CRISC Topic 4
Question #: 1373
Topic #: 1
What is the BEST recommendation to reduce the risk associated with potential system compromise when a vendor stops releasing security patches and updates for a business-critical legacy system?
A. Ensure regular backups take place.
B. Install antivirus software on the system.
C. Virtualize the system in the cloud.
D. Segment the system on its own network.
Selected Answer: D
Question #: 1371
Topic #: 1
Which of the following would MOST likely cause management to unknowingly accept excessive risk?
A. Lack of preventive controls
B. Risk tolerance being set too low
C. Inaccurate risk ratings
D. Satisfactory audit results
Selected Answer: C
Question #: 1369
Topic #: 1
Which of the following is the MAIN benefit to an organization using key risk indicators (KRIs)?
A. KRIs assist in the preparation of the organization’s risk profile.
B. KRIs signal that a change in the control environment has occurred.
C. KRIs provide an early warning that a risk threshold is about to be reached.
D. KRIs provide a basis to set the risk appetite for an organization.
Selected Answer: C
Question #: 1368
Topic #: 1
One of an organization’s key IT systems cannot be patched because the patches interfere with critical business application functionalities. Which of the following would be the risk practitioner’s BEST recommendation?
A. The associated IT risk should be accepted by management.
B. The organization’s IT risk appetite should be adjusted.
C. Additional mitigating controls should be identified.
D. The system should not be used until the application is changed.
Selected Answer: C
Question #: 1367
Topic #: 1
An organization recently acquired a new business division. Which of the following is MOST likely to be affected?
A. Risk tolerance
B. Risk appetite
C. Risk profile
D. Risk culture
Selected Answer: C
Question #: 1365
Topic #: 1
Which of the following would provide the MOST useful input when evaluating the appropriateness of risk responses?
A. Cost-benefit analysis
B. Control objectives
C. Incident reports
D. Risk tolerance
Selected Answer: A
Question #: 1364
Topic #: 1
Which of the following BEST balances the costs and benefits of managing IT risk?
A. Eliminating risk through preventive and detective controls
B. Prioritizing and addressing risk in line with risk appetite
C. Considering risk that can be shared with a third party
D. Evaluating the probability and impact of risk scenarios
Selected Answer: B
Question #: 1363
Topic #: 1
An organization has operations in a location that regularly experiences severe weather events. Which of the following would BEST help to mitigate the risk to operations?
A. Conduct a business impact analysis (BIA) for an alternate location.
B. Develop a business continuity plan (BCP).
C. Prepare a disaster recovery plan (DRP).
D. Prepare a cost-benefit analysis to evaluate relocation.
Selected Answer: B
Question #: 1362
Topic #: 1
An organization’s business gap analysis reveals the need for a robust IT risk strategy. Which of the following should be the risk practitioner’s PRIMARY consideration when participating in development of the new strategy?
A. Proposed risk budget
B. Risk indicators
C. Risk culture
D. Scale of technology
Selected Answer: C
Question #: 1361
Topic #: 1
The BEST indicator of the risk appetite of an organization is the:
A. risk management capability of the organization.
B. importance assigned to IT in meeting strategic goals.
C. board of directors’ response to identified risk factors.
D. regulatory environment of the organization.
Selected Answer: C
Question #: 1359
Topic #: 1
Which stakeholder is MOST important to include when defining a risk profile during the selection process for a new third-party application?
A. The information security manager
B. The third-party risk manager
C. The application vendor
D. The business process owner
Selected Answer: D
Question #: 1358
Topic #: 1
Which of the following is the MOST important course of action for a risk practitioner when reviewing the results of control performance monitoring?
A. Analyze appropriateness of key performance indicators (KPIs).
B. Evaluate changes to the organization’s risk profile.
C. Confirm controls achieve regulatory compliance.
D. Validate whether the controls effectively mitigate risk.
Selected Answer: D
Question #: 1357
Topic #: 1
Which of the following is MOST important for an organization to consider when developing its IT strategy?
A. The organization’s risk appetite statement
B. Legal and regulatory requirements
C. IT goals and objectives
D. Organizational goals and objectives
Selected Answer: D
Question #: 1356
Topic #: 1
Which of the following is the BEST recommendation to address recent IT risk trends that indicate social engineering attempts are increasing in the organization?
A. Update spam filters.
B. Conduct a simulated phishing attack.
C. Strengthen disciplinary procedures.
D. Revise the acceptable use policy.
Selected Answer: B
Question #: 1355
Topic #: 1
Which of the following is MOST important to determine as a result of a risk assessment?
A. Risk appetite statement
B. Process ownership
C. Risk response options
D. Risk tolerance levels
Selected Answer: C
Question #: 1354
Topic #: 1
Which risk response strategy could management apply to both positive and negative risk that has been identified?
A. Accept
B. Exploit
C. Mitigate
D. Transfer
Selected Answer: A
Question #: 1353
Topic #: 1
Which of the following is the MOST important consideration for effectively maintaining a risk register?
A. The register is updated frequently.
B. Compensating controls are identified.
C. The register is shared with executive management.
D. An IT owner is assigned for each risk scenario.
Selected Answer: A
Question #: 1352
Topic #: 1
A penetration test reveals several vulnerabilities in a web-facing application. Which of the following should be the FIRST step in selecting a risk response?
A. Assess the level of risk associated with the vulnerabilities.
B. Communicate the vulnerabilities to the risk owner.
C. Correct the vulnerabilities to mitigate potential risk exposure.
D. Develop a risk response action plan with key stakeholders.
Selected Answer: B
Question #: 1351
Topic #: 1
Which of the following is the GREATEST concern when establishing key risk indicators (KRIs)?
A. Nonexistent benchmark analysis
B. Ineffective methods to assess risk
C. Incomplete documentation for KRI monitoring
D. High percentage of lagging indicators
Selected Answer: B
Question #: 1350
Topic #: 1
Which of the following is the result of a realized risk scenario?
A. Threat event
B. Technical event
C. Loss event
D. Vulnerability event
Selected Answer: C
Question #: 1349
Topic #: 1
An organization has allowed several employees to retire early in order to avoid layoffs. Many of these employees have been subject matter experts for critical assets. Which type of risk is MOST likely to materialize?
A. Unauthorized access
B. Confidentiality breach
C. Intellectual property loss
D. Institutional knowledge loss
Selected Answer: D
Question #: 1348
Topic #: 1
Which of the following would be the BEST way for a risk practitioner to validate the effectiveness of a patching program?
A. Conduct vulnerability scans.
B. Review change control board documentation.
C. Interview IT operations personnel.
D. Conduct penetration testing.
Selected Answer: A
Question #: 1347
Topic #: 1
Which of the following is the PRIMARY reason to engage business unit managers in risk management processes?
A. Improved alignment with technical risk
B. Improved business operations efficiency
C. Better-informed business decisions
D. Enhanced understanding of enterprise architecture (EA)
Selected Answer: C
Question #: 1346
Topic #: 1
Which of the following should be considered FIRST when creating a comprehensive IT risk register?
A. Risk mitigation policies
B. Risk appetite
C. Risk analysis techniques
D. Risk management budget
Selected Answer: B
Question #: 1345
Topic #: 1
Which of the following should be the PRIMARY input to determine risk tolerance?
A. Risk management costs
B. Annual loss expectancy (ALE)
C. Regulatory requirements
D. Organizational objectives
Selected Answer: D
Question #: 1342
Topic #: 1
Which of the following should be the FIRST consideration when establishing a new risk governance program?
A. Creating policies and standards that are easy to comprehend
B. Developing an ongoing awareness and training program
C. Completing annual risk assessments on critical resources
D. Embedding risk management into the organization
Selected Answer: D
Question #: 1340
Topic #: 1
An organization is planning to outsource its payroll function to an external service provider. Which of the following should be the MOST important consideration when selecting the provider?
A. Transparency of key performance indicators (KPIs)
B. Right to audit the provider
C. Disaster recovery plan (DRP) of the system
D. Internal controls to ensure data privacy
Selected Answer: B
Question #: 1339
Topic #: 1
Which of the following is the MOST effective way to promote organization-wide awareness of data security in response to an increase in regulatory penalties for data leakage?
A. Enforce sanctions for noncompliance with security procedures.
B. Require regular testing of the data breach response plan.
C. Conduct organization-wide phishing simulations.
D. Require training on the data handling policy.
Selected Answer: D
Question #: 1338
Topic #: 1
Reviewing which of the following BEST helps an organization gain insight into its overall risk profile?
A. Threat landscape
B. Risk metrics
C. Risk appetite
D. Risk register
Selected Answer: D
Question #: 1337
Topic #: 1
Which of the following proposed benefits is MOST likely to influence senior management approval to reallocate budget for a new security initiative?
A. Reduction in the number of incidents
B. Reduction in inherent risk
C. Reduction in residual risk
D. Reduction in the number of known vulnerabilities
Selected Answer: C
Question #: 1336
Topic #: 1
An internal audit report reveals that a legacy system is no longer supported. Which of the following is the risk practitioner’s MOST important action before recommending a risk response?
A. Explore the feasibility of replacing the legacy system.
B. Identify other legacy systems within the organization.
C. Assess the potential impact and cost of mitigation.
D. Review historical application downtime and frequency.
Selected Answer: C
Question #: 1335
Topic #: 1
An information security audit identified a risk resulting from the failure of an automated control. Who is responsible for ensuring the risk register is updated accordingly?
A. The control owner
B. The audit manager
C. The risk practitioner
D. The risk owner
Selected Answer: C
Question #: 1344
Topic #: 1
Which of the following is a risk practitioner’s BEST course of action after identifying risk scenarios related to noncompliance with new industry regulations?
A. Recalculate the risk.
B. Implement monitoring controls.
C. Escalate to senior management.
D. Transfer the risk.
Selected Answer: C
Question #: 1343
Topic #: 1
A risk practitioner is reviewing accountability assignments for data risk in the risk register. Which of the following would pose the GREATEST concern?
A. The risk owner is a staff member rather than a department manager.
B. The risk owner is in a business unit and does not report through the IT department.
C. The risk owner is not the control owner for associated data controls.
D. The risk owner is listed as the department responsible for decision making.
Selected Answer: C
Question #: 1341
Topic #: 1
Which of the following is the BEST way to protect sensitive data from administrators within a public cloud?
A. Encrypt the data in the cloud database.
B. Use an encrypted tunnel to connect to the cloud.
C. Encrypt data before it leaves the organization.
D. Encrypt physical hard drives within the cloud.
Selected Answer: C
Question #: 1334
Topic #: 1
A global organization has implemented an application that does not address all privacy requirements across multiple jurisdictions. Which of the following risk responses has the organization adopted with regard to privacy requirements?
A. Risk mitigation
B. Risk transfer
C. Risk avoidance
D. Risk acceptance
Selected Answer: D
Question #: 1333
Topic #: 1
Which of the following observations from a third-party service provider review would be of GREATEST concern to a risk practitioner?
A. The service contract is up for renewal in less than thirty days.
B. Key third-party personnel have recently been replaced.
C. Monthly service charges are significantly higher than industry norms.
D. Service level agreements (SLAs) have not been met over the last quarter.
Selected Answer: D
Question #: 1332
Topic #: 1
An organization uses one centralized single sign-on (SSO) control to cover many applications. Which of the following is the BEST course of action when a new application is added to the environment after testing of the SSO control has been completed?
A. Initiate a retest of the full control.
B. Re-evaluate the control during the next assessment.
C. Review the corresponding change control documentation.
D. Retest the control using the new application as the only sample.
Selected Answer: C
Question #: 1330
Topic #: 1
Which of the following is the MOST effective way to help ensure accountability for managing risk?
A. Assign process owners to key risk areas.
B. Assign incident response action plan responsibilities.
C. Create accurate process narratives.
D. Obtain independent risk assessments.
Selected Answer: A
Question #: 1329
Topic #: 1
Which of the following is MOST important when determining risk appetite?
A. Assessing regulatory requirements
B. Identifying risk tolerance
C. Benchmarking against industry standards
D. Gaining management consensus
Selected Answer: D
Question #: 1328
Topic #: 1
A risk practitioner has established that a particular control is working as desired, but the annual cost of maintenance has increased and now exceeds the expected annual loss exposure. The result is that the control is:
A. inefficient.
B. ineffective.
C. optimized.
D. mature.
Selected Answer: A
Question #: 1327
Topic #: 1
Which of the following presents the GREATEST challenge to managing an organization’s end-user devices?
A. Incompatible end-user devices
B. Unsupported end-user applications
C. Incomplete end-user device inventory
D. Multiple end-user device models
Selected Answer: C
Question #: 1326
Topic #: 1
The MAIN reason for prioritizing IT risk responses is to enable an organization to:
A. determine the risk appetite.
B. determine the budget.
C. define key performance indicators (KPIs).
D. optimize resource utilization.
Selected Answer: D
Question #: 1325
Topic #: 1
An organization’s recovery team is attempting to recover critical data backups following a major flood in its data center. However, key team members do not know exactly what steps should be taken to address this crisis. Which of the following is the MOST likely cause of this situation?
A. Failure to test the disaster recovery plan (DRP)
B. Lack of well-documented business impact analysis (BIA)
C. Significant changes in management personnel
D. Lack of annual updates to the disaster recovery plan (DRP)
Selected Answer: A
Question #: 1324
Topic #: 1
Of the following, who is responsible for approval when a change in an application system is ready for release to production?
A. Business owner
B. Information security officer
C. Chief risk officer (CRO)
D. IT risk manager
Selected Answer: A
Question #: 1323
Topic #: 1
Which of the following should be the PRIMARY basis for prioritizing risk responses?
A. The replacement cost of the business asset
B. The impact of the risk
C. The classification of the business asset
D. The cost of risk mitigation controls
Selected Answer: B
Question #: 1322
Topic #: 1
Which of the following should be used as the PRIMARY basis for evaluating the state of an organization’s cloud computing environment against leading practices?
A. The cloud environment’s risk register
B. The cloud environment’s capability maturity model
C. The organization’s strategic plans for cloud computing
D. The cloud computing architecture
Selected Answer: B
Question #: 1321
Topic #: 1
When developing a response plan to address security incidents regarding sensitive data loss, it is MOST important to:
A. revalidate existing risk scenarios.
B. revalidate current key risk indicators (KRIs).
C. review the data classification policy.
D. revise risk management procedures.
Selected Answer: C
Question #: 1320
Topic #: 1
Which of the following is the PRIMARY objective of risk management?
A. Minimize business disruptions.
B. Achieve business objectives.
C. Identify and analyze risk.
D. Identify threats and vulnerabilities.
Selected Answer: B
Question #: 1319
Topic #: 1
Which of the following would be of GREATEST concern regarding an organization’s asset management?
A. Lack of a dedicated asset management team
B. Decentralized asset lists
C. Incomplete asset inventory
D. Lack of a mature records management program
Selected Answer: C
Question #: 1318
Topic #: 1
Senior management is deciding whether to share confidential data with the organization’s business partners. The BEST course of action for a risk practitioner would be to submit a report to senior management containing the:
A. project plan for classification of the data.
B. summary of data protection and privacy legislation.
C. design of controls to encrypt the data to be shared.
D. possible risk and suggested mitigation plans.
Selected Answer: D
Question #: 1316
Topic #: 1
Which of the following is MOST important to consider before determining a response to a vulnerability?
A. Monetary value of the asset
B. Lack of data to measure threat events
C. The cost to implement the risk response
D. The likelihood and impact of threat events
Selected Answer: D
Question #: 1313
Topic #: 1
Which of the following is the PRIMARY purpose of creating and documenting control procedures?
A. To help manage risk to acceptable tolerance levels
B. To facilitate ongoing audit and control testing
C. To establish and maintain a control inventory
D. To increase the likelihood of effective control operation
Selected Answer: A
Question #: 1312
Topic #: 1
Which of the following provides the MOST useful information to assess the magnitude of identified deficiencies in the IT control environment?
A. Threat analysis results
B. Peer benchmarks
C. Business impact analysis (BIA) results
D. Internal audit reports
Selected Answer: C
Question #: 1310
Topic #: 1
What should be the PRIMARY consideration related to data privacy protection when there are plans for a business initiative to make use of personal information?
A. Limit access to the personal data.
B. Do not collect or retain data that is not needed.
C. Redact data where possible.
D. Ensure all data is encrypted at rest and during transit.
Selected Answer: B
Question #: 1309
Topic #: 1
Which of the following is the GREATEST benefit of a three lines of defense structure?
A. Clear accountability for risk management processes
B. An effective risk culture that empowers employees to report risk
C. Improved effectiveness and efficiency of business operations
D. Effective segregation of duties to prevent internal fraud
Selected Answer: A
Question #: 1308
Topic #: 1
Which of the following is the BEST way to ensure data is properly sanitized while in cloud storage?
A. Cryptographically scrambling the data
B. Formatting the cloud storage at the block level
C. Deleting the data from the file system
D. Degaussing the cloud storage media
Selected Answer: A
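The two cloud questions above (encrypting data before it leaves the organization so provider administrators cannot read it, and cryptographically scrambling data so it is effectively sanitized once the key is gone) rest on the same mechanism, so here is one added example in Go that is not part of the question bank or any ISACA material. It models the organization keeping an AES-256-GCM data-encryption key in its own custody, handing the cloud only nonce plus ciphertext, and then crypto-shredding by destroying the key. The `KeyStore` and `CloudObject` types, the key ID `tenant-42` and the sample record are all constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// CloudObject is the only thing handed to the provider: a nonce and AES-GCM
// ciphertext. It carries no key material, so a cloud administrator with full
// access to storage sees only this.
type CloudObject struct {
	Nonce      []byte
	Ciphertext []byte
}

// KeyStore stands in for key custody that stays inside the organization
// (an on-premises HSM or customer-controlled KMS). Hypothetical type for
// this example only.
type KeyStore struct {
	keys map[string][]byte
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: make(map[string][]byte)} }

// GenerateKey creates a fresh 256-bit data-encryption key under the given ID.
func (ks *KeyStore) GenerateKey(id string) error {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return err
	}
	ks.keys[id] = k
	return nil
}

// Shred is crypto-shredding: zeroize and discard the key. Every object
// encrypted under it becomes unrecoverable, whatever copies the cloud keeps.
func (ks *KeyStore) Shred(id string) {
	if k, ok := ks.keys[id]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(ks.keys, id)
	}
}

func (ks *KeyStore) gcm(id string) (cipher.AEAD, error) {
	k, ok := ks.keys[id]
	if !ok {
		return nil, errors.New("key unavailable (destroyed or unknown): " + id)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt runs inside the organization, before the record leaves for the cloud.
// The key ID is bound as additional authenticated data so a stored object
// cannot be silently re-attributed to another key.
func (ks *KeyStore) Encrypt(keyID string, plaintext []byte) (CloudObject, error) {
	g, err := ks.gcm(keyID)
	if err != nil {
		return CloudObject{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return CloudObject{}, err
	}
	return CloudObject{Nonce: nonce, Ciphertext: g.Seal(nil, nonce, plaintext, []byte(keyID))}, nil
}

// Decrypt fails if the key has been shredded or the stored bytes were altered.
func (ks *KeyStore) Decrypt(keyID string, obj CloudObject) ([]byte, error) {
	g, err := ks.gcm(keyID)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, obj.Nonce, obj.Ciphertext, []byte(keyID))
}

func main() {
	ks := NewKeyStore()
	if err := ks.GenerateKey("tenant-42"); err != nil {
		panic(err)
	}
	record := []byte("employee=Example Person;ssn=000-00-0000") // constructed sample, not real data
	obj, err := ks.Encrypt("tenant-42", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored in cloud: %d-byte nonce + %d-byte ciphertext, no key\n", len(obj.Nonce), len(obj.Ciphertext))
	pt, err := ks.Decrypt("tenant-42", obj)
	fmt.Printf("organization decrypts: %q (err=%v)\n", pt, err)
	ks.Shred("tenant-42") // sanitize: the provider's copies are now unreadable
	_, err = ks.Decrypt("tenant-42", obj)
	fmt.Println("after crypto-shredding, decrypt error:", err)
}
```

The practitioner's check is on the key, not the storage: if the provider (or its administrators) can ever obtain the key, neither the confidentiality claim nor the sanitization claim holds, so key generation, custody and destruction must all happen where the organization controls them.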
Question #: 1307
Topic #: 1
An organization is adopting blockchain for a new financial system. Which of the following should be the GREATEST concern for a risk practitioner evaluating the system’s production readiness?
A. Slow adoption of the technology across the financial industry
B. Varying costs related to implementation and maintenance
C. Lack of commercial software support
D. Limited organizational knowledge of the underlying technology
Selected Answer: D
Question #: 1305
Topic #: 1
An organization plans to implement a new Software as a Service (SaaS) speech-to-text solution. Which of the following is MOST important to mitigate risk associated with data privacy?
A. Multi-factor authentication is set up for users.
B. The solution architecture is approved by IT.
C. A risk transfer clause is included in the contract.
D. Secure encryption protocols are utilized.
Selected Answer: D
Question #: 1303
Topic #: 1
Who is MOST important to include in the assessment of existing IT risk scenarios?
A. Risk management consultants
B. Business process owners
C. Technology subject matter experts
D. Business users of IT systems
Selected Answer: B
Question #: 1302
Topic #: 1
An organization has experienced a cyber attack that exposed customer personally identifiable information (PII) and caused extended outages of network services. Which of the following stakeholders are MOST important to include in the cyber response team to determine response actions?
A. Cyber risk remediation plan owners
B. Enterprise risk management (ERM) team
C. Security control owners based on control failures
D. Risk owners based on risk impact
Selected Answer: A
Question #: 1301
Topic #: 1
An incentive program is MOST likely implemented to manage the risk associated with loss of which organizational asset?
A. Employees
B. Reputation
C. Data
D. Customer lists
Selected Answer: A
Question #: 1300
Topic #: 1
Which of the following provides the MOST reliable evidence of a control’s effectiveness?
A. Senior management’s attestation
B. A detailed process walk-through
C. A risk and control self-assessment
D. A system-generated testing report
Selected Answer: D
Question #: 1298
Topic #: 1
The PRIMARY objective of testing the effectiveness of a new control before implementation is to:
A. comply with the organization’s policy.
B. consider automating the control.
C. evaluate the degree of risk mitigation.
D. measure efficiency of the control process.
Selected Answer: C
Question #: 1297
Topic #: 1
Which of the following is MOST important to include when reporting the effectiveness of risk management to senior management?
A. Impact due to changes in external and internal risk factors
B. Gaps in best practices and implemented controls across the industry
C. Changes in the organization’s risk appetite and risk tolerance levels
D. Changes in residual risk levels against acceptable levels
Selected Answer: D
Question #: 1296
Topic #: 1
Which of the following is MOST likely to deter an employee from engaging in inappropriate use of company-owned IT systems?
A. A centralized computer security response team
B. Communication of employee activity monitoring
C. Regular performance reviews and management check-ins
D. Code of ethics training for all employees
Selected Answer: B
Question #: 1295
Topic #: 1
Which of the following would be of MOST concern to a risk practitioner reviewing risk action plans for documented IT risk scenarios?
A. Many action plans were discontinued after senior management accepted the risk.
B. Individuals outside IT are managing action plans for the risk scenarios.
C. Target dates for completion are missing from some action plans.
D. Senior management approved multiple changes to several action plans.
Selected Answer: C
Question #: 1294
Topic #: 1
Which of the following is the PRIMARY objective of maintaining an information asset inventory?
A. To facilitate risk assessments
B. To protect information assets
C. To provide input to business impact analyses (BIAs)
D. To manage information asset licensing
Selected Answer: B
Question #: 1293
Topic #: 1
The PRIMARY reason for periodic penetration testing of Internet-facing applications is to:
A. verify Internet firewall control settings.
B. ensure policy and regulatory compliance.
C. identify vulnerabilities in the system.
D. assess the proliferation of new threats.
Selected Answer: C
Question #: 1292
Topic #: 1
Which of the following is the PRIMARY reason for an organization to include an acceptable use banner when users log in?
A. To enable rapid discovery of insider threat
B. To reduce the likelihood of insider threat
C. To eliminate the possibility of insider threat
D. To reduce the impact of insider threat
Selected Answer: B
Question #: 1291
Topic #: 1
After an annual risk assessment is completed, which of the following would be MOST important to communicate to stakeholders?
A. A change in the risk profile
B. A decrease in threats
C. An increase in identified risk scenarios
D. An increase in reported vulnerabilities
Selected Answer: A
Question #: 1290
Topic #: 1
Which of the following is MOST likely to introduce risk for financial institutions that use blockchain?
A. Disruption to business processes
B. Cost of implementation
C. Implementation of unproven applications
D. Increase in attack surface area
Selected Answer: C
Question #: 1289
Topic #: 1
Which of the following is the MOST effective way to identify an application backdoor prior to implementation?
A. Vulnerability analysis
B. Database activity monitoring
C. User acceptance testing (UAT)
D. Source code review
Selected Answer: D
Question #: 1288
Topic #: 1
Which of the following is the PRIMARY objective of establishing an organization’s risk tolerance and appetite?
A. To assist management in decision making
B. To create organization-wide risk awareness
C. To minimize risk mitigation efforts
D. To align with board reporting requirements
Selected Answer: A
Question #: 1287
Topic #: 1
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery test of critical business processes?
A. Number of issues and action items resolved during the recovery test
B. Percentage of processes recovered within the recovery time and point objectives
C. Percentage of job failures identified and resolved during the recovery process
D. Number of current test plans and procedures
Selected Answer: B
Question #: 1286
Topic #: 1
Which of the following has the GREATEST influence on an organization’s risk appetite?
A. Business objectives and strategies
B. Internal and external risk factors
C. Threats and vulnerabilities
D. Management culture and behavior
Selected Answer: D
Question #: 1285
Topic #: 1
Which of the following would provide the BEST evidence of an effective internal control environment?
A. Independent audit results
B. Regular stakeholder briefings
C. Adherence to governing policies
D. Risk assessment results
Selected Answer: A
Question #: 1284
Topic #: 1
Which of the following is the MOST comprehensive input to the risk assessment process specific to the effects of system downtime?
A. Business continuity plan (BCP) testing results
B. Recovery point objective (RPO)
C. Business impact analysis (BIA) results
D. Recovery time objective (RTO)
Selected Answer: C
Question #: 1283
Topic #: 1
A risk owner has identified a risk with high impact and very low likelihood. The potential loss is covered by insurance. Which of the following should the risk practitioner do NEXT?
A. Validate the risk response with internal audit.
B. Update the risk register.
C. Evaluate outsourcing the process.
D. Recommend avoiding the risk.
Selected Answer: B
Question #: 1282
Topic #: 1
Which of the following is performed after a risk assessment is completed?
A. Identifying vulnerabilities
B. Conducting an impact analysis
C. Defining risk response options
D. Defining risk taxonomy
Selected Answer: C
Question #: 1280
Topic #: 1
A control process has been implemented in response to a new regulatory requirement, but has significantly reduced productivity. Which of the following is the BEST way to resolve this concern?
A. Absorb the loss in productivity.
B. Escalate the issue to senior management.
C. Request a waiver to the requirements.
D. Remove the control to accommodate business objectives.
Selected Answer: B
Question #: 1279
Topic #: 1
Which of the following is the MOST important reason to validate that risk responses have been executed as outlined in the risk response plan?
A. To ensure residual risk is at an acceptable level
B. To ensure completion of the risk assessment cycle
C. To ensure control costs do not exceed benefits
D. To ensure controls are operating effectively
Selected Answer: A
Question #: 1278
Topic #: 1
Who is the BEST person to authorize access privileges to database tables for an application system used to process employee personal data?
A. Compliance manager
B. Data privacy manager
C. System administrator
D. Human resources (HR) manager
Selected Answer: B
Question #: 1277
Topic #: 1
An employee lost a personal mobile device that may contain sensitive corporate information. What should be the risk practitioner’s recommendation?
A. Conduct a risk analysis.
B. Invoke the incident response plan.
C. Disable the user account.
D. Initiate a remote data wipe.
Selected Answer: D
Question #: 1276
Topic #: 1
Which of the following is a risk practitioner’s BEST recommendation upon learning that an employee inadvertently disclosed sensitive data to a vendor?
A. Enroll the employee in additional security training.
B. Invoke the incident response plan.
C. Conduct an internal audit.
D. Instruct the vendor to delete the data.
Selected Answer: B
Question #: 1275
Topic #: 1
A MAJOR advantage of using key risk indicators (KRIs) is that they:
A. identify when risk exceeds defined thresholds.
B. assess risk scenarios that exceed defined thresholds.
C. help with internal control assessments concerning risk appetite.
D. identify scenarios that exceed defined risk appetite.
Selected Answer: A
Question #: 1274
Topic #: 1
Which of the following roles should be assigned accountability for monitoring risk levels?
A. Business manager
B. Risk owner
C. Control owner
D. Risk practitioner
Selected Answer: B
Question #: 1273
Topic #: 1
Which of the following situations presents the GREATEST challenge to creating a comprehensive IT risk profile of an organization?
A. Manual vulnerability scanning processes
B. Inaccurate documentation of enterprise architecture (EA)
C. Organizational reliance on third-party service providers
D. Risk-averse organizational risk appetite
Selected Answer: B
Question #: 1272
Topic #: 1
An organization is implementing a project to automate the purchasing process, including the modification of approval controls. Which of the following tasks is the responsibility of the risk practitioner?
A. Test approval process controls once the project is completed.
B. Update the existing controls for changes in approval processes from this project.
C. Perform a gap analysis of the impacted control processes.
D. Verify that existing controls continue to properly mitigate defined risk.
Selected Answer: C
Question #: 1271
Topic #: 1
Which of the following is the MOST effective way for a large and diversified organization to minimize risk associated with unauthorized software on company devices?
A. Perform frequent internal audits of enterprise IT infrastructure.
B. Scan end points for applications not included in the asset inventory.
C. Conduct frequent reviews of software licenses.
D. Prohibit the use of cloud-based virtual desktop software.
Selected Answer: B
Question #: 1270
Topic #: 1
Which of the following is the MOST important information to cover in a business continuity awareness training program for all employees of the organization?
A. Critical asset inventory
B. Communication plan
C. Segregation of duties
D. Recovery time objectives (RTOs)
Selected Answer: B
Question #: 1269
Topic #: 1
When performing a risk assessment of a new service to support a core business process, which of the following should be done FIRST to ensure continuity of operations?
A. Identify conditions that may cause disruptions.
B. Evaluate the probability of risk events.
C. Review incident response procedures.
D. Define metrics for restoring availability.
Selected Answer: A
Question #: 1268
Topic #: 1
Which of the following is the PRIMARY reason for a risk practitioner to review an organization’s IT asset inventory?
A. To plan for the replacement of assets at the end of their life cycles
B. To understand vulnerabilities associated with the use of the assets
C. To calculate mean time between failures (MTBF) for the assets
D. To assess requirements for reducing duplicate assets
Selected Answer: B
Question #: 1267
Topic #: 1
When confirming whether implemented controls are operating effectively, which of the following is MOST important to review?
A. Maturity model
B. Results of risk assessments
C. Number of emergency change requests
D. Results of benchmarking studies
Selected Answer: B
Question #: 1266
Topic #: 1
Which of the following is the GREATEST benefit of implementing an enterprise risk management (ERM) program?
A. A common view of enterprise risk is established.
B. Risk-aware decision making is enabled.
C. Risk management is integrated into the organization.
D. Risk management controls are implemented.
Selected Answer: B
Question #: 1265
Topic #: 1
Which of the following is the MOST important benefit of reporting risk assessment results to senior management?
A. Facilitation of risk-aware decision making
B. Alignment of business activities
C. Compilation of a comprehensive risk register
D. Promotion of a risk-aware culture
Selected Answer: A
Question #: 1264
Topic #: 1
The operational risk associated with attacks on a web application should be owned by the individual in charge of:
A. network operations.
B. the cybersecurity function.
C. application development.
D. the business function.
Selected Answer: D
Question #: 1263
Topic #: 1
Which of the following BEST reduces the risk associated with the theft of a laptop containing sensitive information?
A. Data encryption
B. Biometrics access control
C. Periodic backup
D. Cable lock
Selected Answer: A
Question #: 1262
Topic #: 1
Which component of a software inventory BEST enables the identification and mitigation of known vulnerabilities?
A. Software licensing information
B. Software version
C. Software support contract expiration
D. Assigned software manager
Selected Answer: B
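The two questions above (endpoint scans against the asset inventory, and software version as the inventory field that lets you match known vulnerabilities) both come down to the same reconciliation step. The following is an added example, not code from the original page; the approved inventory, the "fixed in" versions and the endpoint scan results are all constructed for illustration and do not correspond to real advisories.

```python
"""Added example: reconcile endpoint software scans against an approved
inventory and flag (a) software not in the inventory and (b) approved
software whose installed version is below the known-fixed version.
All data below is constructed for illustration."""


def parse_version(v: str) -> tuple:
    """Split a dotted version into a tuple of ints so that 3.0.9 < 3.0.12.
    A plain string comparison gets this wrong ("3.0.9" > "3.0.12" as text).
    Non-numeric segments are treated as 0 (simplifying assumption)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def version_lt(a: str, b: str) -> bool:
    """True when version a is strictly older than version b."""
    return parse_version(a) < parse_version(b)


# Approved software inventory: product -> version currently sanctioned (constructed)
APPROVED = {"openssl": "3.0.12", "curl": "8.4.0", "acme-agent": "2.1.0"}

# Known-vulnerable products: product -> first fixed version (constructed, not real advisories)
VULNERABLE_BELOW = {"openssl": "3.0.12", "curl": "8.4.0"}

# Constructed endpoint scan results: host -> [(product, installed version), ...]
SCAN = {
    "host-a": [("openssl", "3.0.9"), ("curl", "8.4.0"), ("acme-agent", "2.1.0")],
    "host-b": [("openssl", "3.0.12"), ("curl", "8.2.1"), ("torrent-client", "1.0")],
}


def reconcile(scan: dict, approved: dict, vulnerable_below: dict) -> list:
    """Return (host, product, version, finding) tuples.

    'unauthorized' : product is installed but absent from the approved inventory
    'vulnerable: …': product is approved but the installed version predates the fix
    """
    findings = []
    for host, packages in scan.items():
        for product, version in packages:
            if product not in approved:
                findings.append((host, product, version, "unauthorized"))
            elif product in vulnerable_below and version_lt(version, vulnerable_below[product]):
                fixed = vulnerable_below[product]
                findings.append((host, product, version, f"vulnerable: fixed in {fixed}"))
    return findings


if __name__ == "__main__":
    for host, product, version, finding in reconcile(SCAN, APPROVED, VULNERABLE_BELOW):
        print(f"{host:8} {product:16} {version:8} {finding}")
```

The point the question is making shows up in the `version_lt` check: without the installed version in the inventory there is nothing to compare against the fixed version, and licensing or contract fields give no way to tell a patched install from an unpatched one.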
Question #: 1261
Topic #: 1
Which of the following is the MOST important outcome of a business impact analysis (BIA)?
A. Reduction of security and business continuity threats
B. Completion of the business continuity plan (BCP)
C. Understanding and prioritization of critical processes
D. Identification of regulatory consequences
Selected Answer: C
Question #: 1260
Topic #: 1
Risk appetite should be PRIMARILY driven by which of the following?
A. Stakeholder requirements
B. Enterprise security architecture roadmap
C. Business impact analysis (BIA)
D. Legal and regulatory requirements
Selected Answer: A
Question #: 1259
Topic #: 1
Which of the following is the PRIMARY accountability for a control owner?
A. Ensure the control operates effectively.
B. Identify and assess control weaknesses.
C. Own the associated risk the control is mitigating.
D. Communicate risk to senior management.
Selected Answer: A
Question #: 1258
Topic #: 1
Which of the following would present the GREATEST challenge for a risk practitioner during a merger of two organizations?
A. Disparate platforms for governance, risk, and compliance (GRC) systems
B. Variances between organizational risk appetites
C. Dissimilar organizational risk acceptance protocols
D. Different taxonomies to categorize risk scenarios
Selected Answer: B
Question #: 1257
Topic #: 1
Which of the following would provide the MOST helpful input to develop risk scenarios associated with hosting an organization’s key IT applications in a cloud environment?
A. Conducting a risk workshop with key stakeholders
B. Reviewing the results of independent audits
C. Performing a due diligence review
D. Performing a site visit to the cloud provider’s data center
Selected Answer: A
Question #: 1256
Topic #: 1
A zero-day vulnerability has been discovered in a globally used brand of hardware server that allows hackers to gain access to affected IT systems. Which of the following is MOST likely to change as a result of this situation?
A. Control effectiveness
B. Risk appetite
C. Key risk indicator (KRI)
D. Risk likelihood
Selected Answer: D
Question #: 1255
Topic #: 1
The MOST important measure of the effectiveness of risk management in project implementation is the percentage of projects:
A. introduced into production without high-risk issues.
B. having the risk register updated regularly.
C. having an action plan to remediate overdue issues.
D. having key risk indicators (KRIs) established to measure risk.
Selected Answer: A
Question #: 1254
Topic #: 1
Which of the following should be accountable for ensuring that media containing financial information are adequately destroyed per an organization’s data disposal policy?
A. Data owner
B. Chief information officer (CIO)
C. Data architect
D. Compliance manager
Selected Answer: A
Question #: 1253
Topic #: 1
An organization retains footage from its data center security camera for 30 days when the policy requires 90-day retention. The business owner challenges whether the situation is worth remediating. Which of the following is the risk manager’s BEST response?
A. Evaluate the risk as a measure of probable loss.
B. Identify the regulatory bodies that may highlight this gap.
C. Verify if competitors comply with a similar policy.
D. Highlight news articles about data breaches.
Selected Answer: B
Question #: 1252
Topic #: 1
Which of the following provides the MOST comprehensive information when developing a risk profile for a system?
A. Risk assessment results
B. Key performance indicators (KPIs)
C. A mapping of resources to business processes
D. Results of a business impact analysis (BIA)
Selected Answer: A
Question #: 1251
Topic #: 1
Which of the following controls will BEST mitigate risk associated with excessive access privileges?
A. Frequent password expiration
B. Segregation of duties
C. Entitlement reviews
D. Review of user access logs
Selected Answer: C
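The options in this question are easy to confuse, so here is an added example (not from the original page) that separates them: an entitlement review compares what each account actually holds against what its role needs, while a segregation-of-duties rule flags combinations that no single person should hold. The role baseline, the user entitlements and the conflict rule are all constructed.

```python
"""Added example: a minimal entitlement review.
Compares granted entitlements with the role baseline (excess privilege)
and checks for segregation-of-duties conflicts. All data is constructed."""

# Role -> entitlements the role legitimately needs (constructed baseline)
ROLE_BASELINE = {
    "ap_clerk": {"invoice.read", "invoice.create"},
    "ap_manager": {"invoice.read", "invoice.approve", "payment.approve"},
    "dba": {"db.read", "db.admin"},
}

# Entitlement sets that one person should never hold together (constructed SoD rules)
SOD_CONFLICTS = [
    {"invoice.create", "invoice.approve"},
    {"vendor.create", "payment.approve"},
]

# user -> (assigned role, entitlements actually granted); constructed
USERS = {
    "alice": ("ap_clerk", {"invoice.read", "invoice.create"}),
    "bob": ("ap_clerk", {"invoice.read", "invoice.create", "invoice.approve"}),
    "carol": ("dba", {"db.read", "db.admin", "payment.approve", "vendor.create"}),
}


def review_entitlements(users: dict, baseline: dict, sod_rules: list) -> dict:
    """Return {user: {"excess": [...], "sod_conflicts": [...]}} for users with findings.

    excess        : entitlements granted beyond the role baseline (what an
                    entitlement review is meant to catch)
    sod_conflicts : conflicting combinations the user holds, regardless of role
    """
    findings = {}
    for user, (role, granted) in users.items():
        excess = granted - baseline.get(role, set())
        # a rule fires when every entitlement in the conflicting set is held
        conflicts = [tuple(sorted(rule)) for rule in sod_rules if rule <= granted]
        if excess or conflicts:
            findings[user] = {"excess": sorted(excess), "sod_conflicts": conflicts}
    return findings


if __name__ == "__main__":
    for user, result in review_entitlements(USERS, ROLE_BASELINE, SOD_CONFLICTS).items():
        print(user, result)
```

Note that carol's extra entitlements are not an SoD problem with her DBA role as such; they are simply excess to the baseline and would be removed by the review, which also clears the SoD conflict as a side effect. That is why the entitlement review, not the SoD rule alone, is the control that addresses excessive privileges.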
Question #: 910
Topic #: 1
Which of the following criteria associated with key risk indicators (KRIs) BEST enables effective risk monitoring?
A. Use of industry risk data sources
B. Sensitivity to changes in risk levels
C. Low cost of development and maintenance
D. Approval by senior management
Selected Answer: B
Question #: 911
Topic #: 1
Which of the following is the BEST indication of a mature organizational risk culture?
A. Corporate risk appetite is communicated to staff members.
B. Risk policy has been published and acknowledged by employees.
C. Management encourages the reporting of policy breaches.
D. Risk owners understand and accept accountability for risk.
Selected Answer: D
Question #: 913
Topic #: 1
Which of the following facilitates a completely independent review of test results for evaluating control effectiveness?
A. Segregation of duties
B. Compliance review
C. Three lines of defense
D. Quality assurance review
Selected Answer: A
Question #: 1576
Topic #: 1
Which of the following scenarios is MOST likely to cause a risk practitioner to request a formal risk acceptance sign-off?
A. Residual risk in excess of the risk appetite cannot be mitigated.
B. Risk appetite has changed to align with organizational objectives.
C. Residual risk remains at the same level over time without further mitigation.
D. Inherent risk is too high, resulting in the cancellation of an initiative.
Selected Answer: D
Question #: 333
Topic #: 1
You are the project manager of the HJT project. Important confidential files for the project are stored on a computer. To guard against unauthorized access to this computer, you have installed a hidden CCTV camera in the room in addition to password protection. Which kind of control is the CCTV camera?
A. Technical control
B. Physical control
C. Administrative control
D. Management control
Selected Answer: B
Question #: 589
Topic #: 1
Reviewing results from which of the following is the BEST way to identify information systems control deficiencies?
A. Control self-assessment (CSA)
B. Vulnerability and threat analysis
C. User acceptance testing (UAT)
D. Control remediation planning
Selected Answer: A
Question #: 342
Topic #: 1
A natural disaster is BEST associated with which of the following types of risk?
A. Short-term
B. Long-term
C. Discontinuous
D. Large impact
Selected Answer: B
Question #: 550
Topic #: 1
When evaluating enterprise IT risk management, it is MOST important to:
A. create new control processes to reduce identified IT risk scenarios
B. review alignment with the organization’s investment plan
C. report identified IT risk scenarios to senior management
D. confirm the organization’s risk appetite and tolerance
Selected Answer: D
Question #: 531
Topic #: 1
An organization operates in a jurisdiction where heavy fines are imposed for leakage of customer data. Which of the following provides the BEST input to assess the inherent risk impact?
A. Number of customer records held
B. Number of databases that host customer data
C. Number of encrypted customer databases
D. Number of staff members having access to customer data
Selected Answer: A
Question #: 515
Topic #: 1
An organization’s internal auditors have identified a new IT control deficiency in the organization’s identity and access management (IAM) system. It is MOST important for the risk practitioner to:
A. perform a follow-up risk assessment to quantify the risk impact
B. verify that applicable risk owners understand the risk
C. implement compensating controls to address the deficiency
D. recommend replacement of the deficient system
Selected Answer: B
Question #: 467
Topic #: 1
Which of the following BEST indicates the effectiveness of an organization’s data loss prevention (DLP) program?
A. Reduction in financial impact associated with data loss incidents
B. Reduction in the number of false positives and false negatives
C. Reduction in the number of approved exceptions to the DLP policy
D. Reduction in the severity of detected data loss events
Selected Answer: A
Question #: 166
Topic #: 1
Ben is the project manager of the CMH Project for his organization. He has identified a risk that has a low probability of happening, but the impact of the risk event could save the project and the organization a significant amount of capital. Ben assigns Laura to the risk event and instructs her to research the time, cost, and method to improve the probability of the positive risk event. Ben then communicates the risk event and response to management. What risk response has been used here?
A. Transference
B. Enhance
C. Exploit
D. Sharing
Selected Answer: D
Question #: 778
Topic #: 1
Which of the following would BEST help secure online financial transactions from improper users?
A. Multi-factor authentication
B. Periodic review of audit trails
C. Multi-level authorization
D. Review of log-in attempts
Selected Answer: A
Question #: 26
Topic #: 1
You work as the project manager for Bluewell Inc. There has been a delay in your project work that is adversely affecting the project schedule. You decide, with your stakeholders’ approval, to fast track the project work to get the project done faster. When you fast track the project, what is likely to increase?
A. Human resource needs
B. Quality control concerns
C. Costs
D. Risks
Selected Answer: C
Question #: 1394
Topic #: 1
Which of the following is MOST useful for measuring the existing risk management process against a desired state?
A. Capability maturity model
B. Risk scenario analysis
C. Risk management framework
D. Balanced scorecard
Selected Answer: A