CRISC Topic 8
Question #: 975
Topic #: 1
When documenting a risk response, which of the following provides the STRONGEST evidence to support the decision?
A. A memo indicating risk acceptance
B. Verbal majority acceptance of risk by committee
C. List of compensating controls
D. IT audit follow-up responses
Selected Answer: C
Question #: 1013
Topic #: 1
The risk associated with an asset after controls are applied can be expressed as:
A. the likelihood of a given threat.
B. the magnitude of an impact.
C. a function of the likelihood and impact.
D. a function of the cost and effectiveness of controls.
Selected Answer: C
Question #: 1028
Topic #: 1
Which of the following should be the PRIMARY consideration when assessing the risk of using Internet of Things (IoT) devices to collect and process personally identifiable information (PII)?
A. Costs and benefits
B. Security features and support
C. Local laws and regulations
D. Business strategies and needs
Selected Answer: C
Question #: 1064
Topic #: 1
It is MOST important that security controls for a new system be documented in:
A. the security policy
B. testing requirements
C. system requirements
D. the implementation plan
Selected Answer: C
Question #: 1088
Topic #: 1
An organization will be impacted by a new data privacy regulation due to the location of its production facilities. What action should the risk practitioner take when evaluating the new regulation?
A. Perform an analysis of the new regulation to ensure current risk is identified.
B. Evaluate if the existing risk responses to the previous regulation are still adequate.
C. Assess the validity and perform update testing on data privacy controls.
D. Develop internal control assessments over data privacy for the new regulation.
Selected Answer: B
Question #: 1104
Topic #: 1
Which of the following is the MOST important step to ensure regulatory requirements are adequately addressed within an organization?
A. Employ IT solutions that meet regulatory requirements
B. Perform a gap analysis against regulatory requirements
C. Obtain necessary resources to address regulatory requirements
D. Develop a policy framework that addresses regulatory requirements
Selected Answer: B
Question #: 1023
Topic #: 1
A risk practitioner has just learned about new malware that has severely impacted industry peers worldwide. Which of the following should be done FIRST?
A. Notify executive management.
B. Update the IT risk register.
C. Design IT risk mitigation plans.
D. Analyze the impact to the organization.
Selected Answer: D
Question #: 1123
Topic #: 1
Of the following, whose input is ESSENTIAL when developing risk scenarios for the implementation of a third-party mobile application that stores customer data?
A. Business process owner
B. IT vendor manager
C. Information security manager
D. IT compliance manager
Selected Answer: A
Question #: 1137
Topic #: 1
When presenting risk, the BEST method to ensure that the risk is measurable against the organization’s risk appetite is through the use of a:
A. technology strategy plan
B. cause-and-effect diagram
C. risk map
D. maturity model
Selected Answer: C
Question #: 1136
Topic #: 1
Which of the following elements is MOST essential when creating risk scenarios?
A. Identified vulnerabilities
B. Business impact and cost analysis
C. Historical organizational and industry risk factors
D. A comprehensive control framework
Selected Answer: A
Question #: 1135
Topic #: 1
Which of the following elements of a risk register is MOST useful to share with key stakeholders to influence informed decision-making?
A. Threat source
B. Risk owner
C. Control owner
D. Mitigation plan
Selected Answer: D
Question #: 1146
Topic #: 1
Which of the following is the BEST way to mitigate the risk of inappropriate access to personally identifiable information (PII) by third-party cloud service personnel?
A. Utilize data encryption standards throughout the information life cycle
B. Ensure security clearance is in place within the third-party hiring process
C. Choose a third-party provider in a jurisdiction with few privacy regulations
D. Include data security requirements in the service level agreement (SLA)
Selected Answer: A
Question #: 1142
Topic #: 1
Which activity would BEST enable a risk manager to verify the scope of responsibilities for stakeholders in IT risk scenarios?
A. Tabletop exercise
B. Risk assessment
C. Vulnerability assessment
D. Interviews with IT staff
Selected Answer: B
Question #: 1158
Topic #: 1
A risk practitioner has been hired to establish risk management practices to be embedded across an organization. Which of the following should be the FIRST course of action?
A. Integrate risk management into operational procedures.
B. Engage key stakeholders in risk identification.
C. Implement risk management controls throughout the organization.
D. Establish an organization-wide risk taxonomy.
Selected Answer: B
Question #: 1151
Topic #: 1
Which of the following would be MOST helpful to management when reviewing enterprise risk appetite and tolerance?
A. SWOT analysis results
B. Risk mitigation plans
C. Internal audit recommendations
D. Threat analysis results
Selected Answer: B
Question #: 1168
Topic #: 1
Which of the following is the PRIMARY objective of engaging key stakeholders in the IT risk assessment process?
A. Increasing the quality of analysis
B. Ensuring proper budget allocation for risk remediation
C. Building a risk aware culture
D. Reducing the time required for risk analysis
Selected Answer: A
Question #: 1167
Topic #: 1
A risk assessment has identified concerns about vulnerabilities associated with an Internet-facing application. Which of the following is the risk practitioner’s BEST recommendation?
A. Review the configurations.
B. Verify the access controls.
C. Perform a penetration test.
D. Determine compensating controls.
Selected Answer: C
Question #: 1166
Topic #: 1
Which of the following will provide the BEST measure of compliance with IT policies?
A. Evaluate past policy review reports.
B. Test staff on their compliance responsibilities.
C. Perform penetration testing.
D. Conduct regular independent reviews.
Selected Answer: D
Question #: 993
Topic #: 1
Which of the following would BEST help to address the risk associated with malicious outsiders modifying application data?
A. Role-based access controls
B. Multi-factor authentication
C. Activation of control audits
D. Acceptable use policies
Selected Answer: B
Question #: 879
Topic #: 1
Several newly identified risk scenarios are being integrated into an organization’s risk register. The MOST appropriate risk owner would be the individual who:
A. is accountable for loss if the risk materializes.
B. is in charge of information security.
C. is responsible for enterprise risk management (ERM).
D. can implement remediation action plans.
Selected Answer: A
Question #: 681
Topic #: 1
Which of the following is MOST critical when designing controls?
A. Involvement of process owner
B. Involvement of internal audit
C. Identification of key risk indicators
D. Quantitative impact of the risk
Selected Answer: A
Question #: 1192
Topic #: 1
Which of the following is the MOST effective key risk indicator (KRI) for monitoring problem management?
A. Average duration to resolve incidents
B. Time between recurring incidents
C. Number of recurring incidents
D. Average time to identify incidents
Selected Answer: C
Question #: 1191
Topic #: 1
Which of the following is the BEST way to evaluate the risk awareness of control owners?
A. Conduct surveys and trend the results over time.
B. Mandate risk awareness training for control owners.
C. Include control owners in top-down risk workshops.
D. Include control owners in risk committee meetings and risk reporting.
Selected Answer: A
Question #: 1205
Topic #: 1
A hospital’s Internet of Things (IoT) bio-medical devices were recently hacked. Which of the following methods would BEST assist in identifying the control deficiencies?
A. SWOT analysis
B. Countermeasure analysis
C. Business impact analysis (BIA)
D. Gap analysis
Selected Answer: D
Question #: 1214
Topic #: 1
Which of the following is MOST important to include in a report for senior management after resolving a significant IT incident?
A. Incident resolution time and likelihood of recurrence
B. A list of impacted business functions and estimated business loss
C. Details of resolution methods and assessment of the incident
D. A detailed information security root cause analysis
Selected Answer: B
Question #: 1230
Topic #: 1
When creating a separate IT risk register for a large organization, which of the following is MOST important to consider with regard to the existing corporate risk register?
A. Relying on generic IT risk scenarios
B. Describing IT risk in business terms
C. Leveraging business risk professionals
D. Using a common risk taxonomy
Selected Answer: D
Question #: 1224
Topic #: 1
A recent change in accounting policy has the potential to impact a known risk related to an organization’s financial software. Which of the following should the risk practitioner do FIRST?
A. Analyze and update the risk register as needed.
B. Conduct software testing for required code updates.
C. Analyze and update associated control assessments.
D. Determine whether the risk response is still adequate.
Selected Answer: D
Question #: 1248
Topic #: 1
Which of the following should be the GREATEST concern to a risk practitioner when process documentation is incomplete?
A. Inability to identify the risk owner
B. Inability to identify process experts
C. Inability to allocate resources efficiently
D. Inability to complete the risk register
Selected Answer: A
Question #: 1243
Topic #: 1
A segregation of duties control was found to be ineffective because it did not account for all applicable functions when evaluating access. Who is responsible for ensuring the control is designed to effectively address risk?
A. Control tester
B. Risk manager
C. Risk owner
D. Control owner
Selected Answer: B
Question #: 1242
Topic #: 1
A legacy application used for a critical business function relies on software that has reached the end of extended support. Which of the following is the MOST effective control to manage this application?
A. Increase the frequency of regular system and data backups.
B. Segment the application within the existing network.
C. Apply patches for a newer version of the application.
D. Subscribe to threat intelligence to monitor external attacks.
Selected Answer: B
Question #: 1306
Topic #: 1
The MAIN purpose of selecting a risk response is to:
A. mitigate the residual risk to be within tolerance.
B. ensure organizational awareness of the risk level.
C. demonstrate the effectiveness of risk management practices.
D. ensure compliance with local regulatory requirements.
Selected Answer: B
Question #: 1366
Topic #: 1
Which of the following BEST enables effective IT control implementation?
A. Information security policies
B. Documented procedures
C. Information security standards
D. Key risk indicators (KRIs)
Selected Answer: B
Question #: 512
Topic #: 1
Which of the following would be MOST helpful when estimating the likelihood of negative events?
A. Business impact analysis
B. Cost-benefit analysis
C. Risk response analysis
D. Threat analysis
Selected Answer: D
Question #: 668
Topic #: 1
Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?
A. Return on investment (ROI)
B. Risk mitigation budget
C. Cost-benefit analysis
D. Business impact analysis (BIA)
Selected Answer: C
Question #: 1231
Topic #: 1
Which of the following resources is MOST helpful to a risk practitioner when updating the likelihood rating in the risk register?
A. Business impact analysis (BIA)
B. Risk control assessment
C. Penetration test results
D. Audit reports with risk ratings
Selected Answer: B
Question #: 1222
Topic #: 1
An organization is required to comply with updates to an existing data protection regulation. Which of the following should the risk practitioner recommend be done FIRST?
A. Perform effectiveness testing for the organization’s data protection controls.
B. Determine whether risk responses associated with the previous regulation are still adequate.
C. Perform a gap analysis to determine if additional controls are required.
D. Develop new internal control assessments for the updated regulation
Selected Answer: C
Question #: 1209
Topic #: 1
Which of the following is the BEST way for a risk practitioner to present an annual risk management update to the board?
A. A summary of IT risk scenarios with business cases
B. A summary of risk response plans with validation results
C. A report with control environment assessment results
D. A dashboard summarizing key risk indicators (KRIs)
Selected Answer: D
Question #: 1188
Topic #: 1
Which of the following provides the MOST useful information when assessing whether an organization has appropriately managed its level of risk compared to its established risk appetite?
A. Risk velocity
B. Residual risk
C. Inherent risk
D. Risk trend
Selected Answer: B
Question #: 1162
Topic #: 1
The objective of aligning mitigating controls to risk appetite is to ensure that:
A. exposures are reduced to the fullest extent.
B. insurance costs are minimized.
C. exposures are reduced only for critical business systems.
D. the cost of controls does not exceed the expected loss.
Selected Answer: D
Question #: 1160
Topic #: 1
Which of the following is the GREATEST benefit of using key control indicators (KCIs)?
A. The ability to focus on key controls related to one strategic risk
B. Notification when the established risk appetite level has been reached
C. The ability to track key controls related to risk scenarios
D. Notification when the established risk tolerance level has been reached
Selected Answer: D
Question #: 1159
Topic #: 1
An IT risk profile should be reviewed and updated when a new:
A. risk scenario has been developed.
B. vulnerability assessment tool is implemented.
C. IT asset has been procured.
D. audit finding has been issued.
Selected Answer: A
Question #: 425
Topic #: 1
Which of the following would be an IT business owner’s BEST course of action following an unexpected increase in emergency changes?
A. Conducting a root-cause analysis
B. Validating the adequacy of current processes
C. Evaluating the impact to control objectives
D. Reconfiguring the IT infrastructure
Selected Answer: A
Question #: 424
Topic #: 1
Before implementing instant messaging within an organization using a public solution, which of the following should be in place to mitigate data leakage risk?
A. An access control list
B. An acceptable usage policy
C. An intrusion detection system (IDS)
D. A data extraction tool
Selected Answer: B
Question #: 1370
Topic #: 1
An organization has agreed to a 99% availability for its online services and will not accept availability that falls below 98.5%. This is an example of:
A. risk mitigation.
B. risk appetite.
C. risk evaluation.
D. risk tolerance.
Selected Answer: D
Question #: 420
Topic #: 1
For a large software development project, risk assessments are MOST effective when performed:
A. during the development of the business case
B. at each stage of the system development life cycle (SDLC)
C. at system development
D. before system development begins
Selected Answer: B
Question #: 416
Topic #: 1
What should be PRIMARILY responsible for establishing an organization’s IT risk culture?
A. Risk management
B. IT management
C. Business process owner
D. Executive management
Selected Answer: D
Question #: 579
Topic #: 1
Which of the following would be MOST helpful to understand the impact of a new technology system on an organization’s current risk profile?
A. Conduct a gap analysis
B. Review existing risk mitigation controls
C. Perform a risk assessment
D. Hire consultants specializing in the new technology
Selected Answer: C
Question #: 1388
Topic #: 1
Which of the following is the GREATEST benefit of using IT risk scenarios?
A. They support compliance with regulations.
B. They provide evidence of risk assessment.
C. They facilitate communication of risk.
D. They enable the use of key risk indicators (KRIs).
Selected Answer: C
Question #: 1384
Topic #: 1
A risk practitioner recently discovered that personal information from the production environment is required for testing purposes in non-production environments. Which of the following is the BEST recommendation to address this situation?
A. Enable data encryption in the test environment.
B. Enforce multi-factor authentication within the test environment.
C. Prevent the use of production data in the test environment.
D. De-identify data before being transferred to the test environment.
Selected Answer: D
Question #: 1374
Topic #: 1
Which of the following would provide the MOST reliable evidence of the effectiveness of security controls implemented for a web application?
A. Penetration testing
B. Fault tree analysis
C. Vulnerability assessment
D. IT general controls audit
Selected Answer: A
Question #: 1360
Topic #: 1
Who is MOST appropriate to be assigned ownership of a control?
A. The individual responsible for control operation
B. The individual responsible for testing the control
C. The individual informed of the control effectiveness
D. The individual accountable for monitoring control effectiveness
Selected Answer: A
Question #: 412
Topic #: 1
Which of the following would BEST help to ensure that suspicious network activity is identified?
A. Analyzing server logs
B. Coordinating events with appropriate agencies
C. Analyzing intrusion detection system (IDS) logs
D. Using a third-party monitoring provider
Selected Answer: C
Question #: 1315
Topic #: 1
The MAJOR reason to classify information assets is to:
A. categorize data into groups.
B. maintain a current inventory and catalog of information assets.
C. determine their sensitivity and criticality.
D. establish recovery time objectives (RTOs).
Selected Answer: C
Question #: 1314
Topic #: 1
Of the following, who should be PRIMARILY responsible for performing user entitlement reviews?
A. Data custodian
B. IT personnel
C. Data owner
D. IT security manager
Selected Answer: C
Question #: 1311
Topic #: 1
Which of the following is the BEST approach for an organization in a heavily regulated industry to comprehensively test application functionality?
A. Use production data in a non-production environment.
B. Use anonymized data in a non-production environment.
C. Use test data in a production environment.
D. Use masked data in a non-production environment.
Selected Answer: D
Question #: 524
Topic #: 1
Risk management strategies are PRIMARILY adopted to:
A. achieve compliance with legal requirements
B. take necessary precautions for claims and losses
C. avoid risk for business and IT assets
D. achieve acceptable residual risk levels
Selected Answer: D
Question #: 1249
Topic #: 1
After entering a large number of low-risk scenarios into the risk register, it is MOST important for the risk practitioner to:
A. reconfirm risk tolerance levels.
B. analyze changes to aggregate risk.
C. prepare a follow-up risk assessment.
D. recommend acceptance of the risk scenarios.
Selected Answer: B
Question #: 1247
Topic #: 1
An organization has asked an IT risk practitioner to conduct an operational risk assessment on an initiative to outsource the organization’s customer service operations overseas. Which of the following would MOST significantly impact management’s decision?
A. Time zone difference of the outsourcing location
B. Ongoing financial viability of the outsourcing company
C. Historical network latency between the organization and outsourcing location
D. Cross-border information transfer restrictions in the outsourcing country
Selected Answer: D
Question #: 1246
Topic #: 1
Which of the following key performance indicators (KPIs) would BEST measure the risk of a service outage when using a Software as a Service (SaaS) vendor?
A. Frequency and number of new software releases
B. Frequency of business continuity plan (BCP) testing
C. Frequency and duration of unplanned downtime
D. Number of IT support staff available after business hours
Selected Answer: C
Question #: 1245
Topic #: 1
When implementing an IT risk management program, which of the following is the BEST time to evaluate current control effectiveness?
A. Before defining a framework
B. During the risk assessment
C. When evaluating risk response
D. When updating the risk register
Selected Answer: B
Question #: 1244
Topic #: 1
The cost of maintaining a control has grown to exceed the potential loss. Which of the following BEST describes this situation?
A. Effective risk management
B. Optimized control management
C. Over-controlled environment
D. Insufficient risk tolerance
Selected Answer: C
Question #: 1241
Topic #: 1
Which of the following is MOST helpful in providing a high-level overview of current IT risk severity?
A. Risk mitigation plans
B. Risk appetite statement
C. Heat map
D. Key risk indicators (KRIs)
Selected Answer: C
Question #: 1240
Topic #: 1
Which of the following will BEST ensure that controls adequately support business goals and objectives?
A. Using the risk management process
B. Enforcing strict disciplinary procedures in case of noncompliance
C. Adopting internationally accepted controls
D. Reviewing results of the annual company external audit
Selected Answer: A
Question #: 1239
Topic #: 1
Which of the following key control indicators (KCIs) BEST indicates whether security requirements are identified and managed throughout a project life cycle?
A. Number of employees completing project-specific security training
B. Number of projects going live without a security review
C. Number of security projects started in core departments
D. Number of security-related status reports submitted by project managers
Selected Answer: D
Question #: 1238
Topic #: 1
Which of the following is MOST important to ensure when reviewing an organization’s risk register?
A. Vulnerabilities have separate entries.
B. Control ownership is recorded.
C. Risk ownership is recorded.
D. Residual risk is less than inherent risk.
Selected Answer: C
Question #: 1237
Topic #: 1
To define the risk management strategy, which of the following MUST be set by the board of directors?
A. Risk governance
B. Annualized loss expectancy (ALE)
C. Risk appetite
D. Operational strategies
Selected Answer: C
Question #: 1235
Topic #: 1
An organization has decided to implement a new Internet of Things (IoT) solution. Which of the following should be done FIRST when addressing security concerns associated with this new technology?
A. Engage external security reviews.
B. Implement IoT device monitoring software.
C. Develop new IoT risk scenarios.
D. Introduce controls to the new threat environment.
Selected Answer: C
Question #: 1234
Topic #: 1
Which of the following is the PRIMARY reason for sharing risk assessment reports with senior stakeholders?
A. To enable senior management to compile a risk profile
B. To support decision-making for risk response
C. To secure resourcing for risk treatment efforts
D. To hold risk owners accountable for risk action plans
Selected Answer: B
Question #: 1233
Topic #: 1
Which of the following is the BEST course of action when an organization wants to reduce likelihood in order to reduce a risk level?
A. Implement preventive measures.
B. Transfer the risk.
C. Implement detective controls.
D. Monitor risk controls.
Selected Answer: A
Question #: 1232
Topic #: 1
Which of the following is MOST helpful in identifying loss magnitude during risk analysis of a new system?
A. Recovery time objective (RTO)
B. Business impact analysis (BIA)
C. Cyber insurance coverage
D. Cost-benefit analysis
Selected Answer: B
Question #: 1229
Topic #: 1
A failed IT system upgrade project has resulted in the corruption of an organization’s asset inventory database. Which of the following controls BEST mitigates the impact of this incident?
A. Authentication
B. Encryption
C. Backups
D. Configuration
Selected Answer: C
Question #: 1228
Topic #: 1
Which of the following BEST represents the desired risk posture for an organization?
A. Accepted risk is higher than risk tolerance.
B. Operational risk is higher than risk tolerance.
C. Inherent risk is lower than risk tolerance.
D. Residual risk is lower than risk tolerance.
Selected Answer: D
Question #: 1227
Topic #: 1
Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds?
A. Risk scenarios
B. The risk tolerance level
C. A performance measurement
D. Occurrences of specific events
Selected Answer: D
Question #: 1226
Topic #: 1
An organization is implementing robotic process automation (RPA) to streamline business processes. Given that implementation of this technology is expected to impact existing controls, which of the following is the risk practitioner’s BEST course of action?
A. Perform a gap analysis of the impacted processes.
B. Update the data governance policy to address the new technology.
C. Reassess whether mitigating controls address the known risk in the processes.
D. Update processes to address the new technology.
Selected Answer: A
Question #: 1225
Topic #: 1
Which of the following is BEST determined by analysis of incident reports?
A. Changes in the external risk environment
B. Effectiveness of internal controls
C. Ranges for key performance indicators (KPIs)
D. Thresholds for key risk indicators (KRIs)
Selected Answer: B
Question #: 1223
Topic #: 1
Which of the following is MOST important when conducting a post-implementation review as part of the system development life cycle (SDLC)?
A. Verifying that project objectives are met
B. Reviewing the project initiation risk matrix
C. Identifying project cost overruns
D. Leveraging an independent review team
Selected Answer: A
Question #: 1221
Topic #: 1
A risk practitioner is working with the incident management team to prioritize activities. Which of the following should be the FIRST priority of the incident response plan?
A. Verify an incident actually occurred.
B. Verify the recovery time objective (RTO).
C. Brief the senior leadership team.
D. Identify the root cause of the incident.
Selected Answer: A
Question #: 1220
Topic #: 1
Which of the following BEST supports the effective adoption of risk management across the enterprise?
A. Basing risk action plans on end user assessments of risk
B. Assignment of risk-related responsibilities to end users
C. Participation by functions responsible for the risk
D. Comparison of risk assessment results with industry peers
Selected Answer: C
Question #: 1219
Topic #: 1
A risk practitioner has collaborated with subject matter experts from the IT department to develop a large list of potential key risk indicators (KRIs) for all IT operations within the organization. Of the following, who should review the completed list and select the appropriate KRIs for implementation?
A. IT security managers
B. IT auditors
C. IT risk owners
D. IT control owners
Selected Answer: C
Question #: 1217
Topic #: 1
Which of the following is the MOST important concern when assigning multiple risk owners for an identified risk?
A. Risk ratings may be inconsistently applied.
B. Accountability may not be clearly defined.
C. Different risk taxonomies may be used.
D. Mitigation efforts may be duplicated.
Selected Answer: B
Question #: 1215
Topic #: 1
Which of the following is the MOST likely reason for a significant year-over-year increase in inherent risk?
A. Targeted cyberattacks against the organization’s infrastructure
B. A significant number of control failures identified during an audit
C. A lack of defined risk ownership due to organizational changes
D. An ineffective risk action plan validation process
Selected Answer: A
Question #: 1212
Topic #: 1
An organization has outsourced its customer management database to an external service provider. Of the following, who should be accountable for ensuring customer data privacy?
A. The organization’s business process owner
B. The organization’s information security manager
C. The organization’s vendor management officer
D. The vendor’s risk manager
Selected Answer: A
Question #: 1211
Topic #: 1
External auditors have found that management has not effectively monitored key security technologies that support regulatory objectives. Which type of indicator would BEST enable the organization to identify and correct this situation?
A. Key management indicator (KMI)
B. Key control indicator (KCI)
C. Key performance indicator (KPI)
D. Key risk indicator (KRI)
Selected Answer: B
Question #: 1210
Topic #: 1
A risk assessment has determined that an organization is highly susceptible to a vulnerability in its IT infrastructure. Which of the following is MOST important to communicate to the board?
A. Open source intelligence reports on successful attacks
B. Impact to the organization if the vulnerability is exploited
C. Results of the most recent penetration test
D. Results of a root cause analysis of the vulnerability
Selected Answer: B
Question #: 1208
Topic #: 1
Which of the following is the PRIMARY responsibility of a risk owner?
A. Determining risk appetite and tolerance
B. Developing relevant control procedures
C. Deciding responses to identified risk
D. Implementing risk action plans
Selected Answer: C
Question #: 1207
Topic #: 1
Which of the following should be a risk practitioner’s NEXT step after learning of an incident that has affected a competitor?
A. Develop risk scenarios.
B. Implement compensating controls.
C. Activate the incident response plan.
D. Update the risk register.
Selected Answer: A
Question #: 1206
Topic #: 1
A financial organization is considering a project to implement the use of blockchain technology. To help ensure the organization’s management team can make informed decisions on the project, which of the following should the risk practitioner reassess?
A. Risk tolerance
B. Risk classification
C. Business impact analysis (BIA)
D. Risk profile
Selected Answer: D
Question #: 1204
Topic #: 1
An organization’s chief information officer (CIO) has proposed investing in a new, untested technology to take advantage of being first to market. Senior management has concerns about the success of the project and has set a limit for expenditures before final approval. This conditional approval indicates the organization’s risk:
A. management capability
B. capacity
C. treatment strategy
D. appetite
Selected Answer: D
Question #: 1203
Topic #: 1
Using key risk indicators (KRIs) to illustrate changes in the risk profile PRIMARILY helps to:
A. assign ownership of emerging risk scenarios.
B. identify threats to emerging technologies.
C. communicate risk trends to stakeholders.
D. highlight noncompliance with the risk policy.
Selected Answer: C
Question #: 1202
Topic #: 1
Which of the following is the PRIMARY reason to perform periodic vendor risk assessments?
A. To assess the vendor’s risk mitigation plans
B. To verify the vendor’s ongoing financial viability
C. To monitor the vendor’s control effectiveness
D. To provide input to the organization’s risk appetite
Selected Answer: C
Question #: 1200
Topic #: 1
Which of the following is MOST important for an IT risk practitioner to update once risk mitigation action plans have been verified as completed?
A. Risk rating
B. Control inventory
C. Risk impact
D. Control ownership
Selected Answer: A
Question #: 430
Topic #: 1
When determining which control deficiencies are most significant, which of the following would provide the MOST useful information?
A. Exception handling policy
B. Benchmarking assessments
C. Vulnerability assessment results
D. Risk analysis results
Selected Answer: D
Question #: 1198
Topic #: 1
The IT risk profile is PRIMARILY a communication tool for:
A. external stakeholders.
B. senior management.
C. internal audit.
D. regulators.
Selected Answer: B
Question #: 1197
Topic #: 1
Which of the following provides the MOST useful information for regular reporting to senior management on the control environment’s effectiveness?
A. Capability maturity model
B. Key risk indicators (KRIs)
C. Balanced scorecard
D. Key performance indicators (KPIs)
Selected Answer: B
Question #: 1196
Topic #: 1
Which of the following is the MOST important objective from a cost perspective for considering aggregated risk responses in an organization?
A. Reduce likelihood
B. Address more than one risk response
C. Prioritize risk response options
D. Reduce impact
Selected Answer: B
Question #: 1194
Topic #: 1
Which of the following is MOST critical for a risk practitioner to continuously monitor to support senior management’s risk-related decision making?
A. Industry best practices in risk management
B. Types of losses experienced by peer organizations
C. The organization’s risk profile
D. Threat intelligence sources
Selected Answer: C
Question #: 1193
Topic #: 1
From a risk management perspective, which of the following is the PRIMARY purpose of conducting a root cause analysis following an incident?
A. To satisfy senior management expectations for incident response
B. To reduce incident response times defined in service level agreements (SLAs)
C. To minimize the likelihood of future occurrences
D. To ensure risk has been reduced to acceptable levels
Selected Answer: C
Question #: 1190
Topic #: 1
What is the PRIMARY role of the application owner when changes are being introduced into an existing environment?
A. Updating control procedures and documentation
B. Notifying owners of affected systems after the changes are implemented
C. Determining possible losses due to downtime during the changes
D. Approving the proposed changes based on impact analysis
Selected Answer: D
Question #: 1187
Topic #: 1
What should be the PRIMARY objective of updating a risk awareness program in response to a steady rise in cybersecurity threats across the industry?
A. To reduce the risk of insider threats that could compromise security practices
B. To increase familiarity and understanding of potential security incidents
C. To ensure compliance with risk management policies and procedures
D. To lower the organization’s risk appetite and tolerance levels
Selected Answer: B
Question #: 1186
Topic #: 1
During a risk assessment, a risk practitioner learns that an IT risk factor is adequately mitigated by compensating controls in an associated business process. Which of the following would enable the MOST effective management of the residual risk?
A. Recommend additional IT controls to further reduce residual risk.
B. Request that ownership of the compensating controls is reassigned to IT.
C. Schedule periodic reviews of the compensating controls’ effectiveness.
D. Report the use of compensating controls to senior management.
Selected Answer: C
Question #: 1185
Topic #: 1
Which of the following would BEST enable senior management to make informed decisions about the effectiveness of existing controls to mitigate risk?
A. Quantitative analysis of total control cost in monetary terms
B. Quantitative measurement of the controls’ ability to reduce the likelihood of risk events occurring
C. Qualitative assessment of control effectiveness by surveying control owners
D. Qualitative measurement of the impact on business operations should a risk event occur
Selected Answer: B
Question #: 1184
Topic #: 1
An organization has outsourced its accounts payable function to an external service provider that does not have an effective business continuity plan (BCP) in place. Who owns the associated risk?
A. Service provider
B. Business continuity manager
C. Business process owner
D. The vendor’s risk manager
Selected Answer: C
Question #: 1183
Topic #: 1
Which of the following BEST enables an organization to develop a comprehensive key performance indicator (KPI) strategy to measure all key controls?
A. Use KPIs that can be financially quantified.
B. Align control performance goals to KPIs.
C. Minimize the number of lagging performance indicators.
D. Ensure controls have their own KPIs.
Selected Answer: B
Question #: 1182
Topic #: 1
Which of the following is the MOST important key performance indicator (KPI) to monitor the effectiveness of disaster recovery processes?
A. Percentage of issues arising from the disaster recovery test resolved on time
B. Percentage of IT systems included in the disaster recovery test scope
C. Percentage of IT systems recovered within the mean time to restore (MTTR) during the disaster recovery test
D. Percentage of IT systems meeting the recovery time objective (RTO) during the disaster recovery test
Selected Answer: D
Question #: 1181
Topic #: 1
Which of the following would be a risk practitioner’s GREATEST concern with the use of a vulnerability scanning tool?
A. Increased time to remediate vulnerabilities
B. Inaccurate reporting of results
C. Increased number of vulnerabilities
D. Network performance degradation
Selected Answer: B
Question #: 1180
Topic #: 1
When a risk practitioner is determining a system’s criticality, it is MOST helpful to review the associated:
A. process flow.
B. business impact analysis (BIA).
C. system architecture.
D. service level agreement (SLA).
Selected Answer: B
Question #: 1179
Topic #: 1
Which of the following is MOST important to promoting a risk-aware culture?
A. Communication of audit findings
B. Open communication of risk reporting
C. Procedures for security monitoring
D. Regular testing of risk controls
Selected Answer: B
Question #: 1178
Topic #: 1
Which of the following is the BEST way to ensure controls are maintained consistently across the environment?
A. Performing a gap analysis on process deviations
B. Conducting annual control assessments
C. Monitoring key risk indicators (KRIs)
D. Training operational staff on risk control procedures
Selected Answer: B
Question #: 1177
Topic #: 1
A risk practitioner is utilizing a risk heat map during a risk assessment. Risk events that are coded with the same color will have a similar:
A. risk response.
B. risk impact.
C. risk likelihood.
D. risk score.
Selected Answer: D
Question #: 1176
Topic #: 1
Which of the following is the PRIMARY reason to conduct risk assessments at periodic intervals?
A. To promote a risk-aware culture among staff
B. To ensure emerging risk is identified and monitored
C. To ensure risk trend data is collected and reported
D. To establish the maturity level of risk assessment processes
Selected Answer: B
Question #: 1175
Topic #: 1
Which of the following is MOST likely to be impacted when a global organization is required by law to implement a new data protection regulation across its operations?
A. Risk ownership assignments
B. Threat profile
C. Vulnerability assessment results
D. Risk profile
Selected Answer: D
Question #: 1174
Topic #: 1
Which of the following is MOST important for senior management to review during an acquisition?
A. Key risk indicator (KRI) thresholds
B. Risk framework and methodology
C. Risk communication plan
D. Risk appetite and tolerance
Selected Answer: D
Question #: 1087
Topic #: 1
An organization has provided legal text explaining the rights and expected behavior of users accessing a system from geographic locations that have strong privacy regulations. Which of the following control types has been applied?
A. Detective
B. Preventive
C. Compensating
D. Directive
Selected Answer: D
Question #: 1173
Topic #: 1
Which of the following is a risk practitioner’s BEST course of action if a risk assessment identifies a risk that is extremely unlikely but would have a severe impact should it occur?
A. Address the risk by analyzing treatment options.
B. Rate the risk as high priority based on the severe impact.
C. Ignore the risk due to the extremely low likelihood.
D. Obtain management’s consent to accept the risk.
Selected Answer: A