CRISC Topic 5
Question #: 1482
Topic #: 1
Which of the following would be the MOST effective mitigating control when a legacy application does not have the capability to appropriately enforce separation of duties?
A. Establish delegated authorities.
B. Periodically validate user entitlements.
C. Monitor transaction logs.
D. Develop user access policies.
Selected Answer: C
Question #: 1473
Topic #: 1
An organization has purchased insurance coverage against potential unauthorized disclosure of personal data. What should be expected as a result of this risk response?
A. Reduced impact of a data breach
B. Removal of the scenario from further analysis
C. Reduced likelihood of a data breach
D. Increased tolerance against a data breach
Selected Answer: A
Question #: 1459
Topic #: 1
Which of the following processes BEST enables a risk practitioner to gather evidence about the threat environment for further analysis?
A. Risk assessment
B. Threat modeling
C. Vulnerability scanning
D. Threat intelligence
Selected Answer: D
Question #: 1218
Topic #: 1
Management has implemented two new preventative controls to address a risk found in an audit. Following closure of the issue, which of the following is MOST important to update in the risk register?
A. Key controls
B. Likelihood
C. Inherent risk
D. Impact
Selected Answer: A
Question #: 1216
Topic #: 1
Which of the following is the MOST effective way to manage risk scenarios identified in the risk register?
A. Ensure risk scenarios are regularly reviewed and updated in the risk register.
B. Conduct risk assessment workshops across the organization.
C. Present and discuss all risk scenarios in the register at regular risk committee meetings.
D. Prepare risk treatment plans in accordance with the organization’s risk appetite.
Selected Answer: D
Question #: 907
Topic #: 1
Which of the following will BEST help in communicating strategic risk priorities?
A. Heat map
B. Business impact analysis (BIA)
C. Risk register
D. Balanced scorecard
Selected Answer: D
Question #: 906
Topic #: 1
The GREATEST benefit of including low-probability, high-impact events in a risk assessment is the ability to:
A. identify root causes for relevant events.
B. develop understandable and realistic risk scenarios.
C. perform an aggregated cost-benefit analysis.
D. develop a comprehensive risk mitigation strategy.
Selected Answer: D
Question #: 904
Topic #: 1
Which of the following statements BEST illustrates the relationship between key performance indicators (KPIs) and key control indicators (KCIs)?
A. KPIs measure manual controls, while KCIs measure automated controls.
B. KPIs and KCIs both contribute to understanding of control effectiveness.
C. KCIs are applied at the operational level, while KPIs are at the strategic level.
D. A robust KCI program will replace the need to measure KPIs.
Selected Answer: B
Question #: 900
Topic #: 1
Which of the following scenarios represents a threat?
A. Storing corporate data in unencrypted form on a laptop
B. Visitors not signing in as per policy
C. A virus transmitted on a USB thumb drive
D. Connecting a laptop to a free, open, wireless access point (hotspot)
Selected Answer: C
Question #: 915
Topic #: 1
An organization has decided to postpone the assessment and treatment of several risk scenarios because stakeholders are unavailable. As a result of this decision, the risk associated with these new entries has been:
A. accepted
B. mitigated
C. deferred
D. transferred
Selected Answer: D
Question #: 813
Topic #: 1
Which of the following MUST be assessed before considering risk treatment options for a scenario with significant impact?
A. Cost-benefit analysis.
B. Incident probability.
C. Risk magnitude.
D. Risk appetite.
Selected Answer: C
Question #: 804
Topic #: 1
Which of the following is MOST important for evaluating the operational effectiveness of a newly implemented control?
A. Continuous auditing techniques are used to ensure ongoing control monitoring.
B. Control owners are conducting timely monitoring and reporting of the control results.
C. The source data used for control performance is accurate and complete.
D. Self-assessment testing results are regularly verified by independent control testers.
Selected Answer: C
Question #: 803
Topic #: 1
Which of the following should be the PRIMARY objective of a risk awareness training program?
A. To promote awareness of the risk governance function.
B. To clarify fundamental risk management principles.
C. To enable risk-based decision making.
D. To ensure sufficient resources are available.
Selected Answer: C
Question #: 800
Topic #: 1
An organization’s chief technology officer (CTO) has decided to accept the risk associated with the potential loss from a denial-of-service (DoS) attack. In this situation, the risk practitioner’s BEST course of action is to:
A. validate the CTO’s decision with the business process owner.
B. recommend that the CTO revisit the risk acceptance decision.
C. identify key risk indicators (KRIs) for ongoing monitoring.
D. update the risk register with the selected risk response.
Selected Answer: C
Question #: 707
Topic #: 1
A risk practitioner is organizing risk awareness training for senior management. Which of the following is the MOST important topic to cover in the training session?
A. Senior management allocation of risk management resources
B. Senior management roles and responsibilities
C. The organization’s strategic risk management projects
D. The organization’s risk appetite and tolerance
Selected Answer: B
Question #: 678
Topic #: 1
The MAIN reason for creating and maintaining a risk register is to:
A. account for identified key risk factors.
B. ensure assets have low residual risk.
C. define the risk assessment methodology.
D. assess effectiveness of different projects.
Selected Answer: A
Question #: 638
Topic #: 1
An organization delegates its data processing to the internal IT team to manage information through its applications. Which of the following is the role of the internal IT team in this situation?
A. Data owners
B. Data custodians
C. Data controllers
D. Data processors
Selected Answer: B
Question #: 576
Topic #: 1
Which of the following BEST enables the identification of trends in risk levels?
A. Measurements for key risk indicators (KRIs) are repeatable
B. Qualitative definitions for key risk indicators (KRIs) are used
C. Quantitative measurements are used for key risk indicators (KRIs)
D. Correlation between risk levels and key risk indicators (KRIs) is positive
Selected Answer: C
Question #: 575
Topic #: 1
It is MOST appropriate for changes to be promoted to production after they are:
A. approved by the business owner
B. tested by business owners
C. communicated to business management
D. initiated by business users
Selected Answer: A
Question #: 539
Topic #: 1
What is the PRIMARY reason to periodically review key performance indicators (KPIs)?
A. Identify trends
B. Optimize resources needed for controls
C. Ensure compliance
D. Promote a risk-aware culture
Selected Answer: A
Question #: 504
Topic #: 1
Which of the following is the BEST key performance indicator (KPI) to measure the ability to deliver uninterrupted IT services?
A. Mean time between failures
B. Unplanned downtime
C. Mean time to recover
D. Planned downtime
Selected Answer: A
Question #: 500
Topic #: 1
Which of the following is the BEST way to validate whether controls have been implemented according to the risk mitigation action plan?
A. Implement key risk indicators (KRIs)
B. Test the control design
C. Test the control environment
D. Implement key performance indicators (KPIs)
Selected Answer: B
Question #: 488
Topic #: 1
Which of the following is the GREATEST advantage of implementing a risk management program?
A. Promoting a risk-aware culture
B. Improving security governance
C. Enabling risk-aware decisions
D. Reducing residual risk
Selected Answer: C
Question #: 811
Topic #: 1
Which of the following is MOST important when developing key risk indicators (KRIs)?
A. Availability of qualitative data.
B. Alignment with regulatory requirements.
C. Properly set thresholds.
D. Alignment with industry benchmarks.
Selected Answer: C
Question #: 808
Topic #: 1
An organization has introduced risk ownership to establish clear accountability for each process. To ensure effective risk ownership, it is MOST important that:
A. risk owners have decision-making authority.
B. senior management has oversight of the process.
C. segregation of duties exists between risk and process owners.
D. process ownership aligns with IT system ownership.
Selected Answer: A
Question #: 780
Topic #: 1
Which of the following BEST indicates that an organization has implemented IT performance requirements?
A. Vendor references
B. Accountability matrix
C. Benchmarking data
D. Service level agreements
Selected Answer: D
Question #: 779
Topic #: 1
Which of the following is the BEST indication that an organization is following a mature risk management process?
A. Executive management receives periodic risk awareness training.
B. Attributes of each risk scenario have been documented within the risk register.
C. The risk register is frequently utilized for decision-making.
D. A dashboard has been developed for senior management to provide real-time risk values.
Selected Answer: C
Question #: 764
Topic #: 1
After recent updates to the risk register, management has requested that the overall level of residual risk be reduced. Which of the following is the risk practitioner’s BEST course of action?
A. Prioritize remediation plans.
B. Recommend the acceptance of low-level risk.
C. Develop new risk action plans with risk owners.
D. Implement additional controls.
Selected Answer: C
Question #: 755
Topic #: 1
Which of the following BEST illustrates the relationship of actual risk exposure to appetite?
A. Residual risk that exceeds appetite.
B. Risk events in the risk profile.
C. Percentage of high risk scenarios.
D. Controls that exceed risk appetite.
Selected Answer: A
Question #: 753
Topic #: 1
Which of the following issues regarding an organization’s IT incident response plan would be the GREATEST concern?
A. The incident response capability is outsourced.
B. Teams are not operational until an incident occurs.
C. Not all employees have attended incident response training.
D. Roles and responsibilities are not clearly defined.
Selected Answer: D
Question #: 471
Topic #: 1
An identified high-probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy (ALE). Which of the following is the BEST risk response?
A. Avoid
B. Transfer
C. Accept
D. Mitigate
Selected Answer: C
Question #: 464
Topic #: 1
Which of the following is MOST helpful in developing key risk indicator thresholds?
A. Loss expectancy information
B. IT service level agreements
C. Control performance results
D. Remediation activity progress
Selected Answer: A
Question #: 463
Topic #: 1
Which of the following is the BEST metric to demonstrate the effectiveness of an organization’s change management process?
A. Average time to complete changes
B. Increase in the number of emergency changes
C. Percent of unauthorized changes
D. Increase in the frequency of changes
Selected Answer: C
Question #: 458
Topic #: 1
The PRIMARY benefit of conducting continuous monitoring of access controls is the ability to identify:
A. possible noncompliant activities that lead to data disclosure
B. leading or lagging key risk indicators (KRIs)
C. inconsistencies between security policies and procedures
D. unknown threats to undermine existing access controls
Selected Answer: A
Question #: 442
Topic #: 1
As part of an overall IT risk management plan, an IT risk register BEST helps management:
A. stay current with existing control status
B. align IT processes with business objectives
C. understand the organizational risk profile
D. communicate the enterprise risk management policy
Selected Answer: C
Question #: 441
Topic #: 1
The BEST control to mitigate the risk associated with project scope creep is to:
A. consult with senior management on a regular basis
B. apply change management procedures
C. ensure extensive user involvement
D. deploy CASE tools in software development
Selected Answer: B
Question #: 437
Topic #: 1
Which of the following is the MOST important consideration when selecting key risk indicators (KRIs) to monitor risk trends over time?
A. Ability to predict trends
B. Ongoing availability of data
C. Availability of automated reporting systems
D. Ability to aggregate data
Selected Answer: A
Question #: 433
Topic #: 1
When defining thresholds for control key performance indicators (KPIs), it is MOST helpful to align:
A. key risk indicators (KRIs) with risk appetite of the business
B. the control key performance indicators (KPIs) with audit findings
C. control performance with risk tolerance of business owners
D. information risk assessments with enterprise risk assessments
Selected Answer: C
Question #: 421
Topic #: 1
All business units within an organization have the same risk response plan for creating local disaster recovery plans. In an effort to achieve cost effectiveness, the BEST course of action would be to:
A. outsource disaster recovery to an external provider
B. select a provider to standardize the disaster recovery plans
C. evaluate opportunities to combine disaster recovery plans
D. centralize the risk response function at the enterprise level
Selected Answer: C
Question #: 409
Topic #: 1
The BEST way to determine the likelihood of a system availability risk scenario is by assessing the:
A. availability of fault tolerant software
B. strategic plan for business growth
C. vulnerability scan results of critical systems
D. redundancy of technical infrastructure
Selected Answer: D
Question #: 403
Topic #: 1
Which of the following activities would BEST facilitate effective risk management throughout the organization?
A. Performing a business impact analysis
B. Performing frequent audits
C. Reviewing risk-related process documentation
D. Conducting periodic risk assessments
Selected Answer: D
Question #: 48
Topic #: 1
Which of the following events refer to loss of integrity?
Each correct answer represents a complete solution. (Choose three.)
A. Someone sees the company’s secret formula
B. Someone makes unauthorized changes to a Web site
C. An e-mail message is modified in transit
D. A virus infects a file
Selected Answer: BCD
Question #: 517
Topic #: 1
The BEST method to align an organization’s business continuity plan (BCP) and disaster recovery plan (DRP) with core business needs is to:
A. outsource the maintenance of the BCP and DRP to a third party
B. include BCP and DRP responsibilities as part of the new employee training
C. execute periodic walk-throughs of the BCP and DRP
D. update the business impact analysis (BIA) for significant business changes
Selected Answer: D
Question #: 347
Topic #: 1
What are the key control activities to be done to ensure business alignment?
Each correct answer represents a part of the solution. (Choose two.)
A. Define the business requirements for the management of data by IT
B. Conduct IT continuity tests on a regular basis or when there are major changes in the IT infrastructure
C. Periodically identify critical data that affect business operations
D. Establish an independent test task force that keeps track of all events
Selected Answer: C
Question #: 345
Topic #: 1
What are the functions of the auditor while analyzing risk?
Each correct answer represents a complete solution. (Choose three.)
A. Aids in determining audit objectives
B. Identify threats and vulnerabilities to the information system
C. Provide information for evaluation of controls in audit planning
D. Supporting decision based on risks
Selected Answer: B
Question #: 296
Topic #: 1
Which of the following is the best reason for performing risk assessment?
A. To determine the present state of risk
B. To analyze the effect on the business
C. To satisfy regulatory requirements
D. To budget appropriately for the application of various controls
Selected Answer: B
Question #: 287
Topic #: 1
Which of the following are true for threats?
Each correct answer represents a complete solution. (Choose three.)
A. They can become more imminent as time goes by, or they can diminish
B. They can result in risks from external sources
C. They are a possibility
D. They are real
E. They will arise and stay in place until they are properly dealt with.
Selected Answer: D
Question #: 186
Topic #: 1
Beth is a project team member on the JHG Project. Beth has added extra features to the project and this has introduced new risks to the project work. The project manager of the JHG project elects to remove the features Beth has added. The process of removing the extra features to remove the risks is called what?
A. Detective control
B. Preventive control
C. Corrective control
D. Scope creep
Selected Answer: C
Question #: 184
Topic #: 1
What are the three PRIMARY steps to be taken to initialize the project?
Each correct answer represents a complete solution. (Choose three.)
A. Conduct a feasibility study
B. Define requirements
C. Acquire software
D. Plan risk management
Selected Answer: C
Question #: 171
Topic #: 1
You are the project manager of the HGT project. You are in the first phase of the risk response process and are performing the following tasks:
Communicating risk analysis results
Reporting risk management activities and the state of compliance
Interpreting independent risk assessment findings
Identifying business opportunities
Which of the following processes are you performing?
A. Articulating risk
B. Mitigating risk
C. Tracking risk
D. Reporting risk
Selected Answer: D
Question #: 164
Topic #: 1
You are the project manager of the GHT project. You have applied a certain control to prevent unauthorized changes in your project. Which of the following controls would you have applied for this purpose?
A. Personnel security control
B. Access control
C. Configuration management control
D. Physical and environment protection control
Selected Answer: A
Question #: 775
Topic #: 1
An organization has just started accepting credit card payments from customers via the corporate website. Which of the following is MOST likely to increase as a result of this new initiative?
A. Risk appetite
B. Residual risk
C. Risk tolerance
D. Inherent risk
Selected Answer: D
Question #: 16
Topic #: 1
Which of the following processes is described in the statement below?
“It is the process of exchanging information and views about risks among stakeholders, such as groups, individuals, and institutions.”
A. Risk governance
B. Risk identification
C. Risk response planning
D. Risk communication
Selected Answer: A
Question #: 717
Topic #: 1
Which of the following is the MOST important characteristic of an effective risk management program?
A. Risk response plans are documented.
B. Key risk indicators are defined.
C. Risk ownership is assigned.
D. Controls are mapped to key risk scenarios.
Selected Answer: C
Question #: 714
Topic #: 1
Which of the following is the MOST effective way to mitigate identified risk scenarios?
A. Document the risk tolerance of the organization.
B. Assign ownership of the risk response plan.
C. Provide awareness in early detection of risk.
D. Perform periodic audits on identified risk areas.
Selected Answer: B
Question #: 713
Topic #: 1
Whose risk tolerance matters MOST when making a risk decision?
A. Customers who would be affected by a breach
B. The information security manager
C. The business process owner of the exposed assets
D. Auditors, regulators, and standards organizations
Selected Answer: C
Question #: 705
Topic #: 1
Which of the following is the MOST important requirement for monitoring key risk indicators (KRIs) using log analysis?
A. Collecting logs from the entire set of IT systems
B. Providing accurate logs in a timely manner
C. Implementing an automated log analysis tool
D. Obtaining logs in an easily readable format
Selected Answer: B
Question #: 704
Topic #: 1
After a risk has been identified, who is in the BEST position to select the appropriate risk treatment option?
A. The risk practitioner
B. The risk owner
C. The control owner
D. The business process owner
Selected Answer: B
Question #: 700
Topic #: 1
An organization wants to assess the maturity of its internal control environment. The FIRST step should be to:
A. identify key process owners.
B. validate control process execution.
C. determine if controls are effective.
D. conduct a baseline assessment.
Selected Answer: D
Question #: 695
Topic #: 1
Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:
A. a vulnerability assessment.
B. a root cause analysis.
C. an impact assessment.
D. a gap analysis.
Selected Answer: B
Question #: 691
Topic #: 1
Which of the following is the BEST method for assessing control effectiveness?
A. Ad hoc reporting
B. Predictive analytics
C. Continuous monitoring
D. Control self-assessment
Selected Answer: C
Question #: 685
Topic #: 1
Quantifying the value of a single asset helps the organization to understand the:
A. necessity of developing a risk strategy.
B. consequences of risk materializing.
C. organization’s risk threshold.
D. overall effectiveness of risk management.
Selected Answer: B
Question #: 1250
Topic #: 1
When classifying and prioritizing risk responses, the areas to address FIRST are those with:
A. low cost effectiveness ratios and low risk levels.
B. high cost effectiveness ratios and low risk levels.
C. low cost effectiveness ratios and high risk levels.
D. high cost effectiveness ratios and high risk levels.
Selected Answer: D
Question #: 1068
Topic #: 1
Within the three lines of defense model, the accountability for the system of internal controls resides with:
A. enterprise risk management (ERM).
B. the risk practitioner.
C. the chief information officer (CIO).
D. the board of directors.
Selected Answer: D
Question #: 401
Topic #: 1
An organization is considering outsourcing user administration controls for a critical system. The potential vendor has offered to perform quarterly self-audits of its controls instead of having annual independent audits. Which of the following should be of GREATEST concern to the risk practitioner?
A. The vendor will not achieve best practices
B. The vendor will not ensure against control failure
C. The controls may not be properly tested
D. Lack of a risk-based approach to access control
Selected Answer: C
Question #: 543
Topic #: 1
Which of the following is the BEST indication of an effective risk management program?
A. Risk action plans are approved by senior management
B. Mitigating controls are designed and implemented
C. Residual risk is within the organizational risk appetite
D. Risk is recorded and tracked in the risk register
Selected Answer: C
Question #: 538
Topic #: 1
Which of the following is the BEST control to detect an advanced persistent threat (APT)?
A. Monitoring social media activities
B. Conducting regular penetration tests
C. Utilizing antivirus systems and firewalls
D. Implementing automated log monitoring
Selected Answer: D
Question #: 475
Topic #: 1
Which of the following is the GREATEST concern associated with redundant data in an organization’s inventory system?
A. Data inconsistency
B. Unnecessary data storage usage
C. Poor access control
D. Unnecessary costs of program changes
Selected Answer: B
Question #: 520
Topic #: 1
During a control review, the control owner states that an existing control has deteriorated over time. What is the BEST recommendation to the control owner?
A. Escalate the issue to senior management
B. Discuss risk mitigation options with the risk owner
C. Certify the control after documenting the concern
D. Implement compensating controls to reduce residual risk
Selected Answer: B
Question #: 469
Topic #: 1
Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?
A. Develop risk awareness training
B. Monitor employee usage
C. Identify the potential risk
D. Assess the potential risk
Selected Answer: C
Question #: 461
Topic #: 1
The PRIMARY reason a risk practitioner would be interested in an internal audit report is to:
A. maintain a risk register based on noncompliances
B. plan awareness programs for business managers
C. assist in the development of a risk profile
D. evaluate maturity of the risk management process
Selected Answer: D
Question #: 457
Topic #: 1
Which of the following is the BEST way to identify changes in the risk profile of an organization?
A. Monitor key risk indicators (KRIs)
B. Monitor key performance indicators (KPIs)
C. Conduct a gap analysis
D. Interview the risk owner
Selected Answer: A
Question #: 450
Topic #: 1
An organization has recently hired a large number of part-time employees. During the annual audit, it was discovered that many user IDs and passwords were documented in procedure manuals for use by the part-time employees. Which of the following BEST describes this situation?
A. Risk
B. Policy violation
C. Threat
D. Vulnerability
Selected Answer: D
Question #: 447
Topic #: 1
When preparing a risk status report for periodic review by senior management, it is MOST important to ensure the report includes:
A. recommendations by an independent risk assessor
B. a summary of incidents that have impacted the organization
C. a detailed view of individual risk exposures
D. risk exposure in business terms
Selected Answer: D
Question #: 444
Topic #: 1
An IT department has organized training sessions to improve user awareness of organizational information security policies. Which of the following is the BEST key performance indicator (KPI) to reflect effectiveness of the training?
A. Number of training sessions completed
B. Percentage of staff members who complete the training with a passing score
C. Percentage of attendees versus total staff
D. Percentage of staff members who attend the training with positive feedback
Selected Answer: B
Question #: 990
Topic #: 1
Which of the following is MOST important for mitigating ethical risk when establishing accountability for control ownership?
A. Ensuring processes are documented to enable effective control execution
B. Ensuring schedules and deadlines for control-related deliverables are strictly monitored
C. Ensuring performance metrics balance business goals with risk appetite
D. Ensuring regular risk messaging is included in business communications from leadership
Selected Answer: C
Question #: 414
Topic #: 1
A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:
A. identifying risk mitigation controls
B. documenting the risk scenarios
C. validating the risk scenarios
D. updating the risk register
Selected Answer: C
Question #: 411
Topic #: 1
The BEST reason to classify IT assets during a risk assessment is to determine the:
A. appropriate level of protection
B. enterprise risk profile
C. priority in the risk register
D. business process owner
Selected Answer: A
Question #: 400
Topic #: 1
An organization maintains independent departmental risk registers that are not automatically aggregated. Which of the following is the GREATEST concern?
A. Resources may be inefficiently allocated
B. Management may be unable to accurately evaluate the risk profile
C. Multiple risk treatment efforts may be initiated to treat a given risk
D. The same risk factor may be identified in multiple areas
Selected Answer: B
Question #: 321
Topic #: 1
Which of the following role carriers is accountable for collecting data on risk and articulating risk?
A. Enterprise risk committee
B. Business process owner
C. Chief information officer (CIO)
D. Chief risk officer (CRO)
Selected Answer: D
Question #: 300
Topic #: 1
Sensitive data has been lost after an employee inadvertently removed a file from the premises, in violation of organizational policy. Which of the following controls MOST likely failed?
A. Background checks
B. Awareness training
C. User access
D. Policy management
Selected Answer: C
Question #: 298
Topic #: 1
What are the PRIMARY objectives of a control?
A. Detect, recover, and attack
B. Prevent, respond, and log
C. Prevent, control, and attack
D. Prevent, recover, and detect
Selected Answer: D
Question #: 292
Topic #: 1
Which of the following will significantly affect the standard information security governance model?
A. Currency with changing legislative requirements
B. Number of employees
C. Complexity of the organizational structure
D. Cultural differences between physical locations
Selected Answer: C
Question #: 266
Topic #: 1
You are the project manager of a project in Bluewell Inc. You and your project team have identified several project risks, completed risk analysis, and are planning to apply the most appropriate risk responses. Which of the following tools would you use to choose the appropriate risk response?
A. Project network diagrams
B. Cause-and-effect analysis
C. Decision tree analysis
D. Delphi Technique
Selected Answer: C
Question #: 262
Topic #: 1
You are the project manager of the RFT project. You have identified a risk that the enterprise’s IT system and application landscape is so complex that, within a few years, extending capacity will become difficult and maintaining software will become very expensive. To overcome this risk, the response adopted is re-architecture of the existing system and purchase of a new integrated system. In which of the following risk prioritization options would this case be categorized?
A. Deferrals
B. Quick win
C. Business case to be made
D. Contagious risk
Selected Answer: C
Question #: 257
Topic #: 1
Which of the following is true for Single loss expectancy (SLE), Annual rate of occurrence (ARO), and Annual loss expectancy (ALE)?
A. ALE= ARO/SLE
B. ARO= SLE/ALE
C. ARO= ALE*SLE
D. ALE= ARO*SLE
Selected Answer: D
Question #: 254
Topic #: 1
Which of the following acts as a trigger for the risk response process?
A. Risk level increases above risk appetite
B. Risk level increases above risk tolerance
C. Risk level equals risk appetite
D. Risk level equals risk tolerance
Selected Answer: B
Question #: 247
Topic #: 1
John works as a project manager for BlueWell Inc. He is determining which risks can affect the project. Which of the following inputs of the identify risks process is useful in identifying risks associated with the time allowances for the activities or the project as a whole, with the width of the range indicating the degree of risk?
A. Activity duration estimates
B. Activity cost estimates
C. Risk management plan
D. Schedule management plan
Selected Answer: A
Question #: 242
Topic #: 1
Which of the following baselines identifies the specifications required by the resource that meet the approved requirements?
A. Functional baseline
B. Allocated baseline
C. Product baseline
D. Developmental baseline
Selected Answer: B
Question #: 241
Topic #: 1
Tom works as a project manager for BlueWell Inc. He is determining which risks can affect the project. Which of the following inputs of the identify risks process is useful in identifying risks, and provides a quantitative assessment of the likely cost to complete the scheduled activities?
A. Activity duration estimates
B. Risk management plan
C. Cost management plan
D. Activity cost estimates
Selected Answer: D
Question #: 240
Topic #: 1
Kelly is the project manager of the NNQ Project for her company. This project will last for one year and has a budget of $350,000. Kelly is working with her project team and subject matter experts to begin the risk response planning process. What are the two inputs that Kelly would need to begin the plan risk response process?
A. Risk register and the results of risk analysis
B. Risk register and the risk response plan
C. Risk register and power to assign risk responses
D. Risk register and the risk management plan
Selected Answer: D
Question #: 235
Topic #: 1
You are the project manager of the QPS project. You and your project team have identified a pure risk. You, along with the key stakeholders, decided to remove the pure risk from the project by changing the project plan altogether. What is a pure risk?
A. It is a risk event that only has a negative side and not any positive result.
B. It is a risk event that is created by the application of risk response.
C. It is a risk event that is generated due to errors or omission in the project work.
D. It is a risk event that cannot be avoided because of the order of the work.
Selected Answer: D
Question #: 227
Topic #: 1
Shawn is the project manager of the HWT project. In this project, Shawn’s team reports that they have found a way to complete the project work more cheaply than was originally estimated. The project team presents new software that will help to automate the project work. While the software and the associated training cost $25,000, it will save the project nearly $65,000 in total costs. Shawn agrees to the software and changes the project management plan accordingly.
What type of risk response has he used?
A. Avoiding
B. Accepting
C. Exploiting
D. Enhancing
Selected Answer: C
Question #: 222
Topic #: 1
Which of the following are common mistakes when implementing KRIs?
Each correct answer represents a complete solution. (Choose three.)
A. Choosing KRIs that are difficult to measure
B. Choosing KRIs that have a high correlation with the risk
C. Choosing KRIs that are incomplete or inaccurate due to unclear specifications
D. Choosing KRIs that are not linked to a specific risk
Selected Answer: C
Question #: 219
Topic #: 1
You are elected as the project manager of the GHT project. You are in the project initialization phase and are busy defining requirements for your project. While defining requirements, you are describing how users will interact with a system. Which of the following requirements are you defining here?
A. Technical requirement
B. Project requirement
C. Functional requirement
D. Business requirement
Selected Answer: C
Question #: 289
Topic #: 1
You are the project manager of the GHT project. You have analyzed the risk and applied appropriate controls. As a result, you are left with residual risk. Residual risk can be used to determine which of the following?
A. Status of enterprise’s risk
B. Appropriate controls to be applied next
C. The area that requires more control
D. Whether the benefits of such controls outweigh the costs
Selected Answer: B
Question #: 238
Topic #: 1
You are the project manager of your enterprise. You have identified new threats, and then evaluated the ability of existing controls to mitigate risk associated with new threats. You noticed that the existing control is not efficient in mitigating these new risks. What are the various steps you could take in this case?
Each correct answer represents a complete solution. (Choose three.)
A. Education of staff or business partners
B. Deployment of a threat-specific countermeasure
C. Modification of the technical architecture
D. Application of more controls
Selected Answer: BCD
Question #: 236
Topic #: 1
You work as a project manager for BlueWell Inc. You are preparing to plan risk responses for your project with your team. How many risk response types are available for a negative risk event in the project?
A. 5
B. 7
C. 1
D. 4
Selected Answer: D
Question #: 220
Topic #: 1
While considering entity-based risks, which dimension of the COSO ERM framework is being referred to?
A. Organizational levels
B. Risk components
C. Strategic objectives
D. Risk objectives
Selected Answer: D
Question #: 1114
Topic #: 1
An organization is reviewing a contract for a Software as a Service (SaaS) sales application with a 99.9% uptime service level agreement (SLA). Which of the following BEST describes ownership of availability risk?
A. The liability for the risk is owned by the cloud provider
B. The liability for the risk is owned by the sales department
C. The risk is transferred to the cloud provider
D. The risk is shared by both organizations
Selected Answer: C
Question #: 939
Topic #: 1
Which of the following is the PRIMARY benefit of stakeholder involvement in risk scenario development?
A. Awareness of emerging business threats
B. Up-to-date knowledge on risk responses
C. Ability to determine business impact
D. Decision-making authority for risk treatment
Selected Answer: A
Question #: 169
Topic #: 1
Which of the following actions assures management that the organization’s objectives are protected from the occurrence of risk events?
A. Internal control
B. Risk management
C. Hedging
D. Risk assessment
Selected Answer: A
Question #: 157
Topic #: 1
Which of the following is the BEST method for discovering high-impact risk types?
A. Qualitative risk analysis
B. Delphi technique
C. Failure modes and effects analysis
D. Quantitative risk analysis
Selected Answer: C
Question #: 156
Topic #: 1
Which of the following can be used to produce a comprehensive result when performing qualitative risk analysis?
A. Scenarios with threats and impacts
B. Cost-benefit analysis
C. Value of information assets
D. Vulnerability assessment
Selected Answer: A
Question #: 872
Topic #: 1
An IT risk practitioner has been asked to regularly report on the overall status and effectiveness of the IT risk management program. Which of the following is MOST useful for this purpose?
A. Capability maturity level
B. Balanced scorecard
C. Control self-assessment (CSA)
D. Internal audit plan
Selected Answer: A
Question #: 1372
Topic #: 1
Which of the following is the MOST useful information for a risk practitioner when planning response activities after risk identification?
A. Risk priorities
B. Risk register
C. Risk heat maps
D. Risk appetite
Selected Answer: D
Question #: 6
Topic #: 1
Which of the following is the MOST important use of KRIs?
A. Providing a backward-looking view on risk events that have occurred
B. Providing an early warning signal
C. Providing an indication of the enterprise’s risk appetite and tolerance
D. Enabling the documentation and analysis of trends
Selected Answer: D
Question #: 4
Topic #: 1
You are the project manager of a large construction project. This project will last for 18 months and will cost $750,000 to complete. You are working with your project team, experts, and stakeholders to identify risks within the project before the project work begins. Management wants to know why you have scheduled so many risk identification meetings throughout the project rather than just initially during the project planning. What is the best reason for the duplicate risk identification sessions?
A. The iterative meetings allow all stakeholders to participate in the risk identification processes throughout the project phases.
B. The iterative meetings allow the project manager to discuss the risk events which have passed the project and which did not happen.
C. The iterative meetings allow the project manager and the risk identification participants to identify newly discovered risk events throughout the project.
D. The iterative meetings allow the project manager to communicate pending risks events during project execution.
Selected Answer: C
Question #: 2
Topic #: 1
You are the project manager of the HGT project, which has recently finished the final compilation process. The project customer has signed off on the project completion and you have to do a few administrative closure activities. In the project, there were several large risks that could have wrecked the project, but you and your project team found some new methods to resolve the risks without affecting the project costs or project completion date. What should you do with the risk responses that you have identified during the project’s monitoring and controlling process?
A. Include the responses in the project management plan.
B. Include the risk responses in the risk management plan.
C. Include the risk responses in the organization’s lessons learned database.
D. Nothing. The risk responses are included in the project’s risk register already.
Selected Answer: C
Question #: 858
Topic #: 1
Which of the following is the PRIMARY reason to use key control indicators (KCIs) to evaluate control operating effectiveness?
A. To raise awareness of operational issues
B. To identify control vulnerabilities
C. To measure business exposure to risk
D. To monitor the achievement of set objectives
Selected Answer: A
Question #: 843
Topic #: 1
Which of the following would MOST likely result in updates to an IT risk profile?
A. Changes in senior management.
B. Establishment of a risk committee.
C. External audit findings.
D. Feedback from focus groups.
Selected Answer: A
Question #: 829
Topic #: 1
Which of the following is MOST important to have in place to ensure the effectiveness of risk and security metrics reporting?
A. Organizational reporting process.
B. Incident reporting procedures.
C. Regularly scheduled audits.
D. Incident management policy.
Selected Answer: A
Question #: 781
Topic #: 1
Which of the following is the PRIMARY reason to have the risk management process reviewed by a third party?
A. Obtain an objective view of process gaps and systemic errors.
B. Ensure the risk profile is defined and communicated.
C. Validate the threat management process.
D. Obtain objective assessment of the control environment.
Selected Answer: A
Question #: 51
Topic #: 1
You and your project team are identifying the risks that may exist within your project. Some of the risks are small risks that won’t affect your project much if they happen. What should you do with these identified risk events?
A. These risks can be dismissed.
B. These risks can be accepted.
C. These risks can be added to a low priority risk watch list.
D. All risks must have a valid, documented risk response.
Selected Answer: C
Question #: 33
Topic #: 1
Ben works as a project manager for the MJH Project. In this project, Ben is preparing to identify stakeholders so he can communicate project requirements, status, and risks. Ben has elected to use a salience model as part of his stakeholder identification process. Which of the following activities best describes a salience model?
A. Describing classes of stakeholders based on their power (ability to impose their will), urgency (need for immediate attention), and legitimacy (their involvement is appropriate).
B. Grouping the stakeholders based on their level of authority (“power”) and their level of concern (“interest”) regarding the project outcomes.
C. Influence/impact grid, grouping the stakeholders based on their active involvement (“influence”) in the project and their ability to affect changes to the project’s planning or execution (“impact”).
D. Grouping the stakeholders based on their level of authority (“power”) and their active involvement (“influence”) in the project.
Selected Answer: A
Question #: 22
Topic #: 1
Which of the following is a technique that provides a systematic description of the combination of unwanted occurrences in a system?
A. Sensitivity analysis
B. Scenario analysis
C. Fault tree analysis
D. Cause and effect analysis
Selected Answer: C
Question #: 19
Topic #: 1
You are the project manager of the GHT project. You have planned the risk response process and are now about to implement various controls. What should you do before relying on any of the controls?
A. Review performance data
B. Discover risk exposure
C. Conduct pilot testing
D. Articulate risk
Selected Answer: C
Question #: 17
Topic #: 1
You are an experienced Project Manager who has been entrusted with a project to develop a machine that produces auto components. You have scheduled meetings with the project team and the key stakeholders to identify the risks for your project. Which of the following is a key output of this process?
A. Risk Register
B. Risk Management Plan
C. Risk Breakdown Structure
D. Risk Categories
Selected Answer: A
Question #: 812
Topic #: 1
Which of the following provides the MOST up-to-date information about the effectiveness of an organization’s overall IT control environment?
A. Periodic penetration testing.
B. Key performance indicators (KPIs).
C. Internal audit findings.
D. Risk heat maps.
Selected Answer: C
Question #: 774
Topic #: 1
Which of the following tools is MOST helpful when mapping IT risk management outcomes to organizational objectives?
A. Risk dashboard
B. RACI chart
C. Information security risk map
D. Strategic business plan
Selected Answer: A
Question #: 758
Topic #: 1
Which of the following will BEST help an organization evaluate the control environment of several third-party vendors?
A. Review vendors’ performance metrics on quality and delivery of processes.
B. Review vendors’ internal risk assessments covering key risk and controls.
C. Obtain independent control reports from high-risk vendors.
D. Obtain vendor references from third parties.
Selected Answer: C
Question #: 752
Topic #: 1
Which of the following is the STRONGEST indication that controls implemented as part of a risk action plan are not effective?
A. A security breach occurs.
B. Internal audit identifies recurring exceptions.
C. Changes are put into production without management approval.
D. A sample is used to validate the action plan.
Selected Answer: B
Question #: 738
Topic #: 1
From a business perspective, which of the following is the MOST important objective of a disaster recovery test?
A. All business-critical systems are successfully tested.
B. Errors are discovered in the disaster recovery process.
C. All critical data is recovered within recovery time objectives (RTOs).
D. The organization gains assurance it can recover from a disaster.
Selected Answer: D
Question #: 737
Topic #: 1
A trusted third-party service provider has determined that the risk of a client’s systems being hacked is low. Which of the following would be the client’s BEST course of action?
A. Perform an independent audit of the third party.
B. Accept the risk based on the third party’s risk assessment.
C. Perform their own risk assessment.
D. Implement additional controls to address the risk.
Selected Answer: C
Question #: 732
Topic #: 1
Which of the following will BEST quantify the risk associated with malicious users in an organization?
A. Business impact analysis
B. Threat risk assessment
C. Vulnerability assessment
D. Risk analysis
Selected Answer: D