Special Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: clap70

CRISC Certified in Risk and Information Systems Control Questions and Answers

Questions 4

An organization has established workflows in its service desk to support employee reports of security-related concerns. Which of the following is the MOST efficient approach to analyze these concerns?

Options:

A.

Map concerns to organizational assets.

B.

Sort concerns by likelihood.

C.

Align concerns to key vendors.

D.

Prioritize concerns based on frequency of reports.

Buy Now
Questions 5

Which of the following BEST enables an organization to address new risk associated with an Internet of Things (IoT) solution?

Options:

A.

Transferring the risk

B.

Introducing control procedures early in the life cycle

C.

Updating the risk tolerance to include the new risk

D.

Implementing IoT device monitoring software

Buy Now
Questions 6

Which of the following would MOST effectively reduce the potential for inappropriate exposure of vulnerabilities documented in an organization's risk register?

Options:

A.

Limit access to senior management only.

B.

Encrypt the risk register.

C.

Implement role-based access.

D.

Require users to sign a confidentiality agreement.

Buy Now
Questions 7

Which of the following is the GREATEST risk associated with inappropriate classification of data?

Options:

A.

Inaccurate record management data

B.

Users having unauthorized access to data

C.

Inaccurate recovery time objectives (RTOs)

D.

Lack of accountability for data ownership

Buy Now
Questions 8

Which of the following is the PRIMARY objective of risk management?

Options:

A.

Identify and analyze risk.

B.

Achieve business objectives

C.

Minimi2e business disruptions.

D.

Identify threats and vulnerabilities.

Buy Now
Questions 9

A risk practitioner has received an updated enterprise risk management (ERM) report showing that residual risk is now within the organization's defined appetite and tolerance levels. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Identify new risk entries to include in ERM.

B.

Remove the risk entries from the ERM register.

C.

Re-perform the risk assessment to confirm results.

D.

Verify the adequacy of risk monitoring plans.

Buy Now
Questions 10

A bank recently incorporated blockchain technology with the potential to impact known risk within the organization. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

reflect the results of risk assessments.

B.

be available to all stakeholders.

C.

effectively support a business maturity model.

D.

be reviewed by the IT steering committee.

Buy Now
Questions 11

Which of the following is the BEST recommendation to senior management when the results of a risk and control assessment indicate a risk scenario can only be partially mitigated?

Options:

A.

Implement controls to bring the risk to a level within appetite and accept the residual risk.

B.

Implement a key performance indicator (KPI) to monitor the existing control performance.

C.

Accept the residual risk in its entirety and obtain executive management approval.

D.

Separate the risk into multiple components and avoid the risk components that cannot be mitigated.

Buy Now
Questions 12

The BEST way to demonstrate alignment of the risk profile with business objectives is through:

Options:

A.

risk scenarios.

B.

risk tolerance.

C.

risk policy.

D.

risk appetite.

Buy Now
Questions 13

A risk practitioner is performing a risk assessment of recent external advancements in quantum computing. Which of the following would pose the GREATEST concern for the risk practitioner?

Options:

A.

The organization has incorporated blockchain technology in its operations.

B.

The organization has not reviewed its encryption standards.

C.

The organization has implemented heuristics on its network firewall.

D.

The organization has not adopted Infrastructure as a Service (laaS) for its operations.

Buy Now
Questions 14

Which of the following is the GREATEST benefit when enterprise risk management (ERM) provides oversight of IT risk management?

Options:

A.

Aligning IT with short-term and long-term goals of the organization

B.

Ensuring the IT budget and resources focus on risk management

C.

Ensuring senior management's primary focus is on the impact of identified risk

D.

Prioritizing internal departments that provide service to customers

Buy Now
Questions 15

A newly hired risk practitioner finds that the risk register has not been updated in the past year. What is the risk practitioner's BEST course of action?

Options:

A.

Identify changes in risk factors and initiate risk reviews.

B.

Engage an external consultant to redesign the risk management process.

C.

Outsource the process for updating the risk register.

D.

Implement a process improvement and replace the old risk register.

Buy Now
Questions 16

A risk practitioner is preparing a report to communicate changes in the risk and control environment. The BEST way to engage stakeholder attention is to:

Options:

A.

include detailed deviations from industry benchmarks,

B.

include a summary linking information to stakeholder needs,

C.

include a roadmap to achieve operational excellence,

D.

publish the report on-demand for stakeholders.

Buy Now
Questions 17

Which of the following is the MOST effective control to maintain the integrity of system configuration files?

Options:

A.

Recording changes to configuration files

B.

Implementing automated vulnerability scanning

C.

Restricting access to configuration documentation

D.

Monitoring against the configuration standard

Buy Now
Questions 18

Which of the following is the MOST important objective of establishing an enterprise risk management (ERM) function within an organization?

Options:

A.

To have a unified approach to risk management across the organization

B.

To have a standard risk management process for complying with regulations

C.

To optimize risk management resources across the organization

D.

To ensure risk profiles are presented in a consistent format within the organization

Buy Now
Questions 19

The PRIMARY benefit of using a maturity model is that it helps to evaluate the:

Options:

A.

capability to implement new processes

B.

evolution of process improvements

C.

degree of compliance with policies and procedures

D.

control requirements.

Buy Now
Questions 20

Which of the following is the BEST evidence that risk management is driving business decisions in an organization?

Options:

A.

Compliance breaches are addressed in a timely manner.

B.

Risk ownership is identified and assigned.

C.

Risk treatment options receive adequate funding.

D.

Residual risk is within risk tolerance.

Buy Now
Questions 21

An organization uses a vendor to destroy hard drives. Which of the following would BEST reduce the risk of data leakage?

Options:

A.

Require the vendor to degauss the hard drives

B.

Implement an encryption policy for the hard drives.

C.

Require confirmation of destruction from the IT manager.

D.

Use an accredited vendor to dispose of the hard drives.

Buy Now
Questions 22

Which of the following presents the GREATEST risk to change control in business application development over the complete life cycle?

Options:

A.

Emphasis on multiple application testing cycles

B.

Lack of an integrated development environment (IDE) tool

C.

Introduction of requirements that have not been approved

D.

Bypassing quality requirements before go-live

Buy Now
Questions 23

The PRIMARY reason for tracking the status of risk mitigation plans is to ensure:

Options:

A.

the proposed controls are implemented as scheduled.

B.

security controls are tested prior to implementation.

C.

compliance with corporate policies.

D.

the risk response strategy has been decided.

Buy Now
Questions 24

Which of the following is MOST important to review when evaluating the ongoing effectiveness of the IT risk register?

Options:

A.

The costs associated with mitigation options

B.

The status of identified risk scenarios

C.

The cost-benefit analysis of each risk response

D.

The timeframes for risk response actions

Buy Now
Questions 25

The PRIMARY benefit associated with key risk indicators (KRls) is that they:

Options:

A.

help an organization identify emerging threats.

B.

benchmark the organization's risk profile.

C.

identify trends in the organization's vulnerabilities.

D.

enable ongoing monitoring of emerging risk.

Buy Now
Questions 26

The risk associated with an asset after controls are applied can be expressed as:

Options:

A.

a function of the cost and effectiveness of controls.

B.

the likelihood of a given threat.

C.

a function of the likelihood and impact.

D.

the magnitude of an impact.

Buy Now
Questions 27

An organization has completed a project to implement encryption on all databases that host customer data. Which of the following elements of the risk register should be updated the reflect this change?

Options:

A.

Risk likelihood

B.

Inherent risk

C.

Risk appetite

D.

Risk tolerance

Buy Now
Questions 28

Which of the following would BEST help secure online financial transactions from improper users?

Options:

A.

Review of log-in attempts

B.

multi-level authorization

C.

Periodic review of audit trails

D.

multi-factor authentication

Buy Now
Questions 29

When preparing a risk status report for periodic review by senior management, it is MOST important to ensure the report includes

Options:

A.

risk exposure in business terms

B.

a detailed view of individual risk exposures

C.

a summary of incidents that have impacted the organization.

D.

recommendations by an independent risk assessor.

Buy Now
Questions 30

An organization wants to launch a campaign to advertise a new product Using data analytics, the campaign can be targeted to reach potential customers. Which of the following should be of GREATEST concern to the risk practitioner?

Options:

A.

Data minimization

B.

Accountability

C.

Accuracy

D.

Purpose limitation

Buy Now
Questions 31

Which of the following is MOST important for developing effective key risk indicators (KRIs)?

Options:

A.

Engaging sponsorship by senior management

B.

Utilizing data and resources internal to the organization

C.

Including input from risk and business unit management

D.

Developing in collaboration with internal audit

Buy Now
Questions 32

Which of the following approaches BEST identifies information systems control deficiencies?

Options:

A.

Countermeasures analysis

B.

Best practice assessment

C.

Gap analysis

D.

Risk assessment

Buy Now
Questions 33

Warning banners on login screens for laptops provided by an organization to its employees are an example of which type of control?

Options:

A.

Corrective

B.

Preventive

C.

Detective

D.

Deterrent

Buy Now
Questions 34

Which of the following is the BEST recommendation to address recent IT risk trends that indicate social engineering attempts are increasing in the organization?

Options:

A.

Conduct a simulated phishing attack.

B.

Update spam filters

C.

Revise the acceptable use policy

D.

Strengthen disciplinary procedures

Buy Now
Questions 35

Risk acceptance of an exception to a security control would MOST likely be justified when:

Options:

A.

automation cannot be applied to the control

B.

business benefits exceed the loss exposure.

C.

the end-user license agreement has expired.

D.

the control is difficult to enforce in practice.

Buy Now
Questions 36

The risk to an organization's reputation due to a recent cybersecurity breach is PRIMARILY considered to be:

Options:

A.

financial risk.

B.

data risk.

C.

operational risk.

D.

strategic risk.

Buy Now
Questions 37

Which of the following is the PRIMARY objective of a risk awareness program?

Options:

A.

To demonstrate senior management support

B.

To enhance organizational risk culture

C.

To increase awareness of risk mitigation controls

D.

To clearly define ownership of risk

Buy Now
Questions 38

Who is MOST important lo include in the assessment of existing IT risk scenarios?

Options:

A.

Technology subject matter experts

B.

Business process owners

C.

Business users of IT systems

D.

Risk management consultants

Buy Now
Questions 39

A failure in an organization’s IT system build process has resulted in several computers on the network missing the corporate endpoint detection and response (EDR) software. Which of the following should be the risk practitioner's IMMEDIATE concern?

Options:

A.

Threats are not being detected.

B.

Multiple corporate build images exist.

C.

The IT build process was not followed.

D.

The process documentation was not updated.

Buy Now
Questions 40

Recent penetration testing of an organization's software has identified many different types of security risks. Which of the following is the MOST likely root cause for the identified risk?

Options:

A.

SIEM software is producing faulty alerts.

B.

Threat modeling was not utilized in the software design process.

C.

The configuration management process is not applied consistently during development.

D.

An identity and access management (IAM) tool has not been properly integrated into the software.

Buy Now
Questions 41

Which of the following BEST reduces the likelihood of fraudulent activity that occurs through use of a digital wallet?

Options:

A.

Require public key infrastructure (PKI) to authorize transactions.

B.

Require multi-factor authentication (MFA) to access the digital wallet.

C.

Use a digital key to encrypt the contents of the wallet.

D.

Enable audit logging on the digital wallet's device.

Buy Now
Questions 42

Which of the following should be a risk practitioner's GREATEST concern upon learning of failures in a data migration activity?

Options:

A.

Availability of test data

B.

Integrity of data

C.

Cost overruns

D.

System performance

Buy Now
Questions 43

Which of the following is the PRIMARY accountability for a control owner?

Options:

A.

Communicate risk to senior management.

B.

Own the associated risk the control is mitigating.

C.

Ensure the control operates effectively.

D.

Identify and assess control weaknesses.

Buy Now
Questions 44

Which of the following would MOST likely cause management to unknowingly accept excessive risk?

Options:

A.

Satisfactory audit results

B.

Risk tolerance being set too low

C.

Inaccurate risk ratings

D.

Lack of preventive controls

Buy Now
Questions 45

Which of the following is MOST important to ensure risk management practices are effective at all levels within the organization?

Options:

A.

Communicating risk awareness materials regularly

B.

Establishing key risk indicators (KRIs) to monitor risk management processes

C.

Ensuring that business activities minimize inherent risk

D.

Embedding risk management in business activities

Buy Now
Questions 46

Which of the following is the BEST way to prevent the loss of highly sensitive data when disposing of storage media?

Options:

A.

Physical destruction

B.

Degaussing

C.

Data anonymization

D.

Data deletion

Buy Now
Questions 47

Which of the following would be the GREATEST challenge when implementing a corporate risk framework for a global organization?

Options:

A.

Privacy risk controls

B.

Business continuity

C.

Risk taxonomy

D.

Management support

Buy Now
Questions 48

The PRIMARY objective of a risk identification process is to:

Options:

A.

evaluate how risk conditions are managed.

B.

determine threats and vulnerabilities.

C.

estimate anticipated financial impact of risk conditions.

D.

establish risk response options.

Buy Now
Questions 49

Which of the following would BEST indicate to senior management that IT processes are improving?

Options:

A.

Changes in the number of intrusions detected

B.

Changes in the number of security exceptions

C.

Changes in the position in the maturity model

D.

Changes to the structure of the risk register

Buy Now
Questions 50

Which of the following is MOST helpful in aligning IT risk with business objectives?

Options:

A.

Introducing an approved IT governance framework

B.

Integrating the results of top-down risk scenario analyses

C.

Performing a business impact analysis (BlA)

D.

Implementing a risk classification system

Buy Now
Questions 51

Which of the following activities should only be performed by the third line of defense?

Options:

A.

Operating controls for risk mitigation

B.

Testing the effectiveness and efficiency of internal controls

C.

Providing assurance on risk management processes

D.

Recommending risk treatment options

Buy Now
Questions 52

The BEST way for an organization to ensure that servers are compliant to security policy is

to review:

Options:

A.

change logs.

B.

configuration settings.

C.

server access logs.

D.

anti-malware compliance.

Buy Now
Questions 53

Which of the following is the MOST important document regarding the treatment of sensitive data?

Options:

A.

Organization risk profile

B.

Information classification policy

C.

Encryption policy

D.

Digital rights management policy

Buy Now
Questions 54

Which of the following is the GREATEST risk of relying on artificial intelligence (Al) within heuristic security systems?

Options:

A.

Al may result in less reliance on human intervention.

B.

Malicious activity may inadvertently be classified as normal during baselining.

C.

Risk assessments of heuristic security systems are more difficult.

D.

Predefined patterns of malicious activity may quickly become outdated.

Buy Now
Questions 55

Which of the following is the BEST metric to demonstrate the effectiveness of an organization's patch management process?

Options:

A.

Average time to implement patches after vendor release

B.

Number of patches tested prior to deployment

C.

Increase in the frequency of patches deployed into production

D.

Percent of patches implemented within established timeframe

Buy Now
Questions 56

A large organization recently restructured the IT department and has decided to outsource certain functions. What action should the control owners in the IT department take?

Options:

A.

Conduct risk classification for associated IT controls.

B.

Determine whether risk responses still effectively address risk.

C.

Perform vulnerability and threat assessments.

D.

Analyze and update IT control assessments.

Buy Now
Questions 57

When establishing leading indicators for the information security incident response process it is MOST important to consider the percentage of reported incidents:

Options:

A.

that results in a full root cause analysis.

B.

used for verification within the SLA.

C.

that are verified as actual incidents.

D.

resolved within the SLA.

Buy Now
Questions 58

Which of the following is a PRIMARY objective of privacy impact assessments (PIAs)?

Options:

A.

To identify threats introduced by business processes

B.

To identify risk when personal information is collected

C.

To ensure senior management has approved the use of personal information

D.

To ensure compliance with data privacy laws and regulations

Buy Now
Questions 59

During the creation of an organization's IT risk management program, the BEST time to identify key risk indicators (KRIs) is while:

Options:

A.

Interviewing data owners

B.

Reviewing risk response plans with internal audit

C.

Developing a risk monitoring process

D.

Reviewing an external risk assessment

Buy Now
Questions 60

A deficient control has been identified which could result in great harm to an organization should a low frequency threat event occur. When communicating the associated risk to senior management the risk practitioner should explain:

Options:

A.

mitigation plans for threat events should be prepared in the current planning period.

B.

this risk scenario is equivalent to more frequent but lower impact risk scenarios.

C.

the current level of risk is within tolerance.

D.

an increase in threat events could cause a loss sooner than anticipated.

Buy Now
Questions 61

An organization has received notification that it is a potential victim of a cybercrime that may have compromised sensitive customer data. What should be The FIRST course of action?

Options:

A.

Invoke the incident response plan.

B.

Determine the business impact.

C.

Conduct a forensic investigation.

D.

Invoke the business continuity plan (BCP).

Buy Now
Questions 62

Which of the following would BEST provide early warning of a high-risk condition?

Options:

A.

Risk register

B.

Risk assessment

C.

Key risk indicator (KRI)

D.

Key performance indicator (KPI)

Buy Now
Questions 63

Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?

Options:

A.

Implement segregation of duties.

B.

Enforce an internal data access policy.

C.

Enforce the use of digital signatures.

D.

Apply single sign-on for access control.

Buy Now
Questions 64

Which of the following is the BEST course of action to help reduce the probability of an incident recurring?

Options:

A.

Perform a risk assessment.

B.

Perform root cause analysis.

C.

Initiate disciplinary action.

D.

Update the incident response plan.

Buy Now
Questions 65

Which of the following presents the GREATEST security risk associated with Internet of Things (IoT) technology?

Options:

A.

The inability to monitor via network management solutions

B.

The lack of relevant IoT security frameworks to guide the risk assessment process

C.

The heightened level of IoT threats via the widespread use of smart devices

D.

The lack of updates for vulnerable firmware

Buy Now
Questions 66

Which of the following would be MOST helpful to a risk owner when making risk-aware decisions?

Options:

A.

Risk exposure expressed in business terms

B.

Recommendations for risk response options

C.

Resource requirements for risk responses

D.

List of business areas affected by the risk

Buy Now
Questions 67

During an acquisition, which of the following would provide the MOST useful input to the parent company's risk practitioner when developing risk scenarios for the post-acquisition phase?

Options:

A.

Risk management framework adopted by each company

B.

Risk registers of both companies

C.

IT balanced scorecard of each company

D.

Most recent internal audit findings from both companies

Buy Now
Questions 68

Which of the following is the MOST essential characteristic of a good IT risk scenario?

Options:

A.

The scenario is aligned to business control processes.

B.

The scenario is aligned to the organization’s risk appetite and tolerance.

C.

The scenario is aligned to a business objective.

D.

The scenario is aligned to known vulnerabilities in information technology.

Buy Now
Questions 69

Which of the following stakeholders define risk tolerance for an enterprise?

Options:

A.

IT compliance and IT audit

B.

Regulators and shareholders

C.

The board and executive management

D.

Enterprise risk management (ERM)

Buy Now
Questions 70

Which of the following should be the MOST important consideration when determining controls necessary for a highly critical information system?

Options:

A.

The number of threats to the system

B.

The organization's available budget

C.

The number of vulnerabilities to the system

D.

The level of acceptable risk to the organization

Buy Now
Questions 71

An organization allows programmers to change production systems in emergency situations. Which of the following is the BEST control?

Options:

A.

Implementing an emergency change authorization process

B.

Periodically reviewing operator logs

C.

Limiting the number of super users

D.

Reviewing the programmers' emergency change reports

Buy Now
Questions 72

An insurance company handling sensitive and personal information from its customers receives a large volume of telephone requests and electronic communications daily. Which of the following

is MOST important to include in a risk awareness training session for the customer service department?

Options:

A.

Archiving sensitive information

B.

Understanding the incident management process

C.

Identifying social engineering attacks

D.

Understanding the importance of using a secure password

Buy Now
Questions 73

The BEST key performance indicator (KPI) for monitoring adherence to an organization's user accounts provisioning practices is the percentage of:

Options:

A.

accounts without documented approval

B.

user accounts with default passwords

C.

active accounts belonging to former personnel

D.

accounts with dormant activity.

Buy Now
Questions 74

Which of the following MUST be updated to maintain an IT risk register?

Options:

A.

Expected frequency and potential impact

B.

Risk tolerance

C.

Enterprise-wide IT risk assessment

D.

Risk appetite

Buy Now
Questions 75

Which of the following is the PRIMARY reason for a risk practitioner to report changes and trends in the IT risk profile to senior management?

Options:

A.

To ensure risk owners understand their responsibilities

B.

To ensure IT risk is managed within acceptable limits

C.

To ensure the organization complies with legal requirements

D.

To ensure the IT risk awareness program is effective

Buy Now
Questions 76

Which of the following is the BEST way to assess the effectiveness of an access management process?

Options:

A.

Comparing the actual process with the documented process

B.

Reviewing access logs for user activity

C.

Reconciling a list of accounts belonging to terminated employees

D.

Reviewing for compliance with acceptable use policy

Buy Now
Questions 77

Which of the following risk impacts should be the PRIMARY consideration for determining recovery priorities in a disaster recovery situation?

Options:

A.

Data security

B.

Recovery costs

C.

Business disruption

D.

Recovery resource availability

Buy Now
Questions 78

Which of the following BEST supports the management of identified risk scenarios?

Options:

A.

Collecting risk event data

B.

Maintaining a risk register

C.

Using key risk indicators (KRIs)

D.

Defining risk parameters

Buy Now
Questions 79

Which of the following process controls BEST mitigates the risk of an employee issuing fraudulent payments to a vendor?

Options:

A.

Performing credit verification of third-party vendors prior to payment

B.

Conducting system access reviews to ensure least privilege and appropriate access

C.

Performing regular reconciliation of payments to the check registers

D.

Enforcing segregation of duties between the vendor master file and invoicing

Buy Now
Questions 80

Which of the following proposed benefits is MOST likely to influence senior management approval to reallocate budget for a new security initiative?

Options:

A.

Reduction in the number of incidents

B.

Reduction in inherent risk

C.

Reduction in residual risk

D.

Reduction in the number of known vulnerabilities

Buy Now
Questions 81

Which of the following is MOST important when determining risk appetite?

Options:

A.

Assessing regulatory requirements

B.

Benchmarking against industry standards

C.

Gaining management consensus

D.

Identifying risk tolerance

Buy Now
Questions 82

Which of the following is the MOST reliable validation of a new control?

Options:

A.

Approval of the control by senior management

B.

Complete and accurate documentation of control objectives

C.

Control owner attestation of control effectiveness

D.

Internal audit review of control design

Buy Now
Questions 83

Which of the following is the MOST important criteria for selecting key risk indicators (KRIs)?

Options:

A.

Historical data availability

B.

Implementation and reporting effort

C.

Ability to display trends

D.

Sensitivity and reliability

Buy Now
Questions 84

Which of the following is the MOST effective way to validate organizational awareness of cybersecurity risk?

Options:

A.

Conducting security awareness training

B.

Updating the information security policy

C.

Implementing mock phishing exercises

D.

Requiring two-factor authentication

Buy Now
Questions 85

Which of the following is the PRIMARY reason for logging in a production database environment?

Options:

A.

To provide evidence of activities

B.

To prevent illicit actions of database administrators (DBAs)

C.

To ensure that changes are authorized

D.

To ensure that changes made are correctly applied

Buy Now
Questions 86

An organization has established a contract with a vendor that includes penalties for loss of availability. Which risk treatment has been adopted by the organization?

Options:

A.

Acceptance

B.

Avoidance

C.

Transfer

D.

Reduction

Buy Now
Questions 87

Which of the following is the BEST key control indicator (KCI) for risk related to IT infrastructure failure?

Options:

A.

Number of times the recovery plan is reviewed

B.

Number of successful recovery plan tests

C.

Percentage of systems with outdated virus protection

D.

Percentage of employees who can work remotely

Buy Now
Questions 88

Which of the following is the GREATEST benefit of using IT risk scenarios?

Options:

A.

They support compliance with regulations.

B.

They provide evidence of risk assessment.

C.

They facilitate communication of risk.

D.

They enable the use of key risk indicators (KRls)

Buy Now
Questions 89

Which of the following is MOST important to consider when determining the value of an asset during the risk identification process?

Options:

A.

The criticality of the asset

B.

The vulnerability profile of the asset

C.

The monetary value of the asset

D.

The size of the asset's user base

Buy Now
Questions 90

Which of the following is the MOST important reason to restrict access to the risk register on a need-to-know basis?

Options:

A.

It contains vulnerabilities and threats.

B.

The risk methodology is intellectual property.

C.

Contents may be used as auditable findings.

D.

Risk scenarios may be misinterpreted.

Buy Now
Questions 91

Which of the following will BEST help to ensure implementation of corrective action plans?

Options:

A.

Contracting to third parties

B.

Establishing employee awareness training

C.

Setting target dates to complete actions

D.

Assigning accountability to risk owners

Buy Now
Questions 92

Which of the following should be reported periodically to the risk committee?

Options:

A.

System risk and control matrix

B.

Emerging IT risk scenarios

C.

Changes to risk assessment methodology

D.

Audit committee charter

Buy Now
Questions 93

Which of the following outcomes of disaster recovery planning is MOST important to enable the initiation of necessary actions during a disaster?

Options:

A.

Definition of disaster recovery plan (DRP) scope and key stakeholders

B.

Recovery time and maximum acceptable data loss thresholds

C.

A checklist including equipment, location of data backups, and backup sites

D.

A list of business areas and critical functions subject to risk analysis

Buy Now
Questions 94

The PRIMARY reason to implement a formalized risk taxonomy is to:

Options:

A.

reduce subjectivity in risk management.

B.

comply with regulatory requirements.

C.

demonstrate best industry practice.

D.

improve visibility of overall risk exposure.

Buy Now
Questions 95

A software developer has administrative access to a production application. Which of the following should be of GREATEST concern to a risk practitioner?

Options:

A.

The administrative access does not allow for activity log monitoring.

B.

The administrative access does not follow password management protocols.

C.

The administrative access represents a deviation from corporate policy.

D.

The administrative access represents a segregation of duties conflict.

Buy Now
Questions 96

If concurrent update transactions to an account are not processed properly, which of the following will MOST likely be affected?

Options:

A.

Confidentiality

B.

Accountability

C.

Availability

D.

Integrity

Buy Now
Questions 97

An organization has restructured its business processes, and the business continuity plan (BCP) needs to be revised accordingly. Which of the following should be identified FIRST?

Options:

A.

Variances in recovery times

B.

Ownership assignment for controls

C.

New potentially disruptive scenarios

D.

Contractual changes with customers

Buy Now
Questions 98

Which of the following is the MOST critical consideration when awarding a project to a third-party service provider whose servers are located offshore?

Options:

A.

Difficulty of monitoring compliance due to geographical distance

B.

Cost implications due to installation of network intrusion detection systems (IDSs)

C.

Delays in incident communication

D.

Potential impact on data governance

Buy Now
Questions 99

An organizational policy requires critical security patches to be deployed in production within three weeks of patch availability. Which of the following is the BEST metric to verify adherence to the policy?

Options:

A.

Maximum time gap between patch availability and deployment

B.

Percentage of critical patches deployed within three weeks

C.

Minimum time gap between patch availability and deployment

D.

Number of critical patches deployed within three weeks

Buy Now
Questions 100

Which of the following describes the relationship between risk appetite and risk tolerance?

Options:

A.

Risk appetite is completely independent of risk tolerance.

B.

Risk tolerance is used to determine risk appetite.

C.

Risk appetite and risk tolerance are synonymous.

D.

Risk tolerance may exceed risk appetite.

Buy Now
Questions 101

Which of the following is the BEST method for identifying vulnerabilities?

Options:

A.

Batch job failure monitoring

B.

Periodic network scanning

C.

Annual penetration testing

D.

Risk assessments

Buy Now
Questions 102

Which of the following scenarios is MOST important to communicate to senior management?

Options:

A.

Accepted risk scenarios with detailed plans for monitoring

B.

Risk scenarios that have been shared with vendors and third parties

C.

Accepted risk scenarios with impact exceeding the risk tolerance

D.

Risk scenarios that have been identified, assessed, and responded to by the risk owners

Buy Now
Questions 103

Which of the following scenarios is MOST likely to cause a risk practitioner to request a formal risk acceptance sign-off?

Options:

A.

Residual risk in excess of the risk appetite cannot be mitigated.

B.

Inherent risk is too high, resulting in the cancellation of an initiative.

C.

Risk appetite has changed to align with organizational objectives.

D.

Residual risk remains at the same level over time without further mitigation.

Buy Now
Questions 104

The BEST way for management to validate whether risk response activities have been completed is to review:

Options:

A.

the risk register change log.

B.

evidence of risk acceptance.

C.

control effectiveness test results.

D.

control design documentation.

Buy Now
Questions 105

An organization recently implemented a machine learning-based solution to monitor IT usage and analyze user behavior in an effort to detect internal fraud. Which of the following is MOST likely to be reassessed as a result of this initiative?

Options:

A.

Risk likelihood

B.

Risk culture

C.

Risk appetite

D.

Risk capacity

Buy Now
Questions 106

Who should be responsible for determining which stakeholders need to be involved in the development of a risk scenario?

Options:

A.

Risk owner

B.

Risk practitioner

C.

Compliance manager

D.

Control owner

Buy Now
Questions 107

The PRIMARY benefit of selecting an appropriate set of key risk indicators (KRIs) is that they:

Options:

A.

serve as a basis for measuring risk appetite.

B.

align with the organization's risk profile.

C.

provide a warning of emerging high-risk conditions.

D.

provide data for updating the risk register.

Buy Now
Questions 108

Which of the following has the GREATEST positive impact on ethical compliance within the risk management process?

Options:

A.

Senior management demonstrates ethics in their day-to-day decision making.

B.

An independent ethics investigation team has been established.

C.

Employees are required to complete ethics training courses annually.

D.

The risk practitioner is required to consult with the ethics committee.

Buy Now
Questions 109

Which of the following is MOST important for management to consider when deciding whether to invest in an IT initiative that exceeds management's risk appetite?

Options:

A.

Risk management budget

B.

Risk management industry trends

C.

Risk tolerance

D.

Risk capacity

Buy Now
Questions 110

Which of the following is MOST useful for measuring the existing risk management process against a desired state?

Options:

A.

Balanced scorecard

B.

Risk management framework

C.

Capability maturity model

D.

Risk scenario analysis

Buy Now
Questions 111

Which of the following is the MOST important data attribute of key risk indicators (KRIs)?

Options:

A.

The data is measurable.

B.

The data is calculated continuously.

C.

The data is relevant.

D.

The data is automatically produced.

Buy Now
Questions 112

Which of the following is the FIRST step in risk assessment?

Options:

A.

Review risk governance

B.

Asset identification

C.

Identify risk factors

D.

Inherent risk identification

Buy Now
Questions 113

A risk practitioner has been notified that an employee sent an email in error containing customers' personally identifiable information (Pll). Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Report it to the chief risk officer.

B.

Advise the employee to forward the email to the phishing team.

C.

follow incident reporting procedures.

D.

Advise the employee to permanently delete the email.

Buy Now
Questions 114

Which of the following is the BEST Key control indicator KCO to monitor the effectiveness of patch management?

Options:

A.

Percentage of legacy servers out of support

B.

Percentage of severs receiving automata patches

C.

Number of unpremeditated vulnerabilities

D.

Number of intrusion attempts

Buy Now
Questions 115

An organization has committed to a business initiative with the knowledge that the risk exposure is higher than the risk appetite. Which of the following is the risk practitioner's MOST important action related to this decision?

Options:

A.

Recommend rejection of the initiative.

B.

Change the level of risk appetite.

C.

Document formal acceptance of the risk.

D.

Initiate a reassessment of the risk.

Buy Now
Questions 116

Periodically reviewing and updating a risk register with details on identified risk factors PRIMARILY helps to:

Options:

A.

minimize the number of risk scenarios for risk assessment.

B.

aggregate risk scenarios identified across different business units.

C.

build a threat profile of the organization for management review.

D.

provide a current reference to stakeholders for risk-based decisions.

Buy Now
Questions 117

The PRIMARY reason for a risk practitioner to review business processes is to:

Options:

A.

Benchmark against peer organizations.

B.

Identify appropriate controls within business processes.

C.

Assess compliance with global standards.

D.

Identify risk owners related to business processes.

Buy Now
Questions 118

The PRIMARY advantage of implementing an IT risk management framework is the:

Options:

A.

establishment of a reliable basis for risk-aware decision making.

B.

compliance with relevant legal and regulatory requirements.

C.

improvement of controls within the organization and minimized losses.

D.

alignment of business goals with IT objectives.

Buy Now
Questions 119

Which of the following is MOST helpful when prioritizing action plans for identified risk?

Options:

A.

Comparing risk rating against appetite

B.

Obtaining input from business units

C.

Determining cost of controls to mitigate risk

D.

Ranking the risk based on likelihood of occurrence

Buy Now
Questions 120

The FIRST task when developing a business continuity plan should be to:

Options:

A.

determine data backup and recovery availability at an alternate site.

B.

identify critical business functions and resources.

C.

define roles and responsibilities for implementation.

D.

identify recovery time objectives (RTOs) for critical business applications.

Buy Now
Questions 121

Which of the following is the BEST key performance indicator (KPI) for determining how well an IT policy is aligned to business requirements?

Options:

A.

Total cost to support the policy

B.

Number of exceptions to the policy

C.

Total cost of policy breaches

D.

Number of inquiries regarding the policy

Buy Now
Questions 122

Which of the following scenarios represents a threat?

Options:

A.

Connecting a laptop to a free, open, wireless access point (hotspot)

B.

Visitors not signing in as per policy

C.

Storing corporate data in unencrypted form on a laptop

D.

A virus transmitted on a USB thumb drive

Buy Now
Questions 123

A risk manager has determined there is excessive risk with a particular technology. Who is the BEST person to own the unmitigated risk of the technology?

Options:

A.

IT system owner

B.

Chief financial officer

C.

Chief risk officer

D.

Business process owner

Buy Now
Questions 124

Which of the following is the PRIMARY risk management responsibility of the second line of defense?

Options:

A.

Monitoring risk responses

B.

Applying risk treatments

C.

Providing assurance of control effectiveness

D.

Implementing internal controls

Buy Now
Questions 125

Which of the following statements BEST illustrates the relationship between key performance indicators (KPIs) and key control indicators (KCIs)?

Options:

A.

KPIs measure manual controls, while KCIs measure automated controls.

B.

KPIs and KCIs both contribute to understanding of control effectiveness.

C.

A robust KCI program will replace the need to measure KPIs.

D.

KCIs are applied at the operational level while KPIs are at the strategic level.

Buy Now
Questions 126

Which of the following is the MOST important key performance indicator (KPI) to establish in the service level agreement (SLA) for an outsourced data center?

Options:

A.

Percentage of systems included in recovery processes

B.

Number of key systems hosted

C.

Average response time to resolve system incidents

D.

Percentage of system availability

Buy Now
Questions 127

A risk practitioner is organizing risk awareness training for senior management. Which of the following is the MOST important topic to cover in the training session?

Options:

A.

The organization's strategic risk management projects

B.

Senior management roles and responsibilities

C.

The organizations risk appetite and tolerance

D.

Senior management allocation of risk management resources

Buy Now
Questions 128

When a risk practitioner is building a key risk indicator (KRI) from aggregated data, it is CRITICAL that the data is derived from:

Options:

A.

business process owners.

B.

representative data sets.

C.

industry benchmark data.

D.

data automation systems.

Buy Now
Questions 129

The GREATEST benefit of including low-probability, high-impact events in a risk assessment is the ability to:

Options:

A.

develop a comprehensive risk mitigation strategy

B.

develop understandable and realistic risk scenarios

C.

identify root causes for relevant events

D.

perform an aggregated cost-benefit analysis

Buy Now
Questions 130

Which of the following is the BEST key control indicator (KCI) for a vulnerability management program?

Options:

A.

Percentage of high-risk vulnerabilities missed

B.

Number of high-risk vulnerabilities outstanding

C.

Defined thresholds for high-risk vulnerabilities

D.

Percentage of high-risk vulnerabilities addressed

Buy Now
Questions 131

Which of the following would be MOST helpful to an information security management team when allocating resources to mitigate exposures?

Options:

A.

Relevant risk case studies

B.

Internal audit findings

C.

Risk assessment results

D.

Penetration testing results

Buy Now
Questions 132

The PRIMARY reason to have risk owners assigned to entries in the risk register is to ensure:

Options:

A.

risk is treated appropriately

B.

mitigating actions are prioritized

C.

risk entries are regularly updated

D.

risk exposure is minimized.

Buy Now
Questions 133

The BEST indication that risk management is effective is when risk has been reduced to meet:

Options:

A.

risk levels.

B.

risk budgets.

C.

risk appetite.

D.

risk capacity.

Buy Now
Questions 134

Which of the following is the STRONGEST indication an organization has ethics management issues?

Options:

A.

Employees do not report IT risk issues for fear of consequences.

B.

Internal IT auditors report to the chief information security officer (CISO).

C.

Employees face sanctions for not signing the organization's acceptable use policy.

D.

The organization has only two lines of defense.

Buy Now
Questions 135

Which of the following BEST assists in justifying an investment in automated controls?

Options:

A.

Cost-benefit analysis

B.

Alignment of investment with risk appetite

C.

Elimination of compensating controls

D.

Reduction in personnel costs

Buy Now
Questions 136

A newly enacted information privacy law significantly increases financial penalties for breaches of personally identifiable information (Pll). Which of the following will MOST likely outcome for an organization affected by the new law?

Options:

A.

Increase in compliance breaches

B.

Increase in loss event impact

C.

Increase in residual risk

D.

Increase in customer complaints

Buy Now
Questions 137

Improvements in the design and implementation of a control will MOST likely result in an update to:

Options:

A.

inherent risk.

B.

residual risk.

C.

risk appetite

D.

risk tolerance

Buy Now
Questions 138

Which of the following activities would BEST contribute to promoting an organization-wide risk-aware culture?

Options:

A.

Performing a benchmark analysis and evaluating gaps

B.

Conducting risk assessments and implementing controls

C.

Communicating components of risk and their acceptable levels

D.

Participating in peer reviews and implementing best practices

Buy Now
Questions 139

Which of the following helps ensure compliance with a nonrepudiation policy requirement for electronic transactions?

Options:

A.

Digital signatures

B.

Encrypted passwords

C.

One-time passwords

D.

Digital certificates

Buy Now
Questions 140

The BEST way to justify the risk mitigation actions recommended in a risk assessment would be to:

Options:

A.

align with audit results.

B.

benchmark with competitor s actions.

C.

reference best practice.

D.

focus on the business drivers

Buy Now
Questions 141

Which of the following is MOST helpful to management when determining the resources needed to mitigate a risk?

Options:

A.

An internal audit

B.

A heat map

C.

A business impact analysis (BIA)

D.

A vulnerability report

Buy Now
Questions 142

Which of the following is the BEST indication of the effectiveness of a business continuity program?

Options:

A.

Business continuity tests are performed successfully and issues are addressed.

B.

Business impact analyses are reviewed and updated in a timely manner.

C.

Business continuity and disaster recovery plans are regularly updated.

D.

Business units are familiar with the business continuity plans and process.

Buy Now
Questions 143

A maturity model will BEST indicate:

Options:

A.

confidentiality and integrity.

B.

effectiveness and efficiency.

C.

availability and reliability.

D.

certification and accreditation.

Buy Now
Questions 144

Who is responsible for IT security controls that are outsourced to an external service provider?

Options:

A.

Organization's information security manager

B.

Organization's risk function

C.

Service provider's IT management

D.

Service provider's information security manager

Buy Now
Questions 145

Which of the following is the PRIMARY reason to conduct risk assessments at periodic intervals?

Options:

A.

To ensure emerging risk is identified and monitored

B.

To establish the maturity level of risk assessment processes

C.

To promote a risk-aware culture among staff

D.

To ensure risk trend data is collected and reported

Buy Now
Questions 146

A change management process has recently been updated with new testing procedures. What is the NEXT course of action?

Options:

A.

Monitor processes to ensure recent updates are being followed.

B.

Communicate to those who test and promote changes.

C.

Conduct a cost-benefit analysis to justify the cost of the control.

D.

Assess the maturity of the change management process.

Buy Now
Questions 147

A robotic process automation (RPA) project has implemented new robots to enhance the efficiency of a sales business process. Which of the following provides the BEST evidence that the new controls have been implemented successfully?

Options:

A.

A post-implementation review has been conducted by key personnel.

B.

A qualified independent party assessed the new controls as effective.

C.

Senior management has signed off on the design of the controls.

D.

Robots have operated without human interference on a daily basis.

Buy Now
Questions 148

Which of the following is the BEST method to mitigate the risk of an unauthorized employee viewing confidential data in a database''

Options:

A.

Implement role-based access control

B.

Implement a data masking process

C.

Include sanctions in nondisclosure agreements (NDAs)

D.

Install a data loss prevention (DLP) tool

Buy Now
Questions 149

Which of the following contributes MOST to the effective implementation of risk responses?

Options:

A.

Clear understanding of the risk

B.

Comparable industry risk trends

C.

Appropriate resources

D.

Detailed standards and procedures

Buy Now
Questions 150

When of the following standard operating procedure (SOP) statements BEST illustrates appropriate risk register maintenance?

Options:

A.

Remove risk that has been mitigated by third-party transfer

B.

Remove risk that management has decided to accept

C.

Remove risk only following a significant change in the risk environment

D.

Remove risk when mitigation results in residual risk within tolerance levels

Buy Now
Questions 151

The BEST indicator of the risk appetite of an organization is the

Options:

A.

regulatory environment of the organization

B.

risk management capability of the organization

C.

board of directors' response to identified risk factors

D.

importance assigned to IT in meeting strategic goals

Buy Now
Questions 152

The MAIN reason for prioritizing IT risk responses is to enable an organization to:

Options:

A.

determine the risk appetite.

B.

determine the budget.

C.

define key performance indicators (KPIs).

D.

optimize resource utilization.

Buy Now
Questions 153

Which of the following would provide the MOST reliable evidence of the effectiveness of security controls implemented for a web application?

Options:

A.

Penetration testing

B.

IT general controls audit

C.

Vulnerability assessment

D.

Fault tree analysis

Buy Now
Questions 154

Who is the BEST person to the employee personal data?

Options:

A.

Human resources (HR) manager

B.

System administrator

C.

Data privacy manager

D.

Compliance manager

Buy Now
Questions 155

Which of the following would BEST facilitate the implementation of data classification requirements?

Options:

A.

Implementing a data toss prevention (DLP) solution

B.

Assigning a data owner

C.

Scheduling periodic audits

D.

Implementing technical controls over the assets

Buy Now
Questions 156

Which of the following is the MOST important benefit of reporting risk assessment results to senior management?

Options:

A.

Promotion of a risk-aware culture

B.

Compilation of a comprehensive risk register

C.

Alignment of business activities

D.

Facilitation of risk-aware decision making

Buy Now
Questions 157

Which of the following is MOST important for maintaining the effectiveness of an IT risk register?

Options:

A.

Removing entries from the register after the risk has been treated

B.

Recording and tracking the status of risk response plans within the register

C.

Communicating the register to key stakeholders

D.

Performing regular reviews and updates to the register

Buy Now
Questions 158

Effective risk communication BEST benefits an organization by:

Options:

A.

helping personnel make better-informed decisions

B.

assisting the development of a risk register.

C.

improving the effectiveness of IT controls.

D.

increasing participation in the risk assessment process.

Buy Now
Questions 159

A control process has been implemented in response to a new regulatory requirement, but has significantly reduced productivity. Which of the following is the BEST way to resolve this concern?

Options:

A.

Absorb the loss in productivity.

B.

Request a waiver to the requirements.

C.

Escalate the issue to senior management

D.

Remove the control to accommodate business objectives.

Buy Now
Questions 160

What information is MOST helpful to asset owners when classifying organizational assets for risk assessment?

Options:

A.

Potential loss to tie business due to non-performance of the asset

B.

Known emerging environmental threats

C.

Known vulnerabilities published by the asset developer

D.

Cost of replacing the asset with a new asset providing similar services

Buy Now
Questions 161

What is the PRIMARY purpose of a business impact analysis (BIA)?

Options:

A.

To determine the likelihood and impact of threats to business operations

B.

To identify important business processes in the organization

C.

To estimate resource requirements for related business processes

D.

To evaluate the priority of business operations in case of disruption

Buy Now
Questions 162

A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:

Options:

A.

updating the risk register.

B.

validating the risk scenarios.

C.

documenting the risk scenarios.

D.

identifying risk mitigation controls.

Buy Now
Questions 163

Which of the following is the PRIMARY risk management responsibility of the second line of defense?

Options:

A.

Monitoring risk responses

B.

Applying risk treatments

C.

Implementing internal controls

D.

Providing assurance of control effectiveness

Buy Now
Questions 164

Which of the following BEST enables senior management lo compare the ratings of risk scenarios?

Options:

A.

Key risk indicators (KRIs)

B.

Key performance indicators (KPIs)

C.

Control self-assessment (CSA)

D.

Risk heat map

Buy Now
Questions 165

Which of the following is the PRIMARY reason for an organization to include an acceptable use banner when users log in?

Options:

A.

To reduce the likelihood of insider threat

B.

To eliminate the possibility of insider threat

C.

To enable rapid discovery of insider threat

D.

To reduce the impact of insider threat

Buy Now
Questions 166

Which strategy employed by risk management would BEST help to prevent internal fraud?

Options:

A.

Require control owners to conduct an annual control certification.

B.

Conduct regular internal and external audits on the systems supporting financial reporting.

C.

Ensure segregation of duties are implemented within key systems or processes.

D.

Require the information security officer to review unresolved incidents.

Buy Now
Questions 167

Which of the following is the BEST source for identifying key control indicators (KCIs)?

Options:

A.

Privileged user activity monitoring controls

B.

Controls mapped to organizational risk scenarios

C.

Recent audit findings of control weaknesses

D.

A list of critical security processes

Buy Now
Questions 168

Who is BEST suited to provide information to the risk practitioner about the effectiveness of a technical control associated with an application?

Options:

A.

System owner

B.

Internal auditor

C.

Process owner

D.

Risk owner

Buy Now
Questions 169

Which of the following presents the GREATEST challenge for an IT risk practitioner who wants to report on trends in historical IT risk levels?

Options:

A.

Qualitative measures for potential loss events

B.

Changes in owners for identified IT risk scenarios

C.

Changes in methods used to calculate probability

D.

Frequent use of risk acceptance as a treatment option

Buy Now
Questions 170

An internal audit report reveals that not all IT application databases have encryption in place. Which of the following information would be MOST important for assessing the risk impact?

Options:

A.

The number of users who can access sensitive data

B.

A list of unencrypted databases which contain sensitive data

C.

The reason some databases have not been encrypted

D.

The cost required to enforce encryption

Buy Now
Questions 171

Reviewing historical risk events is MOST useful for which of the following processes within the risk management life cycle?

Options:

A.

Risk monitoring

B.

Risk mitigation

C.

Risk aggregation

D.

Risk assessment

Buy Now
Questions 172

Which of the following is the PRIMARY benefit of using an entry in the risk register to track the aggregate risk associated with server failure?

Options:

A.

It provides a cost-benefit analysis on control options available for implementation.

B.

It provides a view on where controls should be applied to maximize the uptime of servers.

C.

It provides historical information about the impact of individual servers malfunctioning.

D.

It provides a comprehensive view of the impact should the servers simultaneously fail.

Buy Now
Questions 173

Which of the following is the PRIMARY reason for monitoring activities performed in a production database environment?

Options:

A.

Ensuring that database changes are correctly applied

B.

Enforcing that changes are authorized

C.

Deterring illicit actions of database administrators

D.

Preventing system developers from accessing production data

Buy Now
Questions 174

Which of the following would BEST assist in reconstructing the sequence of events following a security incident across multiple IT systems in the organization's network?

Options:

A.

Network monitoring infrastructure

B.

Centralized vulnerability management

C.

Incident management process

D.

Centralized log management

Buy Now
Questions 175

Which of the following should be included in a risk scenario to be used for risk analysis?

Options:

A.

Risk appetite

B.

Threat type

C.

Risk tolerance

D.

Residual risk

Buy Now
Questions 176

Which of the following data would be used when performing a business impact analysis (BIA)?

Options:

A.

Cost-benefit analysis of running the current business

B.

Cost of regulatory compliance

C.

Projected impact of current business on future business

D.

Expected costs for recovering the business

Buy Now
Questions 177

Which of the following is the MOST appropriate action when a tolerance threshold is exceeded?

Options:

A.

Communicate potential impact to decision makers.

B.

Research the root cause of similar incidents.

C.

Verify the response plan is adequate.

D.

Increase human resources to respond in the interim.

Buy Now
Questions 178

Which of the following should be done FIRST when developing a data protection management plan?

Options:

A.

Perform a cost-benefit analysis.

B.

Identify critical data.

C.

Establish a data inventory.

D.

Conduct a risk analysis.

Buy Now
Questions 179

Which of the following should be the PRIMARY focus of an IT risk awareness program?

Options:

A.

Ensure compliance with the organization's internal policies

B.

Cultivate long-term behavioral change.

C.

Communicate IT risk policy to the participants.

D.

Demonstrate regulatory compliance.

Buy Now
Questions 180

Which of the following controls are BEST strengthened by a clear organizational code of ethics?

Options:

A.

Detective controls

B.

Administrative controls

C.

Technical controls

D.

Preventive controls

Buy Now
Questions 181

The BEST way to obtain senior management support for investment in a control implementation would be to articulate the reduction in:

Options:

A.

detected incidents.

B.

residual risk.

C.

vulnerabilities.

D.

inherent risk.

Buy Now
Questions 182

Prudent business practice requires that risk appetite not exceed:

Options:

A.

inherent risk.

B.

risk tolerance.

C.

risk capacity.

D.

residual risk.

Buy Now
Questions 183

The MAIN purpose of reviewing a control after implementation is to validate that the control:

Options:

A.

operates as intended.

B.

is being monitored.

C.

meets regulatory requirements.

D.

operates efficiently.

Buy Now
Questions 184

Days before the realization of an acquisition, a data breach is discovered at the company to be acquired. For the accruing organization, this situation represents which of the following?

Options:

A.

Threat event

B.

Inherent risk

C.

Risk event

D.

Security incident

Buy Now
Questions 185

A financial institution has identified high risk of fraud in several business applications. Which of the following controls will BEST help reduce the risk of fraudulent internal transactions?

Options:

A.

Periodic user privileges review

B.

Log monitoring

C.

Periodic internal audits

D.

Segregation of duties

Buy Now
Questions 186

Which of the following is the MOST important consideration when selecting key risk indicators (KRIs) to monitor risk trends over time?

Options:

A.

Ongoing availability of data

B.

Ability to aggregate data

C.

Ability to predict trends

D.

Availability of automated reporting systems

Buy Now
Questions 187

An organization learns of a new ransomware attack affecting organizations worldwide. Which of the following should be done FIRST to reduce the likelihood of infection from the attack?

Options:

A.

Identify systems that are vulnerable to being exploited by the attack.

B.

Confirm with the antivirus solution vendor whether the next update will detect the attack.

C.

Verify the data backup process and confirm which backups are the most recent ones available.

D.

Obtain approval for funding to purchase a cyber insurance plan.

Buy Now
Questions 188

Which of the following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system?

Options:

A.

Perform a post-implementation review.

B.

Conduct user acceptance testing.

C.

Review the key performance indicators (KPIs).

D.

Interview process owners.

Buy Now
Questions 189

The results of a risk assessment reveal risk scenarios with high impact and low likelihood of occurrence. Which of the following would be the BEST action to address these scenarios?

Options:

A.

Assemble an incident response team.

B.

Create a disaster recovery plan (DRP).

C.

Develop a risk response plan.

D.

Initiate a business impact analysis (BIA).

Buy Now
Questions 190

Which of the following is the BEST approach when a risk treatment plan cannot be completed on time?

Options:

A.

Implement compensating controls until the preferred action can be completed.

B.

Develop additional key risk indicators (KRIs) until the preferred action can be completed.

C.

Replace the action owner with a more experienced individual.

D.

Change the risk response strategy of the relevant risk to risk avoidance.

Buy Now
Questions 191

Which of the following would BEST facilitate the implementation of data classification requirements?

Options:

A.

Assigning a data owner

B.

Scheduling periodic audits

C.

Implementing technical controls over the assets

D.

Implementing a data loss prevention (DLP) solution

Buy Now
Questions 192

Which of the following should management consider when selecting a risk mitigation option?

Options:

A.

Maturity of the enterprise architecture

B.

Cost of control implementation

C.

Reliability of key performance indicators (KPIs)

D.

Reliability of key risk indicators (KPIs)

Buy Now
Questions 193

An organization has implemented a policy requiring staff members to take a minimum of five consecutive days' leave per year to mitigate the risk of malicious insider activities. Which of the following is the BEST key performance indicator (KPI) of the effectiveness of this policy?

Options:

A.

Financial loss incurred due to malicious activities since policy implementation

B.

Average number of consecutive days of leave per staff member

C.

Number of suspected malicious activities reported since policy implementation

D.

Percentage of staff turnover following five consecutive days of leave

Buy Now
Questions 194

Which of the following should be the PRIMARY consideration when assessing the risk of using Internet of Things (loT) devices to collect and process personally identifiable information (PII)?

Options:

A.

Business strategies and needs

B.

Security features and support

C.

Costs and benefits

D.

Local laws and regulations

Buy Now
Questions 195

A risk practitioner has been notified of a social engineering attack using artificial intelligence (AI) technology to impersonate senior management personnel. Which of the following would BEST mitigate the impact of such attacks?

Options:

A.

Subscription to data breach monitoring sites

B.

Suspension and takedown of malicious domains or accounts

C.

Increased monitoring of executive accounts

D.

Training and awareness of employees for increased vigilance

Buy Now
Questions 196

A recent internal risk review reveals the majority of core IT application recovery time objectives (RTOs) have exceeded the maximum time defined by the business application owners. Which of the following is MOST likely to change as a result?

Options:

A.

Risk forecasting

B.

Risk tolerance

C.

Risk likelihood

D.

Risk appetite

Buy Now
Questions 197

The PRIMARY purpose of using a framework for risk analysis is to:

Options:

A.

improve accountability

B.

improve consistency

C.

help define risk tolerance

D.

help develop risk scenarios.

Buy Now
Questions 198

While reviewing an organization's monthly change management metrics, a risk practitioner notes that the number of emergency changes has increased substantially Which of the following would be the BEST approach for the risk practitioner to take?

Options:

A.

Temporarily suspend emergency changes.

B.

Document the control deficiency in the risk register.

C.

Conduct a root cause analysis.

D.

Continue monitoring change management metrics.

Buy Now
Questions 199

Which of the following should be the MOST important consideration when performing a vendor risk assessment?

Options:

A.

Results of the last risk assessment of the vendor

B.

Inherent risk of the business process supported by the vendor

C.

Risk tolerance of the vendor

D.

Length of time since the last risk assessment of the vendor

Buy Now
Questions 200

Which of the following tasks should be completed prior to creating a disaster recovery plan (DRP)?

Options:

A.

Conducting a business impact analysis (BIA)

B.

Identifying the recovery response team

C.

Procuring a recovery site

D.

Assigning sensitivity levels to data

Buy Now
Questions 201

Which of the following is the BEST approach when a risk practitioner has been asked by a business unit manager for special consideration during a risk assessment of a system?

Options:

A.

Conduct an abbreviated version of the assessment.

B.

Report the business unit manager for a possible ethics violation.

C.

Perform the assessment as it would normally be done.

D.

Recommend an internal auditor perform the review.

Buy Now
Questions 202

An organization has outsourced its backup and recovery procedures to a third-party cloud provider. Which of the following should be the risk practitioner's NEXT course of action?

Options:

A.

Remove the associated risk from the register.

B.

Validate control effectiveness and update the risk register.

C.

Review the contract and service level agreements (SLAs).

D.

Obtain an assurance report from the third-party provider.

Buy Now
Questions 203

Which of the following is the MOST effective way to help ensure future risk levels do not exceed the organization's risk appetite?

Options:

A.

Establishing a series of key risk indicators (KRIs).

B.

Adding risk triggers to entries in the risk register.

C.

Implementing key performance indicators (KPIs).

D.

Developing contingency plans for key processes.

Buy Now
Questions 204

Which of the following is the BEST key performance indicator (KPI) to measure how effectively risk management practices are embedded in the project management office (PMO)?

Options:

A.

Percentage of projects with key risk accepted by the project steering committee

B.

Reduction in risk policy noncompliance findings

C.

Percentage of projects with developed controls on scope creep

D.

Reduction in audits involving external risk consultants

Buy Now
Questions 205

Which of the following would present the GREATEST challenge for a risk practitioner during a merger of two organizations?

Options:

A.

Variances between organizational risk appetites

B.

Different taxonomies to categorize risk scenarios

C.

Disparate platforms for governance, risk, and compliance (GRC) systems

D.

Dissimilar organizational risk acceptance protocols

Buy Now
Questions 206

An organization is outsourcing a key database to be hosted by an external service provider. Who is BEST suited to assess the impact of potential data loss?

Options:

A.

Database manager

B.

Public relations manager

C.

Data privacy manager

D.

Business manager

Buy Now
Questions 207

An organization has engaged a third party to provide an Internet gateway encryption service that protects sensitive data uploaded to a cloud service. This is an example of risk:

Options:

A.

mitigation.

B.

avoidance.

C.

transfer.

D.

acceptance.

Buy Now
Questions 208

A technology company is developing a strategic artificial intelligence (Al)-driven application that has high potential business value. At what point should the enterprise risk profile be updated?

Options:

A.

After user acceptance testing (UAT)

B.

Upon approval of the business case

C.

When user stories are developed

D.

During post-implementation review

Buy Now
Questions 209

From a risk management perspective, the PRIMARY objective of using maturity models is to enable:

Options:

A.

solution delivery.

B.

resource utilization.

C.

strategic alignment.

D.

performance evaluation.

Buy Now
Questions 210

A risk practitioner has been asked by executives to explain how existing risk treatment plans would affect risk posture at the end of the year. Which of the following is MOST helpful in responding to this request?

Options:

A.

Assessing risk with no controls in place

B.

Showing projected residual risk

C.

Providing peer benchmarking results

D.

Assessing risk with current controls in place

Buy Now
Questions 211

Which of the following will BEST help an organization evaluate the control environment of several third-party vendors?

Options:

A.

Review vendors' internal risk assessments covering key risk and controls.

B.

Obtain independent control reports from high-risk vendors.

C.

Review vendors performance metrics on quality and delivery of processes.

D.

Obtain vendor references from third parties.

Buy Now
Questions 212

During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:

Options:

A.

compensating controls are in place.

B.

a control mitigation plan is in place.

C.

risk management is effective.

D.

residual risk is accepted.

Buy Now
Questions 213

A risk practitioner is MOST likely to use a SWOT analysis to assist with which risk process?

Options:

A.

Risk assessment

B.

Risk reporting

C.

Risk mitigation

D.

Risk identification

Buy Now
Questions 214

Which of the following is the BEST way to validate the results of a vulnerability assessment?

Options:

A.

Perform a penetration test.

B.

Review security logs.

C.

Conduct a threat analysis.

D.

Perform a root cause analysis.

Buy Now
Questions 215

A risk practitioner is assisting with the preparation of a report on the organization s disaster recovery (DR) capabilities. Which information would have the MOST impact on the overall recovery profile?

Options:

A.

The percentage of systems meeting recovery target times has increased.

B.

The number of systems tested in the last year has increased.

C.

The number of systems requiring a recovery plan has increased.

D.

The percentage of systems with long recovery target times has decreased.

Buy Now
Questions 216

An organization has established a policy prohibiting ransom payments if subjected to a ransomware attack. Which of the following is the MOST effective control to support this policy?

Options:

A.

Conducting periodic vulnerability scanning

B.

Creating immutable backups

C.

Performing required patching

D.

Implementing continuous intrusion detection monitoring

Buy Now
Questions 217

Which of the following is the BEST way to mitigate the risk associated with fraudulent use of an enterprise's brand on Internet sites?

Options:

A.

Utilizing data loss prevention (DLP) technology

B.

Monitoring the enterprise's use of the Internet

C.

Scanning the Internet to search for unauthorized usage

D.

Developing training and awareness campaigns

Buy Now
Questions 218

Which of the following is the BEST indicator of the effectiveness of a control action plan's implementation?

Options:

A.

Increased number of controls

B.

Reduced risk level

C.

Increased risk appetite

D.

Stakeholder commitment

Buy Now
Questions 219

Which of the following BEST indicates that an organizations risk management program is effective?

Options:

A.

Fewer security incidents have been reported.

B.

The number of audit findings has decreased.

C.

Residual risk is reduced.

D.

inherent risk Is unchanged.

Buy Now
Questions 220

A monthly payment report is generated from the enterprise resource planning (ERP) software to validate data against the old and new payroll systems. What is the BEST way to mitigate the risk associated with data integrity loss in the new payroll system after data migration?

Options:

A.

Compare new system reports with functional requirements.

B.

Compare encrypted data with checksums.

C.

Compare results of user acceptance testing (UAT) with the testing criteria.

D.

Compare processing output from both systems using the previous month's data.

Buy Now
Questions 221

Which of the following BEST reduces the probability of laptop theft?

Options:

A.

Cable lock

B.

Acceptable use policy

C.

Data encryption

D.

Asset tag with GPS

Buy Now
Questions 222

The PRIMARY purpose of a maturity model is to compare the:

Options:

A.

current state of key processes to their desired state.

B.

actual KPIs with target KPIs.

C.

organization to industry best practices.

D.

organization to peers.

Buy Now
Questions 223

Which of the following will BEST ensure that information security risk factors are mitigated when developing in-house applications?

Options:

A.

Identify information security controls in the requirements analysis

B.

Identify key risk indicators (KRIs) as process output.

C.

Design key performance indicators (KPIs) for security in system specifications.

D.

Include information security control specifications in business cases.

Buy Now
Questions 224

Which of the following observations would be GREATEST concern to a risk practitioner reviewing the implementation status of management action plans?

Options:

A.

Management has not determined a final implementation date.

B.

Management has not completed an early mitigation milestone.

C.

Management has not secured resources for mitigation activities.

D.

Management has not begun the implementation.

Buy Now
Questions 225

Which of the following would be MOST relevant to stakeholders regarding ineffective control implementation?

Options:

A.

Threat to IT

B.

Number of control failures

C.

Impact on business

D.

Risk ownership

Buy Now
Questions 226

An organization has decided to outsource a web application, and customer data will be stored in the vendor's public cloud. To protect customer data, it is MOST important to ensure which of the following?

Options:

A.

The organization's incident response procedures have been updated.

B.

The vendor stores the data in the same jurisdiction.

C.

Administrative access is only held by the vendor.

D.

The vendor's responsibilities are defined in the contract.

Buy Now
Questions 227

The risk associated with inadvertent disclosure of database records from a public cloud service provider (CSP) would MOST effectively be reduced by:

Options:

A.

encrypting the data

B.

including a nondisclosure clause in the CSP contract

C.

assessing the data classification scheme

D.

reviewing CSP access privileges

Buy Now
Questions 228

Which of the following is MOST important to sustainable development of secure IT services?

Options:

A.

Security training for systems development staff

B.

\Well-documented business cases

C.

Security architecture principles

D.

Secure coding practices

Buy Now
Questions 229

Which of the following would be of GREATEST concern to a risk practitioner reviewing current key risk indicators (KRIs)?

Options:

A.

The KRIs' source data lacks integrity.

B.

The KRIs are not automated.

C.

The KRIs are not quantitative.

D.

The KRIs do not allow for trend analysis.

Buy Now
Questions 230

When collecting information to identify IT-related risk, a risk practitioner should FIRST focus on IT:

Options:

A.

risk appetite.

B.

security policies

C.

process maps.

D.

risk tolerance level

Buy Now
Questions 231

Which of the following would offer the MOST insight with regard to an organization's risk culture?

Options:

A.

Risk management procedures

B.

Senior management interviews

C.

Benchmark analyses

D.

Risk management framework

Buy Now
Questions 232

After identifying new risk events during a project, the project manager s NEXT step should be to:

Options:

A.

determine if the scenarios need 10 be accepted or responded to.

B.

record the scenarios into the risk register.

C.

continue with a qualitative risk analysis.

D.

continue with a quantitative risk analysis.

Buy Now
Questions 233

Which of the following will BEST help an organization select a recovery strategy for critical systems?

Options:

A.

Review the business impact analysis.

B.

Create a business continuity plan.

C.

Analyze previous disaster recovery reports.

D.

Conduct a root cause analysis.

Buy Now
Questions 234

Which of the following is the BEST course of action when risk is found to be above the acceptable risk appetite?

Options:

A.

Review risk tolerance levels

B.

Maintain the current controls.

C.

Analyze the effectiveness of controls.

D.

Execute the risk response plan

Buy Now
Questions 235

Which of the following is the BEST way to promote adherence to the risk tolerance level set by management?

Options:

A.

Defining expectations in the enterprise risk policy

B.

Increasing organizational resources to mitigate risks

C.

Communicating external audit results

D.

Avoiding risks that could materialize into substantial losses

Buy Now
Questions 236

Which of the following is the BEST approach for performing a business impact analysis (BIA) of a supply-chain management application?

Options:

A.

Reviewing the organization's policies and procedures

B.

Interviewing groups of key stakeholders

C.

Circulating questionnaires to key internal stakeholders

D.

Accepting IT personnel s view of business issues

Buy Now
Questions 237

When reporting risk assessment results to senior management, which of the following is MOST important to include to enable risk-based decision making?

Options:

A.

Risk action plans and associated owners

B.

Recent audit and self-assessment results

C.

Potential losses compared to treatment cost

D.

A list of assets exposed to the highest risk

Buy Now
Questions 238

Which of the following would MOST likely result in updates to an IT risk appetite statement?

Options:

A.

External audit findings

B.

Feedback from focus groups

C.

Self-assessment reports

D.

Changes in senior management

Buy Now
Questions 239

Which of the following will BEST communicate the importance of risk mitigation initiatives to senior management?

Options:

A.

Business case

B.

Balanced scorecard

C.

Industry standards

D.

Heat map

Buy Now
Questions 240

When communicating changes in the IT risk profile, which of the following should be included to BEST enable stakeholder decision making?

Options:

A.

List of recent incidents affecting industry peers

B.

Results of external attacks and related compensating controls

C.

Gaps between current and desired states of the control environment

D.

Review of leading IT risk management practices within the industry

Buy Now
Questions 241

The MOST effective approach to prioritize risk scenarios is by:

Options:

A.

assessing impact to the strategic plan.

B.

aligning with industry best practices.

C.

soliciting input from risk management experts.

D.

evaluating the cost of risk response.

Buy Now
Questions 242

Which of the following would BEST enable a risk practitioner to embed risk management within the organization?

Options:

A.

Provide risk management feedback to key stakeholders.

B.

Collect and analyze risk data for report generation.

C.

Monitor and prioritize risk data according to the heat map.

D.

Engage key stakeholders in risk management practices.

Buy Now
Questions 243

Which of the following should be a risk practitioner's NEXT action after identifying a high probability of data loss in a system?

Options:

A.

Enhance the security awareness program.

B.

Increase the frequency of incident reporting.

C.

Purchase cyber insurance from a third party.

D.

Conduct a control assessment.

Buy Now
Questions 244

Which of the following is the BEST measure of the effectiveness of an employee deprovisioning process?

Options:

A.

Number of days taken to remove access after staff separation dates

B.

Number of days taken for IT to remove access after receipt of HR instructions

C.

Number of termination requests processed per reporting period

D.

Number of days taken for HR to provide instructions to IT after staff separation dates

Buy Now
Questions 245

An organization has raised the risk appetite for technology risk. The MOST likely result would be:

Options:

A.

increased inherent risk.

B.

higher risk management cost

C.

decreased residual risk.

D.

lower risk management cost.

Buy Now
Questions 246

An organization's risk practitioner learns a new third-party system on the corporate network has introduced vulnerabilities that could compromise corporate IT systems. What should the risk practitioner do

FIRST?

Options:

A.

Confirm the vulnerabilities with the third party

B.

Identify procedures to mitigate the vulnerabilities.

C.

Notify information security management.

D.

Request IT to remove the system from the network.

Buy Now
Questions 247

Which of the following methods would BEST contribute to identifying obscure risk scenarios?

Options:

A.

Brainstorming sessions

B.

Control self-assessments

C.

Vulnerability analysis

D.

Monte Carlo analysis

Buy Now
Questions 248

The MOST important reason to aggregate results from multiple risk assessments on interdependent information systems is to:

Options:

A.

establish overall impact to the organization

B.

efficiently manage the scope of the assignment

C.

identify critical information systems

D.

facilitate communication to senior management

Buy Now
Questions 249

Which of the following is the MOST important component of effective security incident response?

Options:

A.

Network time protocol synchronization

B.

Identification of attack sources

C.

Early detection of breaches

D.

A documented communications plan

Buy Now
Questions 250

Which of the following IT key risk indicators (KRIs) provides management with the BEST feedback on IT capacity?

Options:

A.

Trends in IT resource usage

B.

Trends in IT maintenance costs

C.

Increased resource availability

D.

Increased number of incidents

Buy Now
Questions 251

From a risk management perspective, which of the following is the PRIMARY benefit of using automated system configuration validation tools?

Options:

A.

Residual risk is reduced.

B.

Staff costs are reduced.

C.

Operational costs are reduced.

D.

Inherent risk is reduced.

Buy Now
Questions 252

The BEST criteria when selecting a risk response is the:

Options:

A.

capability to implement the response

B.

importance of IT risk within the enterprise

C.

effectiveness of risk response options

D.

alignment of response to industry standards

Buy Now
Questions 253

Which of the following is MOST helpful in determining the effectiveness of an organization's IT risk mitigation efforts?

Options:

A.

Assigning identification dates for risk scenarios in the risk register

B.

Updating impact assessments for risk scenario

C.

Verifying whether risk action plans have been completed

D.

Reviewing key risk indicators (KRIS)

Buy Now
Questions 254

Which of the following would MOST likely drive the need to review and update key performance indicators (KPIs) for critical IT assets?

Options:

A.

The outsourcing of related IT processes

B.

Outcomes of periodic risk assessments

C.

Changes in service level objectives

D.

Findings from continuous monitoring

Buy Now
Questions 255

To implement the MOST effective monitoring of key risk indicators (KRIs), which of the following needs to be in place?

Options:

A.

Threshold definition

B.

Escalation procedures

C.

Automated data feed

D.

Controls monitoring

Buy Now
Questions 256

IT management has asked for a consolidated view into the organization's risk profile to enable project prioritization and resource allocation. Which of the following materials would

be MOST helpful?

Options:

A.

IT risk register

B.

List of key risk indicators

C.

Internal audit reports

D.

List of approved projects

Buy Now
Questions 257

Which of the following is the PRIMARY reason to perform ongoing risk assessments?

Options:

A.

Emerging risk must be continuously reported to management.

B.

New system vulnerabilities emerge at frequent intervals.

C.

The risk environment is subject to change.

D.

The information security budget must be justified.

Buy Now
Questions 258

Which of the following is the BEST course of action to reduce risk impact?

Options:

A.

Create an IT security policy.

B.

Implement corrective measures.

C.

Implement detective controls.

D.

Leverage existing technology

Buy Now
Questions 259

Which of the following is the PRIMARY reason for a risk practitioner to use global standards related to risk management?

Options:

A.

To build an organizational risk-aware culture

B.

To continuously improve risk management processes

C.

To comply with legal and regulatory requirements

D.

To identify gaps in risk management practices

Buy Now
Questions 260

Which of the following is the MOST important factor affecting risk management in an organization?

Options:

A.

The risk manager's expertise

B.

Regulatory requirements

C.

Board of directors' expertise

D.

The organization's culture

Buy Now
Questions 261

A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?

Options:

A.

Document the finding in the risk register.

B.

Invoke the incident response plan.

C.

Re-evaluate key risk indicators.

D.

Modify the design of the control.

Buy Now
Questions 262

Which of the following is MOST important when developing key performance indicators (KPIs)?

Options:

A.

Alignment to risk responses

B.

Alignment to management reports

C.

Alerts when risk thresholds are reached

D.

Identification of trends

Buy Now
Questions 263

An organization wants to assess the maturity of its internal control environment. The FIRST step should be to:

Options:

A.

validate control process execution.

B.

determine if controls are effective.

C.

identify key process owners.

D.

conduct a baseline assessment.

Buy Now
Questions 264

Which of the following would be considered a vulnerability?

Options:

A.

Delayed removal of employee access

B.

Authorized administrative access to HR files

C.

Corruption of files due to malware

D.

Server downtime due to a denial of service (DoS) attack

Buy Now
Questions 265

Which of the following is the MOST cost-effective way to test a business continuity plan?

Options:

A.

Conduct interviews with key stakeholders.

B.

Conduct a tabletop exercise.

C.

Conduct a disaster recovery exercise.

D.

Conduct a full functional exercise.

Buy Now
Questions 266

Which of the following will BEST mitigate the risk associated with IT and business misalignment?

Options:

A.

Establishing business key performance indicators (KPIs)

B.

Introducing an established framework for IT architecture

C.

Establishing key risk indicators (KRIs)

D.

Involving the business process owner in IT strategy

Buy Now
Questions 267

Which of the following is MOST helpful when determining whether a system security control is effective?

Options:

A.

Control standard operating procedures

B.

Latest security assessment

C.

Current security threat report

D.

Updated risk register

Buy Now
Questions 268

Risk management strategies are PRIMARILY adopted to:

Options:

A.

take necessary precautions for claims and losses.

B.

achieve acceptable residual risk levels.

C.

avoid risk for business and IT assets.

D.

achieve compliance with legal requirements.

Buy Now
Questions 269

Which of the following controls would BEST reduce the risk of account compromise?

Options:

A.

Enforce password changes.

B.

Enforce multi-factor authentication (MFA).

C.

Enforce role-based authentication.

D.

Enforce password encryption.

Buy Now
Questions 270

An organization is planning to engage a cloud-based service provider for some of its data-intensive business processes. Which of the following is MOST important to help define the IT risk associated with this outsourcing activity?

Options:

A.

Service level agreement

B.

Customer service reviews

C.

Scope of services provided

D.

Right to audit the provider

Buy Now
Questions 271

Which of the following is MOST important to understand when determining an appropriate risk assessment approach?

Options:

A.

Complexity of the IT infrastructure

B.

Value of information assets

C.

Management culture

D.

Threats and vulnerabilities

Buy Now
Questions 272

Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?

Options:

A.

Maintain and review the classified data inventor.

B.

Implement mandatory encryption on data

C.

Conduct an awareness program for data owners and users.

D.

Define and implement a data classification policy

Buy Now
Questions 273

Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation?

Options:

A.

Completeness of system documentation

B.

Results of end user acceptance testing

C.

Variances between planned and actual cost

D.

availability of in-house resources

Buy Now
Questions 274

What is the BEST information to present to business control owners when justifying costs related to controls?

Options:

A.

Loss event frequency and magnitude

B.

The previous year's budget and actuals

C.

Industry benchmarks and standards

D.

Return on IT security-related investments

Buy Now
Questions 275

A risk practitioner discovers several key documents detailing the design of a product currently in development have been posted on the Internet. What should be the risk practitioner's FIRST course of action?

Options:

A.

invoke the established incident response plan.

B.

Inform internal audit.

C.

Perform a root cause analysis

D.

Conduct an immediate risk assessment

Buy Now
Questions 276

A risk practitioners PRIMARY focus when validating a risk response action plan should be that risk response:

Options:

A.

reduces risk to an acceptable level

B.

quantifies risk impact

C.

aligns with business strategy

D.

advances business objectives.

Buy Now
Questions 277

Which of the following roles would provide the MOST important input when identifying IT risk scenarios?

Options:

A.

Information security managers

B.

Internal auditors

C.

Business process owners

D.

Operational risk managers

Buy Now
Questions 278

Risk mitigation procedures should include:

Options:

A.

buying an insurance policy.

B.

acceptance of exposures

C.

deployment of counter measures.

D.

enterprise architecture implementation.

Buy Now
Questions 279

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery plan (DRP)?

Options:

A.

Number of users that participated in the DRP testing

B.

Number of issues identified during DRP testing

C.

Percentage of applications that met the RTO during DRP testing

D.

Percentage of issues resolved as a result of DRP testing

Buy Now
Questions 280

Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?

Options:

A.

Align business objectives to the risk profile.

B.

Assess risk against business objectives

C.

Implement an organization-specific risk taxonomy.

D.

Explain risk details to management.

Buy Now
Questions 281

Which of the following is the BEST key performance indicator (KPI) to measure the maturity of an organization's security incident handling process?

Options:

A.

The number of security incidents escalated to senior management

B.

The number of resolved security incidents

C.

The number of newly identified security incidents

D.

The number of recurring security incidents

Buy Now
Questions 282

A risk practitioner is organizing a training session lo communicate risk assessment methodologies to ensure a consistent risk view within the organization Which of the following i< the MOST important topic to cover in this training?

Options:

A.

Applying risk appetite

B.

Applying risk factors

C.

Referencing risk event data

D.

Understanding risk culture

Buy Now
Questions 283

Management has noticed storage costs have increased exponentially over the last 10 years because most users do not delete their emails. Which of the following can BEST alleviate this issue while not sacrificing security?

Options:

A.

Implementing record retention tools and techniques

B.

Establishing e-discovery and data loss prevention (DLP)

C.

Sending notifications when near storage quota

D.

Implementing a bring your own device 1BVOD) policy

Buy Now
Questions 284

In an organization with a mature risk management program, which of the following would provide the BEST evidence that the IT risk profile is up to date?

Options:

A.

Risk questionnaire

B.

Risk register

C.

Management assertion

D.

Compliance manual

Buy Now
Questions 285

It is MOST appropriate for changes to be promoted to production after they are:

Options:

A.

communicated to business management

B.

tested by business owners.

C.

approved by the business owner.

D.

initiated by business users.

Buy Now
Questions 286

Which of the following is a PRIMARY benefit of engaging the risk owner during the risk assessment process?

Options:

A.

Identification of controls gaps that may lead to noncompliance

B.

Prioritization of risk action plans across departments

C.

Early detection of emerging threats

D.

Accurate measurement of loss impact

Buy Now
Questions 287

A rule-based data loss prevention {DLP) tool has recently been implemented to reduce the risk of sensitive data leakage. Which of the following is MOST likely to change as a result of this implementation?

Options:

A.

Risk likelihood

B.

Risk velocity

C.

Risk appetite

D.

Risk impact

Buy Now
Questions 288

Calculation of the recovery time objective (RTO) is necessary to determine the:

Options:

A.

time required to restore files.

B.

point of synchronization

C.

priority of restoration.

D.

annual loss expectancy (ALE).

Buy Now
Questions 289

Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?

Options:

A.

Perform an m-depth code review with an expert

B.

Validate functionality by running in a test environment

C.

Implement a service level agreement.

D.

Utilize the change management process.

Buy Now
Questions 290

Which of the following is the MOST important benefit of key risk indicators (KRIs)'

Options:

A.

Assisting in continually optimizing risk governance

B.

Enabling the documentation and analysis of trends

C.

Ensuring compliance with regulatory requirements

D.

Providing an early warning to take proactive actions

Buy Now
Questions 291

Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?

Options:

A.

Risk mitigation budget

B.

Business Impact analysis

C.

Cost-benefit analysis

D.

Return on investment

Buy Now
Questions 292

A contract associated with a cloud service provider MUST include:

Options:

A.

ownership of responsibilities.

B.

a business recovery plan.

C.

provision for source code escrow.

D.

the providers financial statements.

Buy Now
Questions 293

Which of the following BEST enables effective risk-based decision making?

Options:

A.

Performing threat modeling to understand the threat landscape

B.

Minimizing the number of risk scenarios for risk assessment

C.

Aggregating risk scenarios across a key business unit

D.

Ensuring the risk register is updated to reflect changes in risk factors

Buy Now
Questions 294

Which of the following is the BEST method to identify unnecessary controls?

Options:

A.

Evaluating the impact of removing existing controls

B.

Evaluating existing controls against audit requirements

C.

Reviewing system functionalities associated with business processes

D.

Monitoring existing key risk indicators (KRIs)

Buy Now
Questions 295

Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data?

Options:

A.

Testing the transmission of credit card numbers

B.

Reviewing logs for unauthorized data transfers

C.

Configuring the DLP control to block credit card numbers

D.

Testing the DLP rule change control process

Buy Now
Questions 296

The MAIN purpose of conducting a control self-assessment (CSA) is to:

Options:

A.

gain a better understanding of the control effectiveness in the organization

B.

gain a better understanding of the risk in the organization

C.

adjust the controls prior to an external audit

D.

reduce the dependency on external audits

Buy Now
Questions 297

Which of the following provides the BEST evidence of the effectiveness of an organization's account provisioning process?

Options:

A.

User provisioning

B.

Role-based access controls

C.

Security log monitoring

D.

Entitlement reviews

Buy Now
Questions 298

Which of the following should be the PRIMARY objective of promoting a risk-aware culture within an organization?

Options:

A.

Better understanding of the risk appetite

B.

Improving audit results

C.

Enabling risk-based decision making

D.

Increasing process control efficiencies

Buy Now
Questions 299

An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:

Options:

A.

reduce the risk to an acceptable level.

B.

communicate the consequences for violations.

C.

implement industry best practices.

D.

reduce the organization's risk appetite

Buy Now
Questions 300

Which of the following is the MOST important outcome of reviewing the risk management process?

Options:

A.

Assuring the risk profile supports the IT objectives

B.

Improving the competencies of employees who performed the review

C.

Determining what changes should be made to IS policies to reduce risk

D.

Determining that procedures used in risk assessment are appropriate

Buy Now
Questions 301

The PRIMARY objective of the board of directors periodically reviewing the risk profile is to help ensure:

Options:

A.

the risk strategy is appropriate

B.

KRIs and KPIs are aligned

C.

performance of controls is adequate

D.

the risk monitoring process has been established

Buy Now
Questions 302

Which of the following should be the risk practitioner s PRIMARY focus when determining whether controls are adequate to mitigate risk?

Options:

A.

Sensitivity analysis

B.

Level of residual risk

C.

Cost-benefit analysis

D.

Risk appetite

Buy Now
Questions 303

Which of the following aspects of an IT risk and control self-assessment would be MOST important to include in a report to senior management?

Options:

A.

Changes in control design

B.

A decrease in the number of key controls

C.

Changes in control ownership

D.

An increase in residual risk

Buy Now
Questions 304

An organization has outsourced its IT security operations to a third party. Who is ULTIMATELY accountable for the risk associated with the outsourced operations?

Options:

A.

The third party s management

B.

The organization's management

C.

The control operators at the third party

D.

The organization's vendor management office

Buy Now
Questions 305

Which of the following is a specific concern related to machine learning algorithms?

Options:

A.

Low software quality

B.

Lack of access controls

C.

Data breaches

D.

Data bias

Buy Now
Questions 306

An organization has identified a risk exposure due to weak technical controls in a newly implemented HR system. The risk practitioner is documenting the risk in the risk register. The risk should be owned by the:

Options:

A.

chief risk officer.

B.

project manager.

C.

chief information officer.

D.

business process owner.

Buy Now
Questions 307

The MOST important characteristic of an organization s policies is to reflect the organization's:

Options:

A.

risk assessment methodology.

B.

risk appetite.

C.

capabilities

D.

asset value.

Buy Now
Questions 308

Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?

Options:

A.

Identify the potential risk.

B.

Monitor employee usage.

C.

Assess the potential risk.

D.

Develop risk awareness training.

Buy Now
Questions 309

When determining which control deficiencies are most significant, which of the following would provide the MOST useful information?

Options:

A.

Risk analysis results

B.

Exception handling policy

C.

Vulnerability assessment results

D.

Benchmarking assessments

Buy Now
Questions 310

When an organization's business continuity plan (BCP) states that it cannot afford to lose more than three hours of a critical application's data, the three hours is considered the application’s:

Options:

A.

Maximum tolerable outage (MTO).

B.

Recovery point objective (RPO).

C.

Mean time to restore (MTTR).

D.

Recovery time objective (RTO).

Buy Now
Questions 311

The PRIMARY reason a risk practitioner would be interested in an internal audit report is to:

Options:

A.

plan awareness programs for business managers.

B.

evaluate maturity of the risk management process.

C.

assist in the development of a risk profile.

D.

maintain a risk register based on noncompliance.

Buy Now
Questions 312

A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:

Options:

A.

communication

B.

identification.

C.

treatment.

D.

assessment.

Buy Now
Questions 313

Which of the following would MOST effectively enable a business operations manager to identify events exceeding risk thresholds?

Options:

A.

Continuous monitoring

B.

A control self-assessment

C.

Transaction logging

D.

Benchmarking against peers

Buy Now
Questions 314

The PRIMARY benefit of maintaining an up-to-date risk register is that it helps to:

Options:

A.

implement uniform controls for common risk scenarios.

B.

ensure business unit risk is uniformly distributed.

C.

build a risk profile for management review.

D.

quantify the organization's risk appetite.

Buy Now
Questions 315

A data processing center operates in a jurisdiction where new regulations have significantly increased penalties for data breaches. Which of the following elements of the risk register is MOST important to update to reflect this change?

Options:

A.

Risk impact

B.

Risk trend

C.

Risk appetite

D.

Risk likelihood

Buy Now
Questions 316

Which of the following is MOST critical when designing controls?

Options:

A.

Involvement of internal audit

B.

Involvement of process owner

C.

Quantitative impact of the risk

D.

Identification of key risk indicators

Buy Now
Questions 317

Which of the following is the MOST important foundational element of an effective three lines of defense model for an organization?

Options:

A.

A robust risk aggregation tool set

B.

Clearly defined roles and responsibilities

C.

A well-established risk management committee

D.

Well-documented and communicated escalation procedures

Buy Now
Questions 318

Which of the following is the BEST indication of an effective risk management program?

Options:

A.

Risk action plans are approved by senior management.

B.

Residual risk is within the organizational risk appetite

C.

Mitigating controls are designed and implemented.

D.

Risk is recorded and tracked in the risk register

Buy Now
Questions 319

An application development team has a backlog of user requirements for a new system that will process insurance claim payments for customers. Which of the following should be the MOST important consideration for a risk-based review of the user requirements?

Options:

A.

Number of claims affected by the user requirements

B.

Number of customers impacted

C.

Impact to the accuracy of claim calculation

D.

Level of resources required to implement the user requirements

Buy Now
Questions 320

Which of the following controls will BEST detect unauthorized modification of data by a database administrator?

Options:

A.

Reviewing database access rights

B.

Reviewing database activity logs

C.

Comparing data to input records

D.

Reviewing changes to edit checks

Buy Now
Questions 321

The PRIMARY objective for selecting risk response options is to:

Options:

A.

reduce risk 10 an acceptable level.

B.

identify compensating controls.

C.

minimize residual risk.

D.

reduce risk factors.

Buy Now
Questions 322

An organization has procured a managed hosting service and just discovered the location is likely to be flooded every 20 years. Of the following, who should be notified of this new information FIRST.

Options:

A.

The risk owner who also owns the business service enabled by this infrastructure

B.

The data center manager who is also employed under the managed hosting services contract

C.

The site manager who is required to provide annual risk assessments under the contract

D.

The chief information officer (CIO) who is responsible for the hosted services

Buy Now
Questions 323

An organization has determined a risk scenario is outside the defined risk tolerance level. What should be the NEXT course of action?

Options:

A.

Develop a compensating control.

B.

Allocate remediation resources.

C.

Perform a cost-benefit analysis.

D.

Identify risk responses

Buy Now
Questions 324

Which of the following will BEST quantify the risk associated with malicious users in an organization?

Options:

A.

Business impact analysis

B.

Risk analysis

C.

Threat risk assessment

D.

Vulnerability assessment

Buy Now
Questions 325

Which of the following is MOST important when developing risk scenarios?

Options:

A.

Reviewing business impact analysis (BIA)

B.

Collaborating with IT audit

C.

Conducting vulnerability assessments

D.

Obtaining input from key stakeholders

Buy Now
Questions 326

An organization is implementing internet of Things (loT) technology to control temperature and lighting in its headquarters. Which of the following should be of GREATEST concern?

Options:

A.

Insufficient network isolation

B.

impact on network performance

C.

insecure data transmission protocols

D.

Lack of interoperability between sensors

Buy Now
Questions 327

The PRIMARY goal of conducting a business impact analysis (BIA) as part of an overall continuity planning process is to:

Options:

A.

obtain the support of executive management.

B.

map the business processes to supporting IT and other corporate resources.

C.

identify critical business processes and the degree of reliance on support services.

D.

document the disaster recovery process.

Buy Now
Questions 328

In an organization dependent on data analytics to drive decision-making, which of the following would BEST help to minimize the risk associated with inaccurate data?

Options:

A.

Establishing an intellectual property agreement

B.

Evaluating each of the data sources for vulnerabilities

C.

Periodically reviewing big data strategies

D.

Benchmarking to industry best practice

Buy Now
Questions 329

Which of the following is the MOST important consideration when sharing risk management updates with executive management?

Options:

A.

Using an aggregated view of organizational risk

B.

Ensuring relevance to organizational goals

C.

Relying on key risk indicator (KRI) data Including

D.

Trend analysis of risk metrics

Buy Now
Questions 330

Which of the following is the MOST effective key performance indicator (KPI) for change management?

Options:

A.

Percentage of changes with a fallback plan

B.

Number of changes implemented

C.

Percentage of successful changes

D.

Average time required to implement a change

Buy Now
Questions 331

The MOST effective way to increase the likelihood that risk responses will be implemented is to:

Options:

A.

create an action plan

B.

assign ownership

C.

review progress reports

D.

perform regular audits.

Buy Now
Questions 332

A risk assessment has identified that an organization may not be in compliance with industry regulations. The BEST course of action would be to:

Options:

A.

conduct a gap analysis against compliance criteria.

B.

identify necessary controls to ensure compliance.

C.

modify internal assurance activities to include control validation.

D.

collaborate with management to meet compliance requirements.

Buy Now
Questions 333

During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall. Which of the following controls has MOST likely been compromised?

Options:

A.

Data validation

B.

Identification

C.

Authentication

D.

Data integrity

Buy Now
Questions 334

When reviewing management's IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?

Options:

A.

Assess management's risk tolerance.

B.

Recommend management accept the low-risk scenarios.

C.

Propose mitigating controls

D.

Re-evaluate the risk scenarios associated with the control

Buy Now
Questions 335

Which of the following is the MOST useful indicator to measure the efficiency of an identity and access management process?

Options:

A.

Number of tickets for provisioning new accounts

B.

Average time to provision user accounts

C.

Password reset volume per month

D.

Average account lockout time

Buy Now
Questions 336

Upon learning that the number of failed back-up attempts continually exceeds the current risk threshold, the risk practitioner should:

Options:

A.

inquire about the status of any planned corrective actions

B.

keep monitoring the situation as there is evidence that this is normal

C.

adjust the risk threshold to better reflect actual performance

D.

initiate corrective action to address the known deficiency

Buy Now
Questions 337

Which of the following statements describes the relationship between key risk indicators (KRIs) and key control indicators (KCIs)?

Options:

A.

KRI design must precede definition of KCIs.

B.

KCIs and KRIs are independent indicators and do not impact each other.

C.

A decreasing trend of KRI readings will lead to changes to KCIs.

D.

Both KRIs and KCIs provide insight to potential changes in the level of risk.

Buy Now
Questions 338

An organization has implemented a preventive control to lock user accounts after three unsuccessful login attempts. This practice has been proven to be unproductive, and a change in the control threshold value has been recommended. Who should authorize changing this threshold?

Options:

A.

Risk owner

B.

IT security manager

C.

IT system owner

D.

Control owner

Buy Now
Questions 339

Which of the following should be the PRIMARY goal of developing information security metrics?

Options:

A.

Raising security awareness

B.

Enabling continuous improvement

C.

Identifying security threats

D.

Ensuring regulatory compliance

Buy Now
Questions 340

Which of the following is the GREATEST risk associated with the misclassification of data?

Options:

A.

inadequate resource allocation

B.

Data disruption

C.

Unauthorized access

D.

Inadequate retention schedules

Buy Now
Questions 341

Which of the following is the MOST important consideration when implementing ethical remote work monitoring?

Options:

A.

Monitoring is only conducted between official hours of business

B.

Employees are informed of how they are bong monitored

C.

Reporting on nonproductive employees is sent to management on a scheduled basis

D.

Multiple data monitoring sources are integrated into security incident response procedures

Buy Now
Questions 342

When performing a risk assessment of a new service to support a ewe Business process. which of the following should be done FRST10 ensure continuity of operations?

Options:

A.

a identity conditions that may cause disruptions

B.

Review incident response procedures

C.

Evaluate the probability of risk events

D.

Define metrics for restoring availability

Buy Now
Questions 343

An organization must make a choice among multiple options to respond to a risk. The stakeholders cannot agree and decide to postpone the decision. Which of the following risk responses has the organization adopted?

Options:

A.

Transfer

B.

Mitigation

C.

Avoidance

D.

Acceptance

Buy Now
Questions 344

The PRIMARY objective for requiring an independent review of an organization's IT risk management process should be to:

Options:

A.

assess gaps in IT risk management operations and strategic focus.

B.

confirm that IT risk assessment results are expressed as business impact.

C.

verify implemented controls to reduce the likelihood of threat materialization.

D.

ensure IT risk management is focused on mitigating potential risk.

Buy Now
Questions 345

Which of the following is the BEST evidence that a user account has been properly authorized?

Options:

A.

An email from the user accepting the account

B.

Notification from human resources that the account is active

C.

User privileges matching the request form

D.

Formal approval of the account by the user's manager

Buy Now
Questions 346

Which of the following should be the risk practitioner s FIRST course of action when an organization has decided to expand into new product areas?

Options:

A.

Identify any new business objectives with stakeholders.

B.

Present a business case for new controls to stakeholders.

C.

Revise the organization's risk and control policy.

D.

Review existing risk scenarios with stakeholders.

Buy Now
Questions 347

A business unit has decided to accept the risk of implementing an off-the-shelf, commercial software package that uses weak password controls. The BEST course of action would be to:

Options:

A.

obtain management approval for policy exception.

B.

develop an improved password software routine.

C.

select another application with strong password controls.

D.

continue the implementation with no changes.

Buy Now
Questions 348

What should a risk practitioner do FIRST when vulnerability assessment results identify a weakness in an application?

Options:

A.

Review regular control testing results.

B.

Recommend a penetration test.

C.

Assess the risk to determine mitigation needed.

D.

Analyze key performance indicators (KPIs).

Buy Now
Questions 349

Which of the following is the MOST important reason to create risk scenarios?

Options:

A.

To assist with risk identification

B.

To determine risk tolerance

C.

To determine risk appetite

D.

To assist in the development of risk responses

Buy Now
Questions 350

Which of the following is the PRIMARY reason for an organization to ensure the risk register is updated regularly?

Options:

A.

Risk assessment results are accessible to senior management and stakeholders.

B.

Risk mitigation activities are managed and coordinated.

C.

Key risk indicators (KRIs) are evaluated to validate they are still within the risk threshold.

D.

Risk information is available to enable risk-based decisions.

Buy Now
Questions 351

Which of the following is MOST likely to be impacted as a result of a new policy which allows staff members to remotely connect to the organization's IT systems via personal or public computers?

Options:

A.

Risk appetite

B.

Inherent risk

C.

Key risk indicator (KRI)

D.

Risk tolerance

Buy Now
Questions 352

When prioritizing risk response, management should FIRST:

Options:

A.

evaluate the organization s ability and expertise to implement the solution.

B.

evaluate the risk response of similar organizations.

C.

address high risk factors that have efficient and effective solutions.

D.

determine which risk factors have high remediation costs

Buy Now
Questions 353

Which of the following should be the MAIN consideration when validating an organization's risk appetite?

Options:

A.

Comparison against regulations

B.

Maturity of the risk culture

C.

Capacity to withstand loss

D.

Cost of risk mitigation options

Buy Now
Questions 354

Which of these documents is MOST important to request from a cloud service

provider during a vendor risk assessment?

Options:

A.

Nondisclosure agreement (NDA)

B.

Independent audit report

C.

Business impact analysis (BIA)

D.

Service level agreement (SLA)

Buy Now
Questions 355

The BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability remediation program is the number of:

Options:

A.

vulnerability scans.

B.

recurring vulnerabilities.

C.

vulnerabilities remediated,

D.

new vulnerabilities identified.

Buy Now
Questions 356

The MAIN purpose of a risk register is to:

Options:

A.

document the risk universe of the organization.

B.

promote an understanding of risk across the organization.

C.

enable well-informed risk management decisions.

D.

identify stakeholders associated with risk scenarios.

Buy Now
Questions 357

Before implementing instant messaging within an organization using a public solution, which of the following should be in place to mitigate data leakage risk?

Options:

A.

A data extraction tool

B.

An access control list

C.

An intrusion detection system (IDS)

D.

An acceptable usage policy

Buy Now
Questions 358

When assessing the maturity level of an organization's risk management framework, which of the following deficiencies should be of GREATEST concern to a risk practitioner?

Options:

A.

Unclear organizational risk appetite

B.

Lack of senior management participation

C.

Use of highly customized control frameworks

D.

Reliance on qualitative analysis methods

Buy Now
Questions 359

An identified high probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy. Which of the following is the BEST risk response?

Options:

A.

Mitigate

B.

Accept

C.

Transfer

D.

Avoid

Buy Now
Questions 360

A risk practitioner notices that a particular key risk indicator (KRI) has remained below its established trigger point for an extended period of time. Which of the following should be done FIRST?

Options:

A.

Recommend a re-evaluation of the current threshold of the KRI.

B.

Notify management that KRIs are being effectively managed.

C.

Update the risk rating associated with the KRI In the risk register.

D.

Update the risk tolerance and risk appetite to better align to the KRI.

Buy Now
Questions 361

Which of the following is the BEST way to support communication of emerging risk?

Options:

A.

Update residual risk levels to reflect the expected risk impact.

B.

Adjust inherent risk levels upward.

C.

Include it on the next enterprise risk committee agenda.

D.

Include it in the risk register for ongoing monitoring.

Buy Now
Questions 362

An organization has outsourced its backup and recovery procedures to a third-party cloud provider. Which of the following is the risk practitioner s BEST course of action?

Options:

A.

Accept the risk and document contingency plans for data disruption.

B.

Remove the associated risk scenario from the risk register due to avoidance.

C.

Mitigate the risk with compensating controls enforced by the third-party cloud provider.

D.

Validate the transfer of risk and update the register to reflect the change.

Buy Now
Questions 363

An organization has identified that terminated employee accounts are not disabled or deleted within the time required by corporate policy. Unsure of the reason, the organization has decided to monitor the situation for three months to obtain more information. As a result of this decision, the risk has been:

Options:

A.

avoided.

B.

accepted.

C.

mitigated.

D.

transferred.

Buy Now
Questions 364

Which of the following is the GREATEST concern associated with business end users developing their own applications on end user spreadsheets and database programs?

Options:

A.

An IT project manager is not assigned to oversee development.

B.

Controls are not applied to the applications.

C.

There is a lack of technology recovery options.

D.

The applications are not captured in the risk profile.

Buy Now
Questions 365

Which of the following should a risk practitioner do FIRST when an organization decides to use a cloud service?

Options:

A.

Review the vendor selection process and vetting criteria.

B.

Assess whether use of service falls within risk tolerance thresholds.

C.

Establish service level agreements (SLAs) with the vendor.

D.

Check the contract for appropriate security risk and control provisions.

Buy Now
Questions 366

Which of the following should be the PRIMARY objective of a risk awareness training program?

Options:

A.

To enable risk-based decision making

B.

To promote awareness of the risk governance function

C.

To clarify fundamental risk management principles

D.

To ensure sufficient resources are available

Buy Now
Questions 367

Which of the following is MOST important when developing risk scenarios?

Options:

A.

The scenarios are based on industry best practice.

B.

The scenarios focus on current vulnerabilities.

C.

The scenarios are relevant to the organization.

D.

The scenarios include technical consequences.

Buy Now
Questions 368

Which of the following BEST facilitates the development of effective IT risk scenarios?

Options:

A.

Utilization of a cross-functional team

B.

Participation by IT subject matter experts

C.

Integration of contingency planning

D.

Validation by senior management

Buy Now
Questions 369

Who is MOST likely to be responsible for the coordination between the IT risk strategy and the business risk strategy?

Options:

A.

Chief financial officer

B.

Information security director

C.

Internal audit director

D.

Chief information officer

Buy Now
Questions 370

After migrating a key financial system to a new provider, it was discovered that a developer could gain access to the production environment. Which of the following is the BEST way to mitigate the risk in this situation?

Options:

A.

Escalate the issue to the service provider.

B.

Re-certify the application access controls.

C.

Remove the developer's access.

D.

Review the results of pre-migration testing.

Buy Now
Questions 371

An IT license audit has revealed that there are several unlicensed copies of co be to:

Options:

A.

immediately uninstall the unlicensed software from the laptops

B.

centralize administration rights on laptops so that installations are controlled

C.

report the issue to management so appropriate action can be taken.

D.

procure the requisite licenses for the software to minimize business impact.

Buy Now
Questions 372

Which of the following will provide the BEST measure of compliance with IT policies?

Options:

A.

Evaluate past policy review reports.

B.

Conduct regular independent reviews.

C.

Perform penetration testing.

D.

Test staff on their compliance responsibilities.

Buy Now
Questions 373

Which of the following activities is PRIMARILY the responsibility of senior management?

Options:

A.

Bottom-up identification of emerging risks

B.

Categorization of risk scenarios against a standard taxonomy

C.

Prioritization of risk scenarios based on severity

D.

Review of external loss data

Buy Now
Questions 374

Which of the following is MOST important for a risk practitioner to update when a software upgrade renders an existing key control ineffective?

Options:

A.

Audit engagement letter

B.

Risk profile

C.

IT risk register

D.

Change control documentation

Buy Now
Questions 375

Which of the following methods is the BEST way to measure the effectiveness of automated information security controls prior to going live?

Options:

A.

Testing in a non-production environment

B.

Performing a security control review

C.

Reviewing the security audit report

D.

Conducting a risk assessment

Buy Now
Questions 376

A control owner responsible for the access management process has developed a machine learning model to automatically identify excessive access privileges. What is the risk practitioner's BEST course of action?

Options:

A.

Review the design of the machine learning model against control objectives.

B.

Adopt the machine learning model as a replacement for current manual access reviews.

C.

Ensure the model assists in meeting regulatory requirements for access controls.

D.

Discourage the use of emerging technologies in key processes.

Buy Now
Questions 377

A control owner identifies that the organization's shared drive contains personally identifiable information (Pll) that can be accessed by all personnel. Which of the following is the MOST effective risk response?

Options:

A.

Protect sensitive information with access controls.

B.

Implement a data loss prevention (DLP) solution.

C.

Re-communicate the data protection policy.

D.

Implement a data encryption solution.

Buy Now
Questions 378

An organization's senior management is considering whether to acquire cyber insurance. Which of the following is the BEST way for the risk practitioner to enable management’s decision?

Options:

A.

Perform a cost-benefit analysis.

B.

Conduct a SWOT analysis.

C.

Provide data on the number of risk events from the last year.

D.

Report on recent losses experienced by industry peers.

Buy Now
Questions 379

An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?

Options:

A.

Invoke the disaster recovery plan during an incident.

B.

Prepare a cost-benefit analysis of alternatives available

C.

Implement redundant infrastructure for the application.

D.

Reduce the recovery time by strengthening the response team.

Buy Now
Questions 380

Which of the following should be a risk practitioner's NEXT step upon learning the impact of an organization's noncompliance with a specific legal regulation?

Options:

A.

Identify risk response options.

B.

Implement compensating controls.

C.

Invoke the incident response plan.

D.

Document the penalties for noncompliance.

Buy Now
Questions 381

Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:

Options:

A.

a gap analysis

B.

a root cause analysis.

C.

an impact assessment.

D.

a vulnerability assessment.

Buy Now
Questions 382

A risk practitioner observes that hardware failure incidents have been increasing over the last few months. However, due to built-in redundancy and fault-tolerant architecture, there have been no interruptions to business operations. The risk practitioner should conclude that:

Options:

A.

a root cause analysis is required

B.

controls are effective for ensuring continuity

C.

hardware needs to be upgraded

D.

no action is required as there was no impact

Buy Now
Questions 383

Which of the following IT controls is MOST useful in mitigating the risk associated with inaccurate data?

Options:

A.

Encrypted storage of data

B.

Links to source data

C.

Audit trails for updates and deletions

D.

Check totals on data records and data fields

Buy Now
Questions 384

When of the following is the MOST significant exposure when an application uses individual user accounts to access the underlying database?

Options:

A.

Users may share accounts with business system analyst

B.

Application may not capture a complete audit trail.

C.

Users may be able to circumvent application controls.

D.

Multiple connects to the database are used and slow the process

Buy Now
Questions 385

The PRIMARY goal of a risk management program is to:

Options:

A.

facilitate resource availability.

B.

help ensure objectives are met.

C.

safeguard corporate assets.

D.

help prevent operational losses.

Buy Now
Questions 386

Within the three lines of defense model, the accountability for the system of internal control resides with:

Options:

A.

the chief information officer (CIO).

B.

the board of directors

C.

enterprise risk management

D.

the risk practitioner

Buy Now
Questions 387

A risk practitioner identifies a database application that has been developed and implemented by the business independently of IT. Which of the following is the BEST course of action?

Options:

A.

Escalate the concern to senior management.

B.

Document the reasons for the exception.

C.

Include the application in IT risk assessments.

D.

Propose that the application be transferred to IT.

Buy Now
Questions 388

Winch of the following can be concluded by analyzing the latest vulnerability report for the it infrastructure?

Options:

A.

Likelihood of a threat

B.

Impact of technology risk

C.

Impact of operational risk

D.

Control weakness

Buy Now
Questions 389

The MOST important consideration when selecting a control to mitigate an identified risk is whether:

Options:

A.

the cost of control exceeds the mitigation value

B.

there are sufficient internal resources to implement the control

C.

the mitigation measures create compounding effects

D.

the control eliminates the risk

Buy Now
Questions 390

Which of the following would be MOST useful to senior management when determining an appropriate risk response?

Options:

A.

A comparison of current risk levels with established tolerance

B.

A comparison of cost variance with defined response strategies

C.

A comparison of current risk levels with estimated inherent risk levels

D.

A comparison of accepted risk scenarios associated with regulatory compliance

Buy Now
Questions 391

When formulating a social media policy lo address information leakage, which of the following is the MOST important concern to address?

Options:

A.

Sharing company information on social media

B.

Sharing personal information on social media

C.

Using social media to maintain contact with business associates

D.

Using social media for personal purposes during working hours

Buy Now
Questions 392

Which of the following is the GREATEST concern associated with redundant data in an organization's inventory system?

Options:

A.

Poor access control

B.

Unnecessary data storage usage

C.

Data inconsistency

D.

Unnecessary costs of program changes

Buy Now
Questions 393

An organization has detected unauthorized logins to its client database servers. Which of the following should be of GREATEST concern?

Options:

A.

Potential increase in regulatory scrutiny

B.

Potential system downtime

C.

Potential theft of personal information

D.

Potential legal risk

Buy Now
Questions 394

Determining if organizational risk is tolerable requires:

Options:

A.

mapping residual risk with cost of controls

B.

comparing against regulatory requirements

C.

comparing industry risk appetite with the organizations.

D.

understanding the organization's risk appetite.

Buy Now
Questions 395

An IT department has organized training sessions to improve user awareness of organizational information security policies. Which of the following is the BEST key performance indicator (KPI) to reflect effectiveness of the training?

Options:

A.

Number of training sessions completed

B.

Percentage of staff members who complete the training with a passing score

C.

Percentage of attendees versus total staff

D.

Percentage of staff members who attend the training with positive feedback

Buy Now
Questions 396

Which of the following is MOST important for mitigating ethical risk when establishing accountability for control ownership?

Options:

A.

Ensuring processes are documented to enable effective control execution

B.

Ensuring regular risk messaging is Included in business communications from leadership

C.

Ensuring schedules and deadlines for control-related deliverables are strictly monitored

D.

Ensuring performance metrics balance business goals with risk appetite

Buy Now
Questions 397

An organization's control environment is MOST effective when:

Options:

A.

controls perform as intended.

B.

controls operate efficiently.

C.

controls are implemented consistent

D.

control designs are reviewed periodically

Buy Now
Questions 398

Which of the following s MOST likely to deter an employee from engaging in inappropriate use of company owned IT systems?

Options:

A.

A centralized computer security response team

B.

Regular performance reviews and management check-ins

C.

Code of ethics training for all employees

D.

Communication of employee activity monitoring

Buy Now
Questions 399

Which of the following has the GREATEST influence on an organization's risk appetite?

Options:

A.

Threats and vulnerabilities

B.

Internal and external risk factors

C.

Business objectives and strategies

D.

Management culture and behavior

Buy Now
Questions 400

Which of the following is the MOST critical factor to consider when determining an organization's risk appetite?

Options:

A.

Fiscal management practices

B.

Business maturity

C.

Budget for implementing security

D.

Management culture

Buy Now
Questions 401

Which of the following is the GREATEST benefit of a three lines of defense structure?

Options:

A.

An effective risk culture that empowers employees to report risk

B.

Effective segregation of duties to prevent internal fraud

C.

Clear accountability for risk management processes

D.

Improved effectiveness and efficiency of business operations

Buy Now
Questions 402

Which of the following is the MOST important objective from a cost perspective for considering aggregated risk responses in an organization?

Options:

A.

Prioritize risk response options

B.

Reduce likelihood.

C.

Address more than one risk response

D.

Reduce impact

Buy Now
Questions 403

A risk practitioner implemented a process to notify management of emergency changes that may not be approved. Which of the following is the BEST way to provide this information to management?

Options:

A.

Change logs

B.

Change management meeting minutes

C.

Key control indicators (KCIs)

D.

Key risk indicators (KRIs)

Buy Now
Questions 404

Which of the following would BEST facilitate the implementation of data classification requirements?

Options:

A.

Assigning a data owner

B.

Implementing technical control over the assets

C.

Implementing a data loss prevention (DLP) solution

D.

Scheduling periodic audits

Buy Now
Questions 405

An IT risk threat analysis is BEST used to establish

Options:

A.

risk scenarios

B.

risk maps

C.

risk appetite

D.

risk ownership.

Buy Now
Questions 406

Which of the following, who should be PRIMARILY responsible for performing user entitlement reviews?

Options:

A.

IT security manager

B.

IT personnel

C.

Data custodian

D.

Data owner

Buy Now
Questions 407

Risk appetite should be PRIMARILY driven by which of the following?

Options:

A.

Enterprise security architecture roadmap

B.

Stakeholder requirements

C.

Legal and regulatory requirements

D.

Business impact analysis (BIA)

Buy Now
Questions 408

What is the PRIMARY reason an organization should include background checks on roles with elevated access to production as part of its hiring process?

Options:

A.

Reduce internal threats

B.

Reduce exposure to vulnerabilities

C.

Eliminate risk associated with personnel

D.

Ensure new hires have the required skills

Buy Now
Questions 409

Which of the following is the BEST way for a risk practitioner to present an annual risk management update to the board''

Options:

A.

A summary of risk response plans with validation results

B.

A report with control environment assessment results

C.

A dashboard summarizing key risk indicators (KRIs)

D.

A summary of IT risk scenarios with business cases

Buy Now
Questions 410

Which of the following is a risk practitioner's MOST important responsibility in managing risk acceptance that exceeds risk tolerance?

Options:

A.

Verify authorization by senior management.

B.

Increase the risk appetite to align with the current risk level

C.

Ensure the acceptance is set to expire over lime

D.

Update the risk response in the risk register.

Buy Now
Questions 411

Senior management wants to increase investment in the organization's cybersecurity program in response to changes in the external threat landscape. Which of the following would BEST help to prioritize investment efforts?

Options:

A.

Analyzing cyber intelligence reports

B.

Engaging independent cybersecurity consultants

C.

Increasing the frequency of updates to the risk register

D.

Reviewing the outcome of the latest security risk assessment

Buy Now
Questions 412

An organization has asked an IT risk practitioner to conduct an operational risk assessment on an initiative to outsource the organization's customer service operations overseas. Which of the following would MOST significantly impact management's decision?

Options:

A.

Time zone difference of the outsourcing location

B.

Ongoing financial viability of the outsourcing company

C.

Cross-border information transfer restrictions in the outsourcing country

D.

Historical network latency between the organization and outsourcing location

Buy Now
Questions 413

Which of the following is the BEST indicator of executive management's support for IT risk mitigation efforts?

Options:

A.

The number of stakeholders involved in IT risk identification workshops

B.

The percentage of corporate budget allocated to IT risk activities

C.

The percentage of incidents presented to the board

D.

The number of executives attending IT security awareness training

Buy Now
Questions 414

It is MOST important that security controls for a new system be documented in:

Options:

A.

testing requirements

B.

the implementation plan.

C.

System requirements

D.

The security policy

Buy Now
Questions 415

An organization has used generic risk scenarios to populate its risk register. Which of the following presents the GREATEST challenge to assigning of the associated risk entries?

Options:

A.

The volume of risk scenarios is too large

B.

Risk aggregation has not been completed

C.

Risk scenarios are not applicable

D.

The risk analysts for each scenario is incomplete

Buy Now
Questions 416

Which of the following would BEST enable a risk-based decision when considering the use of an emerging technology for data processing?

Options:

A.

Gap analysis

B.

Threat assessment

C.

Resource skills matrix

D.

Data quality assurance plan

Buy Now
Questions 417

Which of the following is the MAIN purpose of monitoring risk?

Options:

A.

Communication

B.

Risk analysis

C.

Decision support

D.

Benchmarking

Buy Now
Questions 418

Which risk response strategy could management apply to both positive and negative risk that has been identified?

Options:

A.

Transfer

B.

Accept

C.

Exploit

D.

Mitigate

Buy Now
Questions 419

Which of the following is MOST helpful to understand the consequences of an IT risk event?

Options:

A.

Fault tree analysis

B.

Historical trend analysis

C.

Root cause analysis

D.

Business impact analysis (BIA)

Buy Now
Questions 420

Which of the following is the MOST effective way for a large and diversified organization to minimize risk associated with unauthorized software on company devices?

Options:

A.

Scan end points for applications not included in the asset inventory.

B.

Prohibit the use of cloud-based virtual desktop software.

C.

Conduct frequent reviews of software licenses.

D.

Perform frequent internal audits of enterprise IT infrastructure.

Buy Now
Questions 421

An organization is analyzing the risk of shadow IT usage. Which of the following is the MOST important input into the assessment?

Options:

A.

Business benefits of shadow IT

B.

Application-related expresses

C.

Classification of the data

D.

Volume of data

Buy Now
Questions 422

A bank recently incorporated Blockchain technology with the potential to impact known risk within the organization. Which of the following is the risk practitioner’s BEST course of action?

Options:

A.

Determine whether risk responses are still adequate.

B.

Analyze and update control assessments with the new processes.

C.

Analyze the risk and update the risk register as needed.

D.

Conduct testing of the control that mitigate the existing risk.

Buy Now
Questions 423

Which of the following will BEST help to ensure new IT policies address the enterprise's requirements?

Options:

A.

involve IT leadership in the policy development process

B.

Require business users to sign acknowledgment of the poises

C.

involve business owners in the pokey development process

D.

Provide policy owners with greater enforcement authority

Buy Now
Questions 424

Which of the following is the GREATEST benefit of centralizing IT systems?

Options:

A.

Risk reporting

B.

Risk classification

C.

Risk monitoring

D.

Risk identification

Buy Now
Questions 425

A risk practitioner recently discovered that personal information from the production environment is required for testing purposes in non-production environments. Which of the following is the BEST recommendation to address this situation?

Options:

A.

Enable data encryption in the test environment.

B.

Prevent the use of production data in the test environment

C.

De-identify data before being transferred to the test environment.

D.

Enforce multi-factor authentication within the test environment.

Buy Now
Questions 426

A risk practitioner has collaborated with subject matter experts from the IT department to develop a large list of potential key risk indicators (KRIs) for all IT operations within theorganization of the following, who should review the completed list and select the appropriate KRIs for implementation?

Options:

A.

IT security managers

B.

IT control owners

C.

IT auditors

D.

IT risk owners

Buy Now
Questions 427

The objective of aligning mitigating controls to risk appetite is to ensure that:

Options:

A.

exposures are reduced to the fullest extent

B.

exposures are reduced only for critical business systems

C.

insurance costs are minimized

D.

the cost of controls does not exceed the expected loss.

Buy Now
Questions 428

Using key risk indicators (KRIs) to illustrate changes in the risk profile PRIMARILY helps to:

Options:

A.

communicate risk trends to stakeholders.

B.

assign ownership of emerging risk scenarios.

C.

highlight noncompliance with the risk policy

D.

identify threats to emerging technologies.

Buy Now
Questions 429

A risk practitioner observed Vial a high number of pokey exceptions were approved by senior management. Which of the following is the risk practitioner’s BEST course of action to determine root cause?

Options:

A.

Review the risk profile

B.

Review pokey change history

C.

interview the control owner

D.

Perform control testing

Buy Now
Questions 430

A risk practitioner has identified that the agreed recovery time objective (RTO) with a Software as a Service (SaaS) provider is longer than the business expectation. Which ot the following is the risk practitioner's BEST course of action?

Options:

A.

Collaborate with the risk owner to determine the risk response plan.

B.

Document the gap in the risk register and report to senior management.

C.

Include a right to audit clause in the service provider contract.

D.

Advise the risk owner to accept the risk.

Buy Now
Questions 431

An organization's recovery team is attempting to recover critical data backups following a major flood in its data center. However, key team members do not know exactly what steps should be taken to address this crisis. Which of the following is the MOST likely cause of this situation?

Options:

A.

Failure to test the disaster recovery plan (DRP)

B.

Lack of well-documented business impact analysis (BIA)

C.

Lack of annual updates to the disaster recovery plan (DRP)

D.

Significant changes in management personnel

Buy Now
Questions 432

An organization has experienced several incidents of extended network outages that have exceeded tolerance. Which of the following should be the risk practitioner's FIRST step to address this situation?

Options:

A.

Recommend additional controls to address the risk.

B.

Update the risk tolerance level to acceptable thresholds.

C.

Update the incident-related risk trend in the risk register.

D.

Recommend a root cause analysis of the incidents.

Buy Now
Questions 433

An organization is concerned that its employees may be unintentionally disclosing data through the use of social media sites. Which of the following will MOST effectively mitigate tins risk?

Options:

A.

Requiring the use of virtual private networks (VPNs)

B.

Establishing a data classification policy

C.

Conducting user awareness training

D.

Requiring employee agreement of the acceptable use policy

Buy Now
Questions 434

Which of the following is the MOST important consideration when developing risk strategies?

Options:

A.

Organization's industry sector

B.

Long-term organizational goals

C.

Concerns of the business process owners

D.

History of risk events

Buy Now
Questions 435

An organization maintains independent departmental risk registers that are not automatically aggregated. Which of the following is the GREATEST concern?

Options:

A.

Management may be unable to accurately evaluate the risk profile.

B.

Resources may be inefficiently allocated.

C.

The same risk factor may be identified in multiple areas.

D.

Multiple risk treatment efforts may be initiated to treat a given risk.

Buy Now
Questions 436

When performing a risk assessment of a new service to support a core business process, which of the following should be done FIRST to ensure continuity of operations?

Options:

A.

Define metrics for restoring availability.

B.

Identify conditions that may cause disruptions.

C.

Review incident response procedures.

D.

Evaluate the probability of risk events.

Buy Now
Questions 437

An organization has decided to implement a new Internet of Things (loT) solution. Which of the following should be done FIRST when addressing security concerns associated with this new technology?

Options:

A.

Develop new loT risk scenarios.

B.

Implement loT device monitoring software.

C.

Introduce controls to the new threat environment.

D.

Engage external security reviews.

Buy Now
Questions 438

When developing risk scenario using a list of generic scenarios based on industry best practices, it is MOST imported to:

Options:

A.

Assess generic risk scenarios with business users.

B.

Validate the generic risk scenarios for relevance.

C.

Select the maximum possible risk scenarios from the list.

D.

Identify common threats causing generic risk scenarios

Buy Now
Questions 439

An organization control environment is MOST effective when:

Options:

A.

control designs are reviewed periodically

B.

controls perform as intended.

C.

controls are implemented consistently.

D.

controls operate efficiently

Buy Now
Questions 440

An organization has agreed to a 99% availability for its online services and will not accept availability that falls below 98.5%. This is an example of:

Options:

A.

risk mitigation.

B.

risk evaluation.

C.

risk appetite.

D.

risk tolerance.

Buy Now
Questions 441

An organization has completed a risk assessment of one of its service providers. Who should be accountable for ensuring that risk responses are implemented?

Options:

A.

IT risk practitioner

B.

Third -partf3ecurity team

C.

The relationship owner

D.

Legal representation of the business

Buy Now
Questions 442

Which of the following is the MOST important information to cover a business continuity awareness Ira nine, program for all employees of the organization?

Options:

A.

Recovery time objectives (RTOs)

B.

Segregation of duties

C.

Communication plan

D.

Critical asset inventory

Buy Now
Questions 443

Business management is seeking assurance from the CIO that IT has a plan in place for early identification of potential issues that could impact the delivery of a new application Which of the following is the BEST way to increase the chances of a successful delivery'?

Options:

A.

Implement a release and deployment plan

B.

Conduct comprehensive regression testing.

C.

Develop enterprise-wide key risk indicators (KRls)

D.

Include business management on a weekly risk and issues report

Buy Now
Questions 444

Which component of a software inventory BEST enables the identification and mitigation of known vulnerabilities?

Options:

A.

Software version

B.

Assigned software manager

C.

Software support contract expiration

D.

Software licensing information

Buy Now
Questions 445

Who should be responsible (of evaluating the residual risk after a compensating control has been

Options:

A.

Compliance manager

B.

Risk owner

C.

Control owner

D.

Risk practitioner

Buy Now
Questions 446

Which of the following would MOST likely require a risk practitioner to update the risk register?

Options:

A.

An alert being reported by the security operations center.

B.

Development of a project schedule for implementing a risk response

C.

Completion of a project for implementing a new control

D.

Engagement of a third party to conduct a vulnerability scan

Buy Now
Questions 447

Which of the following is the BEST approach for an organization in a heavily regulated industry to comprehensively test application functionality?

Options:

A.

Use production data in a non-production environment

B.

Use masked data in a non-production environment

C.

Use test data in a production environment

D.

Use anonymized data in a non-production environment

Buy Now
Questions 448

The following is the snapshot of a recently approved IT risk register maintained by an organization's information security department.

After implementing countermeasures listed in ‘’Risk Response Descriptions’’ for each of the Risk IDs, which of the following component of the register MUST change?

Options:

A.

Risk Impact Rating

B.

Risk Owner

C.

Risk Likelihood Rating

D.

Risk Exposure

Buy Now
Questions 449

Which of the following is the MOST important reason to validate that risk responses have been executed as outlined in the risk response plan''

Options:

A.

To ensure completion of the risk assessment cycle

B.

To ensure controls arc operating effectively

C.

To ensure residual risk Is at an acceptable level

D.

To ensure control costs do not exceed benefits

Buy Now
Questions 450

An organization has experienced a cyber-attack that exposed customer personally identifiable information (Pll) and caused extended outages of network services. Which of the following stakeholders are MOST important to include in the cyber response team to determine response actions?

Options:

A.

Security control owners based on control failures

B.

Cyber risk remediation plan owners

C.

Risk owners based on risk impact

D.

Enterprise risk management (ERM) team

Buy Now
Questions 451

Which of the following findings of a security awareness program assessment would cause the GREATEST concern to a risk practitioner?

Options:

A.

The program has not decreased threat counts.

B.

The program has not considered business impact.

C.

The program has been significantly revised

D.

The program uses non-customized training modules.

Buy Now
Questions 452

Which of the following BEST helps to identify significant events that could impact an organization?

Options:

A.

Control analysis

B.

Vulnerability analysis

C.

Scenario analysis

D.

Heat map analysis

Buy Now
Questions 453

What should be the PRIMARY consideration related to data privacy protection when there are plans for a business initiative to make use of personal information?

Options:

A.

Do not collect or retain data that is not needed.

B.

Redact data where possible.

C.

Limit access to the personal data.

D.

Ensure all data is encrypted at rest and during transit.

Buy Now
Questions 454

An internal audit report reveals that a legacy system is no longer supported Which of the following is the risk practitioner's MOST important action before recommending a risk response'

Options:

A.

Review historical application down me and frequency

B.

Assess the potential impact and cost of mitigation

C.

identify other legacy systems within the organization

D.

Explore the feasibility of replacing the legacy system

Buy Now
Questions 455

Which of the following is the PRIMARY reason for a risk practitioner to review an organization's IT asset inventory?

Options:

A.

To plan for the replacement of assets at the end of their life cycles

B.

To assess requirements for reducing duplicate assets

C.

To understand vulnerabilities associated with the use of the assets

D.

To calculate mean time between failures (MTBF) for the assets

Buy Now
Questions 456

Which of the following is the BEST indication that key risk indicators (KRls) should be revised?

Options:

A.

A decrease in the number of critical assets covered by risk thresholds

B.

An Increase In the number of risk threshold exceptions

C.

An increase in the number of change events pending management review

D.

A decrease In the number of key performance indicators (KPls)

Buy Now
Questions 457

An organization's chief information officer (CIO) has proposed investing in a new. untested technology to take advantage of being first to market Senior management has concerns about the success of the project and has set a limit for expenditures before final approval. This conditional approval indicates the organization's risk:

Options:

A.

capacity.

B.

appetite.

C.

management capability.

D.

treatment strategy.

Buy Now
Questions 458

An organization recently configured a new business division Which of the following is MOST likely to be affected?

Options:

A.

Risk profile

B.

Risk culture

C.

Risk appetite

D.

Risk tolerance

Buy Now
Questions 459

After entering a large number of low-risk scenarios into the risk register, it is MOST important for the risk practitioner to:

Options:

A.

prepare a follow-up risk assessment.

B.

recommend acceptance of the risk scenarios.

C.

reconfirm risk tolerance levels.

D.

analyze changes to aggregate risk.

Buy Now
Questions 460

Which of the following would provide the MOST helpful input to develop risk scenarios associated with hosting an organization's key IT applications in a cloud environment?

Options:

A.

Reviewing the results of independent audits

B.

Performing a site visit to the cloud provider's data center

C.

Performing a due diligence review

D.

Conducting a risk workshop with key stakeholders

Buy Now
Questions 461

Which of the following would MOST effectively reduce risk associated with an increase of online transactions on a retailer website?

Options:

A.

Scalable infrastructure

B.

A hot backup site

C.

Transaction limits

D.

Website activity monitoring

Buy Now
Questions 462

The BEST key performance indicator (KPI) to measure the effectiveness of the security patching process is the percentage of patches installed:

Options:

A.

by the security administration team.

B.

successfully within the expected time frame.

C.

successfully during the first attempt.

D.

without causing an unplanned system outage.

Buy Now
Questions 463

A newly incorporated enterprise needs to secure its information assets From a governance perspective which of the following should be done FIRST?

Options:

A.

Define information retention requirements and policies

B.

Provide information security awareness training

C.

Establish security management processes and procedures

D.

Establish an inventory of information assets

Buy Now
Questions 464

When defining thresholds for control key performance indicators (KPIs). it is MOST helpful to align:

Options:

A.

information risk assessments with enterprise risk assessments.

B.

key risk indicators (KRIs) with risk appetite of the business.

C.

the control key performance indicators (KPIs) with audit findings.

D.

control performance with risk tolerance of business owners.

Buy Now
Questions 465

Which of the following would be a risk practitioner's BEST course of action when a project team has accepted a risk outside the established risk appetite?

Options:

A.

Reject the risk acceptance and require mitigating controls.

B.

Monitor the residual risk level of the accepted risk.

C.

Escalate the risk decision to the project sponsor for review.

D.

Document the risk decision in the project risk register.

Buy Now
Questions 466

Which of the following is the MOST important consideration for effectively maintaining a risk register?

Options:

A.

An IT owner is assigned for each risk scenario.

B.

The register is updated frequently.

C.

The register is shared with executive management.

D.

Compensating controls are identified.

Buy Now
Questions 467

In order to determining a risk is under-controlled the risk practitioner will need to

Options:

A.

understand the risk tolerance

B.

monitor and evaluate IT performance

C.

identify risk management best practices

D.

determine the sufficiency of the IT risk budget

Buy Now
Questions 468

Who is BEST suited to provide objective input when updating residual risk to reflect the results of control effectiveness?

Options:

A.

Control owner

B.

Risk owner

C.

Internal auditor

D.

Compliance manager

Buy Now
Questions 469

Which of the following would be the result of a significant increase in the motivation of a malicious threat actor?

Options:

A.

Increase in mitigating control costs

B.

Increase in risk event impact

C.

Increase in risk event likelihood

D.

Increase in cybersecurity premium

Buy Now
Questions 470

Which of the following BEST reduces the risk associated with the theft of a laptop containing sensitive information?

Options:

A.

Cable lock

B.

Data encryption

C.

Periodic backup

D.

Biometrics access control

Buy Now
Questions 471

Which of the following is MOST helpful in providing a high-level overview of current IT risk severity*?

Options:

A.

Risk mitigation plans

B.

heat map

C.

Risk appetite statement

D.

Key risk indicators (KRls)

Buy Now
Questions 472

Which of the following is MOST important to determine when assessing the potential risk exposure of a loss event involving personal data?

Options:

A.

The cost associated with incident response activitiesThe composition and number of records in the information asset

B.

The maximum levels of applicable regulatory fines

C.

The length of time between identification and containment of the incident

Buy Now
Exam Code: CRISC
Exam Name: Certified in Risk and Information Systems Control
Last Update: Apr 1, 2025
Questions: 1575
CRISC pdf

CRISC PDF

$25.5  $84.99
CRISC Engine

CRISC Testing Engine

$30  $99.99
CRISC PDF + Engine

CRISC PDF + Testing Engine

$40.5  $134.99