CRISC Topic 2
Question #: 1749
Topic #: 1
Which of the following is MOST important to identify when developing top-down risk scenarios?
A. Hypothetical scenarios
B. Key procedure control gaps
C. Senior management’s risk appetite
D. Business objectives
Selected Answer: D
Question #: 1730
Topic #: 1
Which of the following would be MOST effective in promoting a risk-aware culture within an organization?
A. Allocating budget for IT initiatives based on IT risk assessment results
B. Appointing a risk committee to prioritize identified and assessed risk
C. Issuing penalties to those who do not attend the risk awareness program
D. Using risk scenarios to inform organizational strategy
Selected Answer: D
Question #: 1721
Topic #: 1
Which of the following will be MOST effective in helping to ensure control failures are appropriately managed?
A. Peer review
B. Compensating controls
C. Control ownership
D. Control procedures
Selected Answer: D
Question #: 1705
Topic #: 1
Which of the following should be of MOST concern to a risk practitioner reviewing the system development life cycle (SDLC)?
A. Segregation of duties controls are overridden during user testing phases
B. Testing is completed by IT support users without input from end users
C. Data anonymization is used during all cycles of end user testing
D. Testing is completed in phases with user testing scheduled as the final phase
Selected Answer: B
Question #: 1701
Topic #: 1
Which of the following is the MOST important criterion for selecting key risk indicators (KRIs)?
A. Historical data availability
B. Sensitivity and reliability
C. Ability to display trends
D. Implementation and reporting effort
Selected Answer: B
Question #: 1700
Topic #: 1
Which of the following is the PRIMARY reason to obtain independent reviews of risk assessment and response mechanisms?
A. To minimize the subjectivity of risk assessment results
B. To correct errors in the risk assessment process
C. To ensure risk thresholds are properly defined
D. To validate impact and probability ratings
Selected Answer: B
Question #: 1460
Topic #: 1
Which of the following BEST enables a risk practitioner to determine the appropriate risk treatment for a materialized event?
A. Incident trend analysis
B. Likelihood analysis
C. Root cause analysis
D. Impact analysis
Selected Answer: D
Question #: 1615
Topic #: 1
Which of the following deficiencies identified during a review of an organization’s cybersecurity policy should be of MOST concern?
A. The policy has gaps against relevant cybersecurity standards and frameworks.
B. The policy lacks specifics on how to secure the organization’s systems from cyberattacks.
C. The policy has not been reviewed by the cybersecurity team in over a year.
D. The policy has not been approved by the organization’s board.
Selected Answer: D
Question #: 816
Topic #: 1
Which of the following is the PRIMARY purpose of analyzing log data collected from systems?
A. To identify risk that may materialize.
B. To facilitate incident investigation.
C. To detect changes in risk ownership.
D. To prevent incidents caused by materialized risk.
Selected Answer: A
Question #: 1546
Topic #: 1
A risk practitioner discovers that a data center’s air conditioning system cannot provide sufficient cooling. What else is MOST important to consider when predicting the probability of adverse business impact from this issue?
A. Maintenance history
B. Compensating controls
C. Replacement cost
D. Applicable threats
Selected Answer: B
Question #: 332
Topic #: 1
A teaming agreement is an example of what type of risk response?
A. Acceptance
B. Mitigation
C. Transfer
D. Share
Selected Answer: B
Question #: 676
Topic #: 1
Which of the following should be the risk practitioner’s PRIMARY focus when determining whether controls are adequate to mitigate risk?
A. Cost-benefit analysis
B. Sensitivity analysis
C. Level of residual risk
D. Risk appetite
Selected Answer: A
Question #: 224
Topic #: 1
Billy is the project manager of the HAR Project and is in month six of the project. The project is scheduled to last for 18 months.
Management asks Billy how often the project team is participating in risk reassessment in this project. What should Billy tell management if he’s following the best practices for risk management?
A. Project risk management has been concluded with the project planning.
B. Project risk management happens at every milestone.
C. Project risk management is scheduled for every month in the 18-month project.
D. At every status meeting, project risk management is an agenda item for the project team.
Selected Answer: C
Question #: 521
Topic #: 1
Which of the following approaches to bring your own device (BYOD) service delivery provides the BEST protection from data loss?
A. Implement penetration testing and session timeouts
B. Implement remote monitoring
C. Enforce strong passwords and data encryption
D. Enable data wipe capabilities
Selected Answer: C
Question #: 518
Topic #: 1
Which of the following is the BEST method to identify unnecessary controls?
A. Evaluating existing controls against audit requirements
B. Reviewing system functionalities associated with business processes
C. Monitoring existing key risk indicators (KRIs)
D. Evaluating the impact of removing existing controls
Selected Answer: B
Question #: 216
Topic #: 1
How can residual risk be determined?
A. By determining remaining vulnerabilities after countermeasures are in place.
B. By transferring all risks.
C. By threat analysis
D. By risk assessment
Selected Answer: A
Question #: 1299
Topic #: 1
Which of the following is the BEST approach for selecting controls to minimize risk?
A. Industry best practice review
B. Cost-benefit analysis
C. Risk assessment
D. Control-effectiveness evaluation
Selected Answer: D
Question #: 394
Topic #: 1
During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall. Which of the following controls has MOST likely been compromised?
A. Authentication
B. Identification
C. Data validation
D. Data integrity
Selected Answer: A
Question #: 393
Topic #: 1
When developing a business continuity plan (BCP), it is MOST important to:
A. develop a multi-channel communication plan
B. prioritize critical services to be restored
C. identify a geographically dispersed disaster recovery site
D. identify an alternative location to host operations
Selected Answer: B
Question #: 1304
Topic #: 1
Which of the following BEST facilitates the identification of appropriate key performance indicators (KPIs) for a risk management program?
A. Consulting risk owners
B. Evaluating KPIs in accordance with risk appetite
C. Aligning with industry best practices
D. Reviewing control objectives
Selected Answer: B
Question #: 1540
Topic #: 1
Which of the following would present the GREATEST risk when outsourcing the data processing of personally identifiable information (PII) to a vendor with subcontractors?
A. The vendor’s service level agreements (SLAs) are not defined.
B. There have been no recent onsite visits to the vendor.
C. The vendor does not have a third-party risk management program.
D. The contract lacks a right-to-audit clause.
Selected Answer: D
Question #: 610
Topic #: 1
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an anti-virus program?
A. Frequency of anti-virus software updates
B. Number of alerts generated by the anti-virus software
C. Percentage of IT assets with current malware definitions
D. Number of false positives detected over a period of time
Selected Answer: D
Question #: 3
Topic #: 1
You are the project manager of the GHT project. You have identified a risk event on your project that could save $100,000 in project costs if it occurs. Which of the following statements BEST describes this risk event?
A. This risk event should be mitigated to take advantage of the savings.
B. This is a risk event that should be accepted because the rewards outweigh the threat to the project.
C. This risk event should be avoided to take full advantage of the potential savings.
D. This risk event is an opportunity to the project and should be exploited.
Selected Answer: D
Question #: 1199
Topic #: 1
Which of the following BEST promotes alignment between IT risk management and enterprise risk management?
A. Using the same risk ranking methodology across IT and the business
B. Obtaining senior management approval for IT policies and procedures
C. Including IT risk scenarios in the organization’s risk register
D. Expressing risk treatment initiatives in financial terms
Selected Answer: C
Question #: 1170
Topic #: 1
An organization wants to launch a campaign to advertise a new product. Using data analytics, the campaign can be targeted to reach potential customers. Which of the following should be of GREATEST concern to the risk practitioner?
A. Purpose limitation
B. Data minimization
C. Accuracy
D. Accountability
Selected Answer: B
Question #: 741
Topic #: 1
Which of the following BEST describes the role of the IT risk profile in strategic IT-related decisions?
A. It compares performance levels of IT assets to value delivered.
B. It provides input to business managers when preparing a business case for new IT projects.
C. It facilitates the alignment of strategic IT objectives to business objectives.
D. It helps assess the effects of IT decisions on risk exposure.
Selected Answer: D
Question #: 598
Topic #: 1
Who should be accountable for ensuring effective cybersecurity controls are established?
A. Security management function
B. Enterprise risk function
C. Risk owner
D. IT management
Selected Answer: A
Question #: 5
Topic #: 1
You are the risk official in Bluewell Inc. You are supposed to prioritize several risks. A risk has ratings for occurrence, severity, and detection of 4, 5, and 6, respectively. What Risk Priority Number (RPN) would you give it?
A. 120
B. 100
C. 15
D. 30
Selected Answer: A
Question #: 1616
Topic #: 1
Which of the following is the BEST way to help ensure risk will be managed properly after a business process has been re-engineered?
A. Reassessing control effectiveness of the process
B. Reporting key performance indicators (KPIs) for core processes
C. Conducting a post-implementation review to determine lessons learned
D. Establishing escalation procedures for anomaly events
Selected Answer: C
Question #: 1620
Topic #: 1
Which of the following should be of GREATEST concern to a risk practitioner reviewing the implementation of an emerging technology?
A. Lack of management approval
B. Lack of risk and control procedures
C. Lack of risk assessment
D. Lack of alignment to best practices
Selected Answer: B
Question #: 1626
Topic #: 1
It was discovered that a service provider’s administrator was accessing sensitive information without the approval of the customer in an Infrastructure as a Service (IaaS) model. Which of the following would BEST protect against a future recurrence?
A. Intrusion prevention system (IPS)
B. Contractual requirements
C. Data encryption
D. Two-factor authentication
Selected Answer: C
Question #: 1632
Topic #: 1
Which of the following sources is MOST relevant to reference when updating security awareness training materials?
A. Global security standards
B. Risk management framework
C. Recent security incidents reported by competitors
D. Risk register
Selected Answer: C
Question #: 1634
Topic #: 1
Which of the following should be the PRIMARY consideration when identifying and assigning ownership of IT-related risk?
A. Accountability for control operation
B. Accountability for losses due to impact
C. Ability to design controls to mitigate the risk
D. Span of control within the organization
Selected Answer: B
Question #: 1635
Topic #: 1
An organization’s risk profile indicates that residual risk levels have fallen significantly below management’s risk appetite. Which of the following is the BEST course of action?
A. Add more risk scenarios to the risk register.
B. Decrease monitoring of residual risk levels.
C. Optimize controls.
D. Increase risk appetite.
Selected Answer: C
Question #: 1639
Topic #: 1
Which of the following BEST enables an organization to mitigate ethical risk?
A. Reorganization of business processes to deter unethical activities
B. Ethics training for staff during onboarding
C. A culture of ethical integrity from the top down
D. Senior leadership communication of ethics policies
Selected Answer: D
Question #: 1640
Topic #: 1
A risk practitioner is performing a risk assessment of recent external advancements in quantum computing. Which of the following would pose the GREATEST concern for the risk practitioner?
A. The organization has not reviewed its encryption standards.
B. The organization has not adopted Infrastructure as a Service (IaaS) for its operations.
C. The organization has implemented heuristics on its network firewall.
D. The organization has incorporated blockchain technology in its operations.
Selected Answer: A
Question #: 1642
Topic #: 1
Which of the following is MOST important for developing effective key risk indicators (KRIs)?
A. Including input from risk and business unit management
B. Engaging sponsorship by senior management
C. Utilizing data and resources internal to the organization
D. Developing in collaboration with internal audit
Selected Answer: C
Question #: 1651
Topic #: 1
Which of the following practices MOST effectively safeguards the processing of personal data?
A. Personal data attributed to a specific data subject is tokenized.
B. Data protection impact assessments are performed on a regular basis.
C. Personal data certifications are performed to prevent excessive data collection.
D. Data retention guidelines are documented, established, and enforced.
Selected Answer: A
Question #: 1661
Topic #: 1
Which of the following should be the PRIMARY consideration when assessing tools for automated control monitoring?
A. Cost-benefit analysis
B. Continuity plan
C. Enterprise architecture (EA)
D. Risk register
Selected Answer: C
Question #: 1675
Topic #: 1
When reporting to senior management on changes in trends related to IT risk, which of the following is MOST important?
A. Maturity
B. Materiality
C. Confidentiality
D. Transparency
Selected Answer: D
Question #: 495
Topic #: 1
Which of the following is the BEST method to maintain a common view of IT risk within an organization?
A. Establishing and communicating the IT risk profile
B. Performing and publishing an IT risk analysis
C. Collecting data for IT risk assessment
D. Utilizing a balanced scorecard
Selected Answer: A
Question #: 1692
Topic #: 1
When a risk practitioner is developing a set of risk scenarios, the scenarios MUST include information about:
A. control efficiency
B. threat impact analysis results
C. the relevant threat agents
D. the severity of occurrences
Selected Answer: C
Question #: 1568
Topic #: 1
Which of the following is MOST helpful in reducing the likelihood of inaccurate risk assessment results?
A. Having internal audit validate control effectiveness
B. Updating organizational risk tolerance levels
C. Reviewing the applicable risk assessment methodologies
D. Involving relevant stakeholders in the risk assessment process
Selected Answer: C
Question #: 1532
Topic #: 1
Which of the following is MOST helpful in identifying appropriate business stakeholders to construct and assess IT risk scenarios?
A. Reviewing the organization’s business RACI charts
B. Mapping each risk event to related business processes
C. Consulting senior management for likely business candidates
D. Conducting risk and business impact analyses
Selected Answer: B
Question #: 1008
Topic #: 1
Print jobs containing confidential information are sent to a shared network printer located in a secure room. Which of the following is the BEST control to prevent the inappropriate disclosure of confidential information?
A. Ensuring printer parameters are properly configured
B. Using video surveillance in the printer room
C. Using physical controls to access the printer room
D. Requiring a printer access code for each user
Selected Answer: D
Question #: 1004
Topic #: 1
An organization has initiated a project to launch an IT-based service to customers and take advantage of being the first to market. Which of the following should be of GREATEST concern to senior management?
A. The project is likely to deliver the product late.
B. More time has been allotted for testing.
C. A new project manager is handling the project.
D. The cost of the project will exceed the allotted budget.
Selected Answer: D
Question #: 203
Topic #: 1
Who is the BEST authority to develop the priorities and identify what risks and impacts would occur if there were a loss of the organization’s private information?
A. External regulatory agencies
B. Internal auditor
C. Business process owners
D. Security management
Selected Answer: C
Question #: 569
Topic #: 1
Establishing an organizational code of conduct is an example of which type of control?
A. Directive
B. Preventive
C. Detective
D. Compensating
Selected Answer: B
Question #: 568
Topic #: 1
Which of the following is MOST helpful in aligning IT risk with business objectives?
A. Performing a business impact analysis (BIA)
B. Integrating the results of top-down risk scenario analyses
C. Introducing an approved IT governance framework
D. Implementing a risk classification system
Selected Answer: A
Question #: 534
Topic #: 1
What is the BEST information to present to business control owners when justifying costs related to controls?
A. Return on IT security-related investments
B. The previous year’s budget and actuals
C. Industry benchmarks and standards
D. Loss event frequency and magnitude
Selected Answer: D
Question #: 522
Topic #: 1
Which of the following is the MOST effective way to incorporate stakeholder concerns when developing risk scenarios?
A. Evaluating risk impact
B. Creating quarterly risk reports
C. Establishing key performance indicators (KPIs)
D. Conducting internal audits
Selected Answer: A
Question #: 510
Topic #: 1
Which of the following is a detective control?
A. Limit check
B. Access control software
C. Periodic access review
D. Rerun procedures
Selected Answer: C
Question #: 9
Topic #: 1
You work as the project manager for Bluewell Inc. Your project has several risks that will affect several stakeholder requirements. Which project management plan will define who will be available to share information on the project risks?
A. Resource Management Plan
B. Risk Management Plan
C. Stakeholder management strategy
D. Communications Management Plan
Selected Answer: A
Question #: 1389
Topic #: 1
Which of the following is MOST important to determine when assessing the potential risk exposure of a loss event involving personal data?
A. The cost associated with incident response activities
B. The maximum levels of applicable regulatory fines
C. The composition and number of records in the information asset
D. The length of time between identification and containment of the incident
Selected Answer: C
Question #: 58
Topic #: 1
Which of the following statements is true for an enterprise’s risk management capability maturity level 3?
A. Workflow tools are used to accelerate risk issues and track decisions
B. The business knows how IT fits in the enterprise risk universe and the risk portfolio view
C. The enterprise formally requires continuous improvement of risk management skills, based on clearly defined personal and enterprise goals
D. Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are recognized
Selected Answer: D
Question #: 209
Topic #: 1
You are the risk professional of your enterprise. You have performed a cost-benefit analysis of the controls you have adopted. What are the benefits of performing a cost-benefit analysis of controls? Each correct answer represents a complete solution. (Choose three.)
A. It helps in determining the cost of protecting what is important
B. It helps in making risk response decisions
C. It helps in providing a monetary impact view of risk
D. It helps in making smart choices based on potential risk mitigation costs and losses
Selected Answer: C
Question #: 52
Topic #: 1
You are the project manager of your enterprise. You have introduced an intrusion detection system as a control. You have identified a warning of a violation of your enterprise’s security policies. What type of control is an intrusion detection system (IDS)?
A. Detective
B. Corrective
C. Preventative
D. Recovery
Selected Answer: A
Question #: 223
Topic #: 1
Which of the following control audits is performed to assess the efficiency of productivity in the operations environment?
A. Operational
B. Financial
C. Administrative
D. Specialized
Selected Answer: A
Question #: 205
Topic #: 1
You work as a project manager for BlueWell Inc. You are about to complete the quantitative risk analysis process for your project. You can use three available tools and techniques to complete this process. Which one of the following is NOT a tool or technique that is appropriate for the quantitative risk analysis process?
A. Data gathering and representation techniques
B. Expert judgment
C. Quantitative risk analysis and modeling techniques
D. Organizational process assets
Selected Answer: D
Question #: 153
Topic #: 1
You are completing the qualitative risk analysis process with your project team and are relying on the risk management plan to help you determine the budget, the schedule for risk management, and the risk categories. You discover that the risk categories have not been created. When should the risk categories have been created?
A. Define scope process
B. Risk identification process
C. Plan risk management process
D. Create work breakdown structure process
Selected Answer: D
Question #: 95
Topic #: 1
There are five inputs to the quantitative risk analysis process. Which one of the following is NOT an input to the quantitative risk analysis process?
A. Risk management plan
B. Enterprise environmental factors
C. Cost management plan
D. Risk register
Selected Answer: C
Question #: 75
Topic #: 1
What are the responsibilities of the CRO?
Each correct answer represents a complete solution. (Choose three.)
A. Managing the risk assessment process
B. Implementing corrective actions
C. Advising Board of Directors
D. Managing the supporting risk management function
Selected Answer: ACD
Question #: 1637
Topic #: 1
In addition to the risk exposure, which of the following is MOST important for senior management to understand prior to approving the use of artificial intelligence (AI) solutions?
A. Changes to existing infrastructure to support AI solutions
B. Potential benefits from use of AI solutions
C. Monitoring techniques required for AI solutions
D. Skills required to support AI solutions
Selected Answer: B
Question #: 1631
Topic #: 1
Which of the following metrics would be MOST helpful to management in understanding the effectiveness of the organization’s security awareness controls?
A. Number of false positive alerts in a given time frame
B. Number of employees who have not completed training
C. Number of data exfiltration attempts
D. Number of malware incidents identified on a system
Selected Answer: B
Question #: 1597
Topic #: 1
An organization’s IT team has proposed the adoption of cloud computing as a cost-saving measure for the business. Which of the following should be of GREATEST concern to the risk practitioner?
A. Due diligence for the recommended cloud vendor has not been performed.
B. The business can introduce new Software as a Service (SaaS) solutions without IT approval.
C. The maintenance of IT infrastructure has been outsourced to an Infrastructure as a Service (IaaS) provider.
D. Architecture responsibilities may not be clearly defined.
Selected Answer: A
Question #: 1595
Topic #: 1
Which of the following should be the PRIMARY driver for an organization on a multi-year cloud implementation to publish a cloud security policy?
A. Evaluating gaps in the on-premise and cloud security profiles
B. Establishing minimum cloud security requirements
C. Enforcing compliance with cloud security parameters
D. Educating IT staff on variances between on-premise and cloud security
Selected Answer: B
Question #: 1591
Topic #: 1
Which of the following is the MOST appropriate key performance indicator (KPI) to measure change management performance?
A. Percentage of rejected change requests
B. Percentage of changes implemented successfully
C. Number of after-hours emergency changes
D. Number of change control requests
Selected Answer: B
Question #: 1589
Topic #: 1
Which of the following would be MOST helpful when selecting appropriate protection for data?
A. Data classification
B. Data access requirements
C. Risk tolerance level
D. Business objectives
Selected Answer: A
Question #: 1588
Topic #: 1
An operations manager has requested risk acceptance after the execution of a mitigation plan has failed. Which of the following is the risk practitioner’s BEST response?
A. Ask the risk owner to review the request.
B. Document the risk acceptance in the risk register.
C. Reassess the risk scenario associated with the action plan.
D. Adjust the organization’s risk profile by the amount of risk accepted.
Selected Answer: C
Question #: 1586
Topic #: 1
An organization expects to continually deal with severe distributed denial of service (DDoS) attacks from hacktivist groups. Which of the following is the BEST recommendation to help address this threat?
A. Implement Internet service provider (ISP) redundancy.
B. Implement an intrusion prevention system (IPS).
C. Develop an incident response plan.
D. Plan data center redundancy.
Selected Answer: A
Question #: 1575
Topic #: 1
An organization recently experienced multiple breaches that were detected months later. Which of the following would be MOST useful for timely monitoring and analysis going forward?
A. Threat intelligence information
B. Security information and event management (SIEM)
C. Security incident and problem reports
D. External information security reviews
Selected Answer: B
Question #: 1574
Topic #: 1
From an IT risk perspective, which of the following has the GREATEST impact on organizational strategy?
A. Changes in IT risk tolerance
B. Methodology for IT risk identification
C. Complexity of recovery plans
D. Complexity of IT architecture
Selected Answer: A
Question #: 1571
Topic #: 1
Which of the following is the PRIMARY focus of enterprise architecture (EA)?
A. To facilitate the alignment of IT with business strategy
B. To facilitate organization-wide risk assessments
C. To reduce the number of platform components
D. To integrate secure coding practices into development operations
Selected Answer: A
Question #: 1570
Topic #: 1
Which of the following is the GREATEST benefit of establishing a program to design, report, and monitor key control indicators (KCIs) as part of the risk management process?
A. Reducing overall total cost of managing controls
B. Reducing the amount of audit effort
C. Providing reference data for key performance indicators (KPIs)
D. Detecting early signs of potential control failure
Selected Answer: D
Question #: 1569
Topic #: 1
Which of the following is a risk practitioner’s BEST recommendation to management when testing results indicate the organization’s recovery time objective (RTO) cannot be met?
A. Engage IT and the business to re-evaluate the RTO.
B. Engage business users to develop and document alternative procedures.
C. Adjust the recovery point objectives (RPOs) to align with the RTO.
D. Revise the RTO in the business impact analysis (BIA).
Selected Answer: A
Question #: 1563
Topic #: 1
An organization recently completed a major restructuring project to reduce overhead costs by streamlining the approval hierarchy. Which of the following should be done FIRST by the control owner?
A. Evaluate effectiveness of risk responses.
B. Revise risk classifications.
C. Execute control test plans.
D. Analyze the control assessments.
Selected Answer: B
Question #: 1553
Topic #: 1
An organization has modified its disaster recovery plan (DRP) to reflect recent changes in its IT environment. Which of the following is the PRIMARY reason to test the new plan?
A. To ensure all assets have been identified
B. To ensure the risk assessment is validated
C. To ensure the plan is comprehensive
D. To ensure staff is sufficiently trained on the plan
Selected Answer: D
Question #: 1547
Topic #: 1
A risk practitioner observes that the network team responsible for maintaining the network infrastructure is severely understaffed, which could lead to operational losses. Which of the following is MOST directly affected by the risk practitioner’s observation?
A. Inherent risk
B. Impact rating
C. Likelihood rating
D. Control risk
Selected Answer: C
Question #: 1537
Topic #: 1
As part of its risk strategy, an organization decided to transition its financial system from a cloud-based provider to an internally managed system. Which of the following should the risk practitioner do FIRST?
A. Evaluate existing control test plans of the system for potential changes.
B. Analyze the risk register to identify potential updates and changes.
C. Reassess whether the risk responses properly address known risk and vulnerabilities.
D. Update the processes within impacted financial control assessments.
Selected Answer: C
Question #: 1533
Topic #: 1
Which of the following scenarios is MOST important to communicate to senior management?
A. Risk scenarios that have been shared with vendors and third parties
B. Accepted risk scenarios with detailed plans for monitoring
C. Risk scenarios that have been identified, assessed, and responded to by the risk owners
D. Accepted risk scenarios with impact exceeding the risk tolerance
Selected Answer: D
Question #: 501
Topic #: 1
Which of the following controls would BEST decrease exposure if a password is compromised?
A. Passwords have format restrictions
B. Passwords are masked
C. Password changes are mandated
D. Passwords are encrypted
Selected Answer: D
Question #: 390
Topic #: 1
In which of the following conditions do business units tend to point the finger at IT when projects are not delivered on time?
A. Threat identification in project
B. System failure
C. Misalignment between real risk appetite and translation into policies
D. Existence of a blame culture
Selected Answer: C
Question #: 413
Topic #: 1
Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?
A. Implement segregation of duties
B. Enforce an internal data access policy
C. Enforce the use of digital signatures
D. Apply single sign-on for access control
Selected Answer: B
Question #: 231
Topic #: 1
Mike is the project manager of the NNP Project for his organization. He is working with his project team to plan the risk responses for the NNP Project. Mike would like the project team to work together on establishing risk thresholds in the project. What is the purpose of establishing risk thresholds?
A. It is a study of the organization’s risk tolerance.
B. It is a warning sign that a risk event is going to happen.
C. It is a limit of the funds that can be assigned to risk events.
D. It helps to identify those risks for which specific responses are needed.
Selected Answer: D
Question #: 25
Topic #: 1
What is the PRIMARY need for effectively assessing controls?
A. Control’s alignment with operating environment
B. Control’s design effectiveness
C. Control’s objective achievement
D. Control’s operating effectiveness
Selected Answer: B
Question #: 1086
Topic #: 1
Which of the following would present the MOST significant risk to an organization when updating the incident response plan?
A. Undefined assignment of responsibility
B. Obsolete response documentation
C. Increased stakeholder turnover
D. Failure to audit third-party providers
Selected Answer: A
Question #: 15
Topic #: 1
Courtney is the project manager for her organization. She is working with the project team to complete the qualitative risk analysis for her project. During the analysis, Courtney encourages the project team to begin grouping identified risks by common causes. What is the primary advantage of grouping risks by common causes during qualitative risk analysis?
A. It helps the project team realize the areas of the project most laden with risks.
B. It assists in developing effective risk responses.
C. It saves time by collecting the related resources, such as project team members, to analyze the risk events.
D. It can lead to the creation of risk categories unique to each project.
Selected Answer: B
Question #: 13
Topic #: 1
Which of the following aspects of a monitoring tool ensures that the monitoring tool has the ability to keep up with the growth of an enterprise?
A. Scalability
B. Customizability
C. Sustainability
D. Impact on performance
Selected Answer: A
Question #: 419
Topic #: 1
A change management process has recently been updated with new testing procedures. The NEXT course of action is to:
A. communicate to those who test and promote changes
B. assess the maturity of the change management process
C. conduct a cost-benefit analysis to justify the cost of the control
D. monitor processes to ensure recent updates are being followed
Selected Answer: A
Question #: 418
Topic #: 1
After a high-profile systems breach at an organization’s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor’s control environment?
A. External audit
B. Internal audit
C. Vendor performance scorecard
D. Regulatory examination
Selected Answer: A
Question #: 407
Topic #: 1
Which of the following provides the BEST measurement of an organization’s risk management maturity level?
A. IT alignment to business objectives
B. Level of residual risk
C. Key risk indicators (KRIs)
D. The results of a gap analysis
Selected Answer: D
Question #: 405
Topic #: 1
Which of the following aspects of an IT risk and control self-assessment would be MOST important to include in a report to senior management?
A. A decrease in the number of key controls
B. Changes in control design
C. An increase in residual risk
D. Changes in control ownership
Selected Answer: C
Question #: 402
Topic #: 1
The analysis of which of the following will BEST help validate whether suspicious network activity is malicious?
A. Intrusion detection system (IDS) rules
B. Penetration test reports
C. Vulnerability assessment reports
D. Logs and system events
Selected Answer: D
Question #: 277
Topic #: 1
Suppose you are working at Company Inc. and you are using risk scenarios to estimate the likelihood and impact of the significant risks to this organization.
Which of the following assessments are you performing?
A. IT security assessment
B. IT audit
C. Threat and vulnerability assessment
D. Risk assessment
Selected Answer: D
Question #: 1565
Topic #: 1
Which of the following is the MOST important information for determining inherent risk?
A. The effectiveness of controls in place to prevent the risk
B. Loss the risk has historically caused
C. The IT risk manager’s view of emerging risk
D. The maturity of the control environment
Selected Answer: B
Question #: 1564
Topic #: 1
A risk practitioner wants to identify potential risk events that affect the continuity of a critical business process. Which of the following should the risk practitioner do FIRST?
A. Evaluate current risk management alignment with relevant regulations.
B. Conduct a benchmarking exercise against industry peers.
C. Determine if business continuity procedures are reviewed and updated on a regular basis.
D. Review the methodology used to conduct the business impact analysis (BIA).
Selected Answer: D
Question #: 1562
Topic #: 1
Which of the following is MOST important to include in an IT risk management policy?
A. Risk treatment types
B. Risk ownership requirements
C. Risk assessment requirements
D. Risk scoring methodology
Selected Answer: C
Question #: 1561
Topic #: 1
Which of the following BEST enables an organization to increase the likelihood of identifying risk associated with unethical employee behavior?
A. Conduct background checks for new employees.
B. Establish a channel to anonymously report unethical behavior.
C. Require a signed agreement by employees to comply with ethics policies.
D. Implement mandatory ethics training for employees.
Selected Answer: B
Question #: 1560
Topic #: 1
Which of the following should be a risk practitioner’s PRIMARY consideration when evaluating the possible impact of an adverse event affecting corporate information assets?
A. Authentication and authorization requirements for personnel accessing the assets
B. Potential regulatory fines as a result of the adverse event
C. The amount of data processed by the assets
D. Criticality classification of the assets needed for normal business operations
Selected Answer: D
Question #: 1559
Topic #: 1
While participating in a scenario analysis exercise, a risk practitioner was asked to determine the reputational impact of a system outage. Which of the following would be the BEST approach?
A. Determine the likelihood of negative media coverage and social media response.
B. Calculate impact from third-party concerns about contractual obligations related to the outage.
C. Report the value as high because cyber reputational impacts are significant.
D. Work with the business to estimate the number and value of lost customers.
Selected Answer: D
Question #: 1558
Topic #: 1
Which of the following provides the BEST assurance that an organization will be able to defend against cyber attacks?
A. Penetration testing
B. Preparedness testing
C. Vulnerability testing
D. Compliance testing
Selected Answer: A
Question #: 1557
Topic #: 1
A large organization plans to take advantage of cloud computing to reduce costs; however, there are data-use restrictions that require certain data to remain on premise. Which cloud model should the risk practitioner recommend for this deployment?
A. Community cloud
B. Private cloud
C. Hybrid cloud
D. Public cloud
Selected Answer: C
Question #: 1556
Topic #: 1
What is the MOST important information provided by key performance indicators (KPIs) in a risk management program?
A. Effectiveness of internal controls
B. Effectiveness of risk ownership
C. Performance of data loss controls
D. Level of inherent business risk
Selected Answer: A
Question #: 1555
Topic #: 1
An organization has sustained significant losses from a series of cyber events. Which of the following control types would MOST likely help reduce further losses?
A. Preventive controls
B. Recovery controls
C. Detective controls
D. Directive controls
Selected Answer: A
Question #: 1554
Topic #: 1
Which of the following should be the MOST important consideration for prioritizing the development of risk scenarios?
A. Potential impact
B. Risk trend
C. Likelihood of occurrence
D. Data classification
Selected Answer: A
Question #: 1552
Topic #: 1
An organizational code of ethics is MOST useful as a:
A. detective control.
B. recovery control.
C. corrective control.
D. directive control.
Selected Answer: D
Question #: 1551
Topic #: 1
Which of the following is a risk factor associated with migrating to an Infrastructure as a Service (IaaS) public cloud service provider?
A. Reduced availability
B. Reduced storage capacity
C. Reduced elasticity of the infrastructure
D. Reduced control of the infrastructure
Selected Answer: D
Question #: 1550
Topic #: 1
Which of the following is the PRIMARY advantage of aligning generic risk scenarios with business objectives?
A. It ensures relevance to the organization.
B. It provides better estimates of the impact of current threats.
C. It establishes where controls should be implemented.
D. It quantifies the materiality of any losses that may occur.
Selected Answer: B
Question #: 1549
Topic #: 1
Which of the following should be the PRIMARY role of the data owner in a risk management program?
A. Maintaining data syntax rules
B. Establishing enterprise system security levels
C. Applying data classification policy
D. Specifying retention requirements
Selected Answer: C
Question #: 1548
Topic #: 1
Which of the following BEST enables the development of a successful IT strategy focused on business risk mitigation?
A. Providing risk awareness training for business units
B. Conducting a business impact analysis (BIA)
C. Obtaining input from business management
D. Understanding the business controls currently in place
Selected Answer: A
Question #: 1545
Topic #: 1
An organization moved one of its applications to a public cloud, but after migration decided to move it back on-premise after an issue caused the application to be down for one day. What does this scenario indicate?
A. The organization has high risk tolerance.
B. The organization has low risk tolerance.
C. The organization has high risk appetite.
D. The organization has low risk appetite.
Selected Answer: B
Question #: 1544
Topic #: 1
Which of the following information in a risk monitoring report will provide the MOST insight to stakeholders regarding risk status?
A. Heat map
B. Mitigation plans
C. Risk ownership
D. Independent verification
Selected Answer: A
Question #: 1543
Topic #: 1
Which of the following BEST indicates that risk management is embedded into the responsibilities of all employees?
A. The number of incidents has decreased over time.
B. Risk management practices are incorporated into business processes.
C. Industry benchmarking is performed on an annual basis.
D. Risk management practices are audited on an annual basis.
Selected Answer: B
Question #: 1542
Topic #: 1
Which of the following is the MOST important benefit of implementing a data classification program?
A. Reduction in processing times
B. Identification of appropriate controls
C. Reduction in data complexity
D. Identification of appropriate ownership
Selected Answer: C
Question #: 1541
Topic #: 1
Which of the following BEST facilitates the development of effective IT risk scenarios?
A. Validation by senior management
B. Utilization of a cross-functional team
C. Participation by IT subject matter experts
D. Integration of contingency planning
Selected Answer: B
Question #: 1539
Topic #: 1
Which of the following is MOST important to ensure before using risk reports in decision making?
A. Real-time risk information is provided.
B. Risk analysis results are validated.
C. Root cause analysis is included.
D. Quantitative risk data is provided.
Selected Answer: B
Question #: 1538
Topic #: 1
Which of the following would BEST support the integrity of online financial transactions?
A. Implementing blockchain technology
B. Developing an integrated audit facility
C. Deploying multi-factor authentication
D. Implementing audit trail logs
Selected Answer: A
Question #: 1536
Topic #: 1
Which of the following is the MOST important attribute of a risk owner?
A. Expertise in risk management
B. Detailed knowledge of the business process
C. Long tenure with the organization
D. Detailed knowledge of controls
Selected Answer: B
Question #: 1535
Topic #: 1
Which of the following provides the BEST assurance of the effectiveness of internal controls?
A. Balanced scorecard review
B. Control self-assessments (CSAs)
C. Compliance training metrics
D. Continuous monitoring
Selected Answer: D
Question #: 1534
Topic #: 1
A risk practitioner has observed an increasing trend of phishing attempts directed at employees. Which of the following is the MOST important action to help mitigate the situation?
A. Report phishing attempt data to appropriate regulatory agencies.
B. Subscribe to cyber intelligence services.
C. Implement a targeted security awareness campaign.
D. Ensure anti-malware applications are up to date.
Selected Answer: C
Question #: 1531
Topic #: 1
The results of a risk assessment reveal risk scenarios with high impact and low likelihood of occurrence. Which of the following would be the BEST action to address these scenarios?
A. Create a disaster recovery plan (DRP).
B. Assemble an incident response team.
C. Develop a risk response plan.
D. Initiate a business impact analysis (BIA).
Selected Answer: C
Question #: 1505
Topic #: 1
A risk practitioner has observed that risk owners have approved a high number of exceptions to the information security policy. Which of the following should be the risk practitioner’s GREATEST concern?
A. Vulnerabilities are not being mitigated.
B. Security policies are being reviewed infrequently.
C. Controls are not operating efficiently.
D. Aggregate risk is approaching the tolerance threshold.
Selected Answer: D
Question #: 1530
Topic #: 1
To enable effective integration of IT risk scenarios and enterprise risk management (ERM), it is MOST important to have a consistent approach to reporting:
A. key risk indicators (KRIs).
B. risk velocity.
C. risk impact and likelihood.
D. risk response plans and owners.
Selected Answer: C
Question #: 1529
Topic #: 1
An organization has engaged an external consultant to assess its cybersecurity program. Which of the following findings would be MOST important to address?
A. Lack of a cyber risk profile
B. Lack of cyber risk awareness training
C. Lack of a dedicated cybersecurity team
D. Lack of accountability
Selected Answer: D