions 135

Which of the following is the PRIMARY reason to perform periodic vendor risk assessments?

Options:

A.

To provide input to the organization's risk appetite

B.

To monitor the vendor's control effectiveness

C.

To verify the vendor's ongoing financial viability

D.

To assess the vendor's risk mitigation plans

Buy Now
Questions 136

Which of the following is the BEST control to minimize the risk associated with scope creep in software development?

Options:

A.

An established process for project change management

B.

Retention of test data and results for review purposes

C.

Business managements review of functional requirements

D.

Segregation between development, test, and production

Buy Now
Questions 137

Which of the following is the MOST important consideration when multiple risk practitioners capture risk scenarios in a single risk register?

Options:

A.

Aligning risk ownership and control ownership

B.

Developing risk escalation and reporting procedures

C.

Maintaining up-to-date risk treatment plans

D.

Using a consistent method for risk assessment

Buy Now
Questions 138

Which of the following would be MOST helpful when estimating the likelihood of negative events?

Options:

A.

Business impact analysis

B.

Threat analysis

C.

Risk response analysis

D.

Cost-benefit analysis

Buy Now
Questions 139

A penetration testing team discovered an ineffectively designed access control. Who is responsible for ensuring the control design gap is remediated?

Options:

A.

Control owner

B.

Risk owner

C.

IT security manager

D.

Control operator

Buy Now
Questions 140

An organization has outsourced its customer management database to an external service provider. Of the following, who should be accountable for ensuring customer data privacy?

Options:

A.

The organization's business process owner

B.

The organization's information security manager

C.

The organization's vendor management officer

D.

The vendor's risk manager

Buy Now
Questions 141

A risk practitioner has identified that the organization's secondary data center does not provide redundancy for a critical application. Who should have the authority to accept the associated risk?

Options:

A.

Business continuity director

B.

Disaster recovery manager

C.

Business application owner

D.

Data center manager

Buy Now
Questions 142

When an organization’s disaster recovery plan (DRP) has a reciprocal agreement, which of the following risk treatment options is being applied?

Options:

A.

Acceptance

B.

Mitigation

C.

Transfer

D.

Avoidance

Buy Now
Questions 143

When of the following is the BEST key control indicator (KCI) to determine the effectiveness of en intrusion prevention system (IPS)?

Options:

A.

Percentage of system uptime

B.

Percentage of relevant threats mitigated

C.

Total number of threats identified

D.

Reaction time of the system to threats

Buy Now
Questions 144

Which of the following is MOST important to the effective monitoring of key risk indicators (KRIS)?

Options:

A.

Updating the threat inventory with new threats

B.

Automating log data analysis

C.

Preventing the generation of false alerts

D.

Determining threshold levels

Buy Now
Questions 145

Which of the following is MOST helpful in developing key risk indicator (KRl) thresholds?

Options:

A.

Loss expectancy information

B.

Control performance predictions

C.

IT service level agreements (SLAs)

D.

Remediation activity progress

Buy Now
Questions 146

During the initial risk identification process for a business application, it is MOST important to include which of the following stakeholders?

Options:

A.

Business process owners

B.

Business process consumers

C.

Application architecture team

D.

Internal audit

Buy Now
Questions 147

Which of the following would MOST likely result in updates to an IT risk appetite statement?

Options:

A.

External audit findings

B.

Feedback from focus groups

C.

Self-assessment reports

D.

Changes in senior management

Buy Now
Questions 148

Which of the following is the PRIMARY reason to establish the root cause of an IT security incident?

Options:

A.

Prepare a report for senior management.

B.

Assign responsibility and accountability for the incident.

C.

Update the risk register.

D.

Avoid recurrence of the incident.

Buy Now
Questions 149

A department has been granted an exception to bypass the existing approval process for purchase orders. The risk practitioner should verify the exception has been approved by which of the following?

Options:

A.

Internal audit

B.

Control owner

C.

Senior management

D.

Risk manager

Buy Now
Questions 150

The maturity of an IT risk management program is MOST influenced by:

Options:

A.

the organization's risk culture

B.

benchmarking results against similar organizations

C.

industry-specific regulatory requirements

D.

expertise available within the IT department

Buy Now
Questions 151

Which of the following would BEST help identify the owner for each risk scenario in a risk register?

Options:

A.

Determining which departments contribute most to risk

B.

Allocating responsibility for risk factors equally to asset owners

C.

Mapping identified risk factors to specific business processes

D.

Determining resource dependency of assets

Buy Now
Questions 152

Which of the following should be a risk practitioner's NEXT action after identifying a high probability of data loss in a system?

Options:

A.

Enhance the security awareness program.

B.

Increase the frequency of incident reporting.

C.

Purchase cyber insurance from a third party.

D.

Conduct a control assessment.

Buy Now
Questions 153

Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:

Options:

A.

a gap analysis

B.

a root cause analysis.

C.

an impact assessment.

D.

a vulnerability assessment.

Buy Now
Questions 154

Which of the following is MOST important to consider when assessing the likelihood that a recently discovered software vulnerability will be exploited?

Options:

A.

The skill level required of a threat actor

B.

The amount of personally identifiable information (PH) disclosed

C.

The ability to detect and trace the threat action

D.

The amount of data that might be exposed by a threat action

Buy Now
Questions 155

A risk assessment has been completed on an application and reported to the application owner. The report includes validated vulnerability findings that require mitigation. Which of the following should be the NEXT step?

Options:

A.

Report the findings to executive management to enable treatment decisions.

B.

Reassess each vulnerability to evaluate the risk profile of the application.

C.

Conduct a penetration test to determine how to mitigate the vulnerabilities.

D.

Prepare a risk response that is aligned to the organization's risk tolerance.

Buy Now
Questions 156

Which of the following information is MOST useful to a risk practitioner for developing IT risk scenarios?

Options:

A.

Published vulnerabilities relevant to the business

B.

Threat actors that can trigger events

C.

Events that could potentially impact the business

D.

IT assets requiring the greatest investment

Buy Now
Questions 157

The cost of maintaining a control has grown to exceed the potential loss. Which of the following BEST describes this situation?

Options:

A.

Insufficient risk tolerance

B.

Optimized control management

C.

Effective risk management

D.

Over-controlled environment

Buy Now
Questions 158

Which of the following is the PRIMARY accountability for a control owner?

Options:

A.

Communicate risk to senior management.

B.

Own the associated risk the control is mitigating.

C.

Ensure the control operates effectively.

D.

Identify and assess control weaknesses.

Buy Now
Questions 159

Who is PRIMARILY accountable for identifying risk on a daily basis and ensuring adherence to the organization's policies?

Options:

A.

Third line of defense

B.

Line of defense subject matter experts

C.

Second line of defense

D.

First line of defense

Buy Now
Questions 160

To implement the MOST effective monitoring of key risk indicators (KRIs), which of the following needs to be in place?

Options:

A.

Threshold definition

B.

Escalation procedures

C.

Automated data feed

D.

Controls monitoring

Buy Now
Questions 161

Which of the following is the GREATEST benefit for an organization with a strong risk awareness culture?

Options:

A.

Reducing the involvement by senior management

B.

Using more risk specialists

C.

Reducing the need for risk policies and guidelines

D.

Discussing and managing risk as a team

Buy Now
Questions 162

When formulating a social media policy lo address information leakage, which of the following is the MOST important concern to address?

Options:

A.

Sharing company information on social media

B.

Sharing personal information on social media

C.

Using social media to maintain contact with business associates

D.

Using social media for personal purposes during working hours

Buy Now
Questions 163

When updating the risk register after a risk assessment, which of the following is MOST important to include?

Options:

A.

Historical losses due to past risk events

B.

Cost to reduce the impact and likelihood

C.

Likelihood and impact of the risk scenario

D.

Actor and threat type of the risk scenario

Buy Now
Questions 164

Which of the following tasks should be completed prior to creating a disaster recovery plan (DRP)?

Options:

A.

Conducting a business impact analysis (BIA)

B.

Identifying the recovery response team

C.

Procuring a recovery site

D.

Assigning sensitivity levels to data

Buy Now
Questions 165

Which of the following BEST indicates whether security awareness training is effective?

Options:

A.

User self-assessment

B.

User behavior after training

C.

Course evaluation

D.

Quality of training materials

Buy Now
Questions 166

Risk acceptance of an exception to a security control would MOST likely be justified when:

Options:

A.

automation cannot be applied to the control

B.

business benefits exceed the loss exposure.

C.

the end-user license agreement has expired.

D.

the control is difficult to enforce in practice.

Buy Now
Questions 167

When of the following provides the MOST tenable evidence that a business process control is effective?

Options:

A.

Demonstration that the control is operating as designed

B.

A successful walk-through of the associated risk assessment

C.

Management attestation that the control is operating effectively

D.

Automated data indicating that risk has been reduced

Buy Now
Questions 168

What is the PRIMARY benefit of risk monitoring?

Options:

A.

It reduces the number of audit findings.

B.

It provides statistical evidence of control efficiency.

C.

It facilitates risk-aware decision making.

D.

It facilitates communication of threat levels.

Buy Now
Questions 169

Which of the following is the MOST common concern associated with outsourcing to a service provider?

Options:

A.

Lack of technical expertise

B.

Combining incompatible duties

C.

Unauthorized data usage

D.

Denial of service attacks

Buy Now
Questions 170

Which of the following is the MOST effective control to maintain the integrity of system configuration files?

Options:

A.

Recording changes to configuration files

B.

Implementing automated vulnerability scanning

C.

Restricting access to configuration documentation

D.

Monitoring against the configuration standard

Buy Now
Questions 171

Which of the following is the GREATEST advantage of implementing a risk management program?

Options:

A.

Enabling risk-aware decisions

B.

Promoting a risk-aware culture

C.

Improving security governance

D.

Reducing residual risk

Buy Now
Questions 172

The PRIMARY objective for requiring an independent review of an organization's IT risk management process should be to:

Options:

A.

assess gaps in IT risk management operations and strategic focus.

B.

confirm that IT risk assessment results are expressed as business impact.

C.

verify implemented controls to reduce the likelihood of threat materialization.

D.

ensure IT risk management is focused on mitigating potential risk.

Buy Now
Questions 173

A highly regulated organization acquired a medical technology startup company that processes sensitive personal information with weak data protection controls. Which of the following is the BEST way for the acquiring company to reduce its risk while still enabling the flexibility needed by the startup company?

Options:

A.

Identify previous data breaches using the startup company’s audit reports.

B.

Have the data privacy officer review the startup company’s data protection policies.

C.

Classify and protect the data according to the parent company's internal standards.

D.

Implement a firewall and isolate the environment from the parent company's network.

Buy Now
Questions 174

Which of the following is the BEST course of action to help reduce the probability of an incident recurring?

Options:

A.

Perform a risk assessment.

B.

Perform root cause analysis.

C.

Initiate disciplinary action.

D.

Update the incident response plan.

Buy Now
Questions 175

Which of the following is the MOST useful information an organization can obtain from external sources about emerging threats?

Options:

A.

Solutions for eradicating emerging threats

B.

Cost to mitigate the risk resulting from threats

C.

Indicators for detecting the presence of threatsl)

D.

Source and identity of attackers

Buy Now
Questions 176

Which of the following should be the FIRST consideration when a business unit wants to use personal information for a purpose other than for which it was originally collected?

Options:

A.

Informed consent

B.

Cross border controls

C.

Business impact analysis (BIA)

D.

Data breach protection

Buy Now
Questions 177

Which of the following observations from a third-party service provider review would be of GREATEST concern to a risk practitioner?

Options:

A.

Service level agreements (SLAs) have not been met over the last quarter.

B.

The service contract is up for renewal in less than thirty days.

C.

Key third-party personnel have recently been replaced.

D.

Monthly service charges are significantly higher than industry norms.

Buy Now
Questions 178

Which of the following would be considered a vulnerability?

Options:

A.

Delayed removal of employee access

B.

Authorized administrative access to HR files

C.

Corruption of files due to malware

D.

Server downtime due to a denial of service (DoS) attack

Buy Now
Questions 179

The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for:

Options:

A.

data classification and labeling.

B.

data logging and monitoring.

C.

data retention and destruction.

D.

data mining and analytics.

Buy Now
Questions 180

An organization has updated its acceptable use policy to mitigate the risk of employees disclosing confidential information. Which of the following is the BEST way to reinforce the effectiveness of this policy?

Options:

A.

Communicate sanctions for policy violations to all staff.

B.

Obtain signed acceptance of the new policy from employees.

C.

Train all staff on relevant information security best practices.

D.

Implement data loss prevention (DLP) within the corporate network.

Buy Now
Questions 181

Which of the following is the GREATEST benefit of centralizing IT systems?

Options:

A.

Risk reporting

B.

Risk classification

C.

Risk monitoring

D.

Risk identification

Buy Now
Questions 182

Which of the following s MOST likely to deter an employee from engaging in inappropriate use of company owned IT systems?

Options:

A.

A centralized computer security response team

B.

Regular performance reviews and management check-ins

C.

Code of ethics training for all employees

D.

Communication of employee activity monitoring

Buy Now
Questions 183

The PRIMARY reason for tracking the status of risk mitigation plans is to ensure:

Options:

A.

the proposed controls are implemented as scheduled.

B.

security controls are tested prior to implementation.

C.

compliance with corporate policies.

D.

the risk response strategy has been decided.

Buy Now
Questions 184

To reduce costs, an organization is combining the second and third tines of defense in a new department that reports to a recently appointed C-level executive. Which of the following is the GREATEST concern with this situation?

Options:

A.

The risk governance approach of the second and third lines of defense may differ.

B.

The independence of the internal third line of defense may be compromised.

C.

Cost reductions may negatively impact the productivity of other departments.

D.

The new structure is not aligned to the organization's internal control framework.

Buy Now
Questions 185

Which of the following should be the risk practitioner's FIRST course of action when an organization plans to adopt a cloud computing strategy?

Options:

A.

Request a budget for implementation

B.

Conduct a threat analysis.

C.

Create a cloud computing policy.

D.

Perform a controls assessment.

Buy Now
Questions 186

Which of the following is the BEST method for assessing control effectiveness against technical vulnerabilities that could be exploited to compromise an information system?

Options:

A.

Vulnerability scanning

B.

Systems log correlation analysis

C.

Penetration testing

D.

Monitoring of intrusion detection system (IDS) alerts

Buy Now
Questions 187

An organization is implementing internet of Things (loT) technology to control temperature and lighting in its headquarters. Which of the following should be of GREATEST concern?

Options:

A.

Insufficient network isolation

B.

impact on network performance

C.

insecure data transmission protocols

D.

Lack of interoperability between sensors

Buy Now
Questions 188

The acceptance of control costs that exceed risk exposure is MOST likely an example of:

Options:

A.

low risk tolerance.

B.

corporate culture misalignment.

C.

corporate culture alignment.

D.

high risk tolerance

Buy Now
Questions 189

Which of the following resources is MOST helpful to a risk practitioner when updating the likelihood rating in the risk register?

Options:

A.

Risk control assessment

B.

Audit reports with risk ratings

C.

Penetration test results

D.

Business impact analysis (BIA)

Buy Now
Questions 190

Which of the following is PRIMARILY a risk management responsibly of the first line of defense?

Options:

A.

Implementing risk treatment plans

B.

Validating the status of risk mitigation efforts

C.

Establishing risk policies and standards

D.

Conducting independent reviews of risk assessment results

Buy Now
Questions 191

Which of the following will help ensure the elective decision-making of an IT risk management committee?

Options:

A.

Key stakeholders are enrolled as members

B.

Approved minutes ate forwarded to senior management

C.

Committee meets at least quarterly

D.

Functional overlap across the business is minimized

Buy Now
Questions 192

Which of the following presents the GREATEST risk to change control in business application development over the complete life cycle?

Options:

A.

Emphasis on multiple application testing cycles

B.

Lack of an integrated development environment (IDE) tool

C.

Introduction of requirements that have not been approved

D.

Bypassing quality requirements before go-live

Buy Now
Questions 193

A risk manager has determined there is excessive risk with a particular technology. Who is the BEST person to own the unmitigated risk of the technology?

Options:

A.

IT system owner

B.

Chief financial officer

C.

Chief risk officer

D.

Business process owner

Buy Now
Questions 194

Which of the following is the PRIMARY reason to use key control indicators (KCIs) to evaluate control operating effectiveness?

Options:

A.

To measure business exposure to risk

B.

To identify control vulnerabilities

C.

To monitor the achievement of set objectives

D.

To raise awareness of operational issues

Buy Now
Questions 195

A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:

Options:

A.

updating the risk register

B.

documenting the risk scenarios.

C.

validating the risk scenarios

D.

identifying risk mitigation controls.

Buy Now
Questions 196

A risk practitioner has been asked by executives to explain how existing risk treatment plans would affect risk posture at the end of the year. Which of the following is MOST helpful in responding to this request?

Options:

A.

Assessing risk with no controls in place

B.

Showing projected residual risk

C.

Providing peer benchmarking results

D.

Assessing risk with current controls in place

Buy Now
Questions 197

A risk practitioner is preparing a report to communicate changes in the risk and control environment. The BEST way to engage stakeholder attention is to:

Options:

A.

include detailed deviations from industry benchmarks,

B.

include a summary linking information to stakeholder needs,

C.

include a roadmap to achieve operational excellence,

D.

publish the report on-demand for stakeholders.

Buy Now
Questions 198

The PRIMARY objective of a risk identification process is to:

Options:

A.

evaluate how risk conditions are managed.

B.

determine threats and vulnerabilities.

C.

estimate anticipated financial impact of risk conditions.

D.

establish risk response options.

Buy Now
Questions 199

Which of the following should be the PRIMARY driver for the prioritization of risk responses?

Options:

A.

Residual risk

B.

Risk appetite

C.

Mitigation cost

D.

Inherent risk

Buy Now
Questions 200

Which of the following would provide the MOST reliable evidence of the effectiveness of security controls implemented for a web application?

Options:

A.

Penetration testing

B.

IT general controls audit

C.

Vulnerability assessment

D.

Fault tree analysis

Buy Now
Questions 201

Which of the following is the GREATEST concern associated with the use of artificial intelligence (AI) language models?

Options:

A.

The model could be hacked or exploited.

B.

The model could be used to generate inaccurate content.

C.

Staff could become overly reliant on the model.

D.

It could lead to biased recommendations.

Buy Now
Questions 202

Which of the following factors will have the GREATEST impact on the implementation of a risk mitigation strategy for an organization?

Options:

A.

Cost-benefit analysis

B.

Risk tolerance

C.

Known vulnerabilities

D.

Cyber insurance

Buy Now
Questions 203

Which of the following BEST indicates that an organization has implemented IT performance requirements?

Options:

A.

Service level agreements(SLA)

B.

Vendor references

C.

Benchmarking data

D.

Accountability matrix

Buy Now
Questions 204

Recovery the objectives (RTOs) should be based on

Options:

A.

minimum tolerable downtime

B.

minimum tolerable loss of data.

C.

maximum tolerable downtime.

D.

maximum tolerable loss of data

Buy Now
Questions 205

Which of the following controls BEST enables an organization to ensure a complete and accurate IT asset inventory?

Options:

A.

Prohibiting the use of personal devices for business

B.

Performing network scanning for unknown devices

C.

Requesting an asset list from business owners

D.

Documenting asset configuration baselines

Buy Now
Questions 206

In an organization that allows employee use of social media accounts for work purposes, which of the following is the BEST way to protect company sensitive information from being exposed?

Options:

A.

Educating employees on what needs to be kept confidential

B.

Implementing a data loss prevention (DLP) solution

C.

Taking punitive action against employees who expose confidential data

D.

Requiring employees to sign nondisclosure agreements

Buy Now
Questions 207

While reviewing a contract of a cloud services vendor, it was discovered that the vendor refuses to accept liability for a sensitive data breach. Which of the following controls will BES reduce the risk associated with such a data breach?

Options:

A.

Ensuring the vendor does not know the encryption key

B.

Engaging a third party to validate operational controls

C.

Using the same cloud vendor as a competitor

D.

Using field-level encryption with a vendor supplied key

Buy Now
Questions 208

A risk assessment has identified that an organization may not be in compliance with industry regulations. The BEST course of action would be to:

Options:

A.

conduct a gap analysis against compliance criteria.

B.

identify necessary controls to ensure compliance.

C.

modify internal assurance activities to include control validation.

D.

collaborate with management to meet compliance requirements.

Buy Now
Questions 209

Which of the following controls will BEST detect unauthorized modification of data by a database administrator?

Options:

A.

Reviewing database access rights

B.

Reviewing database activity logs

C.

Comparing data to input records

D.

Reviewing changes to edit checks

Buy Now
Questions 210

A risk practitioner has observed that there is an increasing trend of users sending sensitive information by email without using encryption. Which of the following would be the MOST effective approach to mitigate the risk associated with data loss?

Options:

A.

Implement a tool to create and distribute violation reports

B.

Raise awareness of encryption requirements for sensitive data.

C.

Block unencrypted outgoing emails which contain sensitive data.

D.

Implement a progressive disciplinary process for email violations.

Buy Now
Questions 211

Which of the following describes the relationship between Key risk indicators (KRIs) and key control indicators (KCIS)?

Options:

A.

KCIs are independent from KRIs KRIs.

B.

KCIs and KRIs help in determining risk appetite.

C.

KCIs are defined using data from KRIs.

D.

KCIs provide input for KRIs

Buy Now
Questions 212

Which of the following approaches will BEST help to ensure the effectiveness of risk awareness training?

Options:

A.

Piloting courses with focus groups

B.

Using reputable third-party training programs

C.

Reviewing content with senior management

D.

Creating modules for targeted audiences

Buy Now
Questions 213

Which of the following BEST assists in justifying an investment in automated controls?

Options:

A.

Cost-benefit analysis

B.

Alignment of investment with risk appetite

C.

Elimination of compensating controls

D.

Reduction in personnel costs

Buy Now
Questions 214

When an organization is having new software implemented under contract, which of the following is key to controlling escalating costs?

Options:

A.

Risk management

B.

Change management

C.

Problem management

D.

Quality management

Buy Now
Questions 215

A change management process has recently been updated with new testing procedures. What is the NEXT course of action?

Options:

A.

Monitor processes to ensure recent updates are being followed.

B.

Communicate to those who test and promote changes.

C.

Conduct a cost-benefit analysis to justify the cost of the control.

D.

Assess the maturity of the change management process.

Buy Now
Questions 216

Which of the following is MOST important for a risk practitioner to verify when evaluating the effectiveness of an organization's existing controls?

Options:

A.

Senior management has approved the control design.

B.

Inherent risk has been reduced from original levels.

C.

Residual risk remains within acceptable levels.

D.

Costs for control maintenance are reasonable.

Buy Now
Questions 217

What is the PRIMARY purpose of a business impact analysis (BIA)?

Options:

A.

To determine the likelihood and impact of threats to business operations

B.

To identify important business processes in the organization

C.

To estimate resource requirements for related business processes

D.

To evaluate the priority of business operations in case of disruption

Buy Now
Questions 218

Which of the following is the GREATEST benefit of analyzing logs collected from different systems?

Options:

A.

A record of incidents is maintained.

B.

Forensic investigations are facilitated.

C.

Security violations can be identified.

D.

Developing threats are detected earlier.

Buy Now
Questions 219

Winch of the following is the BEST evidence of an effective risk treatment plan?

Options:

A.

The inherent risk is below the asset residual risk.

B.

Remediation cost is below the asset business value

C.

The risk tolerance threshold s above the asset residual

D.

Remediation is completed within the asset recovery time objective (RTO)

Buy Now
Questions 220

When a high-risk security breach occurs, which of the following would be MOST important to the person responsible for managing the incident?

Options:

A.

An analysis of the security logs that illustrate the sequence of events

B.

An analysis of the impact of similar attacks in other organizations

C.

A business case for implementing stronger logical access controls

D.

A justification of corrective action taken

Buy Now
Questions 221

Which of the following process controls BEST mitigates the risk of an employee issuing fraudulent payments to a vendor?

Options:

A.

Performing credit verification of third-party vendors prior to payment

B.

Conducting system access reviews to ensure least privilege and appropriate access

C.

Performing regular reconciliation of payments to the check registers

D.

Enforcing segregation of duties between the vendor master file and invoicing

Buy Now
Questions 222

The PRIMARY goal of conducting a business impact analysis (BIA) as part of an overall continuity planning process is to:

Options:

A.

obtain the support of executive management.

B.

map the business processes to supporting IT and other corporate resources.

C.

identify critical business processes and the degree of reliance on support services.

D.

document the disaster recovery process.

Buy Now
Questions 223

Which of the following will BEST mitigate the risk associated with IT and business misalignment?

Options:

A.

Establishing business key performance indicators (KPIs)

B.

Introducing an established framework for IT architecture

C.

Establishing key risk indicators (KRIs)

D.

Involving the business process owner in IT strategy

Buy Now
Questions 224

What information is MOST helpful to asset owners when classifying organizational assets for risk assessment?

Options:

A.

Potential loss to tie business due to non-performance of the asset

B.

Known emerging environmental threats

C.

Known vulnerabilities published by the asset developer

D.

Cost of replacing the asset with a new asset providing similar services

Buy Now
Questions 225

Which of the following is the BEST way to ensure adequate resources will be allocated to manage identified risk?

Options:

A.

Prioritizing risk within each business unit

B.

Reviewing risk ranking methodology

C.

Promoting an organizational culture of risk awareness

D.

Assigning risk ownership to appropriate roles

Buy Now
Questions 226

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability management process?

Options:

A.

Percentage of vulnerabilities remediated within the agreed service level

B.

Number of vulnerabilities identified during the period

C.

Number of vulnerabilities re-opened during the period

D.

Percentage of vulnerabilities escalated to senior management

Buy Now
Questions 227

Which of the following is MOST effective against external threats to an organizations confidential information?

Options:

A.

Single sign-on

B.

Data integrity checking

C.

Strong authentication

D.

Intrusion detection system

Buy Now
Questions 228

Which type of indicators should be developed to measure the effectiveness of an organization's firewall rule set?

Options:

A.

Key risk indicators (KRIs)

B.

Key management indicators (KMIs)

C.

Key performance indicators (KPIs)

D.

Key control indicators (KCIs)

Buy Now
Questions 229

Which of the following provides the MOST useful information when determining if a specific control should be implemented?

Options:

A.

Business impact analysis (BIA)

B.

Cost-benefit analysis

C.

Attribute analysis

D.

Root cause analysis

Buy Now
Questions 230

Which of the following criteria associated with key risk indicators (KRIs) BEST enables effective risk monitoring?

Options:

A.

Approval by senior management

B.

Low cost of development and maintenance

C.

Sensitivity to changes in risk levels

D.

Use of industry risk data sources

Buy Now
Questions 231

An organization is conducting a review of emerging risk. Which of the following is the BEST input for this exercise?

Options:

A.

Audit reports

B.

Industry benchmarks

C.

Financial forecasts

D.

Annual threat reports

Buy Now
Questions 232

Which of the following is the BEST way to manage the risk associated with malicious activities performed by database administrators (DBAs)?

Options:

A.

Activity logging and monitoring

B.

Periodic access review

C.

Two-factor authentication

D.

Awareness training and background checks

Buy Now
Questions 233

A service provider is managing a client’s servers. During an audit of the service, a noncompliant control is discovered that will not be resolved before the next audit because the client cannot afford the downtime required to correct the issue. The service provider’s MOST appropriate action would be to:

Options:

A.

develop a risk remediation plan overriding the client's decision

B.

make a note for this item in the next audit explaining the situation

C.

insist that the remediation occur for the benefit of other customers

D.

ask the client to document the formal risk acceptance for the provider

Buy Now
Questions 234

Which of the following risk management practices BEST facilitates the incorporation of IT risk scenarios into the enterprise-wide risk register?

Options:

A.

Key risk indicators (KRls) are developed for key IT risk scenarios

B.

IT risk scenarios are assessed by the enterprise risk management team

C.

Risk appetites for IT risk scenarios are approved by key business stakeholders.

D.

IT risk scenarios are developed in the context of organizational objectives.

Buy Now
Questions 235

Which of the following is MOST important to have in place to ensure the effectiveness of risk and security metrics reporting?

Options:

A.

Organizational reporting process

B.

Incident reporting procedures

C.

Regularly scheduled audits

D.

Incident management policy

Buy Now
Questions 236

Several newly identified risk scenarios are being integrated into an organization's risk register. The MOST appropriate risk owner would be the individual who:

Options:

A.

is in charge of information security.

B.

is responsible for enterprise risk management (ERM)

C.

can implement remediation action plans.

D.

is accountable for loss if the risk materializes.

Buy Now
Questions 237

Which of the following should be the PRIMARY focus of an IT risk awareness program?

Options:

A.

Ensure compliance with the organization's internal policies

B.

Cultivate long-term behavioral change.

C.

Communicate IT risk policy to the participants.

D.

Demonstrate regulatory compliance.

Buy Now
Questions 238

Which of the following is the GREATEST risk associated with the misclassification of data?

Options:

A.

inadequate resource allocation

B.

Data disruption

C.

Unauthorized access

D.

Inadequate retention schedules

Buy Now
Questions 239

Risk mitigation procedures should include:

Options:

A.

buying an insurance policy.

B.

acceptance of exposures

C.

deployment of counter measures.

D.

enterprise architecture implementation.

Buy Now
Questions 240

The MOST important characteristic of an organization s policies is to reflect the organization's:

Options:

A.

risk assessment methodology.

B.

risk appetite.

C.

capabilities

D.

asset value.

Buy Now
Questions 241

Which of the following is the MOST effective way to help ensure future risk levels do not exceed the organization's risk appetite?

Options:

A.

Developing contingency plans for key processes

B.

Implementing key performance indicators (KPIs)

C.

Adding risk triggers to entries in the risk register

D.

Establishing a series of key risk indicators (KRIs)

Buy Now
Questions 242

A risk practitioner discovers several key documents detailing the design of a product currently in development have been posted on the Internet. What should be the risk practitioner's FIRST course of action?

Options:

A.

invoke the established incident response plan.

B.

Inform internal audit.

C.

Perform a root cause analysis

D.

Conduct an immediate risk assessment

Buy Now
Questions 243

Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?

Options:

A.

Perform an m-depth code review with an expert

B.

Validate functionality by running in a test environment

C.

Implement a service level agreement.

D.

Utilize the change management process.

Buy Now
Questions 244

An organization wants to assess the maturity of its internal control environment. The FIRST step should be to:

Options:

A.

validate control process execution.

B.

determine if controls are effective.

C.

identify key process owners.

D.

conduct a baseline assessment.

Buy Now
Questions 245

After a risk has been identified, who is in the BEST position to select the appropriate risk treatment option?

Options:

A.

The risk practitioner

B.

The business process owner

C.

The risk owner

D.

The control owner

Buy Now
Questions 246

Which of the following provides the BEST evidence of the effectiveness of an organization's account provisioning process?

Options:

A.

User provisioning

B.

Role-based access controls

C.

Security log monitoring

D.

Entitlement reviews

Buy Now
Questions 247

Which of the following is the PRIMARY reason to perform ongoing risk assessments?

Options:

A.

Emerging risk must be continuously reported to management.

B.

New system vulnerabilities emerge at frequent intervals.

C.

The risk environment is subject to change.

D.

The information security budget must be justified.

Buy Now
Questions 248

Which of the following is the MOST important characteristic of an effective risk management program?

Options:

A.

Risk response plans are documented

B.

Controls are mapped to key risk scenarios.

C.

Key risk indicators are defined.

D.

Risk ownership is assigned

Buy Now
Questions 249

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery plan (DRP)?

Options:

A.

Number of users that participated in the DRP testing

B.

Number of issues identified during DRP testing

C.

Percentage of applications that met the RTO during DRP testing

D.

Percentage of issues resolved as a result of DRP testing

Buy Now
Questions 250

An effective control environment is BEST indicated by controls that:

Options:

A.

minimize senior management's risk tolerance.

B.

manage risk within the organization's risk appetite.

C.

reduce the thresholds of key risk indicators (KRIs).

D.

are cost-effective to implement

Buy Now
Questions 251

What is the BEST approach for determining the inherent risk of a scenario when the actual likelihood of the risk is unknown?

Options:

A.

Use the severity rating to calculate risk.

B.

Classify the risk scenario as low-probability.

C.

Use the highest likelihood identified by risk management.

D.

Rely on range-based estimates provided by subject-matter experts.

Buy Now
Questions 252

The PRIMARY reason for a risk practitioner to review business processes is to:

Options:

A.

Benchmark against peer organizations.

B.

Identify appropriate controls within business processes.

C.

Assess compliance with global standards.

D.

Identify risk owners related to business processes.

Buy Now
Questions 253

Which of the following should be the PRIMARY consideration when assessing the automation of control monitoring?

Options:

A.

impact due to failure of control

B.

Frequency of failure of control

C.

Contingency plan for residual risk

D.

Cost-benefit analysis of automation

Buy Now
Questions 254

An organization's senior management is considering whether to acquire cyber insurance. Which of the following is the BEST way for the risk practitioner to enable management’s decision?

Options:

A.

Perform a cost-benefit analysis.

B.

Conduct a SWOT analysis.

C.

Provide data on the number of risk events from the last year.

D.

Report on recent losses experienced by industry peers.

Buy Now
Questions 255

The PRIMARY benefit of maintaining an up-to-date risk register is that it helps to:

Options:

A.

implement uniform controls for common risk scenarios.

B.

ensure business unit risk is uniformly distributed.

C.

build a risk profile for management review.

D.

quantify the organization's risk appetite.

Buy Now
Questions 256

Which of the following should be the risk practitioner s PRIMARY focus when determining whether controls are adequate to mitigate risk?

Options:

A.

Sensitivity analysis

B.

Level of residual risk

C.

Cost-benefit analysis

D.

Risk appetite

Buy Now
Questions 257

Which of the following BEST enables effective risk-based decision making?

Options:

A.

Performing threat modeling to understand the threat landscape

B.

Minimizing the number of risk scenarios for risk assessment

C.

Aggregating risk scenarios across a key business unit

D.

Ensuring the risk register is updated to reflect changes in risk factors

Buy Now
Questions 258

The PRIMARY reason a risk practitioner would be interested in an internal audit report is to:

Options:

A.

plan awareness programs for business managers.

B.

evaluate maturity of the risk management process.

C.

assist in the development of a risk profile.

D.

maintain a risk register based on noncompliance.

Buy Now
Questions 259

Which of the following would be MOST useful when measuring the progress of a risk response action plan?

Options:

A.

Percentage of mitigated risk scenarios

B.

Annual loss expectancy (ALE) changes

C.

Resource expenditure against budget

D.

An up-to-date risk register

Buy Now
Questions 260

An organization has procured a managed hosting service and just discovered the location is likely to be flooded every 20 years. Of the following, who should be notified of this new information FIRST.

Options:

A.

The risk owner who also owns the business service enabled by this infrastructure

B.

The data center manager who is also employed under the managed hosting services contract

C.

The site manager who is required to provide annual risk assessments under the contract

D.

The chief information officer (CIO) who is responsible for the hosted services

Buy Now
Questions 261

An audit reveals that several terminated employee accounts maintain access. Which of the following should be the FIRST step to address the risk?

Options:

A.

Perform a risk assessment

B.

Disable user access.

C.

Develop an access control policy.

D.

Perform root cause analysis.

Buy Now
Questions 262

From a business perspective, which of the following is the MOST important objective of a disaster recovery test?

Options:

A.

The organization gains assurance it can recover from a disaster

B.

Errors are discovered in the disaster recovery process.

C.

All business-critical systems are successfully tested.

D.

All critical data is recovered within recovery time objectives (RTOs).

Buy Now
Questions 263

Which of the following is the MAIN reason to continuously monitor IT-related risk?

Options:

A.

To redefine the risk appetite and risk tolerance levels based on changes in risk factors

B.

To update the risk register to reflect changes in levels of identified and new IT-related risk

C.

To ensure risk levels are within acceptable limits of the organization's risk appetite and risk tolerance

D.

To help identify root causes of incidents and recommend suitable long-term solutions

Buy Now
Questions 264

Which of the following is the MOST important outcome of reviewing the risk management process?

Options:

A.

Assuring the risk profile supports the IT objectives

B.

Improving the competencies of employees who performed the review

C.

Determining what changes should be made to IS policies to reduce risk

D.

Determining that procedures used in risk assessment are appropriate

Buy Now
Questions 265

Which of the following is the MOST important key performance indicator (KPI) to establish in the service level agreement (SLA) for an outsourced data center?

Options:

A.

Percentage of systems included in recovery processes

B.

Number of key systems hosted

C.

Average response time to resolve system incidents

D.

Percentage of system availability

Buy Now
Questions 266

Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?

Options:

A.

Risk mitigation budget

B.

Business Impact analysis

C.

Cost-benefit analysis

D.

Return on investment

Buy Now
Questions 267

A rule-based data loss prevention {DLP) tool has recently been implemented to reduce the risk of sensitive data leakage. Which of the following is MOST likely to change as a result of this implementation?

Options:

A.

Risk likelihood

B.

Risk velocity

C.

Risk appetite

D.

Risk impact

Buy Now
Questions 268

A global organization is considering the acquisition of a competitor. Senior management has requested a review of the overall risk profile from the targeted organization. Which of the following components of this review would provide the MOST useful information?

Options:

A.

Risk appetite statement

B.

Enterprise risk management framework

C.

Risk management policies

D.

Risk register

Buy Now
Questions 269

A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?

Options:

A.

Document the finding in the risk register.

B.

Invoke the incident response plan.

C.

Re-evaluate key risk indicators.

D.

Modify the design of the control.

Buy Now
Questions 270

Which of the following is MOST important when developing key performance indicators (KPIs)?

Options:

A.

Alignment to risk responses

B.

Alignment to management reports

C.

Alerts when risk thresholds are reached

D.

Identification of trends

Buy Now
Questions 271

Which of the following is a specific concern related to machine learning algorithms?

Options:

A.

Low software quality

B.

Lack of access controls

C.

Data breaches

D.

Data bias

Buy Now
Questions 272

Risk management strategies are PRIMARILY adopted to:

Options:

A.

take necessary precautions for claims and losses.

B.

achieve acceptable residual risk levels.

C.

avoid risk for business and IT assets.

D.

achieve compliance with legal requirements.

Buy Now
Questions 273

A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:

Options:

A.

communication

B.

identification.

C.

treatment.

D.

assessment.

Buy Now
Questions 274

The BEST way to justify the risk mitigation actions recommended in a risk assessment would be to:

Options:

A.

align with audit results.

B.

benchmark with competitor s actions.

C.

reference best practice.

D.

focus on the business drivers

Buy Now
Questions 275

The MOST effective way to increase the likelihood that risk responses will be implemented is to:

Options:

A.

create an action plan

B.

assign ownership

C.

review progress reports

D.

perform regular audits.

Buy Now
Questions 276

The PRIMARY objective for selecting risk response options is to:

Options:

A.

reduce risk 10 an acceptable level.

B.

identify compensating controls.

C.

minimize residual risk.

D.

reduce risk factors.

Buy Now
Questions 277

A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable?

Options:

A.

Business continuity manager (BCM)

B.

Human resources manager (HRM)

C.

Chief risk officer (CRO)

D.

Chief information officer (CIO)

Buy Now
Questions 278

Which of the following is MOST important to understand when determining an appropriate risk assessment approach?

Options:

A.

Complexity of the IT infrastructure

B.

Value of information assets

C.

Management culture

D.

Threats and vulnerabilities

Buy Now
Questions 279

When using a third party to perform penetration testing, which of the following is the MOST important control to minimize operational impact?

Options:

A.

Perform a background check on the vendor.

B.

Require the vendor to sign a nondisclosure agreement.

C.

Require the vendor to have liability insurance.

D.

Clearly define the project scope

Buy Now
Questions 280

Which of the following tools is MOST effective in identifying trends in the IT risk profile?

Options:

A.

Risk self-assessment

B.

Risk register

C.

Risk dashboard

D.

Risk map

Buy Now
Questions 281

During which phase of the system development life cycle (SDLC) should information security requirements for the implementation of a new IT system be defined?

Options:

A.

Monitoring

B.

Development

C.

Implementation

D.

Initiation

Buy Now
Questions 282

A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security. Which of the following observations would be MOST relevant to escalate to senior management?

Options:

A.

An increase in attempted distributed denial of service (DDoS) attacks

B.

An increase in attempted website phishing attacks

C.

A decrease in achievement of service level agreements (SLAs)

D.

A decrease in remediated web security vulnerabilities

Buy Now
Questions 283

Which of the following aspects of an IT risk and control self-assessment would be MOST important to include in a report to senior management?

Options:

A.

Changes in control design

B.

A decrease in the number of key controls

C.

Changes in control ownership

D.

An increase in residual risk

Buy Now
Questions 284

A risk practitioner is summarizing the results of a high-profile risk assessment sponsored by senior management. The BEST way to support risk-based decisions by senior management would be to:

Options:

A.

map findings to objectives.

B.

provide quantified detailed analysis

C.

recommend risk tolerance thresholds.

D.

quantify key risk indicators (KRls).

Buy Now
Questions 285

During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:

Options:

A.

compensating controls are in place.

B.

a control mitigation plan is in place.

C.

risk management is effective.

D.

residual risk is accepted.

Buy Now
Questions 286

Which of the following roles would provide the MOST important input when identifying IT risk scenarios?

Options:

A.

Information security managers

B.

Internal auditors

C.

Business process owners

D.

Operational risk managers

Buy Now
Questions 287

Which of the following is the BEST metric to demonstrate the effectiveness of an organization's change management process?

Options:

A.

Increase in the frequency of changes

B.

Percent of unauthorized changes

C.

Increase in the number of emergency changes

D.

Average time to complete changes

Buy Now
Questions 288

Which of the following would be- MOST helpful to understand the impact of a new technology system on an organization's current risk profile?

Options:

A.

Hire consultants specializing m the new technology.

B.

Review existing risk mitigation controls.

C.

Conduct a gap analysis.

D.

Perform a risk assessment.

Buy Now
Questions 289

In addition to the risk register, what should a risk practitioner review to develop an understanding of the organization's risk profile?

Options:

A.

The control catalog

B.

The asset profile

C.

Business objectives

D.

Key risk indicators (KRls)

Buy Now
Questions 290

During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT. Which of the following is the BEST way for the risk practitioner to address these concerns?

Options:

A.

Describe IT risk scenarios in terms of business risk.

B.

Recommend the formation of an executive risk council to oversee IT risk.

C.

Provide an estimate of IT system downtime if IT risk materializes.

D.

Educate business executives on IT risk concepts.

Buy Now
Questions 291

Which of the following attributes of a key risk indicator (KRI) is MOST important?

Options:

A.

Repeatable

B.

Automated

C.

Quantitative

D.

Qualitative

Buy Now
Questions 292

Which of the following is the BEST method for assessing control effectiveness?

Options:

A.

Ad hoc control reporting

B.

Control self-assessment

C.

Continuous monitoring

D.

Predictive analytics

Buy Now
Questions 293

Which of the following would BEST help to ensure that suspicious network activity is identified?

Options:

A.

Analyzing intrusion detection system (IDS) logs

B.

Analyzing server logs

C.

Using a third-party monitoring provider

D.

Coordinating events with appropriate agencies

Buy Now
Questions 294

Reviewing results from which of the following is the BEST way to identify information systems control deficiencies?

Options:

A.

Vulnerability and threat analysis

B.

Control remediation planning

C.

User acceptance testing (UAT)

D.

Control self-assessment (CSA)

Buy Now
Questions 295

The PRIMARY objective of testing the effectiveness of a new control before implementation is to:

Options:

A.

ensure that risk is mitigated by the control.

B.

measure efficiency of the control process.

C.

confirm control alignment with business objectives.

D.

comply with the organization's policy.

Buy Now
Questions 296

Which of the following is the GREATEST benefit of incorporating IT risk scenarios into the corporate risk register?

Options:

A.

Corporate incident escalation protocols are established.

B.

Exposure is integrated into the organization's risk profile.

C.

Risk appetite cascades to business unit management

D.

The organization-wide control budget is expanded.

Buy Now
Questions 297

Which of the following is MOST helpful when determining whether a system security control is effective?

Options:

A.

Control standard operating procedures

B.

Latest security assessment

C.

Current security threat report

D.

Updated risk register

Buy Now
Questions 298

Which of the following BEST describes the role of the IT risk profile in strategic IT-related decisions?

Options:

A.

It compares performance levels of IT assets to value delivered.

B.

It facilitates the alignment of strategic IT objectives to business objectives.

C.

It provides input to business managers when preparing a business case for new IT projects.

D.

It helps assess the effects of IT decisions on risk exposure

Buy Now
Questions 299

Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?

Options:

A.

Identify the potential risk.

B.

Monitor employee usage.

C.

Assess the potential risk.

D.

Develop risk awareness training.

Buy Now
Questions 300

Which of the following would be a risk practitioners’ BEST recommendation for preventing cyber intrusion?

Options:

A.

Establish a cyber response plan

B.

Implement data loss prevention (DLP) tools.

C.

Implement network segregation.

D.

Strengthen vulnerability remediation efforts.

Buy Now
Questions 301

Which of the following would BEST help to ensure that identified risk is efficiently managed?

Options:

A.

Reviewing the maturity of the control environment

B.

Regularly monitoring the project plan

C.

Maintaining a key risk indicator for each asset in the risk register

D.

Periodically reviewing controls per the risk treatment plan

Buy Now
Questions 302

Which of the following controls would BEST reduce the risk of account compromise?

Options:

A.

Enforce password changes.

B.

Enforce multi-factor authentication (MFA).

C.

Enforce role-based authentication.

D.

Enforce password encryption.

Buy Now
Questions 303

Which of the following is the PRIMARY reason for sharing risk assessment reports with senior stakeholders?

Options:

A.

To support decision-making for risk response

B.

To hold risk owners accountable for risk action plans

C.

To secure resourcing for risk treatment efforts

D.

To enable senior management to compile a risk profile

Buy Now
Questions 304

Which of the following is the MOST effective way 10 identify an application backdoor prior to implementation'?

Options:

A.

User acceptance testing (UAT)

B.

Database activity monitoring

C.

Source code review

D.

Vulnerability analysis

Buy Now
Questions 305

Which key performance efficiency IKPI) BEST measures the effectiveness of an organization's disaster recovery program?

Options:

A.

Number of service level agreement (SLA) violations

B.

Percentage of recovery issues identified during the exercise

C.

Number of total systems recovered within tie recovery point objective (RPO)

D.

Percentage of critical systems recovered within tie recovery time objective (RTO)

Buy Now
Questions 306

A risk practitioner is reporting on an increasing trend of ransomware attacks in the industry. Which of the following information is MOST important to include to enable an informed response decision by key stakeholders?

Options:

A.

Methods of attack progression

B.

Losses incurred by industry peers

C.

Most recent antivirus scan reports

D.

Potential impact of events

Buy Now
Questions 307

Which of the following should management consider when selecting a risk mitigation option?

Options:

A.

Maturity of the enterprise architecture

B.

Cost of control implementation

C.

Reliability of key performance indicators (KPIs)

D.

Reliability of key risk indicators (KPIs)

Buy Now
Questions 308

A risk practitioner has been notified that an employee sent an email in error containing customers' personally identifiable information (Pll). Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Report it to the chief risk officer.

B.

Advise the employee to forward the email to the phishing team.

C.

follow incident reporting procedures.

D.

Advise the employee to permanently delete the email.

Buy Now
Questions 309

Which of the following is a risk practitioner's BEST course of action upon learning that a control under internal review may no longer be necessary?

Options:

A.

Obtain approval to retire the control.

B.

Update the status of the control as obsolete.

C.

Consult the internal auditor for a second opinion.

D.

Verify the effectiveness of the original mitigation plan.

Buy Now
Questions 310

Which of the following observations would be GREATEST concern to a risk practitioner reviewing the implementation status of management action plans?

Options:

A.

Management has not determined a final implementation date.

B.

Management has not completed an early mitigation milestone.

C.

Management has not secured resources for mitigation activities.

D.

Management has not begun the implementation.

Buy Now
Questions 311

An organization is unable to implement a multi-factor authentication requirement until the next fiscal year due to budget constraints. Consequently, a policy exception must be submitted. Which of the following is MOST important to include in the analysis of the exception?

Options:

A.

Sections of the policy that may justify not implementing the requirement

B.

Risk associated with the inability to implement the requirement

C.

Budget justification to implement the new requirement during the current year

D.

Industry best practices with respect to implementation of the proposed control

Buy Now
Questions 312

Which of the following activities is PRIMARILY the responsibility of senior management?

Options:

A.

Bottom-up identification of emerging risks

B.

Categorization of risk scenarios against a standard taxonomy

C.

Prioritization of risk scenarios based on severity

D.

Review of external loss data

Buy Now
Questions 313

The MAIN purpose of having a documented risk profile is to:

Options:

A.

comply with external and internal requirements.

B.

enable well-informed decision making.

C.

prioritize investment projects.

D.

keep the risk register up-to-date.

Buy Now
Questions 314

An organization has identified that terminated employee accounts are not disabled or deleted within the time required by corporate policy. Unsure of the reason, the organization has decided to monitor the situation for three months to obtain more information. As a result of this decision, the risk has been:

Options:

A.

avoided.

B.

accepted.

C.

mitigated.

D.

transferred.

Buy Now
Questions 315

Which of the following would BEST enable a risk practitioner to embed risk management within the organization?

Options:

A.

Provide risk management feedback to key stakeholders.

B.

Collect and analyze risk data for report generation.

C.

Monitor and prioritize risk data according to the heat map.

D.

Engage key stakeholders in risk management practices.

Buy Now
Questions 316

What are the MOST important criteria to consider when developing a data classification scheme to facilitate risk assessment and the prioritization of risk mitigation activities?

Options:

A.

Mitigation and control value

B.

Volume and scope of data generated daily

C.

Business criticality and sensitivity

D.

Recovery point objective (RPO) and recovery time objective (RTO)

Buy Now
Questions 317

The PRIMARY goal of a risk management program is to:

Options:

A.

facilitate resource availability.

B.

help ensure objectives are met.

C.

safeguard corporate assets.

D.

help prevent operational losses.

Buy Now
Questions 318

To mitigate the risk of using a spreadsheet to analyze financial data, IT has engaged a third-party vendor to deploy a standard application to automate the process. Which of the following parties should own the risk associated with calculation errors?

Options:

A.

business owner

B.

IT department

C.

Risk manager

D.

Third-party provider

Buy Now
Questions 319

When assessing the maturity level of an organization's risk management framework, which of the following deficiencies should be of GREATEST concern to a risk practitioner?

Options:

A.

Unclear organizational risk appetite

B.

Lack of senior management participation

C.

Use of highly customized control frameworks

D.

Reliance on qualitative analysis methods

Buy Now
Questions 320

Which of the following is the BEST way to detect zero-day malware on an end user's workstation?

Options:

A.

An antivirus program

B.

Database activity monitoring

C.

Firewall log monitoring

D.

File integrity monitoring

Buy Now
Questions 321

Which of the following would be the BEST justification to invest in the development of a governance, risk, and compliance (GRC) solution?

Options:

A.

Facilitating risk-aware decision making by stakeholders

B.

Demonstrating management commitment to mitigate risk

C.

Closing audit findings on a timely basis

D.

Ensuring compliance to industry standards

Buy Now
Questions 322

Which of the following would present the GREATEST challenge when assigning accountability for control ownership?

Options:

A.

Weak governance structures

B.

Senior management scrutiny

C.

Complex regulatory environment

D.

Unclear reporting relationships

Buy Now
Questions 323

The MOST important reason to monitor key risk indicators (KRIs) is to help management:

Options:

A.

identity early risk transfer strategies.

B.

lessen the impact of realized risk.

C.

analyze the chain of risk events.

D.

identify the root cause of risk events.

Buy Now
Questions 324

To help ensure all applicable risk scenarios are incorporated into the risk register, it is MOST important to review the:

Options:

A.

risk mitigation approach

B.

cost-benefit analysis.

C.

risk assessment results.

D.

vulnerability assessment results

Buy Now
Questions 325

The MOST essential content to include in an IT risk awareness program is how to:

Options:

A.

populate risk register entries and build a risk profile for management reporting.

B.

prioritize IT-related actions by considering risk appetite and risk tolerance.

C.

define the IT risk framework for the organization.

D.

comply with the organization's IT risk and information security policies.

Buy Now
Questions 326

Which of the following is MOST helpful in verifying that the implementation of a risk mitigation control has been completed as intended?

Options:

A.

An updated risk register

B.

Risk assessment results

C.

Technical control validation

D.

Control testing results

Buy Now
Questions 327

Which of the following criteria is MOST important when developing a response to an attack that would compromise data?

Options:

A.

The recovery time objective (RTO)

B.

The likelihood of a recurring attack

C.

The organization's risk tolerance

D.

The business significance of the information

Buy Now
Questions 328

Which of the following is the BEST way to determine software license compliance?

Options:

A.

List non-compliant systems in the risk register.

B.

Conduct periodic compliance reviews.

C.

Review whistleblower reports of noncompliance.

D.

Monitor user software download activity.

Buy Now
Questions 329

An organization has opened a subsidiary in a foreign country. Which of the following would be the BEST way to measure the effectiveness of the subsidiary's IT systems controls?

Options:

A.

Implement IT systems in alignment with business objectives.

B.

Review metrics and key performance indicators (KPIs).

C.

Review design documentation of IT systems.

D.

Evaluate compliance with legal and regulatory requirements.

Buy Now
Questions 330

When establishing leading indicators for the information security incident response process it is MOST important to consider the percentage of reported incidents:

Options:

A.

that results in a full root cause analysis.

B.

used for verification within the SLA.

C.

that are verified as actual incidents.

D.

resolved within the SLA.

Buy Now
Questions 331

An organization has four different projects competing for funding to reduce overall IT risk. Which project should management defer?

Options:

A.

Project Charlie

B.

Project Bravo

C.

Project Alpha

D.

Project Delta

Buy Now
Questions 332

Which of the following should be the MAIN consideration when validating an organization's risk appetite?

Options:

A.

Comparison against regulations

B.

Maturity of the risk culture

C.

Capacity to withstand loss

D.

Cost of risk mitigation options

Buy Now
Questions 333

Which of the following is the GREATEST concern associated with business end users developing their own applications on end user spreadsheets and database programs?

Options:

A.

An IT project manager is not assigned to oversee development.

B.

Controls are not applied to the applications.

C.

There is a lack of technology recovery options.

D.

The applications are not captured in the risk profile.

Buy Now
Questions 334

The PRIMARY reason for periodically monitoring key risk indicators (KRIs) is to:

Options:

A.

rectify errors in results of KRIs.

B.

detect changes in the risk profile.

C.

reduce costs of risk mitigation controls.

D.

continually improve risk assessments.

Buy Now
Questions 335

During an IT department reorganization, the manager of a risk mitigation action plan was replaced. The new manager has begun implementing a new control after identifying a more effective option. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Communicate the decision to the risk owner for approval

B.

Seek approval from the previous action plan manager.

C.

Identify an owner for the new control.

D.

Modify the action plan in the risk register.

Buy Now
Questions 336

The PRIMARY benefit of classifying information assets is that it helps to:

Options:

A.

communicate risk to senior management

B.

assign risk ownership

C.

facilitate internal audit

D.

determine the appropriate level of control

Buy Now
Questions 337

A new policy has been published to forbid copying of data onto removable media. Which type of control has been implemented?

Options:

A.

Preventive

B.

Detective

C.

Directive

D.

Deterrent

Buy Now
Questions 338

What is the MOST important consideration when aligning IT risk management with the enterprise risk management (ERM) framework?

Options:

A.

Risk and control ownership

B.

Senior management participation

C.

Business unit support

D.

Risk nomenclature and taxonomy

Buy Now
Questions 339

Which of the following BEST helps to identify significant events that could impact an organization?

Vulnerability analysis

Options:

A.

Control analysis

B.

Scenario analysis

C.

Heat map analysis

Buy Now
Questions 340

A PRIMARY function of the risk register is to provide supporting information for the development of an organization's risk:

Options:

A.

strategy.

B.

profile.

C.

process.

D.

map.

Buy Now
Questions 341

An organization has completed a project to implement encryption on all databases that host customer data. Which of the following elements of the risk register should be updated the reflect this change?

Options:

A.

Risk likelihood

B.

Inherent risk

C.

Risk appetite

D.

Risk tolerance

Buy Now
Questions 342

An organization has decided to outsource a web application, and customer data will be stored in the vendor's public cloud. To protect customer data, it is MOST important to ensure which of the following?

Options:

A.

The organization's incident response procedures have been updated.

B.

The vendor stores the data in the same jurisdiction.

C.

Administrative access is only held by the vendor.

D.

The vendor's responsibilities are defined in the contract.

Buy Now
Questions 343

Which of the following IT key risk indicators (KRIs) provides management with the BEST feedback on IT capacity?

Options:

A.

Trends in IT resource usage

B.

Trends in IT maintenance costs

C.

Increased resource availability

D.

Increased number of incidents

Buy Now
Questions 344

A risk owner should be the person accountable for:

Options:

A.

the risk management process

B.

managing controls.

C.

implementing actions.

D.

the business process.

Buy Now
Questions 345

Which of the following presents the GREATEST challenge for an IT risk practitioner who wants to report on trends in historical IT risk levels?

Options:

A.

Qualitative measures for potential loss events

B.

Changes in owners for identified IT risk scenarios

C.

Changes in methods used to calculate probability

D.

Frequent use of risk acceptance as a treatment option

Buy Now
Questions 346

When preparing a risk status report for periodic review by senior management, it is MOST important to ensure the report includes

Options:

A.

risk exposure in business terms

B.

a detailed view of individual risk exposures

C.

a summary of incidents that have impacted the organization.

D.

recommendations by an independent risk assessor.

Buy Now
Questions 347

Which of the following is the MOST important outcome of a business impact analysis (BIA)?

Options:

A.

Understanding and prioritization of critical processes

B.

Completion of the business continuity plan (BCP)

C.

Identification of regulatory consequences

D.

Reduction of security and business continuity threats

Buy Now
Questions 348

After the implementation of internal of Things (IoT) devices, new risk scenarios were identified. What is the PRIMARY reason to report this information to risk owners?

Options:

A.

To reevaluate continued use to IoT devices

B.

The add new controls to mitigate the risk

C.

The recommend changes to the IoT policy

D.

To confirm the impact to the risk profile

Buy Now
Questions 349

Which of the following is the BEST method to maintain a common view of IT risk within an organization?

Options:

A.

Collecting data for IT risk assessment

B.

Establishing and communicating the IT risk profile

C.

Utilizing a balanced scorecard

D.

Performing and publishing an IT risk analysis

Buy Now
Questions 350

Which of the following is MOST helpful in providing a high-level overview of current IT risk severity*?

Options:

A.

Risk mitigation plans

B.

heat map

C.

Risk appetite statement

D.

Key risk indicators (KRls)

Buy Now
Questions 351

A segregation of duties control was found to be ineffective because it did not account for all applicable functions when evaluating access. Who is responsible for ensuring the control is designed to effectively address risk?

Options:

A.

Risk manager

B.

Control owner

C.

Control tester

D.

Risk owner

Buy Now
Questions 352

Which of the following should be of GREATEST concern when reviewing the results of an independent control assessment to determine the effectiveness of a vendor's control environment?

Options:

A.

The report was provided directly from the vendor.

B.

The risk associated with multiple control gaps was accepted.

C.

The control owners disagreed with the auditor's recommendations.

D.

The controls had recurring noncompliance.

Buy Now
Questions 353

Which of the following is MOST important to promoting a risk-aware culture?

Options:

A.

Regular testing of risk controls

B.

Communication of audit findings

C.

Procedures for security monitoring

D.

Open communication of risk reporting

Buy Now
Questions 354

Which of the following would be the BEST way for a risk practitioner to validate the effectiveness of a patching program?

Options:

A.

Conduct penetration testing.

B.

Interview IT operations personnel.

C.

Conduct vulnerability scans.

D.

Review change control board documentation.

Buy Now
Questions 355

An unauthorized individual has socially engineered entry into an organization's secured physical premises. Which of the following is the BEST way to prevent future occurrences?

Options:

A.

Employ security guards.

B.

Conduct security awareness training.

C.

Install security cameras.

D.

Require security access badges.

Buy Now
Questions 356

Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?

Options:

A.

Maintain and review the classified data inventor.

B.

Implement mandatory encryption on data

C.

Conduct an awareness program for data owners and users.

D.

Define and implement a data classification policy

Buy Now
Questions 357

Which of the following should be a risk practitioner's NEXT step upon learning the impact of an organization's noncompliance with a specific legal regulation?

Options:

A.

Identify risk response options.

B.

Implement compensating controls.

C.

Invoke the incident response plan.

D.

Document the penalties for noncompliance.

Buy Now
Questions 358

Which of the following is MOST important to consider before determining a response to a vulnerability?

Options:

A.

The likelihood and impact of threat events

B.

The cost to implement the risk response

C.

Lack of data to measure threat events

D.

Monetary value of the asset

Buy Now
Questions 359

Which of the following is the BEST method to mitigate the risk of an unauthorized employee viewing confidential data in a database''

Options:

A.

Implement role-based access control

B.

Implement a data masking process

C.

Include sanctions in nondisclosure agreements (NDAs)

D.

Install a data loss prevention (DLP) tool

Buy Now
Questions 360

Which of the following findings of a security awareness program assessment would cause the GREATEST concern to a risk practitioner?

Options:

A.

The program has not decreased threat counts.

B.

The program has not considered business impact.

C.

The program has been significantly revised

D.

The program uses non-customized training modules.

Buy Now
Questions 361

An organization is implementing robotic process automation (RPA) to streamline business processes. Given that implementation of this technology is expected to impact existing controls, which of the following is the risk practitioner's BEST course of action?

Options:

A.

Reassess whether mitigating controls address the known risk in the processes.

B.

Update processes to address the new technology.

C.

Update the data governance policy to address the new technology.

D.

Perform a gap analysis of the impacted processes.

Buy Now
Questions 362

Which of the following key performance indicators (KPis) would BEST measure me risk of a service outage when using a Software as a Service (SaaS) vendors

Options:

A.

Frequency of business continuity plan (BCP) lasting

B.

Frequency and number of new software releases

C.

Frequency and duration of unplanned downtime

D.

Number of IT support staff available after business hours

Buy Now
Questions 363

An organization has agreed to a 99% availability for its online services and will not accept availability that falls below 98.5%. This is an example of:

Options:

A.

risk mitigation.

B.

risk evaluation.

C.

risk appetite.

D.

risk tolerance.

Buy Now
Questions 364

An organization retains footage from its data center security camera for 30 days when the policy requires 90-day retention The business owner challenges whether the situation is worth remediating Which of the following is the risk manager s BEST response'

Options:

A.

Identify the regulatory bodies that may highlight this gap

B.

Highlight news articles about data breaches

C.

Evaluate the risk as a measure of probable loss

D.

Verify if competitors comply with a similar policy

Buy Now
Questions 365

Which of the following would MOST effectively reduce the potential for inappropriate exposure of vulnerabilities documented in an organization's risk register?

Options:

A.

Limit access to senior management only.

B.

Encrypt the risk register.

C.

Implement role-based access.

D.

Require users to sign a confidentiality agreement.

Buy Now
Questions 366

The MOST important objective of information security controls is to:

Options:

A.

Identify threats and vulnerability

B.

Ensure alignment with industry standards

C.

Provide measurable risk reduction

D.

Enforce strong security solutions

Buy Now
Questions 367

Which of the following should be the MOST important consideration when performing a vendor risk assessment?

Options:

A.

Results of the last risk assessment of the vendor

B.

Inherent risk of the business process supported by the vendor

C.

Risk tolerance of the vendor

D.

Length of time since the last risk assessment of the vendor

Buy Now
Questions 368

Which of the following should be the GREATEST concern for an organization that uses open source software applications?

Options:

A.

Lack of organizational policy regarding open source software

B.

Lack of reliability associated with the use of open source software

C.

Lack of monitoring over installation of open source software in the organization

D.

Lack of professional support for open source software

Buy Now
Questions 369

Which of the following BEST balances the costs and benefits of managing IT risk*?

Options:

A.

Prioritizing and addressing risk in line with risk appetite. Eliminating risk through preventive and detective controls

B.

Considering risk that can be shared with a third party

C.

Evaluating the probability and impact of risk scenarios

Buy Now
Questions 370

A migration from an in-house developed system to an external cloud-based solution is affecting a previously rated key risk scenario related to payroll processing. Which part of the risk register should be updated FIRST?

Options:

A.

Payroll system risk factors

B.

Payroll system risk mitigation plans

C.

Payroll process owner

D.

Payroll administrative controls

Buy Now
Questions 371

Which of the following is the PRIMARY benefit of using a risk profile?

Options:

A.

It promotes a security-aware culture.

B.

It enables vulnerability analysis.

C.

It enhances internal risk reporting.

D.

It provides risk information to auditors.

Buy Now
Questions 372

Which of the following situations presents the GREATEST challenge to creating a comprehensive IT risk profile of an organization?

Options:

A.

Manual vulnerability scanning processes

B.

Organizational reliance on third-party service providers

C.

Inaccurate documentation of enterprise architecture (EA)

D.

Risk-averse organizational risk appetite

Buy Now
Questions 373

Which of the following would BEST mitigate an identified risk scenario?

Options:

A.

Conducting awareness training

B.

Executing a risk response plan

C.

Establishing an organization's risk tolerance

D.

Performing periodic audits

Buy Now
Questions 374

A risk practitioner has collaborated with subject matter experts from the IT department to develop a large list of potential key risk indicators (KRIs) for all IT operations within theorganization of the following, who should review the completed list and select the appropriate KRIs for implementation?

Options:

A.

IT security managers

B.

IT control owners

C.

IT auditors

D.

IT risk owners

Buy Now
Questions 375

An organization has recently hired a large number of part-time employees. During the annual audit, it was discovered that many user IDs and passwords were documented in procedure manuals for use by the part-time employees. Which of the following BEST describes this situation?

Options:

A.

Threat

B.

Risk

C.

Vulnerability

D.

Policy violation

Buy Now
Questions 376

Which of the following should be used as the PRIMARY basis for evaluating the state of an organization's cloud computing environment against leading practices?

Options:

A.

The cloud environment's capability maturity model

B.

The cloud environment's risk register

C.

The cloud computing architecture

D.

The organization's strategic plans for cloud computing

Buy Now
Questions 377

A recent vulnerability assessment of a web-facing application revealed several weaknesses. Which of the following should be done NEXT to determine the risk exposure?

Options:

A.

Code review

B.

Penetration test

C.

Gap assessment

D.

Business impact analysis (BIA)

Buy Now
Questions 378

Which of the following is the BEST approach for obtaining management buy-in

to implement additional IT controls?

Options:

A.

List requirements based on a commonly accepted IT risk management framework.

B.

Provide information on new governance, risk, and compliance (GRC) platform functionalities.

C.

Describe IT risk impact on organizational processes in monetary terms.

D.

Present new key risk indicators (KRIs) based on industry benchmarks.

Buy Now
Questions 379

Before assigning sensitivity levels to information it is MOST important to:

Options:

A.

define recovery time objectives (RTOs).

B.

define the information classification policy

C.

conduct a sensitivity analyse

D.

Identify information custodians

Buy Now
Questions 380

A MAJOR advantage of using key risk indicators (KRIs) is that they:

Options:

A.

Identify scenarios that exceed defined risk appetite.

B.

Help with internal control assessments concerning risk appetite.

C.

Assess risk scenarios that exceed defined thresholds.

D.

Identify when risk exceeds defined thresholds.

Buy Now
Questions 381

Which of the following is the BEST approach to mitigate the risk associated with a control deficiency?

Options:

A.

Perform a business case analysis

B.

Implement compensating controls.

C.

Conduct a control sell-assessment (CSA)

D.

Build a provision for risk

Buy Now
Questions 382

Which of the following is the MAIN purpose of monitoring risk?

Options:

A.

Communication

B.

Risk analysis

C.

Decision support

D.

Benchmarking

Buy Now
Questions 383

During an acquisition, which of the following would provide the MOST useful input to the parent company's risk practitioner when developing risk scenarios for the post-acquisition phase?

Options:

A.

Risk management framework adopted by each company

B.

Risk registers of both companies

C.

IT balanced scorecard of each company

D.

Most recent internal audit findings from both companies

Buy Now
Questions 384

Reviewing which of the following BEST helps an organization gam insight into its overall risk profile''

Options:

A.

Risk register

B.

Risk appetite

C.

Threat landscape

D.

Risk metrics

Buy Now
Questions 385

A key risk indicator (KRI) that incorporates data from external open-source threat intelligence sources has shown changes in risk trend data. Which of the following is MOST important to update in the risk register?

Options:

A.

Impact of risk occurrence

B.

Frequency of risk occurrence

C.

Cost of risk response

D.

Legal aspects of risk realization

Buy Now
Questions 386

Of the following, who is BEST suited to assist a risk practitioner in developing a relevant set of risk scenarios?

Options:

A.

Internal auditor

B.

Asset owner

C.

Finance manager

D.

Control owner

Buy Now
Questions 387

An organization has operations in a location that regularly experiences severe weather events. Which of the following would BEST help to mitigate the risk to operations?

Options:

A.

Prepare a cost-benefit analysis to evaluate relocation.

B.

Prepare a disaster recovery plan (DRP).

C.

Conduct a business impact analysis (BIA) for an alternate location.

D.

Develop a business continuity plan (BCP).

Buy Now
Questions 388

When performing a risk assessment of a new service to support a core business process, which of the following should be done FIRST to ensure continuity of operations?

Options:

A.

Define metrics for restoring availability.

B.

Identify conditions that may cause disruptions.

C.

Review incident response procedures.

D.

Evaluate the probability of risk events.

Buy Now
Questions 389

The following is the snapshot of a recently approved IT risk register maintained by an organization's information security department.

After implementing countermeasures listed in ‘’Risk Response Descriptions’’ for each of the Risk IDs, which of the following component of the register MUST change?

Options:

A.

Risk Impact Rating

B.

Risk Owner

C.

Risk Likelihood Rating

D.

Risk Exposure

Buy Now
Questions 390

An organization has decided to commit to a business activity with the knowledge that the risk exposure is higher than the risk appetite. Which of the following is the risk practitioner's MOST important action related to this decision?

Options:

A.

Recommend risk remediation

B.

Change the level of risk appetite

C.

Document formal acceptance of the risk

D.

Reject the business initiative

Buy Now
Questions 391

An organization is analyzing the risk of shadow IT usage. Which of the following is the MOST important input into the assessment?

Options:

A.

Business benefits of shadow IT

B.

Application-related expresses

C.

Classification of the data

D.

Volume of data

Buy Now
Questions 392

Which of the following is MOST important for successful incident response?

Options:

A.

The quantity of data logged by the attack control tools

B.

Blocking the attack route immediately

C.

The ability to trace the source of the attack

D.

The timeliness of attack recognition

Buy Now
Questions 393

Which of the following will BEST help to ensure key risk indicators (KRIs) provide value to risk owners?

Options:

A.

Ongoing training

B.

Timely notification

C.

Return on investment (ROI)

D.

Cost minimization

Buy Now
Questions 394

Which of the following BEST supports the management of identified risk scenarios?

Options:

A.

Collecting risk event data

B.

Maintaining a risk register

C.

Using key risk indicators (KRIs)

D.

Defining risk parameters

Buy Now
Questions 395

Business management is seeking assurance from the CIO that IT has a plan in place for early identification of potential issues that could impact the delivery of a new application Which of the following is the BEST way to increase the chances of a successful delivery'?

Options:

A.

Implement a release and deployment plan

B.

Conduct comprehensive regression testing.

C.

Develop enterprise-wide key risk indicators (KRls)

D.

Include business management on a weekly risk and issues report

Buy Now
Questions 396

Which of the following is MOST important for mitigating ethical risk when establishing accountability for control ownership?

Options:

A.

Ensuring processes are documented to enable effective control execution

B.

Ensuring regular risk messaging is Included in business communications from leadership

C.

Ensuring schedules and deadlines for control-related deliverables are strictly monitored

D.

Ensuring performance metrics balance business goals with risk appetite

Buy Now
Questions 397

Which of the following is MOST important to update when an organization's risk appetite changes?

Options:

A.

Key risk indicators (KRIs)

B.

Risk reporting methodology

C.

Key performance indicators (KPIs)

D.

Risk taxonomy

Buy Now
Questions 398

Which of the following is the PRIMARY objective of maintaining an information asset inventory?

Options:

A.

To provide input to business impact analyses (BIAs)

B.

To protect information assets

C.

To facilitate risk assessments

D.

To manage information asset licensing

Buy Now
Questions 399

When defining thresholds for control key performance indicators (KPIs). it is MOST helpful to align:

Options:

A.

information risk assessments with enterprise risk assessments.

B.

key risk indicators (KRIs) with risk appetite of the business.

C.

the control key performance indicators (KPIs) with audit findings.

D.

control performance with risk tolerance of business owners.

Buy Now
Questions 400

Which of the following BEST helps to identify significant events that could impact an organization?

Options:

A.

Control analysis

B.

Vulnerability analysis

C.

Scenario analysis

D.

Heat map analysis

Buy Now
Questions 401

Which of the following sources is MOST relevant to reference when updating security awareness training materials?

Options:

A.

Risk management framework

B.

Risk register

C.

Global security standards

D.

Recent security incidents reported by competitors

Buy Now
Questions 402

A newly incorporated enterprise needs to secure its information assets From a governance perspective which of the following should be done FIRST?

Options:

A.

Define information retention requirements and policies

B.

Provide information security awareness training

C.

Establish security management processes and procedures

D.

Establish an inventory of information assets

Buy Now
Questions 403

Which of the following is MOST helpful to understand the consequences of an IT risk event?

Options:

A.

Fault tree analysis

B.

Historical trend analysis

C.

Root cause analysis

D.

Business impact analysis (BIA)

Buy Now
Questions 404

Which of the following potential scenarios associated with the implementation of a new database technology presents the GREATEST risk to an organization?

Options:

A.

The organization may not have a sufficient number of skilled resources.

B.

Application and data migration cost for backups may exceed budget.

C.

Data may not be recoverable due to system failures.

D.

The database system may not be scalable in the future.

Buy Now
Questions 405

The MAJOR reason to classify information assets is

Options:

A.

maintain a current inventory and catalog of information assets

B.

determine their sensitivity and critical

C.

establish recovery time objectives (RTOs)

D.

categorize data into groups

Buy Now
Questions 406

An organization is subject to a new regulation that requires nearly real-time recovery of its services following a disruption. Which of the following is the BEST way to manage the risk in this situation?

Options:

A.

Move redundant IT infrastructure to a closer location.

B.

Obtain insurance and ensure sufficient funds are available for disaster recovery.

C.

Review the business continuity plan (BCP) and align it with the new business needs.

D.

Outsource disaster recovery services to a third-party IT service provider.

Buy Now
Questions 407

If concurrent update transactions to an account are not processed properly, which of the following will MOST likely be affected?

Options:

A.

Confidentiality

B.

Accountability

C.

Availability

D.

Integrity

Buy Now
Questions 408

An organization operates in an environment where reduced time-to-market for new software products is a top business priority. Which of the following should be the risk practitioner's GREATEST concern?

Options:

A.

Sufficient resources are not assigned to IT development projects.

B.

Customer support help desk staff does not have adequate training.

C.

Email infrastructure does not have proper rollback plans.

D.

The corporate email system does not identify and store phishing emails.

Buy Now
Questions 409

An IT department originally planned to outsource the hosting of its data center at an overseas location to reduce operational expenses. After a risk assessment, the department has decided to keep the data center in-house. How should the risk treatment response be reflected in the risk register?

Options:

A.

Risk mitigation

B.

Risk avoidance

C.

Risk acceptance

D.

Risk transfer

Buy Now
Questions 410

Which of the following BEST supports ethical IT risk management practices?

Options:

A.

Robust organizational communication channels

B.

Mapping of key risk indicators (KRIs) to corporate strategy

C.

Capability maturity models integrated with risk management frameworks

D.

Rigorously enforced operational service level agreements (SLAs)

Buy Now
Questions 411

Which of the following is the PRIMARY risk management responsibility of the second line of defense?

Options:

A.

Monitoring risk responses

B.

Applying risk treatments

C.

Providing assurance of control effectiveness

D.

Implementing internal controls

Buy Now
Questions 412

A risk practitioner has been asked to advise management on developing a log collection and correlation strategy. Which of the following should be the MOST important consideration when developing this strategy?

Options:

A.

Ensuring time synchronization of log sources.

B.

Ensuring the inclusion of external threat intelligence log sources.

C.

Ensuring the inclusion of all computing resources as log sources.

D.

Ensuring read-write access to all log sources

Buy Now
Questions 413

Which of the following will MOST likely change as a result of the decrease in risk appetite due to a new privacy regulation?

Options:

A.

Key risk indicator (KRI) thresholds

B.

Risk trends

C.

Key performance indicators (KPIs)

D.

Risk objectives

Buy Now
Questions 414

Which of the following is MOST important for a risk practitioner to confirm once a risk action plan has been completed?

Options:

A.

The risk register has been updated.

B.

The risk tolerance has been recalibrated.

C.

The risk has been mitigated to the intended level.

D.

The risk owner has reviewed the outcomes.

Buy Now
Questions 415

Which of the following provides the MOST useful input to the development of realistic risk scenarios?

Options:

A.

Balanced scorecard

B.

Risk appetite

C.

Risk map

D.

Risk events

Buy Now
Questions 416

A service organization is preparing to adopt an IT control framework to comply with the contractual requirements of a new client. Which of the following would be MOST helpful to the risk practitioner?

Options:

A.

Negotiating terms of adoption

B.

Understanding the timeframe to implement

C.

Completing a gap analysis

D.

Initiating the conversion

Buy Now
Questions 417

Which of the following is the PRIMARY benefit of consistently recording risk assessment results in the risk register?

Options:

A.

Assessment of organizational risk appetite

B.

Compliance with best practice

C.

Accountability for loss events

D.

Accuracy of risk profiles

Buy Now
Questions 418

Which of the following BEST mitigates the risk of violating privacy laws when transferring personal information lo a supplier?

Options:

A.

Encrypt the data while in transit lo the supplier

B.

Contractually obligate the supplier to follow privacy laws.

C.

Require independent audits of the supplier's control environment

D.

Utilize blockchain during the data transfer

Buy Now
Questions 419

Which of the following BEST enforces access control for an organization that uses multiple cloud technologies?

Options:

A.

Senior management support of cloud adoption strategies

B.

Creation of a cloud access risk management policy

C.

Adoption of a cloud access security broker (CASB) solution

D.

Expansion of security information and event management (SIEM) to cloud services

Buy Now
Questions 420

Who is BEST suited to determine whether a new control properly mitigates data loss risk within a system?

Options:

A.

Data owner

B.

Control owner

C.

Risk owner

D.

System owner

Buy Now
Questions 421

Which of the following would BEST help to address the risk associated with malicious outsiders modifying application data?

Options:

A.

Multi-factor authentication

B.

Role-based access controls

C.

Activation of control audits

D.

Acceptable use policies

Buy Now
Questions 422

Which of the following is the PRIMARY reason to adopt key control indicators (KCIs) in the risk monitoring and reporting process?

Options:

A.

To provide data for establishing the risk profile

B.

To provide assurance of adherence to risk management policies

C.

To provide measurements on the potential for risk to occur

D.

To provide assessments of mitigation effectiveness

Buy Now
Questions 423

A risk practitioner has become aware of production data being used in a test environment. Which of the following should be the practitioner's PRIMARY concern?

Options:

A.

Sensitivity of the data

B.

Readability of test data

C.

Security of the test environment

D.

Availability of data to authorized staff

Buy Now
Questions 424

Which of the following provides the MOST useful information when developing a risk profile for management approval?

Options:

A.

Residual risk and risk appetite

B.

Strength of detective and preventative controls

C.

Effectiveness and efficiency of controls

D.

Inherent risk and risk tolerance

Buy Now
Questions 425

When reporting on the performance of an organization's control environment including which of the following would BEST inform stakeholders risk decision-making?

Options:

A.

The audit plan for the upcoming period

B.

Spend to date on mitigating control implementation

C.

A report of deficiencies noted during controls testing

D.

A status report of control deployment

Buy Now
Questions 426

Real-time monitoring of security cameras implemented within a retail store is an example of which type of control?

Options:

A.

Preventive

B.

Deterrent

C.

Compensating

D.

Detective

Buy Now
Questions 427

Business areas within an organization have engaged various cloud service providers directly without assistance from the IT department. What should the risk practitioner do?

Options:

A.

Recommend the IT department remove access to the cloud services.

B.

Engage with the business area managers to review controls applied.

C.

Escalate to the risk committee.

D.

Recommend a risk assessment be conducted.

Buy Now
Questions 428

Which of the following is MOST important to include in a Software as a Service (SaaS) vendor agreement?

Options:

A.

An annual contract review

B.

A service level agreement (SLA)

C.

A requirement to adopt an established risk management framework

D.

A requirement to provide an independent audit report

Buy Now
Questions 429

Which of the following is MOST important when discussing risk within an organization?

Options:

A.

Adopting a common risk taxonomy

B.

Using key performance indicators (KPIs)

C.

Creating a risk communication policy

D.

Using key risk indicators (KRIs)

Buy Now
Questions 430

Which of the following is the PRIMARY objective for automating controls?

Options:

A.

Improving control process efficiency

B.

Facilitating continuous control monitoring

C.

Complying with functional requirements

D.

Reducing the need for audit reviews

Buy Now
Questions 431

Which of the following is the GREATEST concern associated with the transmission of healthcare data across the internet?

Options:

A.

Unencrypted data

B.

Lack of redundant circuits

C.

Low bandwidth connections

D.

Data integrity

Buy Now
Questions 432

Which of the following should be the risk practitioner s FIRST course of action when an organization has decided to expand into new product areas?

Options:

A.

Identify any new business objectives with stakeholders.

B.

Present a business case for new controls to stakeholders.

C.

Revise the organization's risk and control policy.

D.

Review existing risk scenarios with stakeholders.

Buy Now
Questions 433

The PRIMARY objective of the board of directors periodically reviewing the risk profile is to help ensure:

Options:

A.

the risk strategy is appropriate

B.

KRIs and KPIs are aligned

C.

performance of controls is adequate

D.

the risk monitoring process has been established

Buy Now
Questions 434

Performing a background check on a new employee candidate before hiring is an example of what type of control?

Options:

A.

Detective

B.

Compensating

C.

Corrective

D.

Preventive

Buy Now
Questions 435

Which of the following is the BEST method for identifying vulnerabilities?

Options:

A.

Batch job failure monitoring

B.

Periodic network scanning

C.

Annual penetration testing

D.

Risk assessments

Buy Now
Questions 436

IT disaster recovery point objectives (RPOs) should be based on the:

Options:

A.

maximum tolerable downtime.

B.

maximum tolerable loss of data.

C.

need of each business unit.

D.

type of business.

Buy Now
Questions 437

Which of the following is MOST helpful in determining the effectiveness of an organization's IT risk mitigation efforts?

Options:

A.

Assigning identification dates for risk scenarios in the risk register

B.

Updating impact assessments for risk scenario

C.

Verifying whether risk action plans have been completed

D.

Reviewing key risk indicators (KRIS)

Buy Now
Questions 438

Which of the following is the MOST important reason to revisit a previously accepted risk?

Options:

A.

To update risk ownership

B.

To review the risk acceptance with new stakeholders

C.

To ensure risk levels have not changed

D.

To ensure controls are still operating effectively

Buy Now
Questions 439

Which of the following provides the MOST helpful reference point when communicating the results of a risk assessment to stakeholders?

Options:

A.

Risk tolerance

B.

Risk appetite

C.

Risk awareness

D.

Risk policy

Buy Now
Questions 440

Once a risk owner has decided to implement a control to mitigate risk, it is MOST important to develop:

Options:

A.

a process for measuring and reporting control performance.

B.

an alternate control design in case of failure of the identified control.

C.

a process for bypassing control procedures in case of exceptions.

D.

procedures to ensure the effectiveness of the control.

Buy Now
Questions 441

Which of the following conditions presents the GREATEST risk to an application?

Options:

A.

Application controls are manual.

B.

Application development is outsourced.

C.

Source code is escrowed.

D.

Developers have access to production environment.

Buy Now
Questions 442

The MOST important reason to aggregate results from multiple risk assessments on interdependent information systems is to:

Options:

A.

establish overall impact to the organization

B.

efficiently manage the scope of the assignment

C.

identify critical information systems

D.

facilitate communication to senior management

Buy Now
Questions 443

The PRIMARY basis for selecting a security control is:

Options:

A.

to achieve the desired level of maturity.

B.

the materiality of the risk.

C.

the ability to mitigate risk.

D.

the cost of the control.

Buy Now
Questions 444

A control owner has completed a year-long project To strengthen existing controls. It is MOST important for the risk practitioner to:

Options:

A.

update the risk register to reflect the correct level of residual risk.

B.

ensure risk monitoring for the project is initiated.

C.

conduct and document a business impact analysis (BIA).

D.

verify cost-benefit of the new controls being implemented.

Buy Now
Questions 445

Which of the following is performed after a risk assessment is completed?

Options:

A.

Defining risk taxonomy

B.

Identifying vulnerabilities

C.

Conducting an impact analysis

D.

Defining risk response options

Buy Now
Questions 446

The PRIMARY purpose of vulnerability assessments is to:

Options:

A.

provide clear evidence that the system is sufficiently secure.

B.

determine the impact of potential threats.

C.

test intrusion detection systems (IDS) and response procedures.

D.

detect weaknesses that could lead to system compromise.

Buy Now
Questions 447

Which of the following BEST enables the risk profile to serve as an effective resource to support business objectives?

Options:

A.

Engaging external risk professionals to periodically review the risk

B.

Prioritizing global standards over local requirements in the risk profile

C.

Updating the risk profile with risk assessment results

D.

Assigning quantitative values to qualitative metrics in the risk register

Buy Now
Questions 448

Which of the following BEST helps to balance the costs and benefits of managing IT risk?

Options:

A.

Prioritizing risk responses

B.

Evaluating risk based on frequency and probability

C.

Considering risk factors that can be quantified

D.

Managing the risk by using controls

Buy Now
Questions 449

Which of these documents is MOST important to request from a cloud service

provider during a vendor risk assessment?

Options:

A.

Nondisclosure agreement (NDA)

B.

Independent audit report

C.

Business impact analysis (BIA)

D.

Service level agreement (SLA)

Buy Now
Questions 450

An organization has just implemented changes to close an identified vulnerability that impacted a critical business process. What should be the NEXT course of action?

Options:

A.

Redesign the heat map.

B.

Review the risk tolerance.

C.

Perform a business impact analysis (BIA)

D.

Update the risk register.

Buy Now
Questions 451

A risk practitioner shares the results of a vulnerability assessment for a critical business application with the business manager. Which of the following is the NEXT step?

Options:

A.

Develop a risk action plan to address the findings.

B.

Evaluate the impact of the vulnerabilities to the business application.

C.

Escalate the findings to senior management and internal audit.

D.

Conduct a penetration test to validate the vulnerabilities from the findings.

Buy Now
Questions 452

Who should be responsible for strategic decisions on risk management?

Options:

A.

Chief information officer (CIO)

B.

Executive management team

C.

Audit committee

D.

Business process owner

Buy Now
Questions 453

A risk owner has accepted a high-impact risk because the control was adversely affecting process efficiency. Before updating the risk register, it is MOST important for the risk practitioner to:

Options:

A.

ensure suitable insurance coverage is purchased.

B.

negotiate with the risk owner on control efficiency.

C.

reassess the risk to confirm the impact.

D.

obtain approval from senior management.

Buy Now
Questions 454

Which of the following is the BEST indicator of the effectiveness of a control action plan's implementation?

Options:

A.

Increased number of controls

B.

Reduced risk level

C.

Increased risk appetite

D.

Stakeholder commitment

Buy Now
Questions 455

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an anti-virus program?

Options:

A.

Frequency of anti-virus software updates

B.

Number of alerts generated by the anti-virus software

C.

Number of false positives detected over a period of time

D.

Percentage of IT assets with current malware definitions

Buy Now
Questions 456

Which of the following is MOST helpful to management when determining the resources needed to mitigate a risk?

Options:

A.

An internal audit

B.

A heat map

C.

A business impact analysis (BIA)

D.

A vulnerability report

Buy Now
Questions 457

Which of the following is a KEY outcome of risk ownership?

Options:

A.

Risk responsibilities are addressed.

B.

Risk-related information is communicated.

C.

Risk-oriented tasks are defined.

D.

Business process risk is analyzed.

Buy Now
Questions 458

Within the three lines of defense model, the accountability for the system of internal control resides with:

Options:

A.

the chief information officer (CIO).

B.

the board of directors

C.

enterprise risk management

D.

the risk practitioner

Buy Now
Questions 459

A control owner responsible for the access management process has developed a machine learning model to automatically identify excessive access privileges. What is the risk practitioner's BEST course of action?

Options:

A.

Review the design of the machine learning model against control objectives.

B.

Adopt the machine learning model as a replacement for current manual access reviews.

C.

Ensure the model assists in meeting regulatory requirements for access controls.

D.

Discourage the use of emerging technologies in key processes.

Buy Now
Questions 460

Which of the following is a KEY responsibility of the second line of defense?

Options:

A.

Implementing control activities

B.

Monitoring control effectiveness

C.

Conducting control self-assessments

D.

Owning risk scenarios

Buy Now
Questions 461

A recent internal risk review reveals the majority of core IT application recovery time objectives (RTOs) have exceeded the maximum time defined by the business application owners. Which of the following is MOST likely to change as a result?

Options:

A.

Risk forecasting

B.

Risk tolerance

C.

Risk likelihood

D.

Risk appetite

Buy Now
Questions 462

Deviation from a mitigation action plan's completion date should be determined by which of the following?

Options:

A.

Change management as determined by a change control board

B.

Benchmarking analysis with similar completed projects

C.

Project governance criteria as determined by the project office

D.

The risk owner as determined by risk management processes

Buy Now
Questions 463

When communicating changes in the IT risk profile, which of the following should be included to BEST enable stakeholder decision making?

Options:

A.

List of recent incidents affecting industry peers

B.

Results of external attacks and related compensating controls

C.

Gaps between current and desired states of the control environment

D.

Review of leading IT risk management practices within the industry

Buy Now
Questions 464

Which of the following should a risk practitioner do FIRST when an organization decides to use a cloud service?

Options:

A.

Review the vendor selection process and vetting criteria.

B.

Assess whether use of service falls within risk tolerance thresholds.

C.

Establish service level agreements (SLAs) with the vendor.

D.

Check the contract for appropriate security risk and control provisions.

Buy Now
Questions 465

From a risk management perspective, which of the following is the PRIMARY benefit of using automated system configuration validation tools?

Options:

A.

Residual risk is reduced.

B.

Staff costs are reduced.

C.

Operational costs are reduced.

D.

Inherent risk is reduced.

Buy Now
Questions 466

Which of the following should be included in a risk assessment report to BEST facilitate senior management's understanding of the results?

Options:

A.

Benchmarking parameters likely to affect the results

B.

Tools and techniques used by risk owners to perform the assessments

C.

A risk heat map with a summary of risk identified and assessed

D.

The possible impact of internal and external risk factors on the assessment results

Buy Now
Questions 467

Which of the following is a detective control?

Options:

A.

Limit check

B.

Periodic access review

C.

Access control software

D.

Rerun procedures

Buy Now
Questions 468

Which of the following BEST reduces the probability of laptop theft?

Options:

A.

Cable lock

B.

Acceptable use policy

C.

Data encryption

D.

Asset tag with GPS

Buy Now
Questions 469

An organization with a large number of applications wants to establish a security risk assessment program. Which of the following would provide the MOST useful information when determining the frequency of risk assessments?

Options:

A.

Feedback from end users

B.

Results of a benchmark analysis

C.

Recommendations from internal audit

D.

Prioritization from business owners

Buy Now
Questions 470

After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:

Options:

A.

recommend a program that minimizes the concerns of that production system.

B.

inform the development team of the concerns, and together formulate risk reduction measures.

C.

inform the process owner of the concerns and propose measures to reduce them

D.

inform the IT manager of the concerns and propose measures to reduce them.

Buy Now
Questions 471

Which of the following activities should only be performed by the third line of defense?

Options:

A.

Operating controls for risk mitigation

B.

Testing the effectiveness and efficiency of internal controls

C.

Providing assurance on risk management processes

D.

Recommending risk treatment options

Buy Now
Questions 472

Which of the following is MOST important for a risk practitioner to understand about an organization in order to create an effective risk

awareness program?

Options:

A.

Policies and procedures

B.

Structure and culture

C.

Key risk indicators (KRIs) and thresholds

D.

Known threats and vulnerabilities

Buy Now
Exam Code: CRISC
Exam Name: Certified in Risk and Information Systems Control
Last Update: Mar 15, 2025
Questions: 1575

PDF + Testing Engine

$134.99

Testing Engine

$99.99

PDF (Q&A)

$84.99