CRISC Topic 6
Question #: 727
Topic #: 1
Senior management has asked a risk practitioner to develop technical risk scenarios related to a recently developed enterprise resource planning (ERP) system.
These scenarios will be owned by the system manager. Which of the following would be the BEST method to use when developing the scenarios?
A. Bottom-up approach
B. Cause-and-effect diagram
C. Top-down approach
D. Delphi technique
Selected Answer: A
Question #: 716
Topic #: 1
Which of the following is the MOST important outcome of reviewing the risk management process?
A. Improving the competencies of employees who performed the review
B. Assuring the risk profile supports the IT objectives
C. Determining what changes should be made to IS policies to reduce risk
D. Determining that procedures used in risk assessment are appropriate
Selected Answer: D
Question #: 1443
Topic #: 1
Which of the following is the GREATEST risk associated with a blockchain implementation?
A. Regulatory changes require increased transparency and centralization.
B. Legacy systems require third-party operational support.
C. Reviews of the underlying code have not been performed.
D. The technology is used in emerging markets with many vulnerabilities.
Selected Answer: C
Question #: 1236
Topic #: 1
Which of the following is the BEST key performance indicator (KPI) to measure how effectively risk management practices are embedded in the project management office (PMO)?
A. Reduction in audits involving external risk consultants
B. Percentage of projects with key risk accepted by the project steering committee
C. Percentage of projects with developed controls on scope creep
D. Reduction in risk policy noncompliance findings
Selected Answer: C
Question #: 1122
Topic #: 1
Which of the following is the MOST important responsibility of an IT risk committee charged with overseeing IT risk management?
A. Conduct regular surveys to assess organizational risk awareness
B. Implement an industry-recognized IT risk management framework
C. Ensure significant risk scenarios are elevated to the board
D. Develop and communicate an IT risk RACI chart.
Selected Answer: C
Question #: 688
Topic #: 1
What can be determined from the risk scenario chart?
A. The multiple risk factors addressed by a chosen response
B. Relative positions on the risk map
C. Capability of enterprise to implement
D. Risk treatment options
Selected Answer: C
Question #: 653
Topic #: 1
Which of the following is MOST effective against external threats to an organization’s confidential information?
A. Single sign-on
B. Strong authentication
C. Data integrity checking
D. Intrusion detection system
Selected Answer: D
Question #: 649
Topic #: 1
Which of the following is the GREATEST benefit of analyzing logs collected from different systems?
A. Developing threats are detected earlier.
B. Forensic investigations are facilitated.
C. Security violations can be identified.
D. A record of incidents is maintained.
Selected Answer: A
Question #: 645
Topic #: 1
In an organization dependent on data analytics to drive decision-making, which of the following would BEST help to minimize the risk associated with inaccurate data?
A. Evaluating each of the data sources for vulnerabilities
B. Establishing an intellectual property agreement
C. Benchmarking to industry best practice
D. Periodically reviewing big data strategies
Selected Answer: D
Question #: 498
Topic #: 1
Which of the following should be done FIRST when a new risk scenario has been identified?
A. Assess the risk awareness program
B. Assess the risk training program
C. Identify the risk owner
D. Estimate the residual risk
Selected Answer: C
Question #: 484
Topic #: 1
During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:
A. a control mitigation plan is in place
B. residual risk is accepted
C. compensating controls are in place
D. risk management is effective
Selected Answer: C
Question #: 959
Topic #: 1
Which of the following should a risk practitioner validate FIRST when a mitigating control cannot be implemented fully to support business objectives?
A. If the risk owner has accepted the risk
B. If compensating controls have been implemented
C. If insurance coverage has been obtained
D. If business objectives continue to align with organizational goals
Selected Answer: A
Question #: 952
Topic #: 1
Which of the following would be the GREATEST challenge when implementing a corporate risk framework for a global organization?
A. Business continuity
B. Risk taxonomy
C. Management support
D. Privacy risk controls
Selected Answer: B
Question #: 617
Topic #: 1
Which of the following is the PRIMARY reason for a risk practitioner to use global standards related to risk management?
A. To continuously improve risk management processes
B. To build an organizational risk-aware culture
C. To comply with legal and regulatory requirements
D. To identify gaps in risk management practices
Selected Answer: D
Question #: 585
Topic #: 1
Which of the following would be considered a vulnerability?
A. Delayed removal of employee access
B. Corruption of files due to malware
C. Authorized administrative access to HR files
D. Server downtime due to a denial of service (DoS) attack
Selected Answer: A
Question #: 899
Topic #: 1
Which of the following controls BEST enables an organization to ensure a complete and accurate IT asset inventory?
A. Requesting an asset list from business owners
B. Prohibiting the use of personal devices for business
C. Performing network scanning for unknown devices
D. Documenting asset configuration baselines
Selected Answer: D
Question #: 1090
Topic #: 1
Who is PRIMARILY accountable for risk treatment decisions?
A. Risk manager
B. Business manager
C. Data owner
D. Risk owner
Selected Answer: D
Question #: 886
Topic #: 1
Which of the following is the BEST approach when a risk practitioner has been asked by a business unit manager for special consideration during a risk assessment of a system?
A. Conduct an abbreviated version of the assessment.
B. Recommend an internal auditor perform the review.
C. Perform the assessment as it would normally be done.
D. Report the business unit manager for a possible ethics violation.
Selected Answer: C
Question #: 549
Topic #: 1
An organization uses a vendor to destroy hard drives. Which of the following would BEST reduce the risk of data leakage?
A. Implement an encryption policy for the hard drives
B. Require the vendor to degauss the hard drives
C. Use an accredited vendor to dispose of the hard drives
D. Require confirmation of destruction from the IT manager
Selected Answer: C
Question #: 548
Topic #: 1
Which of the following would be MOST useful when measuring the progress of a risk response action plan?
A. Resource expenditure against budget
B. An up-to-date risk register
C. Percentage of mitigated risk scenarios
D. Annual loss expectancy (ALE) changes
Selected Answer: A
Question #: 547
Topic #: 1
In response to the threat of ransomware, an organization has implemented cybersecurity awareness activities. The risk practitioner’s BEST recommendation to further reduce the impact of ransomware attacks would be to implement:
A. encryption for data at rest
B. encryption for data in motion
C. two-factor authentication
D. continuous data backup controls
Selected Answer: A
Question #: 978
Topic #: 1
From a risk management perspective, which of the following is the PRIMARY benefit of using automated system configuration validation tools?
A. Staff costs are reduced.
B. Operational costs are reduced.
C. Inherent risk is reduced.
D. Residual risk is reduced.
Selected Answer: D
Question #: 955
Topic #: 1
An organization has completed a risk assessment of one of its service providers. Who should be accountable for ensuring that risk responses are implemented?
A. IT risk practitioner
B. The relationship owner
C. Third-party security team
D. Legal representation of the business
Selected Answer: B
Question #: 954
Topic #: 1
Which of the following management actions will MOST likely change the likelihood rating of a risk scenario related to remote network access?
A. Implementing multi-factor authentication
B. Updating the organizational policy for remote access
C. Creating metrics to track remote connections
D. Updating remote desktop software
Selected Answer: A
Question #: 951
Topic #: 1
A large organization needs to report risk at all levels for a new centralized virtualization project to reduce cost and improve performance. Which of the following would MOST effectively represent the overall risk of the project to senior management?
A. Risk heat map
B. Centralized risk register
C. Key risk indicators (KRIs)
D. Aggregated key performance indicators (KPIs)
Selected Answer: A
Question #: 940
Topic #: 1
Which of the following is the BEST metric to demonstrate the effectiveness of an organization’s software testing program?
A. Percentage of applications covered by the testing team
B. Average time to complete software test cases
C. The number of personnel dedicated to software testing
D. Number of incidents resulting from software changes
Selected Answer: D
Question #: 936
Topic #: 1
Which of the following is the BEST way for an organization to enable risk treatment decisions?
A. Establish clear accountability for risk.
B. Develop comprehensive policies and standards.
C. Allocate sufficient funds for risk remediation.
D. Promote risk and security awareness.
Selected Answer: A
Question #: 925
Topic #: 1
Which of the following BEST protects an organization against breaches when using a software as a service (SaaS) application?
A. Security information and event management (SIEM) solutions
B. Control self-assessment (CSA)
C. Data privacy impact assessment (DPIA)
D. Data loss prevention (DLP) tools
Selected Answer: D
Question #: 922
Topic #: 1
Which of the following is the MOST effective control to ensure user access is maintained on a least-privilege basis?
A. Change log review
B. User recertification
C. Access log monitoring
D. User authorization
Selected Answer: B
Question #: 920
Topic #: 1
Which of the following MUST be updated to maintain an IT risk register?
A. Risk appetite
B. Risk tolerance
C. Expected frequency and potential impact
D. Enterprise-wide IT risk assessment
Selected Answer: C
Question #: 918
Topic #: 1
Which of the following is MOST important to the successful development of IT risk scenarios?
A. Control effectiveness assessment
B. Threat and vulnerability analysis
C. Internal and external audit reports
D. Cost-benefit analysis
Selected Answer: B
Question #: 912
Topic #: 1
The BEST key performance indicator (KPI) for monitoring adherence to an organization’s user accounts provisioning practices is the percentage of:
A. active accounts belonging to former personnel.
B. accounts with dormant activity.
C. accounts without documented approval.
D. user accounts with default passwords.
Selected Answer: C
Question #: 852
Topic #: 1
Which of the following is the MAIN reason for analyzing risk scenarios?
A. Establishing a risk appetite
B. Identifying additional risk scenarios
C. Updating the heat map
D. Assessing loss expectancy
Selected Answer: D
Question #: 874
Topic #: 1
The BEST way to obtain senior management support for investment in a control implementation would be to articulate the reduction in:
A. vulnerabilities.
B. detected incidents.
C. inherent risk.
D. residual risk.
Selected Answer: D
Question #: 869
Topic #: 1
Which of the following should be the MOST important consideration for senior management when developing a risk response strategy?
A. Risk appetite
B. Cost of controls
C. Risk tolerance
D. Probability definition
Selected Answer: A
Question #: 868
Topic #: 1
When reporting on the performance of an organization’s control environment, including which of the following would BEST inform stakeholders’ risk decision-making?
A. A report of deficiencies noted during controls testing
B. Spend to date on mitigating control implementation
C. A status report of control deployment
D. The audit plan for the upcoming period
Selected Answer: A
Question #: 865
Topic #: 1
Which of the following BEST measures the impact of business interruptions caused by an IT service outage?
A. Duration of service outage
B. Cost of remediation efforts
C. Sustained financial loss
D. Average time to recovery
Selected Answer: C
Question #: 859
Topic #: 1
Which of the following BEST indicates whether security awareness training is effective?
A. Course evaluation
B. User behavior after training
C. User self-assessment
D. Quality of training materials
Selected Answer: B
Question #: 847
Topic #: 1
The MAIN goal of the risk analysis process is to determine the:
A. potential severity of impact.
B. control deficiencies.
C. frequency and magnitude of loss.
D. threats and vulnerabilities.
Selected Answer: C
Question #: 846
Topic #: 1
Which of the following is MOST important for an organization that wants to reduce IT operational risk?
A. Decentralizing IT infrastructure.
B. Increasing the frequency of data backups.
C. Increasing senior management’s understanding of IT operations.
D. Minimizing complexity of IT infrastructure.
Selected Answer: D
Question #: 845
Topic #: 1
Who is MOST likely to be responsible for the coordination between the IT risk strategy and the business risk strategy?
A. Information security director
B. Internal audit director
C. Chief information officer
D. Chief financial officer
Selected Answer: C
Question #: 841
Topic #: 1
A new international data privacy regulation requires personal data to be disposed of after the specified retention period, which is different from the local regulatory requirement. Which of the following is the risk practitioner’s BEST recommendation to resolve the disparity?
A. Adopt the international standard.
B. Adopt the standard determined by legal counsel.
C. Adopt the local standard.
D. Adopt the least stringent standard determined by the risk committee.
Selected Answer: B
Question #: 837
Topic #: 1
Which of the following provides the MOST important information to facilitate a risk response decision?
A. Risk appetite.
B. Industry best practices.
C. Key risk indicators.
D. Audit findings.
Selected Answer: A
Question #: 830
Topic #: 1
Which of the following is the MOST appropriate key risk indicator (KRI) for backup media that is recycled monthly?
A. Time required for backup restoration testing.
B. Change in size of data backed up.
C. Successful completion of backup operations.
D. Percentage of failed restore tests.
Selected Answer: D
Question #: 823
Topic #: 1
Controls should be defined during the design phase of system development because:
A. technical specifications are defined during this phase.
B. structured programming techniques require that controls be designed before coding begins.
C. it’s more cost-effective to determine controls in the early design phase.
D. structured analysis techniques exclude identification of controls.
Selected Answer: C
Question #: 820
Topic #: 1
The PRIMARY purpose of IT control status reporting is to:
A. assist internal audit in evaluating and initiating remediation efforts.
B. ensure compliance with IT governance strategy.
C. facilitate the comparison of the current and desired states.
D. benchmark IT controls with industry standards.
Selected Answer: C
Question #: 819
Topic #: 1
An internal audit report reveals that not all IT application databases have encryption in place. Which of the following information would be MOST important for assessing the risk impact?
A. The reason some databases have not been encrypted.
B. A list of unencrypted databases which contain sensitive data.
C. The cost required to enforce encryption.
D. The number of users who can access sensitive data.
Selected Answer: B
Question #: 815
Topic #: 1
The BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability remediation program is the number of:
A. new vulnerabilities identified.
B. recurring vulnerabilities.
C. vulnerabilities remediated.
D. vulnerability scans.
Selected Answer: C
Question #: 806
Topic #: 1
What should a risk practitioner do NEXT if an ineffective key control is identified on a critical system?
A. Revalidate the risk assessment.
B. Escalate to senior management.
C. Propose acceptance of the risk.
D. Conduct a gap analysis.
Selected Answer: B
Question #: 805
Topic #: 1
An organization must implement changes as the result of new regulations. Which of the following should the risk practitioner do FIRST to prepare for these changes?
A. Engage the legal department.
B. Conduct a gap analysis.
C. Implement compensating controls.
D. Review the risk profile.
Selected Answer: B
Question #: 786
Topic #: 1
Which of the following is the BEST indicator of the effectiveness of IT risk management processes?
A. Time between when IT risk scenarios are identified and the enterprise’s response.
B. Percentage of business users completing risk training.
C. Percentage of high-risk scenarios for which risk action plans have been developed.
D. Number of key risk indicators (KRIs) defined.
Selected Answer: A
Question #: 651
Topic #: 1
When developing a new risk register, a risk practitioner should focus on which of the following risk management activities?
A. Risk response planning
B. Risk identification
C. Risk monitoring and control
D. Risk management strategy planning
Selected Answer: B
Question #: 689
Topic #: 1
When collecting information to identify IT-related risk, a risk practitioner should FIRST focus on IT:
A. security policies.
B. process maps.
C. risk tolerance level.
D. risk appetite.
Selected Answer: B
Question #: 672
Topic #: 1
An IT risk practitioner has determined that mitigation activities differ from an approved risk action plan. Which of the following is the risk practitioner’s BEST course of action?
A. Revert the implemented mitigation measures until approval is obtained.
B. Validate the adequacy of the implemented risk mitigation measures.
C. Report the observation to the chief risk officer (CRO).
D. Update the risk register with the implemented risk mitigation actions.
Selected Answer: C
Question #: 493
Topic #: 1
Which of the following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system?
A. Conduct user acceptance testing
B. Perform a post-implementation review
C. Interview process owners
D. Review the key performance indicators (KPIs)
Selected Answer: B
Question #: 639
Topic #: 1
An organization is planning to engage a cloud-based service provider for some of its data-intensive business processes. Which of the following is MOST important to help define the IT risk associated with this outsourcing activity?
A. Service level agreement
B. Right to audit the provider
C. Customer service reviews
D. Scope of services provided
Selected Answer: B
Question #: 799
Topic #: 1
The PRIMARY goal of a risk management program is to:
A. facilitate resource availability.
B. safeguard corporate assets.
C. help ensure objectives are met.
D. help prevent operational losses.
Selected Answer: C
Question #: 798
Topic #: 1
Which of the following IT key risk indicators (KRIs) provides management with the BEST feedback on IT capacity?
A. Trends in IT resource usage.
B. Increased resource availability.
C. Trends in IT maintenance costs.
D. Increased number of incidents.
Selected Answer: A
Question #: 794
Topic #: 1
Who should be accountable for monitoring the control environment to ensure controls are effective?
A. Risk owner
B. Security monitoring operations
C. Impacted data owner
D. System owner
Selected Answer: A
Question #: 790
Topic #: 1
The BEST criteria when selecting a risk response is the:
A. effectiveness of risk response options
B. alignment of response to industry standards
C. importance of IT risk within the enterprise
D. capability to implement the response
Selected Answer: A
Question #: 789
Topic #: 1
Which of the following is the MOST important consideration when determining whether to accept residual risk after security controls have been implemented on a critical system?
A. Cost of the information control system.
B. Cost versus benefit of additional mitigating controls.
C. Annualized loss expectancy (ALE) for the system.
D. Frequency of business impact.
Selected Answer: B
Question #: 784
Topic #: 1
An organization moved its payroll system to a Software as a Service (SaaS) application. A new data privacy regulation stipulates that data can only be processed within the country where it is collected. Which of the following should be done FIRST when addressing this situation?
A. Analyze data protection methods.
B. Understand data flows.
C. Include a right-to-audit clause.
D. Implement strong access controls.
Selected Answer: B
Question #: 724
Topic #: 1
An organization has completed a project to implement encryption on all databases that host customer data. Which of the following elements of the risk register should be updated to reflect this change?
A. Risk tolerance
B. Inherent risk
C. Risk appetite
D. Risk likelihood
Selected Answer: D
Question #: 722
Topic #: 1
An organization has implemented a preventive control to lock user accounts after three unsuccessful login attempts. This practice has been proven to be unproductive, and a change in the control threshold value has been recommended. Who should authorize changing this threshold?
A. Control owner
B. IT security manager
C. Risk owner
D. IT system owner
Selected Answer: A
Question #: 721
Topic #: 1
Which of the following is the PRIMARY objective of providing an aggregated view of IT risk to business management?
A. To provide consistent and clear terminology
B. To allow for proper review of risk tolerance
C. To identify dependencies for reporting risk
D. To enable consistent data on risk to be obtained
Selected Answer: B
Question #: 710
Topic #: 1
Which of the following BEST indicates effective information security incident management?
A. Frequency of information security incident response plan testing
B. Percentage of high risk security incidents
C. Monthly trend of information security-related incidents
D. Average time to identify critical information security incidents
Selected Answer: D
Question #: 590
Topic #: 1
Which of the following would prompt changes in key risk indicator (KRI) thresholds?
A. Changes in risk appetite or tolerance
B. Modification to risk categories
C. Knowledge of new and emerging threats
D. Changes to the risk register
Selected Answer: A
Question #: 583
Topic #: 1
A risk practitioner has observed that there is an increasing trend of users sending sensitive information by email without using encryption. Which of the following would be the MOST effective approach to mitigate the risk associated with data loss?
A. Implement a tool to create and distribute violation reports
B. Block unencrypted outgoing emails which contain sensitive data
C. Implement a progressive disciplinary process for email violations
D. Raise awareness of encryption requirements for sensitive data
Selected Answer: B
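The selected answer for Question 583 is the enforcement control: an outbound mail gateway that inspects each message and blocks it when it carries sensitive data in the clear. The block below is an added example of what that gateway rule looks like in code; it is not part of the question bank or of any vendor product. It assumes a hypothetical message structure (a dict with "to", "headers" and "body"), treats payment card numbers as the sensitive data type (regex candidate plus Luhn check to avoid flagging order numbers), recognizes PGP or S/MIME as "encrypted", and uses a made-up internal domain. The sample messages are constructed for the example.

```python
import re

# Assumption: the organization's own mail domains; mail to these only is not "outgoing".
INTERNAL_DOMAINS = {"example.com"}

# Candidate card numbers: 13-19 digits, optional single space/dash separators,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return normalized (separator-free) card numbers that pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def is_encrypted(msg: dict) -> bool:
    """Encrypted content is opaque to the gateway; its presence means the required control was used."""
    ctype = msg["headers"].get("Content-Type", "").lower()
    if "multipart/encrypted" in ctype or "application/pkcs7-mime" in ctype:
        return True
    return "-----BEGIN PGP MESSAGE-----" in msg["body"]


def is_outbound(msg: dict) -> bool:
    return any(addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS
               for addr in msg["to"])


def evaluate(msg: dict) -> tuple[str, str]:
    """Gateway decision: ('block' | 'allow', human-readable reason)."""
    if not is_outbound(msg):
        return "allow", "internal recipients only"
    if is_encrypted(msg):
        return "allow", "message is encrypted"
    pans = find_pans(msg["body"])
    if pans:
        return "block", f"{len(pans)} unencrypted card number(s) to external recipient"
    return "allow", "no sensitive data detected"


# Constructed sample traffic for the example (not real messages).
SAMPLES = [
    {   # plaintext card number to an external address -> block
        "to": ["partner@vendor-example.net"],
        "headers": {"Content-Type": "text/plain"},
        "body": "Hi, please charge card 4111 1111 1111 1111, exp 12/27. Thanks",
    },
    {   # same recipient, but the body is PGP-encrypted -> allow
        "to": ["partner@vendor-example.net"],
        "headers": {"Content-Type": "text/plain"},
        "body": "-----BEGIN PGP MESSAGE-----\nhQEMA7x3k2abcd\n-----END PGP MESSAGE-----",
    },
    {   # 13-digit order number that fails Luhn -> not a card number, allow
        "to": ["partner@vendor-example.net"],
        "headers": {"Content-Type": "text/plain"},
        "body": "Order 1234567890123 has shipped.",
    },
    {   # card number, but every recipient is internal -> outside the rule's scope, allow
        "to": ["finance@example.com"],
        "headers": {"Content-Type": "text/plain"},
        "body": "Refund to 4242424242424242 approved.",
    },
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(evaluate(msg))
```

The Luhn check is what keeps the blocking rule usable: a pure digit-run regex would also stop invoices and tracking numbers, and a control that blocks legitimate mail gets an exception granted within a week. The encrypted-message branch is deliberately checked before content scanning, since the gateway cannot read ciphertext and the point of the control is that encryption was applied.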
Question #: 582
Topic #: 1
During an IT department reorganization, the manager of a risk mitigation action plan was replaced. The new manager has begun implementing a new control after identifying a more effective option. Which of the following is the risk practitioner’s BEST course of action?
A. Communicate the decision to the risk owner for approval
B. Identify an owner for the new control
C. Modify the action plan in the risk register
D. Seek approval from the previous action plan manager
Selected Answer: B
Question #: 574
Topic #: 1
Which of the following roles is BEST suited to help a risk practitioner understand the impact of IT-related events on business objectives?
A. Process owners
B. IT management
C. Senior management
D. Internal audit
Selected Answer: C
Question #: 536
Topic #: 1
An organization is considering acquiring a new line of business and wants to develop new IT risk scenarios to guide its decisions. Which of the following would add the MOST value to the new risk scenarios?
A. Audit findings
B. Expected losses
C. Cost-benefit analysis
D. Organizational threats
Selected Answer: B
Question #: 777
Topic #: 1
Which of the following can be used to assign a monetary value to risk?
A. Annual loss expectancy (ALE)
B. Business impact analysis
C. Cost-benefit analysis
D. Inherent vulnerabilities
Selected Answer: A
Question #: 773
Topic #: 1
Which of the following is MOST important when discussing risk within an organization?
A. Adopting a common risk taxonomy.
B. Creating a risk communication policy.
C. Using key performance indicators (KPIs).
D. Using key risk indicators (KRIs).
Selected Answer: A
Question #: 771
Topic #: 1
Which of the following is the BEST indication of the effectiveness of a business continuity program?
A. Business continuity tests are performed successfully and issues are addressed.
B. Business continuity and disaster recovery plans are regularly updated.
C. Business impact analyses (BIAs) are reviewed and updated in a timely manner.
D. Business units are familiar with the business continuity plans (BCPs) and process.
Selected Answer: A
Question #: 770
Topic #: 1
After the implementation of Internet of Things (IoT) devices, new risk scenarios were identified. What is the PRIMARY reason to report this information to risk owners?
A. To reevaluate continued use of IoT devices.
B. To recommend changes to the IoT policy.
C. To confirm the impact to the risk profile.
D. To add new controls to mitigate the risk.
Selected Answer: C
Question #: 769
Topic #: 1
The PRIMARY objective for requiring an independent review of an organization’s IT risk management process should be to:
A. ensure IT risk management is focused on mitigating potential risk.
B. confirm that IT risk assessment results are expressed as business impact.
C. assess gaps in IT risk management operations and strategic focus.
D. verify implemented controls to reduce the likelihood of threat materialization.
Selected Answer: C
Question #: 765
Topic #: 1
Which of the following is the MOST important topic to cover in a risk awareness training program for all staff?
A. The risk department’s roles and responsibilities.
B. Policy compliance requirements and exceptions process.
C. The organization’s information security risk profile.
D. Internal and external information security incidents.
Selected Answer: C
Question #: 759
Topic #: 1
Which of the following should an organization perform to forecast the effects of a disaster?
A. Analyze capability maturity model gaps.
B. Define recovery time objectives (RTOs).
C. Develop a business impact analysis (BIA).
D. Simulate a disaster recovery.
Selected Answer: C
Question #: 754
Topic #: 1
Prudent business practice requires that risk appetite not exceed:
A. risk capacity.
B. inherent risk.
C. risk tolerance.
D. residual risk.
Selected Answer: A
Question #: 751
Topic #: 1
To effectively support business decisions, an IT risk register MUST:
A. reflect the results of risk assessments.
B. effectively support a business maturity model.
C. be available to operational risk groups.
D. be reviewed by the IT steering committee.
Selected Answer: A
Question #: 749
Topic #: 1
A data processing center operates in a jurisdiction where new regulations have significantly increased penalties for data breaches. Which of the following elements of the risk register is MOST important to update to reflect this change?
A. Risk impact
B. Risk trend
C. Risk appetite
D. Risk likelihood
Selected Answer: A
Question #: 743
Topic #: 1
Accountability for a particular risk is BEST represented in a:
A. risk register.
B. RACI matrix.
C. risk catalog.
D. risk scenario.
Selected Answer: B
Question #: 514
Topic #: 1
A risk practitioner is preparing a report to communicate changes in the risk and control environment. The BEST way to engage stakeholder attention is to:
A. include a roadmap to achieve operational excellence
B. include a summary linking information to stakeholder needs
C. publish the report on-demand for stakeholders
D. include detailed deviations from industry benchmarks
Selected Answer: B
Question #: 507
Topic #: 1
A risk practitioner has observed that risk owners have approved a high number of exceptions to the information security policy. Which of the following should be the risk practitioner’s GREATEST concern?
A. Aggregate risk approaching the tolerance threshold
B. Vulnerabilities are not being mitigated
C. Security policies are not being reviewed periodically
D. Risk owners are focusing more on efficiency
Selected Answer: A
Question #: 756
Topic #: 1
Which of the following is MOST important to include when identifying risk scenarios for inclusion in a risk review of a third-party service provider?
A. Open vendor issues.
B. Purchasing agreements.
C. Supplier questionnaires.
D. Process mapping.
Selected Answer: A
Question #: 613
Topic #: 1
Which of the following is the MOST important factor when deciding on a control to mitigate risk exposure?
A. Comparison against best practice
B. Relevance to the business process
C. Regulatory compliance requirements
D. Cost-benefit analysis
Selected Answer: D
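Questions 777, 789 and 613 turn on the same arithmetic: annual loss expectancy (ALE = single loss expectancy × annualized rate of occurrence) puts a monetary value on a risk, a control is justified when the ALE it removes exceeds its annual cost, and residual risk is accepted when no further control pays for itself. The block below is an added worked example of that cost-benefit selection; it is not part of the question bank. The scenario, the control effects (expressed as the fraction of SLE or ARO remaining) and all currency figures are assumed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float   # single loss expectancy, currency units per event
    aro: float   # annualized rate of occurrence, events per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    sle_factor: float = 1.0   # fraction of impact remaining after the control (1.0 = unchanged)
    aro_factor: float = 1.0   # fraction of likelihood remaining after the control


def ale(s: Scenario) -> float:
    """Annual loss expectancy: the monetary value assigned to the risk (Q777)."""
    return s.sle * s.aro


def residual(s: Scenario, c: Control) -> Scenario:
    """The scenario as it looks once the control is in place."""
    return Scenario(s.name, s.sle * c.sle_factor, s.aro * c.aro_factor)


def net_benefit(s: Scenario, c: Control) -> float:
    """ALE reduction minus annual control cost; positive means the control pays for itself."""
    return ale(s) - ale(residual(s, c)) - c.annual_cost


def select_controls(s: Scenario, controls: list[Control]) -> tuple[list[Control], Scenario]:
    """Greedy cost-benefit selection (Q613): apply the control with the largest positive
    net benefit against the *current* residual, recompute, and stop when nothing left
    pays for itself. The remaining residual is what management is asked to accept (Q789)."""
    chosen, current, remaining = [], s, list(controls)
    while remaining:
        best = max(remaining, key=lambda c: net_benefit(current, c))
        if net_benefit(current, best) <= 0:
            break
        chosen.append(best)
        current = residual(current, best)
        remaining.remove(best)
    return chosen, current


# Assumed figures for the example.
BREACH = Scenario("customer database breach", sle=500_000.0, aro=0.2)   # ALE = 100,000
CANDIDATES = [
    Control("encrypt data at rest", annual_cost=15_000.0, sle_factor=0.4),
    Control("enhanced monitoring", annual_cost=30_000.0, aro_factor=0.5),
    Control("data loss prevention", annual_cost=80_000.0, sle_factor=0.5, aro_factor=0.5),
]

if __name__ == "__main__":
    print(f"inherent ALE: {ale(BREACH):,.0f}")
    for c in CANDIDATES:
        print(f"  {c.name:<24} net benefit {net_benefit(BREACH, c):>10,.0f}")
    chosen, left = select_controls(BREACH, CANDIDATES)
    print("selected:", [c.name for c in chosen])
    print(f"residual ALE to accept: {ale(left):,.0f}")
```

Against the assumed figures, encryption removes 60,000 of ALE for 15,000 a year and is selected; once it is in place the residual ALE is 40,000, and neither remaining control recovers its own cost against that smaller exposure, so the 40,000 is the residual the risk owner is asked to accept. Note that the second-round ranking differs from the first: a control's value depends on the exposure that is still there, which is why the comparison in Q789 is specifically against *additional* controls.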
Question #: 736
Topic #: 1
Which of the following is the MOST important key performance indicator (KPI) to establish in the service level agreement (SLA) for an outsourced data center?
A. Number of key systems hosted
B. Percentage of system availability
C. Average response time to resolve system incidents
D. Percentage of systems included in recovery processes
Selected Answer: B
Question #: 735
Topic #: 1
Which of the following would be the BEST recommendation if the level of risk in the IT risk profile has decreased and is now below management’s risk appetite?
A. Decrease the number of related risk scenarios.
B. Optimize the control environment.
C. Realign risk appetite to the current risk level.
D. Reduce the risk management budget.
Selected Answer: B
Question #: 734
Topic #: 1
Which of the following risk management practices BEST facilitates the incorporation of IT risk scenarios into the enterprise-wide risk register?
A. Key risk indicators (KRIs) are developed for key IT risk scenarios.
B. IT risk scenarios are developed in the context of organizational objectives.
C. IT risk scenarios are assessed by the enterprise risk management team.
D. Risk appetites for IT risk scenarios are approved by key business stakeholders.
Selected Answer: B
Question #: 729
Topic #: 1
Which of the following is the MOST important element of a successful risk awareness training program?
A. Mapping to a recognized standard
B. Providing metrics for measurement
C. Customizing content for the audience
D. Providing incentives to participants
Selected Answer: C
Question #: 728
Topic #: 1
Which of the following is the MAIN reason for documenting the performance of controls?
A. Justifying return on investment
B. Demonstrating effective risk mitigation
C. Providing accurate risk reporting
D. Obtaining management sign-off
Selected Answer: B
Question #: 725
Topic #: 1
A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?
A. Action plans to address risk scenarios requiring treatment
B. The team that performed the risk assessment
C. An assigned risk manager to provide oversight
D. The methodology used to perform the risk assessment
Selected Answer: A
Question #: 720
Topic #: 1
Which of the following is the PRIMARY reason to perform ongoing risk assessments?
A. The risk environment is subject to change.
B. The information security budget must be justified.
C. Emerging risk must be continuously reported to management.
D. New system vulnerabilities emerge at frequent intervals.
Selected Answer: A
Question #: 718
Topic #: 1
The BEST key performance indicator (KPI) to measure the effectiveness of a backup process would be the number of:
A. backup recovery requests.
B. resources to monitor backups.
C. restoration monitoring reports.
D. recurring restore failures.
Selected Answer: D
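Added worked example for the backup KPI above; it is not part of the question bank. The point of "recurring" restore failures is that a job failing on consecutive restore tests points at a broken backup, whereas a one-off failure may be noise. The restore-test log below is constructed, and the job names, dates and the two-in-a-row threshold are assumptions.

```python
from collections import defaultdict

# Constructed restore-test log: (job_id, test_date, result). Not real data.
RESTORE_LOG = [
    ("db-prod",   "2024-01-07", "ok"),
    ("db-prod",   "2024-01-14", "fail"),
    ("db-prod",   "2024-01-21", "fail"),
    ("db-prod",   "2024-01-28", "fail"),
    ("fileshare", "2024-01-07", "fail"),
    ("fileshare", "2024-01-14", "ok"),
    ("fileshare", "2024-01-21", "fail"),
    ("erp",       "2024-01-07", "ok"),
    ("erp",       "2024-01-14", "ok"),
]

def restore_kpis(log, recur_threshold=2):
    """Return (total_failures, recurring).

    total_failures counts every failed restore test; recurring maps job -> longest
    run of consecutive failed tests, for jobs whose run reached recur_threshold.
    A job that fails, passes, then fails again is not 'recurring' by this rule:
    two isolated failures say less about the backup than two in a row."""
    by_job = defaultdict(list)
    for job, date, result in sorted(log, key=lambda r: (r[0], r[1])):
        by_job[job].append(result)
    total = sum(1 for _, _, result in log if result == "fail")
    recurring = {}
    for job, results in by_job.items():
        streak = best = 0
        for result in results:
            streak = streak + 1 if result == "fail" else 0
            best = max(best, streak)
        if best >= recur_threshold:
            recurring[job] = best
    return total, recurring

if __name__ == "__main__":
    print(restore_kpis(RESTORE_LOG))   # db-prod has failed three tests running
```

With the constructed log, fileshare has two failures but no consecutive ones, so only db-prod is reported as recurring; the raw failure count alone would rank the two jobs as equally bad.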
Question #: 712
Topic #: 1
An organization is considering allowing users to access company data from their personal devices. Which of the following is the MOST important factor when assessing the risk?
A. Classification of the data
B. Type of device
C. Remote management capabilities
D. Volume of data
Selected Answer: A
Question #: 709
Topic #: 1
Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?
A. Customer database manager
B. Audit committee
C. Data privacy officer
D. Customer data custodian
Selected Answer: B
Question #: 690
Topic #: 1
The MOST important characteristic of an organization’s policies is to reflect the organization’s:
A. risk appetite
B. capabilities
C. asset value
D. risk assessment methodology
Selected Answer: A
Question #: 680
Topic #: 1
Which of the following is the MAIN benefit of involving stakeholders in the selection of key risk indicators (KRIs)?
A. Leveraging existing metrics
B. Optimizing risk treatment decisions
C. Obtaining buy-in from risk owners
D. Improving risk awareness
Selected Answer: C
Question #: 675
Topic #: 1
Which of the following would be a risk practitioner’s BEST recommendation for preventing cyber intrusion?
A. Implement data loss prevention (DLP) tools.
B. Implement network segregation.
C. Establish a cyber response plan.
D. Strengthen vulnerability remediation efforts.
Selected Answer: B
Question #: 673
Topic #: 1
Which of the following is the BEST course of action when risk is found to be above the acceptable risk appetite?
A. Execute the risk response plan.
B. Analyze the effectiveness of controls.
C. Maintain the current controls.
D. Review risk tolerance levels.
Selected Answer: D
Question #: 671
Topic #: 1
Which of the following issues should be of GREATEST concern when evaluating existing controls during a risk assessment?
A. Redundant compensating controls are in place.
B. Asset custodians are responsible for defining controls instead of asset owners.
C. A high number of approved exceptions exist with compensating controls.
D. Successive assessments have the same recurring vulnerabilities.
Selected Answer: D
Question #: 670
Topic #: 1
Which of the following will BEST mitigate the risk associated with IT and business misalignment?
A. Introducing an established framework for IT architecture
B. Establishing business key performance indicators (KPIs)
C. Involving the business process owner in IT strategy
D. Establishing key risk indicators (KRIs)
Selected Answer: C
Question #: 665
Topic #: 1
Which of the following would be the BEST key performance indicator (KPI) for monitoring the effectiveness of the IT asset management process?
A. Percentage of unpatched IT assets
B. The number of IT assets procured during the previous month
C. The number of IT assets securely disposed during the past year
D. Percentage of IT assets without ownership
Selected Answer: A
Question #: 662
Topic #: 1
Which of the following should be the HIGHEST priority when developing a risk response?
A. The risk response is accounted for in the budget.
B. The risk response aligns with the organization’s risk appetite.
C. The risk response is based on a cost-benefit analysis.
D. The risk response addresses the risk with a holistic view.
Selected Answer: B
Question #: 661
Topic #: 1
A key risk indicator (KRI) is reported to senior management on a periodic basis as exceeding thresholds, but each time senior management has decided to take no action to reduce the risk. Which of the following is the MOST likely reason for senior management’s response?
A. The underlying data source for the KRI is using inaccurate data and needs to be corrected.
B. The KRI threshold needs to be revised to better align with the organization’s risk appetite.
C. Senior management does not understand the KRI and should undergo risk training.
D. The KRI is not providing useful information and should be removed from the KRI inventory.
Selected Answer: B
Question #: 660
Topic #: 1
A control for mitigating risk in a key business area cannot be implemented immediately. Which of the following is the risk practitioner’s BEST course of action when a compensating control needs to be applied?
A. Record the risk as accepted in the risk register.
B. Obtain the risk owner’s approval.
C. Inform senior management.
D. Update the risk response plan.
Selected Answer: D
Question #: 657
Topic #: 1
Which of the following would BEST help an enterprise prioritize risk scenarios?
A. Industry best practices
B. Degree of variances in the risk
C. Cost of risk mitigation
D. Placement on the risk map
Selected Answer: D
Question #: 656
Topic #: 1
The GREATEST concern when maintaining a risk register is that:
A. executive management does not perform periodic reviews.
B. significant changes in risk factors are excluded.
C. IT risk is not linked with IT assets.
D. impacts are recorded in qualitative terms.
Selected Answer: B
Question #: 655
Topic #: 1
A risk practitioner has identified that the organization’s secondary data center does not provide redundancy for a critical application. Who should have the authority to accept the associated risk?
A. Business continuity director
B. Business application owner
C. Disaster recovery manager
D. Data center manager
Selected Answer: B
Question #: 654
Topic #: 1
Which of the following will BEST ensure that information security risk factors are mitigated when developing in-house applications?
A. Include information security control specifications in business cases.
B. Identify key risk indicators (KRIs) as process output.
C. Identify information security controls in the requirements analysis.
D. Design key performance indicators (KPIs) for security in system specifications.
Selected Answer: C
Question #: 650
Topic #: 1
Which of the following is the MOST useful indicator to measure the efficiency of an identity and access management process?
A. Average time to provision user accounts
B. Password reset volume per month
C. Number of tickets for provisioning new accounts
D. Average account lockout time
Selected Answer: A
Question #: 647
Topic #: 1
Which of the following approaches will BEST help to ensure the effectiveness of risk awareness training?
A. Reviewing content with senior management
B. Using reputable third-party training programs
C. Piloting courses with focus groups
D. Creating modules for targeted audiences
Selected Answer: C
Question #: 644
Topic #: 1
IT management has asked for a consolidated view into the organization’s risk profile to enable project prioritization and resource allocation. Which of the following materials would be MOST helpful?
A. List of key risk indicators
B. Internal audit reports
C. IT risk register
D. List of approved projects
Selected Answer: C
Question #: 643
Topic #: 1
An organization has outsourced its IT security operations to a third party. Who is ULTIMATELY accountable for the risk associated with the outsourced operations?
A. The organization’s vendor management office
B. The organization’s management
C. The control operators at the third party
D. The third party’s management
Selected Answer: B
Question #: 642
Topic #: 1
After identifying new risk events during a project, the project manager’s NEXT step should be to:
A. continue with a quantitative risk analysis
B. determine if the scenarios need to be accepted or responded to
C. continue with a qualitative risk analysis
D. record the scenarios into the risk register
Selected Answer: B
Question #: 641
Topic #: 1
Which of the following would BEST help to ensure that identified risk is efficiently managed?
A. Reviewing the maturity of the control environment
B. Maintaining a key risk indicator for each asset in the risk register
C. Regularly monitoring the project plan
D. Periodically reviewing controls per the risk treatment plan
Selected Answer: D
Question #: 640
Topic #: 1
An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?
A. Invoke the disaster recovery plan (DRP) during an incident
B. Reduce the recovery time by strengthening the response team
C. Prepare a cost-benefit analysis of alternatives available
D. Implement redundant infrastructure for the application
Selected Answer: C
Question #: 637
Topic #: 1
The annualized loss expectancy (ALE) method of risk analysis:
A. uses qualitative risk rankings such as low, medium, and high
B. can be used to determine the indirect business impact
C. helps in calculating the expected cost of controls
D. can be used in a cost-benefit analysis
Selected Answer: D
Question #: 635
Topic #: 1
The PRIMARY benefit of maintaining an up-to-date risk register is that it helps to:
A. ensure business unit risk is uniformly distributed
B. build a risk profile for management review
C. quantify the organization’s risk appetite
D. implement uniform controls for common risk scenarios
Selected Answer: B
Question #: 468
Topic #: 1
An organization has outsourced its IT security management function to an external service provider. The BEST party to own the IT security controls under this arrangement is the:
A. organization’s risk function
B. service provider’s audit function
C. organization’s IT management
D. service provider’s IT security function
Selected Answer: A
Question #: 630
Topic #: 1
While reviewing a contract of a cloud services vendor, it was discovered that the vendor refuses to accept liability for a sensitive data breach. Which of the following controls will BEST reduce the risk associated with such a data breach?
A. Engaging a third party to validate operational controls
B. Using the same cloud vendor as a competitor
C. Using field-level encryption with a vendor-supplied key
D. Ensuring the vendor does not know the encryption key
Selected Answer: C
Question #: 625
Topic #: 1
A risk practitioner discovers several key documents detailing the design of a product currently in development have been posted on the Internet. What should be the risk practitioner’s FIRST course of action?
A. Perform a root cause analysis
B. Conduct an immediate risk assessment
C. Invoke the established incident response plan
D. Inform internal audit
Selected Answer: C
Question #: 622
Topic #: 1
Which of the following would BEST ensure that identified risk scenarios are addressed?
A. Performing real-time monitoring of threats
B. Creating a separate risk register for key business units
C. Performing regular risk control self-assessments
D. Reviewing the implementation of the risk response
Selected Answer: D
Question #: 621
Topic #: 1
Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?
A. Conduct an awareness program for data owners and users
B. Maintain and review the classified data inventory
C. Implement mandatory encryption on data
D. Define and implement a data classification policy
Selected Answer: B
Question #: 620
Topic #: 1
Which of the following should be the PRIMARY consideration when assessing the automation of control monitoring?
A. Frequency of failure of control
B. Contingency plan for residual risk
C. Cost-benefit analysis of automation
D. Impact due to failure of control
Selected Answer: C
Question #: 619
Topic #: 1
While evaluating control costs, management discovers that the annual cost exceeds the annual loss expectancy (ALE) of the risk. This indicates the:
A. control is ineffective and should be strengthened
B. risk is inefficiently controlled
C. risk is efficiently controlled
D. control is weak and should be removed
Selected Answer: C
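Added worked example covering both the ALE question (#637) and the control-cost question (#619) above; it is not part of the question bank. ALE is single loss expectancy times annualized rate of occurrence, and in a cost-benefit analysis the annual cost of a control is set against the ALE reduction it buys. One consequence worth seeing in numbers: no control can avoid more loss than the current ALE, so a control whose annual cost exceeds the ALE cannot pay for itself on loss avoidance alone. The SLE, ARO and control cost figures below are constructed.

```python
# Constructed figures for illustration; not from the page.
SLE = 200_000        # single loss expectancy: cost of one ransomware incident on a file server
ARO_BEFORE = 0.25    # one incident every four years without the control
ARO_AFTER = 0.05     # one every twenty years with offline backups and endpoint detection

def ale(sle, aro):
    """Annualized loss expectancy = single loss expectancy x annualized rate of occurrence."""
    return sle * aro

def control_cost_benefit(sle, aro_before, aro_after, annual_control_cost, sle_after=None):
    """Set the ALE reduction a control buys against its annual cost.

    A control may cut frequency (ARO), impact (SLE) or both; pass sle_after when
    the control changes the per-incident loss. Returns (ale_before, ale_after, net),
    where net > 0 means the control avoids more loss per year than it costs."""
    if sle_after is None:
        sle_after = sle
    before = ale(sle, aro_before)
    after = ale(sle_after, aro_after)
    return before, after, (before - after) - annual_control_cost

def is_cost_justified(sle, aro_before, aro_after, annual_control_cost, sle_after=None):
    """Decision rule used in the cost-benefit analysis: annual control cost must not
    exceed the annual loss avoided. Because avoided loss is capped at ale(sle, aro_before),
    a control costing more than the current ALE never qualifies, whatever it achieves."""
    _, _, net = control_cost_benefit(sle, aro_before, aro_after, annual_control_cost, sle_after)
    return net >= 0

if __name__ == "__main__":
    # Control costing 30k/yr that cuts ARO from 0.25 to 0.05: avoids 40k/yr of expected loss.
    print(control_cost_benefit(SLE, ARO_BEFORE, ARO_AFTER, 30_000))
    # Control costing 60k/yr against a 50k ALE: net negative even if it eliminates the risk.
    print(control_cost_benefit(SLE, ARO_BEFORE, 0.0, 60_000))
```

ALE is a frequency-weighted average, not a budget for the worst year; a low-ARO, high-SLE scenario can still exceed the organization's tolerance for a single event, which is why the comparison feeds a decision rather than making it.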
Question #: 618
Topic #: 1
A risk practitioner is assisting with the preparation of a report on the organization’s disaster recovery (DR) capabilities. Which information would have the MOST impact on the overall recovery profile?
A. The percentage of systems meeting recovery target times has increased
B. The number of systems requiring a recovery plan has increased
C. The number of systems tested in the last year has increased
D. The percentage of systems with long recovery target times has decreased
Selected Answer: D
Question #: 616
Topic #: 1
Which of the following risk register updates is MOST important for senior management to review?
A. Avoiding a risk that was previously accepted
B. Extending the date of a future action plan by two months
C. Retiring a risk scenario no longer used
D. Changing a risk owner
Selected Answer: A
Question #: 615
Topic #: 1
Which of the following is the PRIMARY purpose of periodically reviewing an organization’s risk profile?
A. Design and implement risk response action plans
B. Align business objectives with risk appetite
C. Enable risk-based decision making
D. Update risk responses in the risk register
Selected Answer: C
Question #: 614
Topic #: 1
Which of the following controls will BEST detect unauthorized modification of data by a database administrator?
A. Reviewing database access rights
B. Reviewing changes to edit checks
C. Comparing data to input records
D. Reviewing database activity logs
Selected Answer: D
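Added worked example for the database activity log review above; it is not part of the question bank. The review has to be able to tell routine DBA work from unauthorized modification, so the check below flags data-changing statements by privileged accounts that carry no change ticket. The audit log format, the account names and the ticket convention are assumptions, and the log lines are constructed. One caveat a practitioner would insist on: the log must be shipped to a store the DBA cannot write to, otherwise the person being monitored can edit the evidence.

```python
import re

# Constructed database audit log lines in a hypothetical format; not from the page.
AUDIT_LOG = """\
2024-05-02 10:15:03 user=app_svc  db=erp stmt=SELECT table=orders ticket=-
2024-05-02 10:16:41 user=dba_jane db=erp stmt=UPDATE table=payroll ticket=CHG-4411
2024-05-02 23:07:12 user=dba_jane db=erp stmt=UPDATE table=payroll ticket=-
2024-05-03 02:40:55 user=dba_bob  db=erp stmt=DELETE table=audit_trail ticket=-
2024-05-03 09:00:10 user=dba_bob  db=erp stmt=SELECT table=payroll ticket=-
"""

PRIVILEGED = {"dba_jane", "dba_bob"}               # accounts with direct write access
WRITE_STMTS = {"INSERT", "UPDATE", "DELETE", "TRUNCATE"}
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+)\s+db=(?P<db>\S+) stmt=(?P<stmt>\S+) "
    r"table=(?P<table>\S+) ticket=(?P<ticket>\S+)$"
)

def suspicious_dba_writes(log_text, privileged=PRIVILEGED):
    """Return (timestamp, user, statement, table) for every data modification made by a
    privileged account without a change ticket. Reads are not flagged here; a DBA
    writing to business tables outside change control is the modification risk."""
    findings = []
    for line in log_text.splitlines():
        match = LINE.match(line)
        if not match:
            continue  # malformed line; a real review should count these too
        rec = match.groupdict()
        if rec["user"] in privileged and rec["stmt"] in WRITE_STMTS and rec["ticket"] == "-":
            findings.append((rec["ts"], rec["user"], rec["stmt"], rec["table"]))
    return findings

if __name__ == "__main__":
    for finding in suspicious_dba_writes(AUDIT_LOG):
        print(finding)
```

The ticketed payroll update at 10:16 passes; the same account's untracked update at 23:07 and the overnight delete from audit_trail do not, and the latter is the one to chase first since it targets the evidence itself.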
Question #: 612
Topic #: 1
Which of the following BEST provides an early warning that network access of terminated employees is not being revoked in accordance with the service level agreement (SLA)?
A. Monitoring key access control performance indicators
B. Updating multi-factor authentication
C. Analyzing access control logs for suspicious activity
D. Revising the service level agreement (SLA)
Selected Answer: A
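Added worked example for the access control indicator above; it also serves the IAM efficiency indicator in question #650 (average time to provision accounts). It is not part of the question bank. The early warning comes from measuring, for every termination, how long the account stayed reachable, and counting still-active accounts as breaches the moment the SLA window passes rather than waiting for a revocation record that may never arrive. The HR and IAM records are constructed, and the 24-hour SLA is an assumption.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed HR and IAM records (not from the page). Minute-precision local timestamps.
TERMINATIONS = {            # user -> HR termination effective time
    "u101": "2024-03-01T17:00",
    "u102": "2024-03-01T17:00",
    "u103": "2024-03-04T09:00",
}
REVOCATIONS = {             # user -> time IAM disabled network access; u103 is still active
    "u101": "2024-03-01T18:30",
    "u102": "2024-03-05T10:00",
}
PROVISIONING = [            # (user, access request time, account ready time)
    ("u201", "2024-03-02T09:00", "2024-03-02T11:00"),
    ("u202", "2024-03-03T09:00", "2024-03-05T09:00"),
]
REVOCATION_SLA = timedelta(hours=24)   # hypothetical SLA: access removed within 24h

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")

def hours(delta):
    return round(delta.total_seconds() / 3600, 1)

def revocation_sla_report(terminations, revocations, now, sla=REVOCATION_SLA):
    """Per terminated user, time from termination to revocation. Accounts with no
    revocation record are measured up to `now` and breach as soon as the SLA elapses,
    so the indicator moves before the lingering access is used.
    Returns (breach_rate, [(user, hours_open, still_active), ...])."""
    breaches = []
    for user, t_term in terminations.items():
        start = parse(t_term)
        still_active = user not in revocations
        end = now if still_active else parse(revocations[user])
        elapsed = end - start
        if elapsed > sla:
            breaches.append((user, hours(elapsed), still_active))
    return len(breaches) / len(terminations), breaches

def avg_provisioning_hours(records):
    """Efficiency indicator: mean time from access request to a working account."""
    return mean((parse(done) - parse(req)).total_seconds() / 3600 for _, req, done in records)

if __name__ == "__main__":
    print(revocation_sla_report(TERMINATIONS, REVOCATIONS, now=parse("2024-03-06T09:00")))
    print(avg_provisioning_hours(PROVISIONING))
```

Run against the constructed data at the reporting moment, two of three terminations breached the SLA: one closed late after 89 hours and one still open at 48 hours. The breach rate is the KPI to trend; the still_active flag is the item to act on today.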
Question #: 609
Topic #: 1
Who is BEST suited to determine whether a new control properly mitigates data loss risk within a system?
A. Control owner
B. Risk owner
C. Data owner
D. System owner
Selected Answer: A
Question #: 608
Topic #: 1
A business unit has decided to accept the risk of implementing an off-the-shelf, commercial software package that uses weak password controls. The BEST course of action would be to:
A. obtain management approval for policy exception
B. continue the implementation with no changes
C. develop an improved password software routine
D. select another application with strong password controls
Selected Answer: A
Question #: 606
Topic #: 1
Which of the following would MOST effectively enable a business operations manager to identify events exceeding risk thresholds?
A. A control self-assessment
B. Benchmarking against peers
C. Transaction logging
D. Continuous monitoring
Selected Answer: D
Question #: 605
Topic #: 1
A risk practitioner observes that hardware failure incidents have been increasing over the last few months. However, due to built-in redundancy and fault-tolerant architecture, there have been no interruptions to business operations. The risk practitioner should conclude that:
A. no action is required as there was no impact
B. a root cause analysis is required
C. hardware needs to be upgraded
D. controls are effective for ensuring continuity
Selected Answer: D
Question #: 604
Topic #: 1
Which of the following helps ensure compliance with a non-repudiation policy requirement for electronic transactions?
A. Digital signatures
B. Digital certificates
C. One-time passwords
D. Encrypted passwords
Selected Answer: A
Question #: 603
Topic #: 1
A global organization is considering the acquisition of a competitor. Senior management has requested a review of the overall risk profile from the targeted organization. Which of the following components of this review would provide the MOST useful information?
A. Risk appetite statement
B. Risk management policies
C. Risk register
D. Enterprise risk management framework
Selected Answer: C
Question #: 602
Topic #: 1
During testing, a risk practitioner finds the IT department’s recovery time objective (RTO) for a key system does not align with the enterprise’s business continuity plan (BCP). Which of the following should be done NEXT?
A. Complete a risk exception form
B. Report the gap to senior management
C. Consult with the business owner to update the BCP
D. Consult with the IT department to update the RTO
Selected Answer: D
Question #: 601
Topic #: 1
Which of the following is MOST helpful in identifying new risk exposures due to changes in the business environment?
A. Industry benchmarking
B. Standard operating procedures
C. Control gap analysis
D. SWOT analysis
Selected Answer: D
Question #: 600
Topic #: 1
Periodically reviewing and updating a risk register with details on identified risk factors PRIMARILY helps to:
A. provide a current reference to stakeholders for risk-based decisions
B. minimize the number of risk scenarios for risk assessment
C. aggregate risk scenarios identified across different business units
D. build a threat profile of the organization for management review
Selected Answer: A
Question #: 596
Topic #: 1
Which of the following is the MOST cost-effective way to test a business continuity plan?
A. Conduct a tabletop exercise
B. Conduct interviews with key stakeholders
C. Conduct a disaster recovery exercise
D. Conduct a full functional exercise
Selected Answer: A
Question #: 595
Topic #: 1
The BEST way to justify the risk mitigation actions recommended in a risk assessment would be to:
A. focus on the business drivers
B. reference best practice
C. benchmark with competitor’s actions
D. align with audit results
Selected Answer: A
Question #: 594
Topic #: 1
A risk practitioner has been asked to advise management on developing a log collection and correlation strategy. Which of the following should be the MOST important consideration when developing this strategy?
A. Ensuring the inclusion of all computing resources as log sources
B. Ensuring time synchronization of log sources
C. Ensuring read-write access to all log sources
D. Ensuring the inclusion of external threat intelligence log sources
Selected Answer: B
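Added worked example for the log correlation question above; it is not part of the question bank. Correlation orders events from different sources by time, so if one source's clock is off, the reconstructed sequence is wrong and events that belong together fall outside any correlation window. The three log events are constructed; the four-minute proxy clock offset is a hypothetical figure that an NTP or clock-drift check would have to supply, since nothing in the messages themselves reveals it.

```python
from datetime import datetime, timedelta

# Constructed events from three log sources (not from the page). The proxy clock is
# assumed to run four minutes fast, as a hypothetical drift check has measured.
EVENTS = [
    ("firewall", "2024-06-01T12:00:10", "allow 10.0.0.5 -> 203.0.113.9:443"),
    ("proxy",    "2024-06-01T12:04:12", "GET https://203.0.113.9/update.bin from 10.0.0.5"),
    ("endpoint", "2024-06-01T12:00:15", "new process update.bin on ws-005 (10.0.0.5)"),
]
CLOCK_OFFSETS = {"proxy": timedelta(minutes=4)}   # measured: source clock minus reference time

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def correlate(events, offsets, window=timedelta(seconds=30)):
    """Correct each event by its source's measured clock offset, then order the events.
    Returns (ordered source names, True if the whole chain fits inside `window`)."""
    corrected = []
    for source, ts, message in events:
        true_time = parse(ts) - offsets.get(source, timedelta(0))
        corrected.append((true_time, source, message))
    corrected.sort()
    span = corrected[-1][0] - corrected[0][0]
    return [source for _, source, _ in corrected], span <= window

if __name__ == "__main__":
    print(correlate(EVENTS, {}))             # uncorrected: download appears to follow execution
    print(correlate(EVENTS, CLOCK_OFFSETS))  # corrected: firewall -> proxy -> endpoint in 5s
```

Uncorrected, the proxy download seems to happen four minutes after the file was executed, which no analyst or correlation rule would link; corrected, the three events sit five seconds apart in the order an intrusion actually unfolds. Synchronizing the sources (NTP against a common reference) removes the need for per-source fix-ups like the offsets table, which is only a stopgap for logs already collected.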