CRISC Topic 1
Question #: 607
Topic #: 1
Which of the following would provide executive management with the BEST information to make risk decisions as a result of a risk assessment?
A. A quantitative presentation of risk assessment results
B. A qualitative presentation of risk assessment results
C. A comparison of risk assessment results to the desired state
D. An assessment of organizational maturity levels and readiness
Selected Answer: A
Question #: 1691
Topic #: 1
Which of the following groups would provide the MOST relevant perspective when reporting loss exposure based on a risk analysis exercise?
A. Process owners
B. Senior management
C. Internal auditors
D. Independent risk consultants
Selected Answer: B
Question #: 1608
Topic #: 1
Which of the following is the BEST key performance indicator (KPI) to measure the ability to deliver uninterrupted IT services?
A. Mean time to recover (MTTR)
B. Mean time between failures (MTBF)
C. Planned downtime
D. Unplanned downtime
Selected Answer: D
Question #: 1594
Topic #: 1
An organization has been made aware of a newly discovered critical vulnerability in a regulatory reporting system. Which of the following is the risk practitioner’s BEST course of action?
A. Perform an impact assessment.
B. Perform a penetration test.
C. Request an external audit.
D. Escalate the risk to senior management.
Selected Answer: A
Question #: 1051
Topic #: 1
Which element of an organization’s risk register is MOST important to update following the commissioning of a new financial reporting system?
A. The owner of the financial reporting process
B. The list of relevant financial controls
C. Key risk indicators (KRIs)
D. The risk rating of affected financial processes
Selected Answer: A
Question #: 1419
Topic #: 1
Which of the following should be the PRIMARY area of focus when reporting changes to an organization’s risk profile to executive management?
A. Risk tolerance
B. Risk management resources
C. Risk trends
D. Cyberattack threats
Selected Answer: C
Question #: 1
Topic #: 1
Which of the following is the MOST important reason to maintain key risk indicators (KRIs)?
A. In order to avoid risk
B. Complex metrics require fine-tuning
C. Risk reports need to be timely
D. Threats and vulnerabilities change over time
Selected Answer: D
Question #: 54
Topic #: 1
Which of the following acts as a trigger for the risk response process?
A. Risk level increases above risk appetite
B. Risk level increases above risk tolerance
C. Risk level equals risk appetite
D. Risk level equals risk tolerance
Selected Answer: A
Question #: 1733
Topic #: 1
An organization has outsourced its backup and recovery procedures to a third-party cloud provider. Which of the following should be the risk practitioner’s NEXT course of action?
A. Remove the associated risk from the register.
B. Validate control effectiveness and update the risk register.
C. Review the contract and service level agreements (SLAs).
D. Obtain an assurance report from the third-party provider.
Selected Answer: C
Question #: 1722
Topic #: 1
A risk practitioner has implemented a key risk indicator (KRI) that triggers a warning when the number of untreated IT control deficiencies exceeds a given threshold. Which of the following should be the GREATEST concern regarding the design of this KRI?
A. Setting unrealistic targets for compliance
B. Ignoring the significance of the control deficiencies
C. Generating a large number of false-positive warnings
D. Failing to attract sufficient management support
Selected Answer: A
Question #: 1688
Topic #: 1
Which of the following is MOST important for management to consider when deciding whether to invest in an IT initiative that exceeds management’s risk appetite?
A. Risk management budget
B. Risk tolerance
C. Risk capacity
D. Risk management industry trends
Selected Answer: B
Question #: 1684
Topic #: 1
Which of the following BEST demonstrates that an implemented control is effective in mitigating the intended risk?
A. Successful outcome of an external audit
B. Accurate reporting of control test results to management
C. Successful completion of risk action plans related to the control
D. Appropriate assignment of control ownership to mitigate risk
Selected Answer: B
Question #: 1765
Topic #: 1
An organization is in the process of reviewing its risk appetite statement and redefining the risk tolerance threshold. Which of the following elements of the risk register is MOST likely to change as a result of this review?
A. Risk impact
B. Risk response
C. Risk likelihood
D. Risk ownership
Selected Answer: B
Question #: 1795
Topic #: 1
Which of the following situations would cause the GREATEST concern around the integrity of application logs?
A. Lack of a security information and event management (SIEM) system
B. Lack of data classification policies
C. Use of hashing algorithms
D. Weak privileged access management controls
Selected Answer: D
Question #: 1471
Topic #: 1
Which of the following presents the GREATEST risk to an organization with a large number of Internet of Things (IoT) devices within its network?
A. Network connectivity issues with IoT devices
B. Increased instability and failure of IoT devices
C. Insufficient IoT policies and procedures
D. Interoperability between IoT devices
Selected Answer: B
Question #: 1440
Topic #: 1
A risk practitioner has been asked to mark an identified control deficiency as remediated, despite concerns that the risk level is still too high. Which of the following is the BEST way to address this concern?
A. Recommend implementation of additional compensating controls.
B. Review the organization’s risk appetite and tolerance.
C. Assess the residual risk against the organization’s risk appetite.
D. Prepare a risk acceptance proposal for senior management’s consideration.
Selected Answer: A
Question #: 1407
Topic #: 1
Which of the following should be the PRIMARY basis for deciding whether to disclose information related to risk events that impact external stakeholders?
A. Management assertions
B. Contractual requirements
C. Regulatory requirements
D. Stakeholder preferences
Selected Answer: B
Question #: 1391
Topic #: 1
Which of the following findings of a security awareness program assessment would cause the GREATEST concern to a risk practitioner?
A. The program has not decreased threat counts.
B. The program uses non-customized training modules.
C. The program has not considered business impact.
D. The program has been significantly revised.
Selected Answer: B
Question #: 494
Topic #: 1
An organization has outsourced its lease payment process to a service provider who lacks evidence of compliance with a necessary regulatory standard. Which risk treatment was adopted by the organization?
A. Acceptance
B. Transfer
C. Mitigation
D. Avoidance
Selected Answer: B
Question #: 436
Topic #: 1
The number of tickets to rework application code has significantly exceeded the established threshold. Which of the following would be the risk practitioner’s BEST recommendation?
A. Implement training on coding best practices
B. Perform a code review
C. Perform a root cause analysis
D. Implement version control software
Selected Answer: C
Question #: 434
Topic #: 1
Which of the following is MOST important to understand when determining an appropriate risk assessment approach?
A. Threats and vulnerabilities
B. Value of information assets
C. Complexity of the IT infrastructure
D. Management culture
Selected Answer: B
Question #: 431
Topic #: 1
A program manager has completed an unsuccessful disaster recovery test. Which of the following should the risk practitioner recommend as the NEXT course of action?
A. Identify what additional controls are needed
B. Update the business impact analysis (BIA)
C. Prioritize issues noted during the testing window
D. Communicate test results to management
Selected Answer: C
Question #: 426
Topic #: 1
Which of the following would require updates to an organization’s IT risk register?
A. Discovery of an ineffectively designed key IT control
B. Management review of key risk indicators (KRIs)
C. Changes to the team responsible for maintaining the register
D. Completion of the latest internal audit
Selected Answer: A
Question #: 439
Topic #: 1
Which of the following provides an organization with the MOST insight with regard to operational readiness associated with risk?
A. Capability maturity assessment results
B. Minutes of the enterprise risk committee meetings
C. Benchmarking against industry standards
D. Self-assessment of capabilities
Selected Answer: A
Question #: 438
Topic #: 1
An organization has raised the risk appetite for technology risk. The MOST likely result would be:
A. lower risk management cost
B. decreased residual risk
C. higher risk management cost
D. increased inherent risk
Selected Answer: A
Question #: 427
Topic #: 1
IT stakeholders have asked a risk practitioner for IT risk profile reports associated with specific departments to allocate resources for risk mitigation. The BEST way to address this request would be to use:
A. historical risk assessments
B. key risk indicators (KRIs)
C. the cost associated with each control
D. information from the risk register
Selected Answer: D
Question #: 417
Topic #: 1
Which of the following is the GREATEST benefit to an organization when updates to the risk register are made promptly after the completion of a risk assessment?
A. Improved senior management communication
B. Enhanced awareness of risk management
C. Optimized risk treatment decisions
D. Improved collaboration among risk professionals
Selected Answer: C
Question #: 391
Topic #: 1
Which of the following methods involves the use of predictive or diagnostic analytical tools for exposing risk factors?
A. Scenario analysis
B. Sensitivity analysis
C. Fault tree analysis
D. Cause and effect analysis
Selected Answer: C
Question #: 395
Topic #: 1
Which of the following is MOST important when developing key performance indicators (KPIs)?
A. Alignment to management reports
B. Alignment to risk responses
C. Alerts when risk thresholds are reached
D. Identification of trends
Selected Answer: A
Question #: 305
Topic #: 1
Your project has several risks that may cause serious financial impact if they occur. You have studied the risk events and prepared some potential risk responses for them, but management wants you to do more. They would like you to create some type of chart that identifies the risk probability and impact with a financial amount for each risk event. What is the likely outcome of creating this type of chart?
A. Risk response plan
B. Contingency reserve
C. Risk response
D. Quantitative analysis
Selected Answer: C
Question #: 307
Topic #: 1
What is the FIRST phase of the IS monitoring and maintenance process?
A. Report result
B. Prioritizing risks
C. Implement monitoring
D. Identifying controls
Selected Answer: D
Question #: 304
Topic #: 1
You are the project manager of the GRT project. You discovered that bringing on more qualified resources, or providing even better quality than originally planned, could reduce the amount of time required to complete the project. If your organization seizes this opportunity, it would be an example of what risk response?
A. Enhance
B. Exploit
C. Accept
D. Share
Selected Answer: C
Question #: 320
Topic #: 1
You are the project manager of the GHT project. You have identified a risk event on your current project that could save $670,000 in project costs if it occurs. Your organization is considering hiring a vendor to help establish proper project management techniques in order to assure it realizes these savings. Which of the following statements is TRUE for this risk event?
A. This risk event should be accepted because the rewards outweigh the threat to the project.
B. This risk event should be mitigated to take advantage of the savings.
C. This risk event is an opportunity to the project and should be exploited.
D. This is a risk event that should be shared to take full advantage of the potential savings.
Selected Answer: C
Question #: 338
Topic #: 1
You are the project manager in your enterprise. You have identified the occurrence of a risk event in your enterprise. You have pre-planned risk responses. You have monitored the risks that have occurred. What is the immediate step that has to be followed after this monitoring process in response to risk events?
A. Initiate incident response
B. Update the risk register
C. Eliminate the risk completely
D. Communicate lessons learned from risk events
Selected Answer: A
Question #: 278
Topic #: 1
You are the project manager of the PFO project. You are working with your project team members and two subject matter experts to assess the identified risk events in the project. Which of the following approaches is the best to assess the risk events in the project?
A. Interviews or meetings
B. Determination of the true cost of the risk event
C. Probability and Impact Matrix
D. Root cause analysis
Selected Answer: C
Question #: 283
Topic #: 1
You have identified several risks in your project. You have opted for risk mitigation in order to respond to the identified risks. Which of the following ensures that the risk mitigation method you have chosen is effective?
A. Reduction in the frequency of a threat
B. Minimization of inherent risk
C. Reduction in the impact of a threat
D. Minimization of residual risk
Selected Answer: D
Question #: 340
Topic #: 1
You have been assigned as the Project Manager for a new project that involves building a new roadway from the city airport to a designated point within the city. However, you notice that the transportation permit issuing authority is taking longer than the planned time to issue the permit to begin construction. What would you classify this as?
A. Project Risk
B. Status Update
C. Risk Update
D. Project Issue
Selected Answer: B
Question #: 251
Topic #: 1
You and your project team are identifying the risks that may exist within your project. Some of the risks are small risks that won’t affect your project much if they happen. What should you do with these identified risk events?
A. These risks can be dismissed.
B. These risks can be accepted.
C. These risks can be added to a low priority risk watch list.
D. All risks must have a valid, documented risk response.
Selected Answer: B
Question #: 1030
Topic #: 1
Due to a change in business processes, an identified risk scenario no longer requires mitigation. Which of the following is the MOST important reason the risk should remain in the risk register?
A. To track historical risk assessment results
B. To prevent the risk scenario in the current environment
C. To monitor for potential changes to the risk scenario
D. To support regulatory requirements
Selected Answer: C
Question #: 1018
Topic #: 1
Which of the following is the BEST way to ensure ongoing control effectiveness?
A. Periodically reviewing control design
B. Establishing policies and procedures
C. Measuring trends in control performance
D. Obtaining management control attestations
Selected Answer: C
Question #: 995
Topic #: 1
A key risk indicator (KRI) flags an exception for exceeding a threshold but remains within risk appetite. Which of the following should be done NEXT?
A. Adjust the risk threshold level to match risk appetite.
B. Review the risk appetite level to ensure it is appropriate.
C. Review the trend to determine whether action is needed.
D. Document that the KRI is within risk appetite.
Selected Answer: C
Question #: 14
Topic #: 1
You are the project manager in your enterprise. You have identified a risk that is a noticeable failure threatening the success of certain goals of your enterprise. At which of the following levels does this identified risk exist?
A. Moderate risk
B. High risk
C. Extremely high risk
D. Low risk
Selected Answer: B
Question #: 1798
Topic #: 1
Which of the following is the MOST significant risk factor associated with the use of blockchain in legacy systems?
A. Lack of transaction traceability
B. Decentralized data processing
C. Cross-system incompatibility
D. Increased implementation costs
Selected Answer: C
Question #: 478
Topic #: 1
When reviewing a business continuity plan (BCP), which of the following would be the MOST significant deficiency?
A. BCP is often tested using the walkthrough method
B. BCP testing is not in conjunction with the disaster recovery plan (DRP)
C. Each business location has separate, inconsistent BCPs
D. Recovery time objectives (RTOs) do not meet business requirements
Selected Answer: D
Question #: 83
Topic #: 1
You work as a project manager for BlueWell Inc. Management has asked you to work with the key project stakeholder to analyze the risk events you have identified in the project. They would like you to analyze the project risks with a goal of improving the project’s performance as a whole. What approach can you use to achieve this goal of improving the project’s performance through risk analysis with your project stakeholders?
A. Involve subject matter experts in the risk analysis activities
B. Involve the stakeholders for risk identification only in the phases where the project directly affects them
C. Use qualitative risk analysis to quickly assess the probability and impact of risk events
D. Focus on the high-priority risks through qualitative risk analysis
Selected Answer: C
Question #: 84
Topic #: 1
You are a project manager for your organization and you’re working with four of your key stakeholders. One of the stakeholders is confused as to why you’re not discussing the current problem in the project during the risk identification meeting. Which one of the following statements best addresses when a project risk actually happens?
A. Project risks are uncertain as to when they will happen.
B. Risks can happen at any time in the project.
C. Project risks are always in the future.
D. Risk triggers are warning signs of when the risks will happen.
Selected Answer: A
Question #: 31
Topic #: 1
Which of the following is true for the Cost Performance Index (CPI)?
A. If the CPI > 1, it indicates better than expected performance of project
B. CPI = Earned Value (EV) * Actual Cost (AC)
C. It is used to measure performance of schedule
D. If the CPI = 1, it indicates poor performance of project
Selected Answer: C
Question #: 12
Topic #: 1
Which of the following BEST describes the utility of a risk?
A. The finance incentive behind the risk
B. The potential opportunity of the risk
C. The mechanics of how a risk works
D. The usefulness of the risk to individuals or groups
Selected Answer: B
Question #: 559
Topic #: 1
Which of the following is the BEST method to ensure a terminated employee’s access to IT systems is revoked upon departure from the organization?
A. Login attempts are reconciled to a list of terminated employees
B. A process to remove employee access during the exit interview is implemented
C. The human resources (HR) system automatically revokes system access
D. A list of terminated employees is generated for reconciliation against current IT access
Selected Answer: C
Question #: 410
Topic #: 1
When an organization’s disaster recovery plan has a reciprocal agreement, which of the following risk treatment options is being applied?
A. Transfer
B. Avoidance
C. Acceptance
D. Mitigation
Selected Answer: A
Question #: 1800
Topic #: 1
Who should be accountable for authorizing information system access to internal users?
A. Information security manager
B. Information owner
C. Information custodian
D. Information security officer
Selected Answer: B
Question #: 1799
Topic #: 1
Which of the following should be the starting point when performing a risk analysis for an asset?
A. Assess controls.
B. Assess risk scenarios.
C. Evaluate threats.
D. Update the risk register.
Selected Answer: C
Question #: 1792
Topic #: 1
When outsourcing a business process to a cloud service provider, it is MOST important to understand that:
A. insurance could be acquired for the risk associated with the outsourced process.
B. service accountability remains with the cloud service provider.
C. a risk owner must be designated within the cloud service provider.
D. accountability for the risk will remain with the organization.
Selected Answer: D
Question #: 1787
Topic #: 1
Management has implemented additional administrative and technical controls to reduce the likelihood of a high-impact risk in a key information system. What is the BEST way to validate the effectiveness of the control implementation?
A. Perform a vulnerability scan.
B. Perform an audit.
C. Perform a penetration test.
D. Perform a risk assessment.
Selected Answer: C
Question #: 1775
Topic #: 1
Information that is no longer required to support business objectives should be:
A. securely deleted according to the disposal policy.
B. transferred and archived to an enterprise data vault.
C. managed according to the retention policy.
D. recoverable according to the business impact analysis (BIA).
Selected Answer: C
Question #: 1737
Topic #: 1
Which of the following is the PRIMARY purpose of developing a risk register?
A. To provide a means to identify risk scenarios requiring mitigation
B. To provide a means to respond to risk as it arises
C. To provide a means to identify relevant threat actors
D. To provide a means to track risk as it is identified
Selected Answer: D
Question #: 1041
Topic #: 1
A global company’s business continuity plan (BCP) requires the transfer of its customer information systems to an overseas cloud service provider in the event of a disaster. Which of the following should be the MOST important risk consideration?
A. The lack of a service level agreement (SLA) in the vendor contract
B. The cloud computing environment is shared with another company
C. The organizational culture differences between each country
D. The difference in the management practices between each company
Selected Answer: A
Question #: 316
Topic #: 1
You are elected as the project manager of the GHT project. You have to initiate the project. Your project request document has been approved, and now you have to start working on the project. What is the FIRST step you should take to initiate the project?
A. Conduct a feasibility study
B. Acquire software
C. Define requirements of project
D. Plan project management
Selected Answer: D
Question #: 24
Topic #: 1
Which section of the Sarbanes-Oxley Act specifies “Periodic financial reports must be certified by CEO and CFO”?
A. Section 302
B. Section 404
C. Section 203
D. Section 409
Selected Answer: C
Question #: 30
Topic #: 1
For which of the following risk management capability maturity levels is the statement given below true? “Real-time monitoring of risk events and control exceptions exists, as does automation of policy management”
A. Level 3
B. Level 0
C. Level 5
D. Level 2
Selected Answer: C
Question #: 29
Topic #: 1
Which of the following is prepared by the business and serves as a starting point for producing the IT Service Continuity Strategy?
A. Business Continuity Strategy
B. Index of Disaster-Relevant Information
C. Disaster Invocation Guideline
D. Availability/ ITSCM/ Security Testing Schedule
Selected Answer: A
Question #: 27
Topic #: 1
David is the project manager of the HRC Project. He has identified a risk in the project which could cause a delay in the project. David does not want this risk event to happen, so he takes a few actions to ensure that the risk event will not happen. These extra steps, however, cost the project an additional $10,000. What type of risk response has David adopted?
A. Avoidance
B. Mitigation
C. Acceptance
D. Transfer
Selected Answer: B
Question #: 1788
Topic #: 1
The MAIN reason to use the risk register to monitor aggregated risk is to provide:
A. insight on control gaps.
B. a basis for risk management resource allocation.
C. a comprehensive view of risk impact.
D. historical information about risk impact.
Selected Answer: C
Question #: 1786
Topic #: 1
Which of the following is MOST critical to the successful adoption of an enterprise architecture (EA) program?
A. Adequate funding
B. Skilled resources
C. A mature governance plan
D. Stakeholder support
Selected Answer: D
Question #: 1636
Topic #: 1
A multinational company needs to implement a new centralized security system. The risk practitioner has identified a conflict between the organization’s data-handling policy and local privacy regulations. Which of the following would be the BEST recommendation?
A. Request a policy exception from senior management.
B. Request an exception from the local regulatory agency.
C. Comply with the organizational policy.
D. Report the noncompliance to the local regulatory agency.
Selected Answer: A
Question #: 1527
Topic #: 1
Which of the following has the GREATEST impact on backup policies for a system supporting a critical process?
A. Impact of threats to the process
B. Recovery time objective (RTO)
C. Resource requirements of the process
D. Recovery point objective (RPO)
Selected Answer: D
Question #: 1493
Topic #: 1
An organization has established workflows in its service desk to support employee reports of security-related concerns. Which of the following is the MOST efficient approach to analyze these concerns?
A. Sort concerns by likelihood.
B. Align concerns to key vendors.
C. Prioritize concerns based on frequency of reports.
D. Map concerns to organizational assets.
Selected Answer: D
Question #: 1449
Topic #: 1
Where should a risk practitioner document the current state and desired future state of organizational risk?
A. Business continuity plan (BCP)
B. Risk management strategy
C. Risk action plan
D. Risk register
Selected Answer: B
Question #: 584
Topic #: 1
Following a significant change to a business process, a risk practitioner believes the associated risk has been reduced. The risk practitioner should advise the risk owner to FIRST:
A. reallocate risk response resources
B. review the key risk indicators
C. conduct a risk analysis
D. update the risk register
Selected Answer: C
Question #: 826
Topic #: 1
Which of the following conditions presents the GREATEST risk to an application?
A. Application development is outsourced.
B. Developers have access to production environment.
C. Source code is escrowed.
D. Application controls are manual.
Selected Answer: B
Question #: 821
Topic #: 1
Which of the following is MOST important to ensure when continuously monitoring the performance of a client-facing application?
A. Performance information in the log is encrypted.
B. Control owners approve control changes.
C. Objectives are confirmed with the business owner.
D. End-user acceptance testing has been conducted.
Selected Answer: C
Question #: 809
Topic #: 1
Which of the following would MOST likely require a risk practitioner to update the risk register?
A. An alert being reported by the security operations center.
B. Development of a project schedule for implementing a risk response.
C. Engagement of a third party to conduct a vulnerability scan.
D. Completion of a project for implementing a new control.
Selected Answer: D
Question #: 996
Topic #: 1
An organization’s capability to implement a risk management framework is PRIMARILY influenced by the:
A. guidance of the risk practitioner
B. approval of senior management
C. competence of the staff involved
D. maturity of its risk culture
Selected Answer: D
Question #: 686
Topic #: 1
Calculation of the recovery time objective (RTO) is necessary to determine the:
A. annual loss expectancy (ALE).
B. priority of restoration.
C. point of synchronization.
D. time required to restore files.
Selected Answer: B
Question #: 509
Topic #: 1
An audit reveals that several terminated employee accounts maintain access. Which of the following should be the FIRST step to address the risk?
A. Perform a risk assessment
B. Disable user access
C. Perform root cause analysis
D. Develop an access control policy
Selected Answer: B
Question #: 396
Topic #: 1
The PRIMARY benefit associated with key risk indicators (KRIs) is that they:
A. identify trends in the organization’s vulnerabilities
B. provide ongoing monitoring of emerging risk
C. help an organization identify emerging threats
D. benchmark the organization’s risk profile
Selected Answer: B
Question #: 730
Topic #: 1
Whether the results of risk analysis should be presented in quantitative or qualitative terms should be based PRIMARILY on the:
A. specific risk analysis framework being used.
B. results of the risk assessment.
C. requirements of management.
D. organizational risk tolerance.
Selected Answer: C
Question #: 646
Topic #: 1
Which of the following is the MOST important consideration when multiple risk practitioners capture risk scenarios in a single risk register?
A. Using a consistent method for risk assessment
B. Developing risk escalation and reporting procedures
C. Maintaining up-to-date risk treatment plans
D. Aligning risk ownership and control ownership
Selected Answer: A
Question #: 636
Topic #: 1
Which of the following is the MOST relevant input to an organization’s risk profile?
A. External audit’s risk assessment
B. Management’s risk self-assessment
C. Internal audit’s risk assessment
D. Information security’s vulnerability assessment
Selected Answer: C
Question #: 32
Topic #: 1
Which of the following is NOT indirect information?
A. Information about the propriety of cutoff.
B. Reports that show orders that were rejected for credit limitations.
C. Reports that provide information about any unusual deviations and individual product margins.
D. The lack of any significant differences between perpetual levels and actual levels of goods.
Selected Answer: D
Question #: 43
Topic #: 1
Which of the following is an administrative control?
A. Water detection
B. Reasonableness check
C. Data loss prevention program
D. Session timeout
Selected Answer: C
Question #: 459
Topic #: 1
Which of the following is MOST important for successful incident response?
A. The quantity of data logged by the attack control tools
B. The ability to trace the source of the attack
C. The timeliness of attack recognition
D. Blocking the attack route immediately
Selected Answer: A
Question #: 46
Topic #: 1
A part of a project deals with the hardware work. As a project manager, you have decided to hire a company to deal with all hardware work on the project. Which type of risk response is this?
A. Transference
B. Mitigation
C. Avoidance
D. Exploit
Selected Answer: A
Question #: 7
Topic #: 1
Which of the following role carriers will decide the key risk indicators (KRIs) of the enterprise?
Each correct answer represents a part of the solution. Choose two.
A. Business leaders
B. Senior management
C. Human resource
D. Chief financial officer
Selected Answer: AB
Question #: 1096
Topic #: 1
Which of the following is the BEST indicator of executive management’s support for IT risk mitigation efforts?
A. The number of executives attending IT security awareness training
B. The percentage of incidents presented to the board
C. The percentage of corporate budget allocated to IT risk activities
D. The number of stakeholders involved in IT risk identification workshops
Selected Answer: C
Question #: 1033
Topic #: 1
When developing a risk awareness training program, which of the following training topics would BEST facilitate a thorough understanding of risk scenarios?
A. Mapping threats to organizational objectives
B. Reviewing past audits
C. Analyzing key risk indicators (KRIs)
D. Identifying potential sources of risk
Selected Answer: D
Question #: 1611
Topic #: 1
The PRIMARY focus of an ongoing risk awareness program should be to:
A. enable better risk-based decisions.
B. expand understanding of risk indicators.
C. define appropriate controls to mitigate risk.
D. determine impact of risk scenarios.
Selected Answer: A
Question #: 1610
Topic #: 1
Which of the following is the PRIMARY benefit of consistently recording risk assessment results in the risk register?
A. Accuracy of risk profiles
B. Compliance with best practice
C. Assessment of organizational risk appetite
D. Accountability for loss events
Selected Answer: A
Question #: 1609
Topic #: 1
Before selecting a final risk response option for a given risk scenario, management should FIRST:
A. determine the remediation timeline.
B. evaluate the risk response of similar sized organizations.
C. determine control ownership.
D. evaluate the organization’s ability to implement the solution.
Selected Answer: D
Question #: 1607
Topic #: 1
Which of the following BEST enables the accurate assessment of potential impact to a particular business area?
A. Risk classification
B. Control self-assessments (CSAs)
C. Risk scenarios
D. Business continuity testing
Selected Answer: C
Question #: 1606
Topic #: 1
The software version of an enterprise’s critical business application has reached end-of-life and is no longer supported by the vendor. IT has decided to develop an in-house replacement application. Which of the following should be the PRIMARY concern?
A. The business process owner is not an active participant.
B. The board of directors has not approved the decision.
C. The system documentation is not available.
D. Enterprise risk management (ERM) has not approved the decision.
Selected Answer: A
Question #: 1605
Topic #: 1
After automated controls have been implemented and tested, which of the following is MOST useful to perform?
A. Continuous control monitoring
B. Internal audit review
C. Control self-assessment (CSA)
D. Cost-benefit analysis
Selected Answer: A
Question #: 1604
Topic #: 1
Which of the following is the MOST important course of action to foster an ethical, risk-aware culture?
A. Establish an enterprise-wide ethics training and awareness program.
B. Ensure the alignment of the organization’s policies and standards to the defined risk appetite.
C. Implement a fraud detection and prevention framework.
D. Perform a comprehensive review of all applicable legislative frameworks and requirements.
Selected Answer: A
Question #: 1603
Topic #: 1
Which of the following is the MOST important responsibility of a business process owner to enable effective IT risk management?
A. Prioritizing risk for appropriate response
B. Escalating risk to senior management
C. Collecting and analyzing risk data
D. Delivering risk reports in a timely manner
Selected Answer: A
Question #: 1602
Topic #: 1
Which of the following BEST protects organizational data within a production cloud environment?
A. Right to audit
B. Data encryption
C. Data obfuscation
D. Continuous log monitoring
Selected Answer: B
Question #: 1601
Topic #: 1
Which of the following is the BEST recommendation when a key risk indicator (KRI) is generating an excessive volume of events?
A. Reevaluate the design of the KRIs.
B. Develop a corresponding key performance indicator (KPI).
C. Monitor KRIs within a specific timeframe.
D. Activate the incident response plan.
Selected Answer: A
Question #: 1600
Topic #: 1
An organization allows programmers to change production systems in emergency situations. Which of the following is the BEST control?
A. Implementing an emergency change authorization process
B. Periodically reviewing operator logs
C. Limiting the number of super users
D. Reviewing the programmers’ emergency change reports
Selected Answer: A
Question #: 1709
Topic #: 1
Which of the following would MOST likely cause senior management to lower the risk tolerance level?
A. Organizational restructuring
B. Increase in penalties for unauthorized data disclosure
C. Outsourcing of in-house software development
D. Decrease in budget allocated for risk mitigation activities
Selected Answer: B
Question #: 1697
Topic #: 1
A risk assessment has revealed that the probability of a successful cybersecurity attack is increasing. The potential loss could exceed the organization’s risk appetite. Which of the following would be the MOST effective course of action?
A. Purchase cybersecurity insurance
B. Re-evaluate the organization’s risk appetite
C. Outsource the cybersecurity function
D. Review cybersecurity incident response procedures
Selected Answer: A
Question #: 1201
Topic #: 1
To obtain support from senior management for an increase in the risk mitigation budget, it is BEST to prioritize risk scenarios in the risk register based on:
A. open audit issues.
B. residual risk.
C. risk owner seniority.
D. inherent risk.
Selected Answer: D
Question #: 1475
Topic #: 1
Which of the following is the GREATEST benefit of a risk-aware culture?
A. Cost of controls is reduced over time.
B. The organization is more resilient to threats.
C. The number of audit findings is reduced over time.
D. Relevant risk is reported in a timely manner.
Selected Answer: D
Question #: 470
Topic #: 1
A risk practitioner has populated the risk register with industry-based generic risk scenarios to be further assessed by risk owners. Which of the following is the GREATEST concern with this approach?
A. Risk scenarios in the generic list may not help in building risk awareness
B. Risk scenarios that are not relevant to the organization may be assessed
C. Developing complex risk scenarios using the generic list will be difficult
D. Relevant risk scenarios that do not appear in the generic list may not be assessed
Selected Answer: D
Question #: 1774
Topic #: 1
Which of the following is a PRIMARY benefit of using facilitated workshops to develop IT risk scenarios?
A. Enhancing the risk culture within the organization
B. Expressing IT risk scenarios in business terms
C. Building consensus regarding risk priorities
D. Developing an efficient process to identify risk
Selected Answer: C
Question #: 887
Topic #: 1
Upon learning that the number of failed back-up attempts continually exceeds the current risk threshold, the risk practitioner should:
A. keep monitoring the situation as there is evidence that this is normal.
B. adjust the risk threshold to better reflect actual performance.
C. inquire about the status of any planned corrective actions.
D. initiate corrective action to address the known deficiency.
Selected Answer: D
Question #: 745
Topic #: 1
In addition to the risk register, what should a risk practitioner review to develop an understanding of the organization’s risk profile?
A. The asset profile
B. Business objectives
C. The control catalog
D. Key risk indicators (KRIs)
Selected Answer: B
Question #: 701
Topic #: 1
A risk practitioner recently discovered that sensitive data from the production environment is required for testing purposes in non-production environments. Which of the following is the BEST recommendation to address this situation?
A. Mask data before being transferred to the test environment.
B. Implement equivalent security in the test environment.
C. Enable data encryption in the test environment.
D. Prevent the use of production data for test purposes.
Selected Answer: A
Question #: 564
Topic #: 1
Which of the following attributes of a key risk indicator (KRI) is MOST important?
A. Repeatable
B. Qualitative
C. Automated
D. Quantitative
Selected Answer: D
Question #: 170
Topic #: 1
You are working as a project manager in Bluewell Inc. You are nearing the final stages of project execution and looking towards the final risk monitoring and controlling activities. For your project archives, which one of the following is an output of risk monitoring and control?
A. Qualitative risk analysis
B. Risk audits
C. Quantitative risk analysis
D. Requested changes
Selected Answer: B
Question #: 1331
Topic #: 1
What is senior management’s role in the RACI model when tasked with reviewing monthly status reports provided by risk owners?
A. Accountable
B. Consulted
C. Responsible
D. Informed
Selected Answer: D
Question #: 1513
Topic #: 1
Which of the following should be of GREATEST concern to an organization planning to migrate its customer data warehouse to an offshore operation?
A. Cross-border flow of information
B. Inadequate vendor risk management
C. Time zone differences and implications
D. Increased business continuity costs
Selected Answer: A
Question #: 1512
Topic #: 1
An organization recently implemented an extensive risk awareness program after a cybersecurity incident. Which of the following is MOST likely to be affected by the implementation of the program?
A. Risk appetite
B. Threat landscape
C. Inherent risk
D. Residual risk
Selected Answer: D
Question #: 1497
Topic #: 1
A significant issue has occurred while moving an upgraded core business application to the production environment. The specific cause is unknown, and the outage window is about to expire. Which of the following is the risk practitioner’s BEST recommendation to the business owner?
A. Cut over to production despite the issue.
B. Determine the root cause of the issue.
C. Initiate a rollback to the last version.
D. Extend the outage window.
Selected Answer: C
Question #: 1317
Topic #: 1
Which of the following is the GREATEST benefit of centralizing IT systems?
A. Risk reporting
B. Risk identification
C. Risk monitoring
D. Risk classification
Selected Answer: C
Question #: 1281
Topic #: 1
A risk practitioner implemented a process to notify management of emergency changes that may not be approved. Which of the following is the BEST way to provide this information to management?
A. Change logs
B. Key control indicators (KCIs)
C. Key risk indicators (KRIs)
D. Change management meeting minutes
Selected Answer: A
Question #: 1748
Topic #: 1
Which of the following is an example of risk sharing?
A. Rejecting a high-risk project
B. Outsourcing the hosting of a critical system
C. Investing in fault-tolerant technology
D. Engaging in a code escrow agreement
Selected Answer: D
Question #: 1715
Topic #: 1
A Software as a Service (SaaS) company wants to use aggregated data from its clients to improve its services via a machine learning model. However, its contracts do not clearly allow this use of aggregated data. What should the organization do NEXT?
A. Update the organization’s data processing agreement template.
B. Request internal risk acceptance from senior management.
C. Request formal consent from clients to use their data.
D. Update the organization’s privacy policy to reflect the use of aggregated data.
Selected Answer: D
Question #: 1704
Topic #: 1
Who should be responsible for approving the cost of controls to be implemented for mitigating risk?
A. Risk owner
B. Control implementer
C. Control owner
D. Risk practitioner
Selected Answer: C
Question #: 1703
Topic #: 1
Which of the following should be the FIRST course of action if the risk associated with a new technology is found to be increasing?
A. Implement additional controls
B. Re-evaluate current controls
C. Revise the current risk action plan
D. Escalate the risk to senior management
Selected Answer: D
Question #: 1702
Topic #: 1
A data privacy regulation has been revised to incorporate more stringent requirements on personal data protection. Which of the following will provide the MOST important input to help ensure compliance with the revised regulation?
A. Gap analysis
B. Risk profile update
C. Business impact analysis (BIA)
D. Current control attestation
Selected Answer: C
Question #: 1779
Topic #: 1
Which of the following would be MOST helpful in assessing the risk associated with data loss due to human vulnerabilities?
A. Reviewing password change history
B. Reviewing the results of security awareness surveys
C. Conducting social engineering exercises
D. Performing periodic access recertifications
Selected Answer: B
Question #: 1753
Topic #: 1
Which of the following is the MOST effective way to help ensure a risk treatment plan remains on track?
A. Documenting risk treatment procedures for relevant stakeholders
B. Adopting an agile project management approach
C. Requiring approval by the second line of defense
D. Assigning sufficient resources to implement the plan
Selected Answer: D