CRISC Topic 7
Question #: 593
Topic #: 1
A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:
A. treatment
B. identification
C. communication
D. assessment
Selected Answer: C
Question #: 592
Topic #: 1
Which of the following provides the BEST evidence of the effectiveness of an organization’s account provisioning process?
A. User provisioning
B. Security log monitoring
C. Entitlement reviews
D. Role-based access controls
Selected Answer: C
Question #: 588
Topic #: 1
A newly hired risk practitioner finds that the risk register has not been updated in the past year. What is the risk practitioner’s BEST course of action?
A. Implement a process improvement and replace the old risk register
B. Outsource the process for updating the risk register
C. Identify changes in risk factors and initiate risk reviews
D. Engage an external consultant to redesign the risk management process
Selected Answer: C
Question #: 587
Topic #: 1
After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:
A. inform the IT manager of the concerns and propose measures to reduce them
B. inform the process owner of the concerns and propose measures to reduce them
C. inform the development team of the concerns, and together formulate risk reduction measures
D. recommend a program that minimizes the concerns of that production system
Selected Answer: A
Question #: 586
Topic #: 1
Which of the following tools is MOST effective in identifying trends in the IT risk profile?
A. Risk dashboard
B. Risk register
C. Risk self-assessment
D. Risk map
Selected Answer: A
Question #: 578
Topic #: 1
Which of the following would MOST likely result in updates to an IT risk appetite statement?
A. Changes in senior management
B. External audit findings
C. Feedback from focus groups
D. Self-assessment reports
Selected Answer: A
Question #: 572
Topic #: 1
Which of the following is the MOST important data source for monitoring key risk indicators (KRIs)?
A. Audit reports from internal information systems audits
B. Directives from legal and regulatory authorities
C. Trend analysis of external risk factors
D. Automated logs collected from different systems
Selected Answer: D
Question #: 570
Topic #: 1
Which of the following is the BEST indication of an improved risk-aware culture following the implementation of a security awareness training program for all employees?
A. An increase in the number of identified system flaws
B. A reduction in the number of help desk calls
C. An increase in the number of incidents reported
D. A reduction in the number of user access resets
Selected Answer: C
Question #: 565
Topic #: 1
An organization has determined a risk scenario is outside the defined risk tolerance level. What should be the NEXT course of action?
A. Develop a compensating control
B. Identify risk responses
C. Allocate remediation resources
D. Perform a cost-benefit analysis
Selected Answer: B
Question #: 560
Topic #: 1
Which of the following is the BEST approach to use when creating a comprehensive set of IT risk scenarios?
A. Gather scenarios from senior management
B. Derive scenarios from IT risk policies and standards
C. Benchmark scenarios against industry peers
D. Map scenarios to a recognized risk management framework
Selected Answer: B
Question #: 557
Topic #: 1
Which of the following is the BEST evidence that a user account has been properly authorized?
A. Notification from human resources that the account is active
B. Formal approval of the account by the user’s manager
C. User privileges matching the request form
D. An email from the user accepting the account
Selected Answer: B
Question #: 556
Topic #: 1
Which of the following is the BEST way to identify changes to the risk landscape?
A. Access reviews
B. Root cause analysis
C. Internal audit reports
D. Threat modeling
Selected Answer: D
Question #: 554
Topic #: 1
A risk owner should be the person accountable for:
A. implementing actions
B. managing controls
C. the risk management process
D. the business process
Selected Answer: A
Question #: 552
Topic #: 1
Which of the following should be management’s PRIMARY consideration when approving risk response action plans?
A. Prioritization for implementing the action plans
B. Ability of the action plans to address multiple risk scenarios
C. Ease of implementing the risk treatment solution
D. Changes in residual risk after implementing the plans
Selected Answer: D
Question #: 545
Topic #: 1
Participants in a risk workshop have become focused on the financial cost to mitigate risk rather than choosing the most appropriate response. Which of the following is the BEST way to address this type of issue in the long term?
A. Review the risk register and risk scenarios
B. Calculate annualized loss expectancy of risk scenarios
C. Raise the maturity of organizational risk management
D. Perform a return on investment analysis
Selected Answer: C
Question #: 544
Topic #: 1
A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security. Which of the following observations would be MOST relevant to escalate to senior management?
A. An increase in attempted distributed denial of service (DDoS) attacks
B. An increase in attempted website phishing attacks
C. A decrease in remediated web security vulnerabilities
D. A decrease in achievement of service level agreements (SLAs)
Selected Answer: D
Question #: 542
Topic #: 1
From a risk management perspective, the PRIMARY objective of using maturity models is to enable:
A. solution delivery
B. strategic alignment
C. resource utilization
D. performance evaluation
Selected Answer: D
Question #: 541
Topic #: 1
To reduce the risk introduced when conducting penetration tests, the BEST mitigating control would be to:
A. clearly define the project scope
B. perform background checks on the vendor
C. notify network administrators before testing
D. require the vendor to sign a nondisclosure agreement (NDA)
Selected Answer: A
Question #: 535
Topic #: 1
Which of the following is the GREATEST concern when using a generic set of IT risk scenarios for risk analysis?
A. Inherent risk might not be considered
B. Implementation costs might increase
C. Risk factors might not be relevant to the organization
D. Quantitative analysis might not be possible
Selected Answer: C
Question #: 533
Topic #: 1
A risk assessment has identified that an organization may not be in compliance with industry regulations. The BEST course of action would be to:
A. collaborate with management to meet compliance requirements
B. conduct a gap analysis against compliance criteria
C. identify necessary controls to ensure compliance
D. modify internal assurance activities to include control validation
Selected Answer: B
Question #: 530
Topic #: 1
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability management process?
A. Percentage of vulnerabilities remediated within the agreed service level
B. Number of vulnerabilities identified during the period
C. Number of vulnerabilities re-opened during the period
D. Percentage of vulnerabilities escalated to senior management
Selected Answer: A
Question #: 529
Topic #: 1
Which of the following should be an element of the risk appetite of an organization?
A. The enterprise’s capacity to absorb loss
B. The effectiveness of compensating controls
C. The amount of inherent risk considered appropriate
D. The residual risk affected by preventive controls
Selected Answer: A
Question #: 525
Topic #: 1
Which of the following is the BEST way to mitigate the risk associated with fraudulent use of an enterprise’s brand on Internet sites?
A. Utilizing data loss prevention technology
B. Scanning the Internet to search for unauthorized usage
C. Monitoring the enterprise’s use of the Internet
D. Developing training and awareness campaigns
Selected Answer: B
Question #: 516
Topic #: 1
The MOST effective way to increase the likelihood that risk responses will be implemented is to:
A. review progress reports
B. create an action plan
C. perform regular audits
D. assign ownership
Selected Answer: D
Question #: 1093
Topic #: 1
In the three lines of defense model, which of the following activities would be completed by the FIRST line of defense?
A. A risk practitioner executes an annual assessment of key controls that impact financial statements
B. Internal control activities are reviewed monthly by a risk management committee
C. Control owners review a monthly report on the operation of high-risk controls
D. Internal audit reviews high-risk areas to ensure controls are executed in a timely manner
Selected Answer: C
Question #: 506
Topic #: 1
After mapping generic risk scenarios to organizational security policies, the NEXT course of action should be to:
A. record risk scenarios in the risk register for analysis
B. validate the risk scenarios for business applicability
C. reduce the number of risk scenarios to a manageable set
D. perform a risk analysis on the risk scenarios
Selected Answer: B
Question #: 1029
Topic #: 1
During a risk assessment of a financial institution, a risk practitioner discovers that tellers can initiate and approve transactions of significant value. This team is also responsible for ensuring transactions are recorded and balances are reconciled by the end of the day. Which of the following is the risk practitioner’s BEST recommendation to mitigate the associated risk?
A. Require a code of ethics.
B. Implement continuous monitoring.
C. Implement segregation of duties.
D. Require a second level of approval.
Selected Answer: C
Question #: 252
Topic #: 1
You are the project manager of your enterprise. You have introduced an intrusion detection system for the control. You have identified a warning of violation of security policies of your enterprise. What type of control is an intrusion detection system (IDS)?
A. Detective
B. Corrective
C. Preventative
D. Recovery
Selected Answer: A
Question #: 998
Topic #: 1
Which of the following contributes MOST to the effective implementation of risk responses?
A. Clear understanding of the risk.
B. Detailed standards and procedures.
C. Comparable industry risk trends.
D. Appropriate resources.
Selected Answer: A
Question #: 112
Topic #: 1
Which of the following operational risks ensures that the provision of a quality product is not overshadowed by the production costs of that product?
A. Information security risks
B. Contract and product liability risks
C. Project activity risks
D. Profitability operational risks
Selected Answer: D
Question #: 93
Topic #: 1
Which of the following is described by the definition given below?
“It is the expected guaranteed value of taking a risk.”
A. Certainty equivalent value
B. Risk premium
C. Risk value guarantee
D. Certain value assurance
Selected Answer: A
Question #: 633
Topic #: 1
Which of the following is of GREATEST concern when uncontrolled changes are made to the control environment?
A. An increase in control vulnerabilities
B. An increase in inherent risk
C. A decrease in control layering effectiveness
D. An increase in the level of residual risk
Selected Answer: A
Question #: 483
Topic #: 1
The compensating control that MOST effectively addresses the risk associated with piggybacking into a restricted area without a dead-man door is:
A. using two-factor authentication
B. using biometric door locks
C. requiring employees to wear ID badges
D. security awareness training
Selected Answer: B
Question #: 481
Topic #: 1
An organization has experienced several incidents of extended network outages that have exceeded tolerance. Which of the following should be the risk practitioner’s FIRST step to address this situation?
A. Recommend a root cause analysis of the incidents
B. Update the risk tolerance level to acceptable thresholds
C. Recommend additional controls to address the risk
D. Update the incident-related risk trend in the risk register
Selected Answer: A
Question #: 480
Topic #: 1
Which of the following should be the PRIMARY objective of promoting a risk-aware culture within an organization?
A. Enabling risk-based decision making
B. Increasing process control efficiencies
C. Better understanding of the risk appetite
D. Improving audit results
Selected Answer: A
Question #: 477
Topic #: 1
Which of the following would BEST help minimize the risk associated with social engineering threats?
A. Reviewing the organization’s risk appetite
B. Enforcing employee sanctions
C. Enforcing segregation of duties
D. Conducting phishing exercises
Selected Answer: D
Question #: 476
Topic #: 1
Employees are repeatedly seen holding the door open for others, so that trailing employees do not have to stop and swipe their own ID badges. This behavior BEST represents:
A. a vulnerability
B. a control
C. an impact
D. a threat
Selected Answer: A
Question #: 473
Topic #: 1
Which of the following is the BEST indicator of an effective IT security awareness program?
A. Decreased success rate of internal phishing tests
B. Number of employees that complete security training
C. Number of disciplinary actions issued for security violations
D. Decreased number of reported security incidents
Selected Answer: D
Question #: 462
Topic #: 1
Which of the following is the PRIMARY consideration when establishing an organization’s risk management methodology?
A. Risk tolerance level
B. Benchmarking information
C. Resource requirements
D. Business context
Selected Answer: D
Question #: 455
Topic #: 1
Which of the following would present the GREATEST challenge when assigning accountability for control ownership?
A. Unclear reporting relationships
B. Weak governance structures
C. Senior management scrutiny
D. Complex regulatory environment
Selected Answer: A
Question #: 451
Topic #: 1
The PRIMARY advantage of implementing an IT risk management framework is the:
A. alignment of business goals with IT objectives
B. improvement of controls within the organization and minimized losses
C. compliance with relevant legal and regulatory requirements
D. establishment of a reliable basis for risk-aware decision making
Selected Answer: D
Question #: 448
Topic #: 1
The PRIMARY objective of testing the effectiveness of a new control before implementation is to:
A. comply with the organization’s policy
B. ensure that risk is mitigated by the control
C. confirm control alignment with business objectives
D. measure efficiency of the control process
Selected Answer: B
Question #: 445
Topic #: 1
Which of the following is a PRIMARY benefit of engaging the risk owner during the risk assessment process?
A. Accurate measurement of loss impact
B. Early detection of emerging threats
C. Identification of controls gaps that may lead to noncompliance
D. Prioritization of risk action plans across departments
Selected Answer: A
Question #: 432
Topic #: 1
Which of the following should be the MOST important consideration when determining controls necessary for a highly critical information system?
A. The number of vulnerabilities to the system
B. The level of acceptable risk to the organization
C. The organization’s available budget
D. The number of threats to the system
Selected Answer: B
Question #: 1100
Topic #: 1
An organization has initiated quarterly briefings for executive management with a focus on increasing risk awareness. Which of the following is MOST relevant to include in this briefing?
A. The risk register
B. Risk management best practices
C. Updates to security policies
D. Recent security incidents
Selected Answer: B
Question #: 1078
Topic #: 1
A third-party vendor has offered to perform user access provisioning and termination. Which of the following control accountabilities is BEST retained within the organization?
A. Reviewing access control lists
B. Performing user access recertification
C. Authorizing user access requests
D. Terminating inactive user access
Selected Answer: C
Question #: 1058
Topic #: 1
Which of the following is a risk practitioner’s BEST recommendation to address an organization’s need to secure multiple systems with limited IT resources?
A. Perform a vulnerability analysis.
B. Schedule a penetration test.
C. Apply available security patches.
D. Conduct a business impact analysis (BIA).
Selected Answer: C
Question #: 1054
Topic #: 1
Which of the following would MOST likely drive the need to review and update key performance indicators (KPIs) for critical IT assets?
A. Changes in service level objectives
B. Findings from continuous monitoring
C. The outsourcing of related IT processes
D. Outcomes of periodic risk assessments
Selected Answer: A
Question #: 1052
Topic #: 1
Which of the following is the BEST way to address a board’s concern about the organization’s cybersecurity posture?
A. Update security risk scenarios
B. Create a new security risk officer role
C. Assess security capabilities against an industry framework
D. Contract with a third party to perform vulnerability testing
Selected Answer: C
Question #: 532
Topic #: 1
An organization has allowed its cyber risk insurance to lapse while seeking a new insurance provider. The risk practitioner should report to management that the risk has been:
A. accepted
B. mitigated
C. transferred
D. avoided
Selected Answer: A
Question #: 1046
Topic #: 1
The MOST significant benefit of using a consistent risk ranking methodology across an organization is that it enables:
A. assignment of risk to the appropriate owners.
B. allocation of available resources.
C. risk to be expressed in quantifiable terms.
D. clear understanding of risk levels.
Selected Answer: D
Question #: 1044
Topic #: 1
Which of the following is the MOST important success factor when introducing risk management in an organization?
A. Establishing executive management support
B. Implementing a risk register
C. Assigning risk ownership
D. Defining a risk mitigation strategy and plan
Selected Answer: A
Question #: 1042
Topic #: 1
Which of the following will MOST effectively align IT controls with corporate risk tolerance?
A. Benchmarks against industry leading practices
B. Internal policies approved by stakeholders
C. Key performance indicators (KPIs) approved by stakeholders
D. Risk management framework
Selected Answer: C
Question #: 1038
Topic #: 1
Which of the following BEST supports the management of identified risk scenarios?
A. Using key risk indicators (KRIs)
B. Maintaining a risk register
C. Collecting risk event data
D. Defining risk parameters
Selected Answer: B
Question #: 1037
Topic #: 1
Which of the following should be the risk practitioner’s FIRST course of action when an organization has decided to expand into new product areas?
A. Review existing risk scenarios with stakeholders.
B. Present a business case for new controls to stakeholders.
C. Revise the organization’s risk and control policy.
D. Identify any new business objectives with stakeholders.
Selected Answer: D
Question #: 1035
Topic #: 1
Which of the following is the MOST important information to be communicated during security awareness training?
A. Corporate risk profile
B. Recent security incidents
C. Management’s expectations
D. The current risk management capability
Selected Answer: A
Question #: 1031
Topic #: 1
Reviewing which of the following provides the BEST indication of an organization’s risk tolerance?
A. Risk sharing strategy
B. Risk assessments
C. Risk transfer agreements
D. Risk policies
Selected Answer: B
Question #: 1006
Topic #: 1
Which of the following is the MOST significant indicator of the need to perform a penetration test?
A. An increase in the number of infrastructure changes
B. An increase in the number of security incidents
C. An increase in the number of high-risk audit findings
D. An increase in the percentage of turnover in IT personnel
Selected Answer: A
Question #: 505
Topic #: 1
An organization has engaged a third party to provide an Internet gateway encryption service that protects sensitive data uploaded to a cloud service. This is an example of risk:
A. transfer
B. acceptance
C. mitigation
D. avoidance
Selected Answer: A
Question #: 503
Topic #: 1
Which of the following activities would BEST contribute to promoting an organization-wide risk-aware culture?
A. Communicating components of risk and their acceptable levels
B. Performing a benchmark analysis and evaluating gaps
C. Participating in peer reviews and implementing best practices
D. Conducting risk assessments and implementing controls
Selected Answer: A
Question #: 502
Topic #: 1
Who should be responsible for implementing and maintaining security controls?
A. Data custodian
B. Internal auditor
C. Data owner
D. End user
Selected Answer: A
Question #: 499
Topic #: 1
Which of the following is MOST important to update when an organization’s risk appetite changes?
A. Key risk indicators (KRIs)
B. Risk taxonomy
C. Key performance indicators (KPIs)
D. Risk reporting methodology
Selected Answer: A
Question #: 497
Topic #: 1
An organization has outsourced an application to a Software as a Service (SaaS) provider. The risk associated with the use of this service should be owned by the:
A. service provider’s IT manager
B. service provider’s risk manager
C. organization’s business process manager
D. organization’s vendor manager
Selected Answer: C
Question #: 496
Topic #: 1
The FIRST step for a startup company when developing a disaster recovery plan should be to identify:
A. current vulnerabilities
B. a suitable alternate site
C. recovery time objectives
D. critical business processes
Selected Answer: D
Question #: 492
Topic #: 1
An organization is planning to acquire a new financial system. Which of the following stakeholders would provide the MOST relevant information for analyzing the risk associated with the new IT solution?
A. Process owner
B. Internal auditor
C. Risk manager
D. Project sponsor
Selected Answer: A
Question #: 491
Topic #: 1
When developing risk scenarios, it is MOST important to ensure they are:
A. structured and reportable
B. flexible and scalable
C. relevant and realistic
D. comprehensive and detailed
Selected Answer: C
Question #: 64
Topic #: 1
Which of the following is NOT used for measurement of Critical Success Factors of the project?
A. Productivity
B. Quality
C. Quantity
D. Customer service
Selected Answer: C
Question #: 1213
Topic #: 1
Due to budget constraints, an organization cannot implement encryption to all databases. Which of the following is the MOST useful information to identify high-risk databases where encryption should be applied?
A. Business impact assessment (BIA)
B. Unsupported database list
C. Penetration test results
D. Data classification scheme
Selected Answer: D
Question #: 490
Topic #: 1
A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable?
A. Chief risk officer (CRO)
B. Business continuity manager (BCM)
C. Human resources manager (HRM)
D. Chief information officer (CIO)
Selected Answer: D
Question #: 489
Topic #: 1
Which of the following should be of MOST concern to a risk practitioner reviewing findings from a recent audit of an organization’s data center?
A. Ownership of an audit finding has not been assigned
B. The data center is not fully redundant
C. Audit findings were not communicated to senior management
D. Key risk indicators (KRIs) for the data center do not include critical components
Selected Answer: A
Question #: 487
Topic #: 1
An assessment of information security controls has identified ineffective controls. Which of the following should be the risk practitioner’s FIRST course of action?
A. Deploy a compensating control to address the identified deficiencies
B. Report the ineffective control for inclusion in the next audit report
C. Determine if the impact is outside the risk appetite
D. Request a formal acceptance of risk from senior management
Selected Answer: C
Question #: 486
Topic #: 1
Which of the following IT controls is MOST useful in mitigating the risk associated with inaccurate data?
A. Audit trails for updates and deletions
B. Encrypted storage of data
C. Links to source data
D. Check totals on data records and data fields
Selected Answer: D
Question #: 485
Topic #: 1
An IT control gap has been identified in a key process. Who would be the MOST appropriate owner of the risk associated with this gap?
A. Business process owner
B. Chief information security officer
C. Operational risk manager
D. Key control owner
Selected Answer: A
Question #: 482
Topic #: 1
Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited. Which of the following would be the BEST response to this scenario?
A. Assess the vulnerability management process
B. Conduct a control self-assessment
C. Reassess the inherent risk of the target
D. Conduct a vulnerability assessment
Selected Answer: D
Question #: 196
Topic #: 1
Which of the following items is considered as an objective of the three-dimensional model within the framework described in COSO ERM?
A. Risk assessment
B. Financial reporting
C. Control environment
D. Monitoring
Selected Answer: B
Question #: 479
Topic #: 1
An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:
A. communicate the consequences for violations
B. implement industry best practices
C. reduce the organization’s risk appetite
D. reduce the risk to an acceptable level
Selected Answer: D
Question #: 472
Topic #: 1
Which of the following should be the PRIMARY focus of an IT risk awareness program?
A. Cultivate long-term behavioral change
B. Demonstrate regulatory compliance
C. Ensure compliance with the organization’s internal policies
D. Communicate IT risk policy to the participants
Selected Answer: A
Question #: 466
Topic #: 1
What is the PRIMARY reason to categorize risk scenarios by business process?
A. To determine aggregated risk levels by risk owner
B. To identify situations that result in over-control
C. To enable management to implement cost-effective risk mitigation
D. To show business activity deficiencies that need to be improved
Selected Answer: C
Question #: 460
Topic #: 1
Effective risk communication BEST benefits an organization by:
A. improving the effectiveness of IT controls
B. helping personnel make better-informed decisions
C. increasing participation in the risk assessment process
D. assisting the development of a risk register
Selected Answer: B
Question #: 456
Topic #: 1
If preventive controls cannot be implemented due to technology limitations, which of the following should be done FIRST to reduce risk?
A. Redefine the business process to reduce the risk
B. Evaluate alternative controls
C. Develop a plan to upgrade technology
D. Define a process for monitoring risk
Selected Answer: B
Question #: 453
Topic #: 1
The MAIN purpose of conducting a control self-assessment (CSA) is to:
A. reduce the dependency on external audits
B. gain a better understanding of the risk in the organization
C. gain a better understanding of the control effectiveness in the organization
D. adjust the controls prior to an external audit
Selected Answer: C
Question #: 452
Topic #: 1
It is MOST important for a risk practitioner to have an awareness of an organization’s processes in order to:
A. perform a business impact analysis (BIA)
B. establish risk guidelines
C. understand control design
D. identify potential sources of risk
Selected Answer: D
Question #: 449
Topic #: 1
An organization has granted a vendor access to its data in order to analyze customer behavior. Which of the following would be the MOST effective control to mitigate the risk of customer data leakage?
A. Restrict access to customer data on a “need to know” basis
B. Enforce criminal background checks
C. Mask customer data fields
D. Require vendor to sign a confidentiality agreement
Selected Answer: C
Question #: 446
Topic #: 1
An organization has been notified that a disgruntled, terminated IT administrator has tried to break into the corporate network. Which of the following discoveries should be of GREATEST concern to the organization?
A. A brute force attack has been detected
B. An external vulnerability scan has been detected
C. An increase in support requests has been observed
D. Authentication logs have been disabled
Selected Answer: D
Question #: 443
Topic #: 1
Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data?
A. Reviewing logs for unauthorized data transfers
B. Configuring the DLP control to block credit card numbers
C. Testing the transmission of credit card numbers
D. Testing the DLP rule change control process
Selected Answer: C
Question #: 440
Topic #: 1
To help ensure all applicable risk scenarios are incorporated into the risk register, it is MOST important to review the:
A. risk assessment results
B. cost-benefit analysis
C. vulnerability assessment results
D. risk mitigation approach
Selected Answer: A
Question #: 435
Topic #: 1
A PRIMARY advantage of involving business management in evaluating and managing risk is that management:
A. can make better informed business decisions
B. better understands the system architecture
C. can balance technical and business risk
D. is more objective than risk management
Selected Answer: A
Question #: 429
Topic #: 1
A risk practitioner is summarizing the results of a high-profile risk assessment sponsored by senior management. The BEST way to support risk-based decisions by senior management would be to:
A. quantify key risk indicators (KRIs)
B. recommend risk tolerance thresholds
C. provide a quantified detailed analysis
D. map findings to objectives
Selected Answer: D
Question #: 428
Topic #: 1
To help ensure the success of a major IT project, it is MOST important to:
A. obtain approval from business process owners
B. obtain the appropriate stakeholders’ commitment
C. update the risk register on a regular basis
D. align the project with the IT risk framework
Selected Answer: B
Question #: 423
Topic #: 1
When developing IT risk scenarios, it is CRITICAL to involve:
A. process owners
B. IT managers
C. internal auditors
D. senior management
Selected Answer: A
Question #: 422
Topic #: 1
Which of the following approaches would BEST help to identify relevant risk scenarios?
A. Engage line management in risk assessment workshops
B. Escalate the situation to risk leadership
C. Engage internal audit for risk assessment workshops
D. Review system and process documentation
Selected Answer: D
Question #: 134
Topic #: 1
Which of the following are external risk factors?
Each correct answer represents a complete solution. (Choose three.)
A. Geopolitical situation
B. Complexity of the enterprise
C. Market
D. Competition
Selected Answer: AC
Question #: 1195
Topic #: 1
Risk avoidance is the BEST risk treatment strategy when:
A. proposed mitigation strategies are not technically feasible.
B. insurance can be obtained only with substantial premiums.
C. transfer and mitigation options cost more than they save.
D. the residual risk is outside the organizational risk appetite.
Selected Answer: D
Question #: 11
Topic #: 1
You are the project manager of GHT project. Your project team is in the process of identifying project risks on your current project. The team has the option to use all of the following tools and techniques to diagram some of these potential risks EXCEPT for which one?
A. Process flowchart
B. Ishikawa diagram
C. Influence diagram
D. Decision tree diagram
Selected Answer: B
Question #: 1132
Topic #: 1
Senior management wants to increase investment in the organization’s cybersecurity program in response to changes in the external threat landscape. Which of the following would BEST help to prioritize investment efforts?
A. Reviewing the outcome of the latest security risk assessment
B. Increasing the frequency of updates to the risk register
C. Engaging independent cybersecurity consultants
D. Analyzing cyber intelligence reports
Selected Answer: A
Question #: 76
Topic #: 1
You are working with a vendor on your project. A stakeholder has requested a change for the project, which will add value to the project deliverables. The vendor that you’re working with on the project will be affected by the change. What system can help you introduce and execute the stakeholder change request with the vendor?
A. Contract change control system
B. Scope change control system
C. Cost change control system
D. Schedule change control system
Selected Answer: A
Question #: 406
Topic #: 1
Which of the following is the MOST important factor affecting risk management in an organization?
A. The risk manager’s expertise
B. Regulatory requirements
C. Board of directors’ expertise
D. The organization’s culture
Selected Answer: D
Question #: 404
Topic #: 1
Which of the following data would be used when performing a business impact analysis (BIA)?
A. Cost of regulatory compliance
B. Expected costs for recovering the business
C. Cost-benefit analysis of running the current business
D. Projected impact of current business on future business
Selected Answer: B
Question #: 977
Topic #: 1
An organization has made a decision to purchase a new IT system. During which phase of the system development life cycle (SDLC) will identified risk MOST likely lead to architecture and design trade-offs?
A. Acquisition
B. Implementation
C. Initiation
D. Operation and maintenance
Selected Answer: A
Question #: 974
Topic #: 1
As part of business continuity planning, which of the following is MOST important to include in a business impact analysis (BIA)?
A. An assessment of threats to the organization
B. An assessment of recovery scenarios
C. Industry standard framework
D. Documentation of testing procedures
Selected Answer: A
Question #: 628
Topic #: 1
An organization operates in an environment where reduced time-to-market for new software products is a top business priority. Which of the following should be the risk practitioner’s GREATEST concern?
A. Email infrastructure does not have proper rollback plans
B. Sufficient resources are not assigned to IT development projects
C. The corporate email system does not identify and store phishing emails
D. Customer support help desk staff does not have adequate training
Selected Answer: B
Question #: 1189
Topic #: 1
Which of the following is the MOST important reason for a risk practitioner to identify stakeholders for each IT risk scenario?
A. To ensure enterprise-wide risk management
B. To identify key risk indicators (KRIs)
C. To enable a comprehensive view of risk
D. To establish control ownership
Selected Answer: A
Question #: 1007
Topic #: 1
Which of the following provides the MOST reliable information to ensure a newly acquired company has appropriate IT controls in place?
A. Vulnerability assessment
B. Information system audit
C. Penetration testing
D. IT risk assessment
Selected Answer: D
Question #: 967
Topic #: 1
A recent internal risk review reveals the majority of core IT application recovery time objectives (RTOs) have exceeded the maximum time defined by the business application owners. Which of the following is MOST likely to change as a result?
A. Risk tolerance
B. Risk likelihood
C. Risk appetite
D. Risk forecasting
Selected Answer: B
Question #: 926
Topic #: 1
Which of the following is the GREATEST risk associated with the misclassification of data?
A. Data disruption
B. Inadequate resource allocation
C. Unauthorized access
D. Inadequate retention schedules
Selected Answer: C
Question #: 567
Topic #: 1
A contract associated with a cloud service provider MUST include:
A. a business recovery plan
B. ownership of responsibilities
C. provision for source code escrow
D. the provider’s financial statements
Selected Answer: B
Question #: 563
Topic #: 1
An effective control environment is BEST indicated by controls that:
A. minimize senior management’s risk tolerance
B. manage risk within the organization’s risk appetite
C. are cost-effective to implement
D. reduce the thresholds of key risk indicators (KRIs)
Selected Answer: B
Question #: 561
Topic #: 1
Which of the following BEST measures the efficiency of an incident response process?
A. Number of incidents lacking responses
B. Number of incidents escalated to management
C. Average time between changes and updating of escalation matrix
D. Average gap between actual and agreed response times
Selected Answer: D
Question #: 558
Topic #: 1
Which of the following elements of a risk register is MOST likely to change as a result of change in management’s risk appetite?
A. Risk likelihood and impact
B. Risk velocity
C. Inherent risk
D. Key risk indicator (KRI) thresholds
Selected Answer: D
Question #: 555
Topic #: 1
Which of the following is the MOST effective key performance indicator (KPI) for change management?
A. Percentage of successful changes
B. Number of changes implemented
C. Percentage of changes with a fallback plan
D. Average time required to implement a change
Selected Answer: A
Question #: 551
Topic #: 1
Which of the following is MOST important to communicate to senior management during the initial implementation of a risk management program?
A. Risk ownership
B. Best practices
C. Desired risk level
D. Regulatory compliance
Selected Answer: C
Question #: 546
Topic #: 1
Which of the following is the BEST key performance indicator (KPI) to measure the maturity of an organization’s security incident handling process?
A. The number of resolved security incidents
B. The number of security incidents escalated to senior management
C. The number of newly identified security incidents
D. The number of recurring security incidents
Selected Answer: D
Question #: 792
Topic #: 1
What is the GREATEST concern with maintaining decentralized risk registers instead of a consolidated risk register?
A. Aggregated risk may exceed the enterprise’s risk appetite and tolerance.
B. Duplicate resources may be used to manage risk registers.
C. Standardization of risk management practices may be difficult to enforce.
D. Risk analysis may be inconsistent due to non-uniform impact and likelihood scales.
Selected Answer: A
Question #: 1057
Topic #: 1
When is the BEST time to identify risk associated with major projects to determine a mitigation plan?
A. Project execution phase
B. Project closing phase
C. Project planning phase
D. Project initiation phase
Selected Answer: C
Question #: 519
Topic #: 1
The BEST way to test the operational effectiveness of a data backup procedure is to:
A. inspect a selection of audit trails and backup logs
B. conduct an audit of files stored offsite
C. demonstrate a successful recovery from backup files
D. interview employees to compare actual with expected procedures
Selected Answer: C
Question #: 956
Topic #: 1
A risk practitioner identifies a database application that has been developed and implemented by the business independently of IT. Which of the following is the BEST course of action?
A. Document the reasons for the exception.
B. Include the application in IT risk assessments.
C. Propose that the application be transferred to IT.
D. Escalate the concern to senior management.
Selected Answer: B
Question #: 908
Topic #: 1
What is the PRIMARY purpose of a business impact analysis (BIA)?
A. To determine the likelihood and impact of threats to business operations
B. To evaluate the priority of business operations in case of disruption
C. To estimate resource requirements for related business processes
D. To identify important business processes in the organization
Selected Answer: D
Question #: 474
Topic #: 1
Which of the following is the MOST important benefit of key risk indicators (KRIs)?
A. Assisting in continually optimizing risk governance
B. Providing an early warning to take proactive actions
C. Enabling the documentation and analysis of trends
D. Ensuring compliance with regulatory requirements
Selected Answer: B
Question #: 566
Topic #: 1
Which of the following statements BEST describes risk appetite?
A. Acceptable variation between risk thresholds and business objectives
B. The amount of risk an organization is willing to accept
C. The effective management of risk and internal control environments
D. The acceptable variation relative to the achievement of objectives
Selected Answer: B
Question #: 408
Topic #: 1
When reviewing management’s IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?
A. Propose mitigating controls
B. Assess management’s risk tolerance
C. Recommend management accept the low risk scenarios
D. Re-evaluate the risk scenarios associated with the control
Selected Answer: D
Question #: 398
Topic #: 1
Which of the following is the BEST indicator of the effectiveness of a control action plan’s implementation?
A. Increased risk appetite
B. Increased number of controls
C. Reduced risk level
D. Stakeholder commitment
Selected Answer: A
Question #: 397
Topic #: 1
Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation?
A. Availability of in-house resources
B. Completeness of system documentation
C. Variances between planned and actual cost
D. Results of end-user acceptance testing
Selected Answer: D
Question #: 385
Topic #: 1
You are the project manager of the NHQ project in Bluewell Inc. The project has an asset valued at $200,000 and is subjected to an exposure factor of 45 percent. If the annual rate of occurrence of loss in this project is once a month, then what will be the Annual Loss Expectancy (ALE) of the project?
A. $2,160,000
B. $95,000
C. $108,000
D. $90,000
Selected Answer: B
Question #: 361
Topic #: 1
You are the project manager of your enterprise. You have identified several risks. Which of the following responses to risk is considered the MOST appropriate?
A. Any of the above
B. Insuring
C. Avoiding
D. Accepting
Selected Answer: D
Question #: 415
Topic #: 1
Which of the following is MOST important to the effectiveness of key performance indicators (KPIs)?
A. Management approval
B. Automation
C. Annual review
D. Relevance
Selected Answer: D
Question #: 163
Topic #: 1
One of the risk events you’ve identified is classified as force majeure. What risk response is likely to be used?
A. Acceptance
B. Transference
C. Enhance
D. Mitigation
Selected Answer: C
Question #: 226
Topic #: 1
Della works as a project manager for Tech Perfect Inc. She is studying the planning documentation of a project. The documentation states that there are twenty-eight stakeholders in the project. What will be the number of communication channels for the project?
A. 250
B. 28
C. 378
D. 300
Selected Answer: C
Question #: 890
Topic #: 1
Which of the following is the MOST important component in a risk treatment plan?
A. Target completion date
B. Treatment plan ownership
C. Treatment plan justification
D. Technical details
Selected Answer: B
Question #: 892
Topic #: 1
An organization is preparing to transfer a large number of customer service representatives to the sales department. Of the following, who is responsible for mitigating the risk associated with residual system access?
A. IT service desk manager
B. Access control manager
C. Customer service manager
D. Sales manager
Selected Answer: B
Question #: 916
Topic #: 1
To communicate the risk associated with IT in business terms, which of the following MUST be defined?
A. Risk appetite of the organization
B. Compliance objectives
C. Organizational objectives
D. Inherent and residual risk
Selected Answer: C
Question #: 937
Topic #: 1
Which of the following is the BEST method of creating risk awareness in an organization?
A. Making the risk register available to project stakeholders
B. Ensuring senior management commitment to risk training
C. Providing regular communication to risk managers
D. Appointing the risk manager from the business units
Selected Answer: B
Question #: 948
Topic #: 1
An organization is developing a security risk awareness training program for the IT help desk and has asked the risk practitioner for suggestions. In addition to technical topics, which of the following is MOST important to recommend be included in the training?
A. Identity verification procedures
B. Incident reporting procedures
C. Security policy review
D. Password selection options
Selected Answer: A