CRISC Topic 3
Question #: 1528
Topic #: 1
Which of the following provides the BEST indication that existing controls are effective?
A. Control logging
B. Control design
C. Control testing
D. Control documentation
Selected Answer: C
Question #: 1526
Topic #: 1
Which of the following aspects of risk can be transferred to a third party?
A. Reputation impact
B. Ownership
C. Accountability
D. Financial impact
Selected Answer: D
Question #: 1525
Topic #: 1
Which of the following is the BEST way to ensure key risk indicators (KRIs) continue to help management make informed decisions?
A. Develop repeatable and easily measurable KRIs.
B. Implement a real-time dashboard for monitoring KRIs.
C. Align KRIs to risk events identified in the risk register.
D. Define a mix of leading and lagging KRIs.
Selected Answer: D
Question #: 1524
Topic #: 1
Continuous monitoring of key risk indicators (KRIs) will:
A. ensure that risk tolerance and risk appetite are aligned.
B. provide an early warning so that proactive action can be taken.
C. ensure that risk will not exceed the defined risk appetite of the organization.
D. provide a snapshot of the risk profile.
Selected Answer: B
Question #: 1523
Topic #: 1
Which of the following is the PRIMARY purpose of periodically updating an organization’s risk profile?
A. Inform senior management of changes in the risk environment.
B. Provide a risk-based audit program.
C. Identify gaps between policies and procedures.
D. Prioritize management-initiated reviews.
Selected Answer: C
Question #: 1435
Topic #: 1
In an organization that allows employee use of social media accounts for work purposes, which of the following is the BEST way to protect company sensitive information from being exposed?
A. Taking punitive action against employees who expose confidential data
B. Requiring employees to sign nondisclosure agreements (NDAs)
C. Implementing a data loss prevention (DLP) solution
D. Educating employees on what needs to be kept confidential
Selected Answer: D
Question #: 1522
Topic #: 1
Which of the following BEST reduces the likelihood of employees unintentionally disclosing sensitive information to outside parties?
A. Regular employee security awareness training
B. Anti-malware controls on endpoint devices
C. Sensitive information classification and handling policies
D. An egress intrusion detection system (IDS)
Selected Answer: A
Question #: 1521
Topic #: 1
During an after-hours compliance review, a risk practitioner discovers sensitive documents on an employee’s desk in violation of company policy. Which of the following should the risk practitioner do NEXT?
A. Securely dispose of the documents.
B. Recommend provision of secure document storage.
C. Request an exception to the clear desk policy.
D. Provide the employee with refresher training.
Selected Answer: B
Question #: 1520
Topic #: 1
Which of the following is the PRIMARY reason to periodically assess risk management capabilities?
A. To determine changes in risk profile
B. To monitor risk factors
C. To measure return on control investments
D. To determine opportunities for improvement
Selected Answer: D
Question #: 1519
Topic #: 1
When developing a risk awareness training program, which of the following is the BEST way to promote a risk-aware culture?
A. Challenge the effectiveness of business processes.
B. Illustrate methods to identify threats and vulnerabilities.
C. Emphasize individual responsibility for managing risk.
D. Communicate incident escalation procedures.
Selected Answer: C
Question #: 1518
Topic #: 1
Which of the following is the PRIMARY objective of the risk identification process?
A. To expand organizational awareness and knowledge of identified risk scenarios
B. To reduce risk faced by the organization to an acceptable level
C. To ensure control objectives align with business objectives
D. To determine possible risk events that could jeopardize business objectives
Selected Answer: D
Question #: 1517
Topic #: 1
Which of the following is the BEST way to maintain a current list of organizational risk scenarios?
A. Conduct periodic risk reviews with stakeholders.
B. Perform regular reviews of key controls.
C. Conduct compliance reviews.
D. Automate workflow for risk status updates.
Selected Answer: A
Question #: 1516
Topic #: 1
Static code analysis has been consistently finding a significant number of critical security issues throughout an organization’s internally developed applications. The risk practitioner’s BEST recommendation would be to:
A. provide training on secure programming practices.
B. conduct penetration tests before code implementation.
C. outsource software development.
D. conduct security design reviews.
Selected Answer: A
Question #: 1515
Topic #: 1
Which of the following is the MOST valuable data source to support the optimization of an existing key risk indicator (KRI)?
A. Historical losses and incidents
B. Organizational policies
C. Industry benchmarks
D. Frameworks and standards
Selected Answer: A
Question #: 1514
Topic #: 1
Which of the following should be the PRIMARY consideration when quantifying the risk associated with regulatory noncompliance?
A. Time requirements and cost of remediation
B. Cost of continuous compliance activities
C. Historical noncompliance events
D. Value of punitive penalties and fines
Selected Answer: D
Question #: 1511
Topic #: 1
Which of the following is MOST important when creating a program to reduce ethical risk?
A. Obtaining senior management commitment
B. Developing an organizational communication plan
C. Conducting a gap analysis
D. Defining strict policies
Selected Answer: A
Question #: 1510
Topic #: 1
The implementation of automated controls is taking longer than expected. The risk owner is concerned about the materialization of risk before full implementation of the automated controls. As a result, the risk owner has established interim manual controls. Which of the following actions is MOST important for the risk practitioner to perform?
A. Update the risk register to reflect the change in residual risk level.
B. Perform a cost-benefit analysis of the manual controls.
C. Ensure the same key risk indicators (KRIs) are used for both manual and automated controls.
D. Assess the risk associated with changes in the effectiveness of the manual and automated controls.
Selected Answer: D
Question #: 1509
Topic #: 1
Which of the following is MOST important for a risk practitioner to confirm when reviewing the disaster recovery plan (DRP)?
A. The DRP covers relevant scenarios.
B. The business continuity plan (BCP) has been documented.
C. Senior management has approved the DRP.
D. The DRP has been tested by an independent third party.
Selected Answer: A
Question #: 1508
Topic #: 1
Which of the following BEST mitigates the risk associated with sensitive data loss due to theft of an organization’s removable media?
A. Data encryption
B. Asset management policy
C. Code of conduct policy
D. Data loss prevention (DLP) system
Selected Answer: A
Question #: 1507
Topic #: 1
An online retailer has decided to store its customer database with a cloud provider in an Infrastructure as a Service (IaaS) configuration. During an initial review of preliminary risk scenarios, a risk practitioner identifies instances where sensitive customer information is stored unencrypted. Who is accountable for ensuring this encryption?
A. The data owner
B. The chief information officer (CIO)
C. The retailer’s IT department
D. The cloud provider
Selected Answer: A
Question #: 1506
Topic #: 1
An organization is concerned with the use of personally identifiable information (PII) in a test database. Which of the following would BEST address this concern?
A. Privacy impact assessments
B. Consent to collect
C. Data use agreements
D. Data anonymization
Selected Answer: D
Question #: 1503
Topic #: 1
The MOST important reason to periodically review key risk indicators (KRIs) is to:
A. satisfy audit requirements.
B. comply with risk-related laws and regulations.
C. identify deviations from organizational tolerance.
D. align with industry benchmarks.
Selected Answer: C
Question #: 1502
Topic #: 1
Which of the following is the BEST reason to incorporate risk scenarios associated with a bring your own device (BYOD) policy into the enterprise-wide risk profile?
A. High cost of mobile device management (MDM) implementation
B. Increased exposure to sensitive data leakage
C. Increased trend of organizations within the industry adopting BYOD policies
D. Lack of internal expertise to monitor personal mobile devices
Selected Answer: B
Question #: 1501
Topic #: 1
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of IT policies? The number of:
A. senior management approvals.
B. processes covered by IT policies.
C. IT policy exceptions granted.
D. key technology controls covered by IT policies.
Selected Answer: C
Question #: 1500
Topic #: 1
Which of the following is the MOST important outcome of a business impact analysis (BIA)?
A. Determining availability requirements for systems used by the business
B. Identifying sensitive data within business processes and applications
C. Documenting the order and timing of restoration for critical systems
D. Prioritizing critical business processes and applications
Selected Answer: D
Question #: 1499
Topic #: 1
Which of the following provides the MOST reliable evidence to support conclusions after completing an information systems controls assessment?
A. Information generated by the systems
B. Confirmation from industry peers
C. Control environment narratives
D. Risk and control self-assessment (CSA) reports
Selected Answer: A
Question #: 1498
Topic #: 1
A risk practitioner identifies several servers that have not been updated with patches in over a year because the operating systems are no longer supported. Given these servers still run mission-critical applications, which of the following should be done FIRST?
A. Accept the risk for the legacy servers.
B. Upgrade the operating systems to a supported version.
C. Inform key stakeholders about the increased risk.
D. Advise the cyber team to isolate the servers.
Selected Answer: C
Question #: 1496
Topic #: 1
A risk practitioner has been asked to evaluate a new cloud-based service to enhance an organization’s access management capabilities. When is the BEST time for the risk practitioner to provide opinions on control strength?
A. After the initial design
B. After a few weeks in use
C. Before production rollout
D. Before end-user testing
Selected Answer: C
Question #: 1495
Topic #: 1
An organization’s Internet-facing server was successfully attacked because the server did not have the latest security patches. The risk associated with poor patch management had been documented in the risk register and accepted. Who should be accountable for any related losses to the organization?
A. IT risk manager
B. Risk practitioner
C. Server administrator
D. Risk owner
Selected Answer: D
Question #: 1494
Topic #: 1
Which of the following is MOST important for a risk practitioner to review during an IT risk assessment?
A. Information system control weaknesses and audit findings
B. Information system assets and associated threats
C. The organization’s historical threats and monetary loss
D. Published records of loss from peer organizations
Selected Answer: B
Question #: 1492
Topic #: 1
A risk practitioner notes that the number of unauthorized disclosures of confidential data has been increasing. Which of the following is MOST important to examine for determining the root cause?
A. The volume of data loss prevention (DLP) alerts
B. Completeness of data classification schema
C. Scope of security awareness training
D. Updated regulations related to data protection
Selected Answer: B
Question #: 1491
Topic #: 1
Which of the following would be MOST helpful when determining the resources needed to mitigate risk identified as a result of a risk assessment?
A. Cost-benefit analysis
B. Root cause analysis
C. Risk analysis
D. Business impact analysis (BIA)
Selected Answer: A
Question #: 1490
Topic #: 1
Which of the following should be a risk practitioner’s GREATEST concern upon learning of failures in a data migration activity?
A. Integrity of data
B. System performance
C. Cost overruns
D. Availability of test data
Selected Answer: A
Question #: 1489
Topic #: 1
Which of the following would be the GREATEST risk associated with conducting a parallel run during the replacement of a legacy system?
A. Loss of skills associated with the legacy system
B. Undetected data inconsistency
C. Lack of change management for new requirements
D. Insufficient resource availability
Selected Answer: B
Question #: 1488
Topic #: 1
Which of the following is the MOST important action for a risk practitioner when a recovery test indicates control gaps?
A. Verify test specifications.
B. Review the recovery test report.
C. Perform a root cause analysis.
D. Develop an action plan.
Selected Answer: D
Question #: 1487
Topic #: 1
Which of the following is the GREATEST concern if the recovery time objective (RTO) is not achieved during a disaster recovery test?
A. Potential loss of revenue
B. Lack of network redundancy
C. Inadequate system availability
D. Lack of clear roles and responsibilities
Selected Answer: A
Question #: 1486
Topic #: 1
Which of the following is the MOST important consideration for a risk owner when deciding whether to accept IT-related risk?
A. Industry risk standards
B. Opinion of external audit
C. The likelihood that the risk will materialize
D. The organization’s risk appetite
Selected Answer: D
Question #: 1485
Topic #: 1
Which of the following should be given the HIGHEST priority when developing a response plan for risk assessment results?
A. Risk that has been untreated
B. Items with the highest likelihood of occurrence
C. Items with a high inherent risk
D. Risk that exceeds risk appetite
Selected Answer: D
Question #: 1484
Topic #: 1
Which of the following is the BEST way to assess the effectiveness of an access management process?
A. Reviewing for compliance with acceptable use policy
B. Reviewing access logs for user activity
C. Comparing the actual process with the documented process
D. Reconciling a list of accounts belonging to terminated employees
Selected Answer: C
Question #: 1483
Topic #: 1
Risk mitigation is MOST effective when which of the following is optimized?
A. Inherent risk
B. Residual risk
C. Operational risk
D. Regulatory risk
Selected Answer: B
Question #: 1481
Topic #: 1
Which of the following is a PRIMARY benefit to an organization adopting a three lines of defense model?
A. It establishes clear communication among stakeholders.
B. It outlines a control layering approach.
C. It provides a risk governance structure.
D. It enforces a strong risk culture.
Selected Answer: C
Question #: 1480
Topic #: 1
A control owner has decided to implement a compensating control instead of the control selected in the risk action plan. Which of the following is the risk practitioner’s MOST important action after reassessing the risk?
A. Notify senior management of the control owner’s decision.
B. Seek approval of the change from the risk owner.
C. Update control ownership in the risk register.
D. Update policies relevant to the risk.
Selected Answer: B
Question #: 1479
Topic #: 1
Which of the following attributes of data provided to an automated log analysis tool is MOST important for effective risk monitoring?
A. Retention
B. Confidentiality
C. Relevancy
D. Scalability
Selected Answer: C
Question #: 1478
Topic #: 1
Which of the following would be MOST helpful to review when prioritizing the implementation of multiple IT-related initiatives?
A. Risk policy
B. Risk profile
C. Risk assessment results
D. Risk awareness program objectives
Selected Answer: C
Question #: 1477
Topic #: 1
Which of the following presents the GREATEST risk associated with the use of emerging technologies?
A. Obsolete security policies and procedures
B. Irrelevant skill sets and job descriptions
C. Disposal and replacement of IT equipment
D. Introduction of known and unknown security vulnerabilities
Selected Answer: D
Question #: 1476
Topic #: 1
An organization has outsourced its backup and recovery procedures to a cloud service provider. The provider’s controls are inadequate for the organization’s level of risk tolerance. As a result, the organization has internally implemented additional backup and recovery controls. Which risk response has been adopted?
A. Acceptance
B. Transfer
C. Avoidance
D. Mitigation
Selected Answer: D
Question #: 1474
Topic #: 1
Who is ULTIMATELY accountable for the confidentiality of data in the event of a data breach within a Software as a Service (SaaS) environment?
A. Vendor’s application owner
B. Vendor’s information security officer
C. Customer’s data owner
D. Customer’s data privacy officer
Selected Answer: C
Question #: 1472
Topic #: 1
An organization’s IT department wants to complete a proof of concept (POC) for a security tool. The project lead has asked for approval to use the production data for testing purposes as it will yield the best results. Which of the following is the risk practitioner’s BEST recommendation?
A. Accept the risk of using the production data to ensure accurate results.
B. Deny the request, as production data should not be used for testing purposes.
C. Benchmark against what peer organizations are doing with POC testing environments.
D. Assess the risk of using production data for testing before making a decision.
Selected Answer: D
Question #: 1470
Topic #: 1
Which of the following is the MOST effective way to help ensure senior management is informed about the organization’s risk environment?
A. Recommend risk treatments to senior management to address risk.
B. Implement a top-down approach to control implementation.
C. Create a risk program that includes a bottom-up approach.
D. Provide guidance to senior management on risk acceptance.
Selected Answer: C
Question #: 1469
Topic #: 1
An organization has recently corrected its machine-learning model that had been producing automated decisions that had adverse impact on its customers. Which of the following is the BEST course of action?
A. Discontinue use of machine learning for customer-related decision making.
B. Report the adverse impact to regulatory authorities.
C. Request risk acceptance from senior management.
D. Implement appropriate data governance to monitor decision-making outcomes.
Selected Answer: D
Question #: 1468
Topic #: 1
An organization is outsourcing data processing to a third-party data center facility to reduce costs. Who is responsible for the performance of data retention controls?
A. The organization’s control owner
B. The third-party senior management
C. The third-party control owner
D. The organization’s internal audit team
Selected Answer: C
Question #: 1467
Topic #: 1
Which of the following is the MOST effective in mitigating the risk of rogue Internet of Things (IoT) devices in an organization’s network?
A. Intrusion prevention system (IPS)
B. Real-time network traffic monitoring
C. Using a connection-oriented protocol
D. Documentation of network architecture
Selected Answer: A
Question #: 1466
Topic #: 1
Which of the following is the BEST indication of a potential threat?
A. Excessive activity in system logs
B. Increase in identified system vulnerabilities
C. Excessive policy and standard exceptions
D. Ineffective risk treatment plans
Selected Answer: A
Question #: 1465
Topic #: 1
Which of the following is the BEST approach to resolve a disagreement between stakeholders regarding the impact of a potential risk scenario?
A. Calculate the historical impact of risk occurring at industry peers.
B. Use the highest value of potential impact suggested by the stakeholders.
C. Identify data that could be used to help quantify the risk.
D. Modify the risk scenario to address stakeholder concerns.
Selected Answer: A
Question #: 1464
Topic #: 1
An insurance company handling sensitive and personal information from its customers receives a large volume of telephone requests and electronic communications daily. Which of the following is MOST important to include in a risk awareness training session for the customer service department?
A. Identifying social engineering attacks
B. Archiving sensitive information
C. Understanding the importance of using a secure password
D. Understanding the incident management process
Selected Answer: A
Question #: 1463
Topic #: 1
Which of the following provides a risk practitioner with the MOST reliable evidence of a third-party’s ability to protect the confidentiality of sensitive corporate information?
A. External audit reports
B. Internal audit reports
C. Control self-assessment (CSA) results
D. A signed nondisclosure agreement (NDA)
Selected Answer: A
Question #: 1462
Topic #: 1
Which of the following is the MOST important risk management activity during project initiation?
A. Classifying project data
B. Identifying key risk stakeholders
C. Establishing a risk mitigation plan
D. Defining key risk indicators (KRIs)
Selected Answer: B
Question #: 1461
Topic #: 1
To drive effective risk management, it is MOST important that an organization’s policy framework is:
A. mapped to an industry-standard framework.
B. aligned to the functional business structure.
C. approved by relevant stakeholders.
D. included in employee onboarding materials.
Selected Answer: C
Question #: 1458
Topic #: 1
An organization requires a third-party attestation report annually from all service providers. One service provider is unable to provide the required report due to recent changes in ownership. Which of the following is the BEST course of action for the risk practitioner?
A. Verify that an exception has been approved.
B. Implement additional controls to mitigate the risk.
C. Approve an exception for the report and document associated controls.
D. Execute an independent review of the service provider.
Selected Answer: D
Question #: 1457
Topic #: 1
Which of the following is the ULTIMATE objective of utilizing key control indicators (KCIs) in the risk management process?
A. To provide benchmarks for assessing control design effectiveness against industry peers
B. To provide insight into the effectiveness of the internal control environment
C. To provide early warning signs of a potential change in risk level
D. To provide a basis for determining the criticality of risk mitigation controls
Selected Answer: B
Question #: 1455
Topic #: 1
Which of the following is MOST likely to result in a major change to the overall risk profile of the organization?
A. Changes in internal and external auditors
B. Changes in vulnerability assessment and penetration testing
C. Changes in risk appetite and risk tolerance
D. Changes in internal and external risk factors
Selected Answer: C
Question #: 1454
Topic #: 1
Which of the following is the MOST effective way to validate organizational awareness of cybersecurity risk?
A. Implementing mock phishing exercises
B. Requiring two-factor authentication
C. Updating the information security policy
D. Conducting security awareness training
Selected Answer: A
Question #: 1453
Topic #: 1
Which of the following would be the result of a significant increase in the motivation of a malicious threat actor?
A. Increase in risk event likelihood
B. Increase in mitigating control costs
C. Increase in risk event impact
D. Increase in cybersecurity premiums
Selected Answer: B
Question #: 1452
Topic #: 1
The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for:
A. data classification and labeling.
B. data mining and analytics.
C. data retention and destruction.
D. data logging and monitoring.
Selected Answer: C
Question #: 1451
Topic #: 1
Which of the following is MOST likely to trigger the need for a risk reassessment?
A. Risk assessment tools have changed.
B. Audit programs have changed.
C. A vulnerability has been identified within the industry.
D. The scheduled review period has passed.
Selected Answer: D
Question #: 1450
Topic #: 1
Which of the following would BEST prevent an unscheduled application of a patch?
A. Segregation of duties
B. Compensating controls
C. Change management
D. Network-based access controls
Selected Answer: D
Question #: 1448
Topic #: 1
An organization has decided to migrate its critical system database containing customer information to branches located in other countries. Which of the following should be of MOST concern regarding the migration?
A. Regional regulatory requirements regarding the protection of sensitive data
B. Database synchronization and encryption policies
C. Security configurations of the database system after migration
D. Fault tolerance of each database with customer information
Selected Answer: C
Question #: 1447
Topic #: 1
Which of the following is the BEST method for assessing the current effectiveness of an organization’s risk management program against its desired level of capability?
A. Risk management maturity model
B. Risk management improvement program
C. Internal audit review
D. Benchmarking with peer organizations
Selected Answer: C
Question #: 1446
Topic #: 1
An enterprise has taken delivery of software patches that address vulnerabilities in its core business software. Prior to implementation, which of the following is the MOST important task to be performed?
A. Seek information from the software vendor to enable effective application of the patches.
B. Assess the impact of applying the patches on the production environment.
C. Determine in advance an off-peak period to apply the patches.
D. Survey other enterprises regarding their experiences with applying these patches.
Selected Answer: B
Question #: 1445
Topic #: 1
Which of the following is MOST helpful to facilitate the decision of recovery priorities in a disaster situation?
A. Risk scenario analysis
B. Key risk indicators (KRIs)
C. Recovery point objective (RPO)
D. Business impact analysis (BIA)
Selected Answer: D
Question #: 1444
Topic #: 1
Which of the following would BEST enable a risk-based decision when considering the use of an emerging technology for data processing?
A. Gap analysis
B. Resource skills matrix
C. Threat assessment
D. Data quality assurance (QA) plan
Selected Answer: C
Question #: 1442
Topic #: 1
Which of the following criteria is MOST important to include in an agreement with a penetration testing vendor?
A. Scope of the systems to be assessed
B. Steps to remediate identified vulnerabilities
C. Expectations of code escrow safeguards
D. Details of testing methods to be used
Selected Answer: C
Question #: 1441
Topic #: 1
An organization wants to transfer risk by purchasing cyber insurance. Which of the following would be MOST important for the risk practitioner to communicate to senior management for contract negotiation purposes?
A. Cyber insurance industry benchmarking report
B. Most recent IT audit report results
C. Current annualized loss expectancy report
D. Replacement cost of IT assets
Selected Answer: C
Question #: 1439
Topic #: 1
An IT risk threat analysis is BEST used to establish:
A. risk scenarios.
B. risk maps.
C. risk ownership.
D. risk appetite.
Selected Answer: A
Question #: 1438
Topic #: 1
Which of the following is the PRIMARY objective of aggregating the impact of IT risk scenarios and reflecting the results in the enterprise risk register?
A. To ensure IT risk scenarios are consistently assessed within the organization
B. To ensure IT risk ownership is assigned at the appropriate organizational level
C. To ensure IT risk impact can be compared to the IT risk appetite
D. To ensure IT risk appetite is communicated across the organization
Selected Answer: A
Question #: 1437
Topic #: 1
Which of the following is the BEST criterion to determine whether a control environment is effective?
A. The controls increase the organization’s tolerance for risk.
B. The controls increase the projected amount of loss the organization would incur.
C. The controls reduce the likelihood of realizing the associated risk scenario.
D. The controls transfer the associated risk to a third party.
Selected Answer: C
Question #: 1436
Topic #: 1
In response to recent security incidents, the IT risk management team is promoting a global security plan that defines controls to be implemented in multiple regions. Which of the following BEST enables the successful deployment of this plan?
A. Obtain the approval of each regional head.
B. Engage an external auditor in each region before deployment.
C. Provide each region with adequate funding.
D. Allow each region to adapt the plan to its local requirements.
Selected Answer: D
Question #: 1434
Topic #: 1
Which of the following is the MOST important document regarding the treatment of sensitive data?
A. Organization risk profile
B. Digital rights management policy
C. Information classification policy
D. Encryption policy
Selected Answer: C
Question #: 1433
Topic #: 1
Which of the following provides the BEST indication of risk management maturity?
A. Comprehensive risk and control assessment methodology
B. Risk management policy alignment with corporate culture
C. Business continuity insurance coverage
D. Presence of a risk management framework
Selected Answer: B
Question #: 1432
Topic #: 1
An organization is considering the adoption of an aggressive business strategy to achieve desired growth. From a risk management perspective, what should the risk practitioner do NEXT?
A. Update risk awareness training to reflect current levels of risk appetite and tolerance.
B. Identify new threats resulting from the new business strategy.
C. Increase the scale for measuring impact due to threat materialization.
D. Inform the board of potential risk scenarios associated with aggressive business strategies.
Selected Answer: B
Question #: 1431
Topic #: 1
Which of the following is MOST important for the organization to consider before implementing a new in-house developed artificial intelligence (AI) solution?
A. Data feeds
B. Expected algorithm outputs
C. Industry trends in AI
D. Alert functionality
Selected Answer: A
Question #: 1430
Topic #: 1
Which of the following is MOST important when planning to implement a Software as a Service (SaaS) application to manage information?
A. Determining if sensitive data will be included
B. Assessing if adequate deconversion services are available
C. Reviewing service level agreements (SLAs)
D. Obtaining the service provider’s controls attestation
Selected Answer: A
Question #: 1429
Topic #: 1
A risk assessment of an organization’s architecture reveals that the middleware systems have a severe vulnerability that could compromise the confidentiality of record processing. Which of the following is the risk practitioner’s BEST course of action?
A. Recommend additional budget to cover the cost of an upgrade.
B. Develop a remediation plan with the business process owner.
C. Escalate the issue to senior management.
D. Document the issue in the business impact analysis (BIA).
Selected Answer: B
Question #: 1428
Topic #: 1
An organization is planning a project to replace several complex manual controls with automated processes. Which of the following is the risk practitioner’s MOST important course of action?
A. Test the automated processes to ensure results are accurate.
B. Determine whether the automated processes adequately address the risk.
C. Establish the degree of control efficiency improvement.
D. Update the associated control assessments for the automated processes.
Selected Answer: B
Question #: 1427
Topic #: 1
Which of the following is the MOST effective way to identify changes in the performance of the control environment?
A. Evaluate key performance indicators (KPIs).
B. Perform a control self-assessment (CSA).
C. Implement continuous monitoring.
D. Adjust key risk indicators (KRIs).
Selected Answer: C
Question #: 1426
Topic #: 1
Which strategy employed by risk management would BEST help to prevent internal fraud?
A. Require control owners to conduct an annual control certification.
B. Require the information security officer to review unresolved incidents.
C. Ensure segregation of duties is implemented within key systems or processes.
D. Conduct regular internal and external audits on the systems supporting financial reporting.
Selected Answer: C
Question #: 1425
Topic #: 1
A key performance indicator (KPI) has been established to monitor the number of software changes that fail and must be re-implemented. An increase in the KPI indicates an ineffective:
A. preventive control.
B. deterrent control.
C. administrative control.
D. corrective control.
Selected Answer: D
Question #: 1424
Topic #: 1
Which of the following would have the GREATEST impact on reducing the risk associated with the implementation of a big data project?
A. Data governance
B. Data processing
C. Data scalability
D. Data quality
Selected Answer: A
Question #: 1423
Topic #: 1
Which of the following is the BEST way to reduce the likelihood of an individual performing a potentially harmful action as the result of unnecessary entitlement?
A. Least privilege
B. Application monitoring
C. Separation of duty
D. Nonrepudiation
Selected Answer: A
Question #: 1422
Topic #: 1
Which of the following should be done FIRST to enable consistent understanding of risk across the organization?
A. Prepare relevant risk scenarios for use across the organization.
B. Develop risk awareness communications for the organization.
C. Establish a common risk taxonomy for the organization.
D. Embed risk management practices throughout the organization.
Selected Answer: C
Question #: 1402
Topic #: 1
The PRIMARY objective of collecting information and reviewing documentation when performing periodic risk analyses should be to:
A. survey and analyze historical risk data
B. identify new or emerging risk issues
C. understand internal and external threat agents
D. satisfy audit requirements
Selected Answer: B
Question #: 1421
Topic #: 1
Optimized risk management is achieved when risk is reduced:
A. with strategic initiatives.
B. within resource availability.
C. below risk appetite.
D. to meet risk appetite.
Selected Answer: D
Question #: 1420
Topic #: 1
When assembling IT risk scenarios, it is MOST important that the scenarios:
A. describe worst-case situations and the inherent likelihood of risk.
B. are linked to relevant business risk and corresponding information classification.
C. can be used for efficient risk identification and subsequent risk analysis.
D. consider the information criteria efficiency, effectiveness, and availability.
Selected Answer: B
Question #: 1418
Topic #: 1
Which of the following is MOST helpful to review when assessing the risk exposure associated with ransomware?
A. Potentially impacted business processes
B. Recent changes in the environment
C. Key performance indicators (KPIs)
D. Suspected phishing events
Selected Answer: A
Question #: 1417
Topic #: 1
Which of the following has the GREATEST impact on ensuring the alignment of the risk profile with business objectives?
A. Incorporation of industry best practice benchmarks and standards
B. An effective enterprise-wide risk awareness program
C. Senior management approval of risk appetite and tolerance
D. Stage gate reviews throughout the risk management process
Selected Answer: C
Question #: 1416
Topic #: 1
After the announcement of a new IT regulatory requirement, it is MOST important for a risk practitioner to:
A. prepare an IT risk mitigation strategy
B. review the impact to the IT environment
C. escalate to senior management
D. perform a cost-benefit analysis
Selected Answer: B
Question #: 1415
Topic #: 1
Which of the following is the FIRST consideration to reduce risk associated with the storage of personal data?
A. Normalize the personal data.
B. Implement privacy training.
C. Minimize the collection of data.
D. Encrypt the personal data.
Selected Answer: C
Question #: 1414
Topic #: 1
The PRIMARY reason to implement a formalized risk taxonomy is to:
A. reduce subjectivity in risk management
B. comply with regulatory requirements
C. demonstrate best industry practice
D. improve visibility of overall risk exposure
Selected Answer: A
Question #: 1413
Topic #: 1
Which of the following analyses is MOST useful for prioritizing risk scenarios associated with loss of IT assets?
A. Cost-benefit analysis
B. Business impact analysis (BIA)
C. SWOT analysis
D. Root cause analysis
Selected Answer: B
Question #: 1412
Topic #: 1
Which of the following MOST effectively ensures controls are built into applications during development?
A. Independent post-implementation reviews of system development projects by internal audit
B. Static code scanning throughout the systems development life cycle (SDLC)
C. Dynamic security testing before applications move to production
D. Engagement of security team early in the systems development life cycle (SDLC)
Selected Answer: D
Question #: 1411
Topic #: 1
As part of software development projects, risk assessments are MOST effective when performed:
A. throughout the system development life cycle (SDLC).
B. before the decision is made to develop or acquire the software.
C. during system deployment and maintenance.
D. before developing the project charter for the software.
Selected Answer: A
Question #: 1410
Topic #: 1
Which of the following BEST enables risk mitigation associated with software licensing noncompliance?
A. Perform automated vulnerability scans.
B. Conduct annual reviews of license expiration dates.
C. Implement automated IT asset management controls.
D. Document IT inventory management procedures.
Selected Answer: C
Question #: 1409
Topic #: 1
Which of the following provides the BEST assurance of control effectiveness for security risk scenarios in a service provider’s environment?
A. Independent assessment report
B. Penetration testing
C. Service-level monitoring
D. Service provider’s control self-assessment (CSA)
Selected Answer: A
Question #: 1408
Topic #: 1
Which of the following is a risk practitioner’s BEST course of action upon learning that regulatory authorities have concerns with an emerging technology the organization is considering?
A. Update risk responses.
B. Perform a threat assessment.
C. Redesign key risk indicators (KRIs).
D. Conduct a SWOT analysis.
Selected Answer: B
Question #: 1406
Topic #: 1
Which of the following is the MOST important metric to monitor the performance of the change management process?
A. Percentage of changes having segregation of duties in code deployment
B. Percentage of changes having completed post-implementation verification
C. Percentage of changes having to invoke the rollback plan
D. Percentage of changes having user acceptance testing (UAT) sign-off
Selected Answer: B
Question #: 1405
Topic #: 1
Which of the following is PRIMARILY a risk management responsibility of the first line of defense?
A. Implementing risk treatment plans
B. Conducting independent reviews of risk assessment results
C. Establishing risk policies and standards
D. Validating the status of risk mitigation efforts
Selected Answer: A
Question #: 1404
Topic #: 1
Which of the following is MOST important for managing ethical risk?
A. Involving senior management in resolving ethical disputes
B. Developing metrics to trend reported ethics violations
C. Establishing a code of conduct for employee behavior
D. Identifying the ethical concerns of each stakeholder
Selected Answer: C
Question #: 1403
Topic #: 1
An organization is developing a risk universe to create a holistic view of its overall risk profile. Which of the following is the GREATEST barrier to achieving the initiative’s objectives?
A. Lack of common understanding of the organization’s risk culture
B. Lack of cross-functional risk assessment workshops within the organization
C. Lack of quantitative methods to aggregate the total risk exposure
D. Lack of an integrated risk management system to aggregate risk scenarios
Selected Answer: A
Question #: 1401
Topic #: 1
Which of the following will BEST help to ensure new IT policies address the enterprise’s requirements?
A. Involve business owners in the policy development process.
B. Provide policy owners with greater enforcement authority.
C. Require business users to sign acknowledgment of the policies.
D. Involve IT leadership in the policy development process.
Selected Answer: A
Question #: 1400
Topic #: 1
Which of the following is the BEST risk management approach for the strategic IT planning process?
A. The IT strategic plan is developed from the organization-wide risk management plan.
B. Risk scenarios associated with IT strategic initiatives are identified and assessed.
C. Key performance indicators (KPIs) are established to track IT strategic initiatives.
D. The IT strategic plan is reviewed by the chief information security officer (CISO) and enterprise risk management (ERM).
Selected Answer: A
Question #: 1399
Topic #: 1
Management has determined that it will take significant time to remediate exposures in the current IT control environment. Which of the following is the BEST course of action?
A. Reassess the risk periodically.
B. Improve project management methodology.
C. Implement control monitoring.
D. Identify compensating controls.
Selected Answer: D
Question #: 1398
Topic #: 1
What is the MAIN benefit of using a top-down approach to develop risk scenarios?
A. It describes risk events specific to technology used by the enterprise.
B. It establishes the relationship between risk events and organizational objectives.
C. It helps management and the risk practitioner to refine risk scenarios.
D. It uses hypothetical and generic risk events specific to the enterprise.
Selected Answer: B
Question #: 1397
Topic #: 1
Which of the following is the GREATEST benefit of having a mature enterprise architecture (EA) in place?
A. Standards-based policies
B. Efficient operations
C. Regulatory compliance
D. Audit readiness
Selected Answer: B
Question #: 1396
Topic #: 1
Which of the following BEST reduces the probability of laptop theft?
A. Acceptable use policy
B. Asset tag with GPS
C. Cable lock
D. Data encryption
Selected Answer: C
Question #: 1395
Topic #: 1
Which of the following BEST enables senior management to compare the ratings of risk scenarios?
A. Control self-assessment (CSA)
B. Key risk indicators (KRIs)
C. Risk heat map
D. Key performance indicators (KPIs)
Selected Answer: C
Question #: 1393
Topic #: 1
Which of the following potential scenarios associated with the implementation of a new database technology presents the GREATEST risk to an organization?
A. Application and data migration cost for backups may exceed budget.
B. The organization may not have a sufficient number of skilled resources.
C. Data may not be recoverable due to system failures.
D. The database system may not be scalable in the future.
Selected Answer: C
Question #: 1392
Topic #: 1
Which of the following is the MOST effective way to reduce potential losses due to ongoing expense fraud?
A. Implement user access controls.
B. Develop and communicate fraud prevention policies.
C. Perform regular internal audits.
D. Conduct fraud prevention awareness training.
Selected Answer: C
Question #: 1390
Topic #: 1
Which of the following is the BEST evidence of the effectiveness of a security awareness program?
A. An increase in the number of user-reported security issues
B. A decrease in the number of security threats
C. An increase in the number of key performance indicators (KPIs)
D. A decrease in the number of failed login attempts
Selected Answer: A
Question #: 1387
Topic #: 1
Which of the following provides the MOST useful information for developing key risk indicators (KRIs)?
A. Business impact analysis (BIA) results
B. Risk scenario ownership
C. Possible causes of materialized risk
D. Risk thresholds
Selected Answer: D
Question #: 1386
Topic #: 1
An organization recently implemented a machine learning-based solution to monitor IT usage and analyze user behavior in an effort to detect internal fraud. Which of the following is MOST likely to be reassessed as a result of this initiative?
A. Risk likelihood
B. Risk appetite
C. Risk capacity
D. Risk culture
Selected Answer: A
Question #: 1385
Topic #: 1
Who should be responsible for determining which stakeholders need to be involved in the development of a risk scenario?
A. Risk owner
B. Control owner
C. Compliance manager
D. Risk practitioner
Selected Answer: D
Question #: 1383
Topic #: 1
Which of the following provides the BEST assurance of the effectiveness of vendor security controls?
A. Require independent control assessments.
B. Review vendor service level agreement (SLA) metrics.
C. Review vendor control self-assessments (CSA).
D. Obtain vendor references from existing customers.
Selected Answer: A
Question #: 1382
Topic #: 1
Which of the following is the ULTIMATE goal of conducting a privacy impact analysis (PIA)?
A. To identify gaps in data protection controls
B. To identify personally identifiable information (PII)
C. To develop a customer notification plan
D. To determine gaps in data deidentification processes
Selected Answer: A
Question #: 1381
Topic #: 1
Which of the following is the BEST method to mitigate the risk of an unauthorized employee viewing confidential data in a database?
A. Implement a data masking process.
B. Include sanctions in nondisclosure agreements (NDAs).
C. Implement role-based access control.
D. Install a data loss prevention (DLP) tool.
Selected Answer: C
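Questions 1423 (least privilege), 1426 (segregation of duties) and 1381 (role-based access control versus data masking) all turn on the same access-control mechanics. The block below is an added example, not part of the question bank or any ISACA material: a small RBAC model over a constructed in-memory payroll table that shows the three controls side by side. Role names, users, columns and the access log are hypothetical. It shows why RBAC (dropping columns the role does not grant) is the primary control against an unauthorized employee viewing confidential data, why masking is a display-layer complement rather than a substitute, how a segregation-of-duties conflict is detected from role assignments, and how an access log exposes unused entitlements that least privilege says should be revoked.

```python
"""Added example: RBAC with least-privilege and segregation-of-duties checks
over a constructed payroll table. All roles, users and data are hypothetical."""
from dataclasses import dataclass

# Permission = (table, column, action); column "*" covers every column.
ROLE_PERMISSIONS = {
    "clerk":     {("payroll", "employee_id", "read"), ("payroll", "dept", "read")},
    "hr_admin":  {("payroll", "*", "read")},
    "submitter": {("payments", "*", "create")},
    "approver":  {("payments", "*", "approve")},
}

# Duties one person must never hold together (segregation of duties).
SOD_CONFLICTS = {frozenset({"submitter", "approver"})}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


def has_permission(user, table, column, action):
    """RBAC decision: allowed only if one of the user's roles grants the
    (table, column, action) triple; anything not granted is denied."""
    return any(
        t == table and a == action and c in ("*", column)
        for role in user.roles
        for (t, c, a) in ROLE_PERMISSIONS.get(role, ())
    )


def read_row(user, table, row):
    """Enforce RBAC at the data layer: return only the columns the user's
    roles allow to be read. Unauthorized columns are not returned at all."""
    return {col: val for col, val in row.items()
            if has_permission(user, table, col, "read")}


def mask(value, keep=2):
    """Partial masking for displays that must show a value exists."""
    s = str(value)
    return "*" * max(len(s) - keep, 0) + s[-keep:]


def masked_row(user, table, row):
    """Masking alternative: the column is shown, but values the user is not
    entitled to read are masked. The raw value still had to reach this code,
    so masking alone does not stop someone who can query the table directly."""
    return {col: (val if has_permission(user, table, col, "read") else mask(val))
            for col, val in row.items()}


def sod_violations(user):
    """Role combinations that let one person both initiate and approve."""
    return sorted(sorted(pair) for pair in SOD_CONFLICTS if pair <= user.roles)


def unused_entitlements(user, access_log):
    """Least privilege: permissions granted through the user's roles that the
    access log never shows being exercised; candidates for revocation.
    access_log entries are (user_name, table, column, action)."""
    used = {(t, c, a) for (who, t, c, a) in access_log if who == user.name}
    granted = set().union(*(ROLE_PERMISSIONS[r] for r in user.roles))

    def exercised(perm):
        t, c, a = perm
        return any(lt == t and la == a and c in ("*", lc) for (lt, lc, la) in used)

    return sorted(p for p in granted if not exercised(p))


# Constructed sample data (hypothetical).
PAYROLL_ROW = {"employee_id": "E1042", "dept": "Finance",
               "salary": 98000, "ssn": "123-45-6789"}
clerk = User("alice", frozenset({"clerk"}))
hr = User("bob", frozenset({"hr_admin"}))
both = User("carol", frozenset({"submitter", "approver"}))
ACCESS_LOG = [
    ("alice", "payroll", "employee_id", "read"),
    ("alice", "payroll", "employee_id", "read"),
    ("bob", "payroll", "salary", "read"),
]

if __name__ == "__main__":
    print("clerk sees:", read_row(clerk, "payroll", PAYROLL_ROW))
    print("clerk masked view:", masked_row(clerk, "payroll", PAYROLL_ROW))
    print("SoD violations for carol:", sod_violations(both))
    print("unused entitlements for alice:", unused_entitlements(clerk, ACCESS_LOG))
```

Running it shows the clerk receiving only `employee_id` and `dept` from `read_row`, the masked view leaking the column names and last digits (`***00`, `*********89`) that a pure RBAC deny does not, carol flagged for holding both `submitter` and `approver`, and alice's never-used `dept` read permission surfacing as a revocation candidate.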
Question #: 1380
Topic #: 1
Which of the following is the MOST important characteristic of a key risk indicator (KRI) to enable decision-making?
A. Listing alternative causes for risk events
B. Setting minimum sample sizes to ensure accuracy
C. Monitoring the risk until exposure is reduced
D. Illustrating changes in risk trends
Selected Answer: D
Question #: 1379
Topic #: 1
A poster has been displayed in a data center that reads, “Anyone caught taking photographs in the data center may be subject to disciplinary action.” Which of the following control types has been implemented?
A. Preventative
B. Corrective
C. Detective
D. Deterrent
Selected Answer: D
Question #: 1378
Topic #: 1
An organization has been experiencing an increasing number of spear phishing attacks. Which of the following would be the MOST effective way to mitigate the risk associated with these attacks?
A. Implement a security awareness program.
B. Require strong password complexity.
C. Implement two-factor authentication.
D. Update firewall configuration.
Selected Answer: A
Question #: 1377
Topic #: 1
Which of the following BEST enables a risk practitioner to understand management’s approach to organizational risk?
A. Industry best practices for risk management
B. Risk appetite and risk tolerance
C. Prior year’s risk assessment results
D. Organizational structure and job descriptions
Selected Answer: B
Question #: 1376
Topic #: 1
A risk practitioner has identified that the agreed recovery time objective (RTO) with a Software as a Service (SaaS) provider is longer than the business expectation. Which of the following is the risk practitioner’s BEST course of action?
A. Collaborate with the risk owner to determine the risk response plan.
B. Include a right to audit clause in the service provider contract.
C. Advise the risk owner to accept the risk.
D. Document the gap in the risk register and report to senior management.
Selected Answer: A
Question #: 1375
Topic #: 1
A recent regulatory requirement has the potential to affect an organization’s use of a third party to supply outsourced business services. Which of the following is the BEST course of action?
A. Identify compensating controls.
B. Terminate the outsourcing agreement.
C. Transfer risk to the third party.
D. Conduct a gap analysis.
Selected Answer: D