Month End Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: cramtick70

CRISC Certified in Risk and Information Systems Control Questions and Answers

Questions 4

Which of the following would BEST mitigate an identified risk scenario?

Options:

A.

Conducting awareness training

B.

Executing a risk response plan

C.

Establishing an organization's risk tolerance

D.

Performing periodic audits

Buy Now
Questions 5

A risk practitioner has been notified of a social engineering attack using artificial intelligence (AI) technology to impersonate senior management personnel. Which of the following would BEST mitigate the impact of such attacks?

Options:

A.

Subscription to data breach monitoring sites

B.

Suspension and takedown of malicious domains or accounts

C.

Increased monitoring of executive accounts

D.

Training and awareness of employees for increased vigilance

Buy Now
Questions 6

While reviewing an organization's monthly change management metrics, a risk practitioner notes that the number of emergency changes has increased substantially Which of the following would be the BEST approach for the risk practitioner to take?

Options:

A.

Temporarily suspend emergency changes.

B.

Document the control deficiency in the risk register.

C.

Conduct a root cause analysis.

D.

Continue monitoring change management metrics.

Buy Now
Questions 7

Which of the following presents the GREATEST security risk associated with Internet of Things (IoT) technology?

Options:

A.

The inability to monitor via network management solutions

B.

The lack of relevant IoT security frameworks to guide the risk assessment process

C.

The heightened level of IoT threats via the widespread use of smart devices

D.

The lack of updates for vulnerable firmware

Buy Now
Questions 8

Which of the following should be initiated when a high number of noncompliant conditions are observed during review of a control procedure?

Options:

A.

Disciplinary action

B.

A control self-assessment

C.

A review of the awareness program

D.

Root cause analysis

Buy Now
Questions 9

An organization's senior management is considering whether to acquire cyber insurance. Which of the following is the BEST way for the risk practitioner to enable management’s decision?

Options:

A.

Perform a cost-benefit analysis.

B.

Conduct a SWOT analysis.

C.

Provide data on the number of risk events from the last year.

D.

Report on recent losses experienced by industry peers.

Buy Now
Questions 10

Which of the following approaches BEST identifies information systems control deficiencies?

Options:

A.

Countermeasures analysis

B.

Best practice assessment

C.

Gap analysis

D.

Risk assessment

Buy Now
Questions 11

Improvements in the design and implementation of a control will MOST likely result in an update to:

Options:

A.

inherent risk.

B.

residual risk.

C.

risk appetite

D.

risk tolerance

Buy Now
Questions 12

The patch management process is MOST effectively monitored through which of the following key control indicators (KCIs)?

Options:

A.

Number of legacy servers out of support

B.

Percentage of patches deployed within the target time frame

C.

Number of patches deployed outside of business hours

D.

Percentage of patched systems tested

Buy Now
Questions 13

Which of the following is MOST important to determine when assessing the potential risk exposure of a loss event involving personal data?

Options:

A.

The cost associated with incident response activitiesThe composition and number of records in the information asset

B.

The maximum levels of applicable regulatory fines

C.

The length of time between identification and containment of the incident

Buy Now
Questions 14

Which of the following would present the GREATEST challenge for a risk practitioner during a merger of two organizations?

Options:

A.

Variances between organizational risk appetites

B.

Different taxonomies to categorize risk scenarios

C.

Disparate platforms for governance, risk, and compliance (GRC) systems

D.

Dissimilar organizational risk acceptance protocols

Buy Now
Questions 15

Which of the following BEST enables the identification of trends in risk levels?

Options:

A.

Correlation between risk levels and key risk indicators (KRIs) is positive.

B.

Measurements for key risk indicators (KRIs) are repeatable

C.

Quantitative measurements are used for key risk indicators (KRIs).

D.

Qualitative definitions for key risk indicators (KRIs) are used.

Buy Now
Questions 16

Which of the following is necessary to enable an IT risk register to be consolidated with the rest of the organization’s risk register?

Options:

A.

Risk taxonomy

B.

Risk response

C.

Risk appetite

D.

Risk ranking

Buy Now
Questions 17

What should a risk practitioner do FIRST when vulnerability assessment results identify a weakness in an application?

Options:

A.

Review regular control testing results.

B.

Recommend a penetration test.

C.

Assess the risk to determine mitigation needed.

D.

Analyze key performance indicators (KPIs).

Buy Now
Questions 18

Which of the following is the MOST important reason to create risk scenarios?

Options:

A.

To assist with risk identification

B.

To determine risk tolerance

C.

To determine risk appetite

D.

To assist in the development of risk responses

Buy Now
Questions 19

Which of the following BEST protects an organization against breaches when using a software as a service (SaaS) application?

Options:

A.

Control self-assessment (CSA)

B.

Security information and event management (SIEM) solutions

C.

Data privacy impact assessment (DPIA)

D.

Data loss prevention (DLP) tools

Buy Now
Questions 20

Which of the following BEST assists in justifying an investment in automated controls?

Options:

A.

Cost-benefit analysis

B.

Alignment of investment with risk appetite

C.

Elimination of compensating controls

D.

Reduction in personnel costs

Buy Now
Questions 21

Which of the following provides the MOST useful information for developing key risk indicators (KRIs)?

Options:

A.

Business impact analysis (BIA) results

B.

Risk scenario ownership

C.

Risk thresholds

D.

Possible causes of materialized risk

Buy Now
Questions 22

To enable effective risk governance, it is MOST important for senior management to:

Options:

A.

Ensure the IT governance framework is up to date.

B.

Communicate the risk management strategy across the organization.

C.

Gain a clear understanding of business risk and related ownership.

D.

Ensure security policies and procedures are documented.

Buy Now
Questions 23

Which of the following provides the BEST evidence that a selected risk treatment plan is effective?

Options:

A.

Identifying key risk indicators (KRIs)

B.

Evaluating the return on investment (ROI)

C.

Evaluating the residual risk level

D.

Performing a cost-benefit analysis

Buy Now
Questions 24

What should a risk practitioner do FIRST when a shadow IT application is identified in a business owner's business impact analysis (BIA)?

Options:

A.

Include the application in the business continuity plan (BCP).

B.

Determine the business purpose of the application.

C.

Segregate the application from the network.

D.

Report the finding to management.

Buy Now
Questions 25

Which of the following should be the PRIMARY basis for deciding whether to disclose information related to risk events that impact external stakeholders?

Options:

A.

Stakeholder preferences

B.

Contractual requirements

C.

Regulatory requirements

D.

Management assertions

Buy Now
Questions 26

Key risk indicators (KRIs) are MOST useful during which of the following risk management phases?

Options:

A.

Monitoring

B.

Analysis

C.

Identification

D.

Response selection

Buy Now
Questions 27

When creating a separate IT risk register for a large organization, which of the following is MOST important to consider with regard to the existing corporate risk 'register?

Options:

A.

Leveraging business risk professionals

B.

Relying on generic IT risk scenarios

C.

Describing IT risk in business terms

D.

Using a common risk taxonomy

Buy Now
Questions 28

Determining if organizational risk is tolerable requires:

Options:

A.

mapping residual risk with cost of controls

B.

comparing against regulatory requirements

C.

comparing industry risk appetite with the organizations.

D.

understanding the organization's risk appetite.

Buy Now
Questions 29

When classifying and prioritizing risk responses, the areas to address FIRST are those with:

Options:

A.

low cost effectiveness ratios and high risk levels

B.

high cost effectiveness ratios and low risk levels.

C.

high cost effectiveness ratios and high risk levels

D.

low cost effectiveness ratios and low risk levels.

Buy Now
Questions 30

The MAIN purpose of having a documented risk profile is to:

Options:

A.

comply with external and internal requirements.

B.

enable well-informed decision making.

C.

prioritize investment projects.

D.

keep the risk register up-to-date.

Buy Now
Questions 31

Which of the following BEST facilities the alignment of IT risk management with enterprise risk management (ERM)?

Options:

A.

Adopting qualitative enterprise risk assessment methods

B.

Linking IT risk scenarios to technology objectives

C.

linking IT risk scenarios to enterprise strategy

D.

Adopting quantitative enterprise risk assessment methods

Buy Now
Questions 32

Which of the following is BEST measured by key control indicators (KCIs)?

Options:

A.

Historical trends of the organizational risk profile

B.

Cost efficiency of risk treatment plan projects

C.

Comprehensiveness of risk assessment procedures

D.

Effectiveness of organizational defense in depth

Buy Now
Questions 33

It is MOST important to the effectiveness of an IT risk management function that the associated processes are:

Options:

A.

aligned to an industry-accepted framework.

B.

reviewed and approved by senior management.

C.

periodically assessed against regulatory requirements.

D.

updated and monitored on a continuous basis.

Buy Now
Questions 34

Which of the following is the MOST reliable validation of a new control?

Options:

A.

Approval of the control by senior management

B.

Complete and accurate documentation of control objectives

C.

Control owner attestation of control effectiveness

D.

Internal audit review of control design

Buy Now
Questions 35

Which of the following is the MOST important component in a risk treatment plan?

Options:

A.

Technical details

B.

Target completion date

C.

Treatment plan ownership

D.

Treatment plan justification

Buy Now
Questions 36

What is the MOST important consideration when selecting key performance indicators (KPIs) for control monitoring?

Options:

A.

Source information is acquired at stable cost.

B.

Source information is tailored by removing outliers.

C.

Source information is readily quantifiable.

D.

Source information is consistently available.

Buy Now
Questions 37

Which of the following BEST facilitates the identification of appropriate key performance indicators (KPIs) for a risk management program?

Options:

A.

Reviewing control objectives

B.

Aligning with industry best practices

C.

Consulting risk owners

D.

Evaluating KPIs in accordance with risk appetite

Buy Now
Questions 38

Which of the following is the PRIMARY reason to conduct risk assessments at periodic intervals?

Options:

A.

To ensure emerging risk is identified and monitored

B.

To establish the maturity level of risk assessment processes

C.

To promote a risk-aware culture among staff

D.

To ensure risk trend data is collected and reported

Buy Now
Questions 39

A risk practitioner is organizing risk awareness training for senior management. Which of the following is the MOST important topic to cover in the training session?

Options:

A.

The organization's strategic risk management projects

B.

Senior management roles and responsibilities

C.

The organizations risk appetite and tolerance

D.

Senior management allocation of risk management resources

Buy Now
Questions 40

Which of the following should be the FIRST step when a company is made aware of new regulatory requirements impacting IT?

Options:

A.

Perform a gap analysis.

B.

Prioritize impact to the business units.

C.

Perform a risk assessment.

D.

Review the risk tolerance and appetite.

Buy Now
Questions 41

To reduce costs, an organization is combining the second and third tines of defense in a new department that reports to a recently appointed C-level executive. Which of the following is the GREATEST concern with this situation?

Options:

A.

The risk governance approach of the second and third lines of defense may differ.

B.

The independence of the internal third line of defense may be compromised.

C.

Cost reductions may negatively impact the productivity of other departments.

D.

The new structure is not aligned to the organization's internal control framework.

Buy Now
Questions 42

Which of the following is the MOST important enabler of effective risk management?

Options:

A.

User awareness of policies and procedures

B.

Implementation of proper controls

C.

Senior management support

D.

Continuous monitoring of threats and vulnerabilities

Buy Now
Questions 43

An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?

Options:

A.

Invoke the disaster recovery plan during an incident.

B.

Prepare a cost-benefit analysis of alternatives available

C.

Implement redundant infrastructure for the application.

D.

Reduce the recovery time by strengthening the response team.

Buy Now
Questions 44

Which of the following should be of GREATEST concern lo a risk practitioner reviewing the implementation of an emerging technology?

Options:

A.

Lack of alignment to best practices

B.

Lack of risk assessment

C.

Lack of risk and control procedures

D.

Lack of management approval

Buy Now
Questions 45

Calculation of the recovery time objective (RTO) is necessary to determine the:

Options:

A.

time required to restore files.

B.

point of synchronization

C.

priority of restoration.

D.

annual loss expectancy (ALE).

Buy Now
Questions 46

If concurrent update transactions to an account are not processed properly, which of the following will MOST likely be affected?

Options:

A.

Confidentiality

B.

Accountability

C.

Availability

D.

Integrity

Buy Now
Questions 47

A business manager wants to leverage an existing approved vendor solution from another area within the organization. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Recommend allowing the new usage based on prior approval.

B.

Request a new third-party review.

C.

Request revalidation of the original use case.

D.

Assess the risk associated with the new use case.

Buy Now
Questions 48

Which of the following is a business asset for an organization that runs only in a Software as a Service (SaaS) cloud computing environment?

Options:

A.

Hosted data

B.

Platforms

C.

Containers

D.

Security logs

Buy Now
Questions 49

Which of the following provides the BEST measurement of an organization's risk management maturity level?

Options:

A.

Level of residual risk

B.

The results of a gap analysis

C.

IT alignment to business objectives

D.

Key risk indicators (KRIs)

Buy Now
Questions 50

Which of the following would be a risk practitioner’s BEST recommendation upon learning of an updated cybersecurity regulation that could impact the organization?

Options:

A.

Perform a gap analysis

B.

Conduct system testing

C.

Implement compensating controls

D.

Update security policies

Buy Now
Questions 51

The PRIMARY objective of collecting information and reviewing documentation when performing periodic risk analysis should be to:

Options:

A.

Identify new or emerging risk issues.

B.

Satisfy audit requirements.

C.

Survey and analyze historical risk data.

D.

Understand internal and external threat agents.

Buy Now
Questions 52

Which of the following is MOST helpful to review when identifying risk scenarios associated with the adoption of Internet of Things (loT) technology in an organization?

Options:

A.

The business case for the use of loT

B.

The loT threat landscape

C.

Policy development for loT

D.

The network that loT devices can access

Buy Now
Questions 53

What is a risk practitioner's BEST approach to monitor and measure how quickly an exposure to a specific risk can affect the organization?

Options:

A.

Create an asset valuation report.

B.

Create key performance indicators (KPls).

C.

Create key risk indicators (KRIs).

D.

Create a risk volatility report.

Buy Now
Questions 54

What should be the PRIMARY driver for periodically reviewing and adjusting key risk indicators (KRIs)?

Options:

A.

Risk impact

B.

Risk likelihood

C.

Risk appropriate

D.

Control self-assessments (CSAs)

Buy Now
Questions 55

Which of the following is the MOST common concern associated with outsourcing to a service provider?

Options:

A.

Lack of technical expertise

B.

Combining incompatible duties

C.

Unauthorized data usage

D.

Denial of service attacks

Buy Now
Questions 56

Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data?

Options:

A.

Testing the transmission of credit card numbers

B.

Reviewing logs for unauthorized data transfers

C.

Configuring the DLP control to block credit card numbers

D.

Testing the DLP rule change control process

Buy Now
Questions 57

Of the following, who is accountable for ensuing the effectiveness of a control to mitigate risk?

Options:

A.

Control owner

B.

Risk manager

C.

Control operator

D.

Risk treatment owner

Buy Now
Questions 58

An information system for a key business operation is being moved from an in-house application to a Software as a Service (SaaS) vendor. Which of the following will have the GREATEST impact on the ability to monitor risk?

Options:

A.

Reduced ability to evaluate key risk indicators (KRIs)

B.

Reduced access to internal audit reports

C.

Dependency on the vendor's key performance indicators (KPIs)

D.

Dependency on service level agreements (SLAs)

Buy Now
Questions 59

Which of the following should be the PRIMARY consideration when assessing the automation of control monitoring?

Options:

A.

impact due to failure of control

B.

Frequency of failure of control

C.

Contingency plan for residual risk

D.

Cost-benefit analysis of automation

Buy Now
Questions 60

Which of the following BEST represents a critical threshold value for a key control indicator (KCI)?

Options:

A.

The value at which control effectiveness would fail

B.

Thresholds benchmarked to peer organizations

C.

A typical operational value

D.

A value that represents the intended control state

Buy Now
Questions 61

Options:

A.

Develop policies with less restrictive requirements to ensure consistency across the organization.

B.

Develop a global policy to be applied uniformly by each country.

C.

Develop country-specific policies to address local regulations.

D.

Develop a global policy that accommodates country-specific requirements.

Buy Now
Questions 62

What is the PRIMARY reason an organization should include background checks on roles with elevated access to production as part of its hiring process?

Options:

A.

Reduce internal threats

B.

Reduce exposure to vulnerabilities

C.

Eliminate risk associated with personnel

D.

Ensure new hires have the required skills

Buy Now
Questions 63

Which of the following should be the PRIMARY basis for establishing a priority sequence when restoring business processes after a disruption?

Options:

A.

Recovery Time Objective (RTO)

B.

Mean Time to Recover (MTTR)

C.

Mean Time Between Failures (MTBF)

D.

Recovery Point Objective (RPO)

Buy Now
Questions 64

The MAIN goal of the risk analysis process is to determine the:

Options:

A.

potential severity of impact

B.

frequency and magnitude of loss

C.

control deficiencies

D.

threats and vulnerabilities

Buy Now
Questions 65

Which of the following should be the PRIMARY objective of a risk awareness training program?

Options:

A.

To enable risk-based decision making

B.

To promote awareness of the risk governance function

C.

To clarify fundamental risk management principles

D.

To ensure sufficient resources are available

Buy Now
Questions 66

When reviewing management's IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?

Options:

A.

Assess management's risk tolerance.

B.

Recommend management accept the low-risk scenarios.

C.

Propose mitigating controls

D.

Re-evaluate the risk scenarios associated with the control

Buy Now
Questions 67

An organization is unable to implement a multi-factor authentication requirement until the next fiscal year due to budget constraints. Consequently, a policy exception must be submitted. Which of the following is MOST important to include in the analysis of the exception?

Options:

A.

Sections of the policy that may justify not implementing the requirement

B.

Risk associated with the inability to implement the requirement

C.

Budget justification to implement the new requirement during the current year

D.

Industry best practices with respect to implementation of the proposed control

Buy Now
Questions 68

Establishing and organizational code of conduct is an example of which type of control?

Options:

A.

Preventive

B.

Directive

C.

Detective

D.

Compensating

Buy Now
Questions 69

An organization recently experienced a cyber attack that resulted in the loss of confidential customer data. Which of the following is the risk practitioner's BEST recommendation after recovery steps have been completed?

Options:

A.

Develop new key risk indicators (KRIs).

B.

Perform a root cause analysis.

C.

Recommend the purchase of cyber insurance.

D.

Review the incident response plan.

Buy Now
Questions 70

Which of the following BEST supports ethical IT risk management practices?

Options:

A.

Robust organizational communication channels

B.

Mapping of key risk indicators (KRIs) to corporate strategy

C.

Capability maturity models integrated with risk management frameworks

D.

Rigorously enforced operational service level agreements (SLAs)

Buy Now
Questions 71

Which of the following risk register updates is MOST important for senior management to review?

Options:

A.

Extending the date of a future action plan by two months

B.

Retiring a risk scenario no longer used

C.

Avoiding a risk that was previously accepted

D.

Changing a risk owner

Buy Now
Questions 72

A risk practitioner has collaborated with subject matter experts from the IT department to develop a large list of potential key risk indicators (KRIs) for all IT operations within theorganization of the following, who should review the completed list and select the appropriate KRIs for implementation?

Options:

A.

IT security managers

B.

IT control owners

C.

IT auditors

D.

IT risk owners

Buy Now
Questions 73

Which of the following is the PRIMARY objective of aggregating the impact of IT risk scenarios and reflecting the results in the enterprise risk register?

Options:

A.

To ensure IT risk appetite is communicated across the organization

B.

To ensure IT risk impact can be compared to the IT risk appetite

C.

To ensure IT risk ownership is assigned at the appropriate organizational level

D.

To ensure IT risk scenarios are consistently assessed within the organization

Buy Now
Questions 74

An organization has established a single enterprise-wide risk register that records high-level risk scenarios. The IT risk department has created its own register to record more granular scenarios applicable to IT. Which of the following is the BEST way to ensure alignment between these two registers?

Options:

A.

Map the granular risk scenarios to the high-level risk register items.

B.

List application and server vulnerabilities in the IT risk register.

C.

Identify overlapping risk scenarios between the two registers.

D.

Maintain both high-level and granular risk scenarios in a single register.

Buy Now
Questions 75

Which of the following is the GREATEST risk associated with inappropriate classification of data?

Options:

A.

Inaccurate record management data

B.

Inaccurate recovery time objectives (RTOs)

C.

Lack of accountability for data ownership

D.

Users having unauthorized access to data

Buy Now
Questions 76

Which of the following is the MOST important responsibility of a risk owner?

Options:

A.

Testing control design

B.

Accepting residual risk

C.

Establishing business information criteria

D.

Establishing the risk register

Buy Now
Questions 77

A newly incorporated enterprise needs to secure its information assets From a governance perspective which of the following should be done FIRST?

Options:

A.

Define information retention requirements and policies

B.

Provide information security awareness training

C.

Establish security management processes and procedures

D.

Establish an inventory of information assets

Buy Now
Questions 78

An IT risk practitioner has been tasked to engage key stakeholders to assess risk for key IT risk scenarios. Which of the following is the PRIMARY benefit of this activity?

Options:

A.

Establishing the available risk mitigation budget

B.

Verifying the relevance of risk ratings

C.

Demonstrating compliance to regulatory bodies

D.

Assessing IT risk management culture

Buy Now
Questions 79

Which of the following is the BEST criterion to determine whether higher residual risk ratings in the risk register should be accepted?

Options:

A.

Risk maturity

B.

Risk policy

C.

Risk appetite

D.

Risk culture

Buy Now
Questions 80

Which of the following would BEST help an enterprise define and communicate its risk appetite?

Options:

A.

Gap analysis

B.

Risk assessment

C.

Heat map

D.

Risk register

Buy Now
Questions 81

When determining risk ownership, the MAIN consideration should be:

Options:

A.

who owns the business process.

B.

the amount of residual risk.

C.

who is responsible for risk mitigation.

D.

the total cost of risk treatment.

Buy Now
Questions 82

Which of the following scenarios is MOST important to communicate to senior management?

Options:

A.

Accepted risk scenarios with detailed plans for monitoring

B.

Risk scenarios that have been shared with vendors and third parties

C.

Accepted risk scenarios with impact exceeding the risk tolerance

D.

Risk scenarios that have been identified, assessed, and responded to by the risk owners

Buy Now
Questions 83

Which of the following BEST informs decision-makers about the value of a notice and consent control for the collection of personal information?

Options:

A.

A comparison of the costs of notice and consent control options

B.

Examples of regulatory fines incurred by industry peers for noncompliance

C.

A report of critical controls showing the importance of notice and consent

D.

A cost-benefit analysis of the control versus probable legal action

Buy Now
Questions 84

An organization has an internal control that requires all access for employees be removed within 15 days of their termination date. Which of the following should the risk practitioner use to monitor

adherence to the 15-day threshold?

Options:

A.

Operation level agreement (OLA)

B.

Service level agreement (SLA)

C.

Key performance indicator (KPI)

D.

Key risk indicator (KRI)

Buy Now
Questions 85

Which of the following BEST enforces access control for an organization that uses multiple cloud technologies?

Options:

A.

Senior management support of cloud adoption strategies

B.

Creation of a cloud access risk management policy

C.

Adoption of a cloud access security broker (CASB) solution

D.

Expansion of security information and event management (SIEM) to cloud services

Buy Now
Questions 86

Options:

A.

Some risk remediation activities from the last assessment are still in progress.

B.

The risk scenarios have never been updated.

C.

The risk scenario development process was led by an external consultant.

D.

The number of risk scenarios is very high.

Buy Now
Questions 87

Which of the following is the MOST important for an organization to have in place to ensure IT asset protection?

Options:

A.

Procedures for risk assessments on IT assets

B.

An IT asset management checklist

C.

An IT asset inventory populated by an automated scanning tool

D.

A plan that includes processes for the recovery of IT assets

Buy Now
Questions 88

Which of the following would BEST enable a risk practitioner to embed risk management within the organization?

Options:

A.

Provide risk management feedback to key stakeholders.

B.

Collect and analyze risk data for report generation.

C.

Monitor and prioritize risk data according to the heat map.

D.

Engage key stakeholders in risk management practices.

Buy Now
Questions 89

An organization is adopting block chain for a new financial system. Which of the following should be the GREATEST concern for a risk practitioner evaluating the system's production readiness?

Options:

A.

Limited organizational knowledge of the underlying technology

B.

Lack of commercial software support

C.

Varying costs related to implementation and maintenance

D.

Slow adoption of the technology across the financial industry

Buy Now
Questions 90

Which of the following is the MOST important consideration when selecting key risk indicators (KRIs) to monitor risk trends over time?

Options:

A.

Ongoing availability of data

B.

Ability to aggregate data

C.

Ability to predict trends

D.

Availability of automated reporting systems

Buy Now
Questions 91

The design of procedures to prevent fraudulent transactions within an enterprise resource planning (ERP) system should be based on:

Options:

A.

stakeholder risk tolerance.

B.

benchmarking criteria.

C.

suppliers used by the organization.

D.

the control environment.

Buy Now
Questions 92

Which of the following is MOST important to include when reporting the effectiveness of risk management to senior management?

Options:

A.

Changes in the organization's risk appetite and risk tolerance levels

B.

Impact due to changes in external and internal risk factors

C.

Changes in residual risk levels against acceptable levels

D.

Gaps in best practices and implemented controls across the industry

Buy Now
Questions 93

Which of the following is the PRIMARY reason for conducting peer reviews of risk analysis?

Options:

A.

To enhance compliance with standards

B.

To minimize subjectivity of assessments

C.

To increase consensus among peers

D.

To provide assessments for benchmarking

Buy Now
Questions 94

An organization planning to transfer and store its customer data with an offshore cloud service provider should be PRIMARILY concerned with:

Options:

A.

data aggregation

B.

data privacy

C.

data quality

D.

data validation

Buy Now
Questions 95

Which of the following is the BEST indication of a mature organizational risk culture?

Options:

A.

Corporate risk appetite is communicated to staff members.

B.

Risk owners understand and accept accountability for risk.

C.

Risk policy has been published and acknowledged by employees.

D.

Management encourages the reporting of policy breaches.

Buy Now
Questions 96

A highly regulated enterprise is developing a new risk management plan to specifically address legal and regulatory risk scenarios What should be done FIRST by IT governance to support this effort?

Options:

A.

Request a regulatory risk reporting methodology

B.

Require critical success factors (CSFs) for IT risks.

C.

Establish IT-specific compliance objectives

D.

Communicate IT key risk indicators (KRIs) and triggers

Buy Now
Questions 97

Senior management wants to increase investment in the organization's cybersecurity program in response to changes in the external threat landscape. Which of the following would BEST help to prioritize investment efforts?

Options:

A.

Analyzing cyber intelligence reports

B.

Engaging independent cybersecurity consultants

C.

Increasing the frequency of updates to the risk register

D.

Reviewing the outcome of the latest security risk assessment

Buy Now
Questions 98

Which of the following issues found during the review of a newly created disaster recovery plan (DRP) should be of MOST concern?

Options:

A.

Some critical business applications are not included in the plan

B.

Several recovery activities will be outsourced

C.

The plan is not based on an internationally recognized framework

D.

The chief information security officer (CISO) has not approved the plan

Buy Now
Questions 99

Which of the following BEST enables effective IT control implementation?

Options:

A.

Key risk indicators (KRIs)

B.

Documented procedures

C.

Information security policies

D.

Information security standards

Buy Now
Questions 100

Which of the following would MOST likely cause management to unknowingly accept excessive risk?

Options:

A.

Satisfactory audit results

B.

Risk tolerance being set too low

C.

Inaccurate risk ratings

D.

Lack of preventive controls

Buy Now
Questions 101

Which of the following is MOST helpful to management when determining the resources needed to mitigate a risk?

Options:

A.

An internal audit

B.

A heat map

C.

A business impact analysis (BIA)

D.

A vulnerability report

Buy Now
Questions 102

When of the following standard operating procedure (SOP) statements BEST illustrates appropriate risk register maintenance?

Options:

A.

Remove risk that has been mitigated by third-party transfer

B.

Remove risk that management has decided to accept

C.

Remove risk only following a significant change in the risk environment

D.

Remove risk when mitigation results in residual risk within tolerance levels

Buy Now
Questions 103

An organization recently implemented an automated interface for uploading payment files to its banking system to replace manual processing. Which of the following elements of the risk register is MOST appropriate for the risk practitioner to update to reflect the improved control?

Options:

A.

Risk scenarios

B.

Risk ownership

C.

Risk impact

D.

Risk likelihood

Buy Now
Questions 104

A multinational company needs to implement a new centralized security system. The risk practitioner has identified a conflict between the organization's data-handling policy and local privacy regulations. Which of the following would be the BEST recommendation?

Options:

A.

Request a policy exception from senior management.

B.

Comply with the organizational policy.

C.

Report the noncompliance to the local regulatory agency.

D.

Request an exception from the local regulatory agency.

Buy Now
Questions 105

The BEST way to test the operational effectiveness of a data backup procedure is to:

Options:

A.

conduct an audit of files stored offsite.

B.

interview employees to compare actual with expected procedures.

C.

inspect a selection of audit trails and backup logs.

D.

demonstrate a successful recovery from backup files.

Buy Now
Questions 106

Which of the following techniques is MOST helpful when quantifying the potential loss impact of cyber risk?

Options:

A.

Cost-benefit analysis

B.

Penetration testing

C.

Business impact analysis (BIA)

D.

Security assessment

Buy Now
Questions 107

Which of the following would BEST facilitate the maintenance of data classification requirements?

Options:

A.

Scheduling periodic audits

B.

Assigning a data custodian

C.

Implementing technical controls over the assets

D.

Establishing a data loss prevention (DLP) solution

Buy Now
Questions 108

Which of the following is the MOST important element of a successful risk awareness training program?

Options:

A.

Customizing content for the audience

B.

Providing incentives to participants

C.

Mapping to a recognized standard

D.

Providing metrics for measurement

Buy Now
Questions 109

Which of the following stakeholders define risk tolerance for an enterprise?

Options:

A.

IT compliance and IT audit

B.

Regulators and shareholders

C.

The board and executive management

D.

Enterprise risk management (ERM)

Buy Now
Questions 110

Who should be responsible for approving the cost of controls to be implemented for mitigating risk?

Options:

A.

Risk practitioner

B.

Risk owner

C.

Control owner

D.

Control implementer

Buy Now
Questions 111

Which of the following risk scenarios would be the GREATEST concern as a result of a single sign-on implementation?

Options:

A.

User access may be restricted by additional security.

B.

Unauthorized access may be gained to multiple systems.

C.

Security administration may become more complex.

D.

User privilege changes may not be recorded.

Buy Now
Questions 112

When evaluating enterprise IT risk management it is MOST important to:

Options:

A.

create new control processes to reduce identified IT risk scenarios

B.

confirm the organization’s risk appetite and tolerance

C.

report identified IT risk scenarios to senior management

D.

review alignment with the organization's investment plan

Buy Now
Questions 113

While reviewing a contract of a cloud services vendor, it was discovered that the vendor refuses to accept liability for a sensitive data breach. Which of the following controls will BES reduce the risk associated with such a data breach?

Options:

A.

Ensuring the vendor does not know the encryption key

B.

Engaging a third party to validate operational controls

C.

Using the same cloud vendor as a competitor

D.

Using field-level encryption with a vendor supplied key

Buy Now
Questions 114

Which of the following provides the MOST useful information to determine risk exposure following control implementations?

Options:

A.

Strategic plan and risk management integration

B.

Risk escalation and process for communication

C.

Risk limits, thresholds, and indicators

D.

Policies, standards, and procedures

Buy Now
Questions 115

Which of the following provides the BEST evidence that robust risk management practices are in place within an organization?

Options:

A.

A management-approved risk dashboard

B.

A current control framework

C.

A regularly updated risk register

D.

Regularly updated risk management procedures

Buy Now
Questions 116

Which of the following outcomes of disaster recovery planning is MOST important to enable the initiation of necessary actions during a disaster?

Options:

A.

Definition of disaster recovery plan (DRP) scope and key stakeholders

B.

Recovery time and maximum acceptable data loss thresholds

C.

A checklist including equipment, location of data backups, and backup sites

D.

A list of business areas and critical functions subject to risk analysis

Buy Now
Questions 117

Senior management has asked a risk practitioner to develop technical risk scenarios related to a recently developed enterprise resource planning (ERP) system. These scenarios will be owned by the system manager. Which of the following would be the BEST method to use when developing the scenarios?

Options:

A.

Cause-and-effect diagram

B.

Delphi technique

C.

Bottom-up approach

D.

Top-down approach

Buy Now
Questions 118

From a business perspective, which of the following is the MOST important objective of a disaster recovery test?

Options:

A.

The organization gains assurance it can recover from a disaster

B.

Errors are discovered in the disaster recovery process.

C.

All business-critical systems are successfully tested.

D.

All critical data is recovered within recovery time objectives (RTOs).

Buy Now
Questions 119

Which of the following is the PRIMARY reason for a risk practitioner to report changes and trends in the IT risk profile to senior management?

Options:

A.

To ensure risk owners understand their responsibilities

B.

To ensure IT risk is managed within acceptable limits

C.

To ensure the organization complies with legal requirements

D.

To ensure the IT risk awareness program is effective

Buy Now
Questions 120

Which of the following would BEST mitigate the risk associated with reputational damage from inappropriate use of social media sites by employees?

Options:

A.

Validating employee social media accounts and passwords

B.

Monitoring Internet usage on employee workstations

C.

Disabling social media access from the organization's technology

D.

Implementing training and awareness programs

Buy Now
Questions 121

Which of the following is the MOST effective way to help ensure future risk levels do not exceed the organization's risk appetite?

Options:

A.

Developing contingency plans for key processes

B.

Implementing key performance indicators (KPIs)

C.

Adding risk triggers to entries in the risk register

D.

Establishing a series of key risk indicators (KRIs)

Buy Now
Questions 122

Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?

Options:

A.

Risk tolerance is decreased.

B.

Residual risk is increased.

C.

Inherent risk is increased.

D.

Risk appetite is decreased

Buy Now
Questions 123

Who should be responsible for implementing and maintaining security controls?

Options:

A.

End user

B.

Internal auditor

C.

Data owner

D.

Data custodian

Buy Now
Questions 124

A risk practitioner is involved in a comprehensive overhaul of the organizational risk management program. Which of the following should be reviewed FIRST to help identify relevant IT risk scenarios?

Options:

A.

Technology threats

B.

IT assets

C.

Security vulnerabilities

D.

IT risk register

Buy Now
Questions 125

Which of the following is MOST important information to review when developing plans for using emerging technologies?

Options:

A.

Existing IT environment

B.

IT strategic plan

C.

Risk register

D.

Organizational strategic plan

Buy Now
Questions 126

What should be the PRIMARY objective for a risk practitioner performing a post-implementation review of an IT risk mitigation project?

Options:

A.

Documenting project lessons learned

B.

Validating the risk mitigation project has been completed

C.

Confirming that the project budget was not exceeded

D.

Verifying that the risk level has been lowered

Buy Now
Questions 127

Within the risk management space, which of the following activities could be

delegated to a cloud service provider?

Options:

A.

Risk oversight

B.

Control implementation

C.

Incident response

D.

User access reviews

Buy Now
Questions 128

A control owner responsible for the access management process has developed a machine learning model to automatically identify excessive access privileges. What is the risk practitioner's BEST course of action?

Options:

A.

Review the design of the machine learning model against control objectives.

B.

Adopt the machine learning model as a replacement for current manual access reviews.

C.

Ensure the model assists in meeting regulatory requirements for access controls.

D.

Discourage the use of emerging technologies in key processes.

Buy Now
Questions 129

Which of the following BEST indicates that an organization's disaster recovery plan (DRP) will mitigate the risk of the organization failing to recover from a major service disruption?

Options:

A.

An experienced and certified disaster recovery team

B.

A record of quarterly disaster recovery tests

C.

A comprehensive list of critical applications

D.

A defined recovery point objective (RPO)

Buy Now
Questions 130

Which of the following is the MOST important input when developing risk scenarios?

Options:

A.

Key performance indicators

B.

Business objectives

C.

The organization's risk framework

D.

Risk appetite

Buy Now
Questions 131

Which of the following is the BEST approach for determining whether a risk action plan is effective?

Options:

A.

Comparing the remediation cost against budget

B.

Assessing changes in residual risk

C.

Assessing the inherent risk

D.

Monitoring changes of key performance indicators(KPIs)

Buy Now
Questions 132

Changes in which of the following would MOST likely cause a risk practitioner to adjust the risk impact rating in the risk register?

Options:

A.

Control effectiveness

B.

Risk appetite

C.

Control costs

D.

Risk tolerance

Buy Now
Questions 133

Which of the following is the GREATEST concern when using a generic set of IT risk scenarios for risk analysis?

Options:

A.

Quantitative analysis might not be possible.

B.

Risk factors might not be relevant to the organization

C.

Implementation costs might increase.

D.

Inherent risk might not be considered.

Buy Now
Questions 134

Which of the following is a KEY responsibility of the second line of defense?

Options:

A.

Implementing control activities

B.

Monitoring control effectiveness

C.

Conducting control self-assessments

D.

Owning risk scenarios

Buy Now
Questions 135

When determining the accuracy of a key risk indicator (KRI), it is MOST important that the indicator:

Options:

A.

is correlated to risk and tracks variances in the risk.

B.

is assigned to IT processes and projects with a low level of risk.

C.

has a high correlation with the process outcome.

D.

triggers response based on risk thresholds.

Buy Now
Questions 136

A service organization is preparing to adopt an IT control framework to comply with the contractual requirements of a new client. Which of the following would be MOST helpful to the risk practitioner?

Options:

A.

Negotiating terms of adoption

B.

Understanding the timeframe to implement

C.

Completing a gap analysis

D.

Initiating the conversion

Buy Now
Questions 137

During the initial risk identification process for a business application, it is MOST important to include which of the following stakeholders?

Options:

A.

Business process owners

B.

Business process consumers

C.

Application architecture team

D.

Internal audit

Buy Now
Questions 138

Which of the following would be MOST beneficial as a key risk indicator (KRI)?

Options:

A.

Current capital allocation reserves

B.

Negative security return on investment (ROI)

C.

Project cost variances

D.

Annualized loss projections

Buy Now
Questions 139

Owners of technical controls should be PRIMARILY accountable for ensuring the controls are:

Options:

A.

Mapped to the corresponding business areas.

B.

Aligned with corporate security policies.

C.

Effectively implemented and maintained.

D.

Designed based on standards and frameworks.

Buy Now
Questions 140

Within the three lines of defense model, the responsibility for managing risk and controls resides with:

Options:

A.

operational management.

B.

the risk practitioner.

C.

the internal auditor.

D.

executive management.

Buy Now
Questions 141

Which of the following is a risk practitioner's MOST important course of action when the level of risk has exceeded risk tolerance?

Options:

A.

Facilitate a review of risk tolerance levels

B.

Adjust the risk impact and likelihood scale

C.

Revise key risk indicator (KRI) thresholds

D.

Introduce the risk treatment process

Buy Now
Questions 142

A risk practitioner implemented a process to notify management of emergency changes that may not be approved. Which of the following is the BEST way to provide this information to management?

Options:

A.

Change logs

B.

Change management meeting minutes

C.

Key control indicators (KCIs)

D.

Key risk indicators (KRIs)

Buy Now
Questions 143

An organization has outsourced its billing function to an external service provider. Who should own the risk of customer data leakage caused by the service provider?

Options:

A.

The service provider

B.

Vendor risk manager

C.

Legal counsel

D.

Business process owner

Buy Now
Questions 144

Which of the following would be a risk practitioner's MOST important action upon learning that an IT control has failed?

Options:

A.

Implement a replacement control.

B.

Adjust residual risk rating.

C.

Escalate to senior management.

D.

Review compensating controls.

Buy Now
Questions 145

Which of the following is the GREATEST concern associated with redundant data in an organization's inventory system?

Options:

A.

Poor access control

B.

Unnecessary data storage usage

C.

Data inconsistency

D.

Unnecessary costs of program changes

Buy Now
Questions 146

Which of the following BEST supports the integration of IT risk management into an organization's strategic planning?

Options:

A.

Clearly defined organizational goals and objectives

B.

Incentive plans that reward employees based on IT risk metrics

C.

Regular organization-wide risk awareness training

D.

A comprehensive and documented IT risk management plan

Buy Now
Questions 147

When establishing leading indicators for the information security incident response process it is MOST important to consider the percentage of reported incidents:

Options:

A.

that results in a full root cause analysis.

B.

used for verification within the SLA.

C.

that are verified as actual incidents.

D.

resolved within the SLA.

Buy Now
Questions 148

An IT department has organized training sessions to improve user awareness of organizational information security policies. Which of the following is the BEST key performance indicator (KPI) to reflect effectiveness of the training?

Options:

A.

Number of training sessions completed

B.

Percentage of staff members who complete the training with a passing score

C.

Percentage of attendees versus total staff

D.

Percentage of staff members who attend the training with positive feedback

Buy Now
Questions 149

Which of the following is MOST important when determining risk appetite?

Options:

A.

Assessing regulatory requirements

B.

Benchmarking against industry standards

C.

Gaining management consensus

D.

Identifying risk tolerance

Buy Now
Questions 150

Which of the following is a risk practitioner's BEST recommendation to address an organization's need to secure multiple systems with limited IT resources?

Options:

A.

Apply available security patches.

B.

Schedule a penetration test.

C.

Conduct a business impact analysis (BIA)

D.

Perform a vulnerability analysis.

Buy Now
Questions 151

Which of the following BEST confirms the existence and operating effectiveness of information systems controls?

Options:

A.

Self-assessment questionnaires completed by management

B.

Review of internal audit and third-party reports

C.

Management review and sign-off on system documentation

D.

First-hand direct observation of the controls in operation

Buy Now
Questions 152

A global company s business continuity plan (BCP) requires the transfer of its customer information….

event of a disaster. Which of the following should be the MOST important risk consideration?

Options:

A.

The difference In the management practices between each company

B.

The cloud computing environment is shared with another company

C.

The lack of a service level agreement (SLA) in the vendor contract

D.

The organizational culture differences between each country

Buy Now
Questions 153

The MOST important reason to aggregate results from multiple risk assessments on interdependent information systems is to:

Options:

A.

establish overall impact to the organization

B.

efficiently manage the scope of the assignment

C.

identify critical information systems

D.

facilitate communication to senior management

Buy Now
Questions 154

Which of the following should be the PRIMARY focus of an IT risk awareness program?

Options:

A.

Ensure compliance with the organization's internal policies

B.

Cultivate long-term behavioral change.

C.

Communicate IT risk policy to the participants.

D.

Demonstrate regulatory compliance.

Buy Now
Questions 155

Of the following, who is responsible for approval when a change in an application system is ready for release to production?

Options:

A.

Information security officer

B.

IT risk manager

C.

Business owner

D.

Chief risk officer (CRO)

Buy Now
Questions 156

Which of the following presents the GREATEST privacy risk related to personal data processing for a global organization?

Options:

A.

Privacy risk awareness training has not been conducted across the organization.

B.

The organization has not incorporated privacy into its risk management framework.

C.

The organization allows staff with access to personal data to work remotely.

D.

Personal data processing occurs in an offshore location with a data sharing agreement.

Buy Now
Questions 157

Who is MOST appropriate to be assigned ownership of a control

Options:

A.

The individual responsible for control operation

B.

The individual informed of the control effectiveness

C.

The individual responsible for resting the control

D.

The individual accountable for monitoring control effectiveness

Buy Now
Questions 158

Which of the following would be MOST helpful to a risk owner when making risk-aware decisions?

Options:

A.

Risk exposure expressed in business terms

B.

Recommendations for risk response options

C.

Resource requirements for risk responses

D.

List of business areas affected by the risk

Buy Now
Questions 159

While evaluating control costs, management discovers that the annual cost exceeds the annual loss expectancy (ALE) of the risk. This indicates the:

Options:

A.

control is ineffective and should be strengthened

B.

risk is inefficiently controlled.

C.

risk is efficiently controlled.

D.

control is weak and should be removed.

Buy Now
Questions 160

The BEST indication that risk management is effective is when risk has been reduced to meet:

Options:

A.

risk levels.

B.

risk budgets.

C.

risk appetite.

D.

risk capacity.

Buy Now
Questions 161

Which of the following is the PRIMARY risk management responsibility of the third line of defense?

Options:

A.

Providing assurance of the effectiveness of risk management activities

B.

Providing guidance on the design of effective controls

C.

Providing advisory services on enterprise risk management (ERM)

D.

Providing benchmarking on other organizations' risk management programs

Buy Now
Questions 162

Which of the following would be MOST helpful to an information security management team when allocating resources to mitigate exposures?

Options:

A.

Relevant risk case studies

B.

Internal audit findings

C.

Risk assessment results

D.

Penetration testing results

Buy Now
Questions 163

Of the following, whose input is ESSENTIAL when developing risk scenarios for the implementation of a third-party mobile application that stores customer data?

Options:

A.

Information security manager

B.

IT vendor manager

C.

Business process owner

D.

IT compliance manager

Buy Now
Questions 164

Who is accountable for the process when an IT stakeholder operates a key control to address a risk scenario?

Options:

A.

Data custodian

B.

Risk owner

C.

System owner

D.

IT manager

Buy Now
Questions 165

A global organization is considering the transfer of its customer information systems to an overseas cloud service provider in the event of a disaster. Which of the following should be the MOST important risk consideration?

Options:

A.

Regulatory restrictions for cross-border data transfer

B.

Service level objectives in the vendor contract

C.

Organizational culture differences between each country

D.

Management practices within each company

Buy Now
Questions 166

The BEST reason to classify IT assets during a risk assessment is to determine the:

Options:

A.

priority in the risk register.

B.

business process owner.

C.

enterprise risk profile.

D.

appropriate level of protection.

Buy Now
Questions 167

Which of the following can be used to assign a monetary value to risk?

Options:

A.

Annual loss expectancy (ALE)

B.

Business impact analysis

C.

Cost-benefit analysis

D.

Inherent vulnerabilities

Buy Now
Questions 168

The PRIMARY reason for prioritizing risk scenarios is to:

Options:

A.

provide an enterprise-wide view of risk

B.

support risk response tracking

C.

assign risk ownership

D.

facilitate risk response decisions.

Buy Now
Questions 169

Which of the following emerging technologies is frequently used for botnet distributed denial of service (DDoS) attacks?

Options:

A.

Internet of Things (IoT)

B.

Quantum computing

C.

Virtual reality (VR)

D.

Machine learning

Buy Now
Questions 170

To ensure key risk indicators (KRIs) are effective and meaningful, the KRIs should be aligned to:

Options:

A.

A control framework

B.

Industry standards

C.

Capability maturity targets

D.

Business processes

Buy Now
Questions 171

Which of the following s MOST likely to deter an employee from engaging in inappropriate use of company owned IT systems?

Options:

A.

A centralized computer security response team

B.

Regular performance reviews and management check-ins

C.

Code of ethics training for all employees

D.

Communication of employee activity monitoring

Buy Now
Questions 172

Of the following, who is BEST suited to assist a risk practitioner in developing a relevant set of risk scenarios?

Options:

A.

Internal auditor

B.

Asset owner

C.

Finance manager

D.

Control owner

Buy Now
Questions 173

The PRIMARY reason to have risk owners assigned to entries in the risk register is to ensure:

Options:

A.

risk is treated appropriately

B.

mitigating actions are prioritized

C.

risk entries are regularly updated

D.

risk exposure is minimized.

Buy Now
Questions 174

What are the MOST important criteria to consider when developing a data classification scheme to facilitate risk assessment and the prioritization of risk mitigation activities?

Options:

A.

Mitigation and control value

B.

Volume and scope of data generated daily

C.

Business criticality and sensitivity

D.

Recovery point objective (RPO) and recovery time objective (RTO)

Buy Now
Questions 175

Which of the following is MOST important to consider when determining risk appetite?

Options:

A.

Service level agreements (SLAs)

B.

Risk heat map

C.

IT capacity

D.

Risk culture

Buy Now
Questions 176

Using key risk indicators (KRIs) to illustrate changes in the risk profile PRIMARILY helps to:

Options:

A.

communicate risk trends to stakeholders.

B.

assign ownership of emerging risk scenarios.

C.

highlight noncompliance with the risk policy

D.

identify threats to emerging technologies.

Buy Now
Questions 177

An organization retains footage from its data center security camera for 30 days when the policy requires 90-day retention The business owner challenges whether the situation is worth remediating Which of the following is the risk manager s BEST response'

Options:

A.

Identify the regulatory bodies that may highlight this gap

B.

Highlight news articles about data breaches

C.

Evaluate the risk as a measure of probable loss

D.

Verify if competitors comply with a similar policy

Buy Now
Questions 178

Which of the following is the GREATEST benefit of centralizing IT systems?

Options:

A.

Risk reporting

B.

Risk classification

C.

Risk monitoring

D.

Risk identification

Buy Now
Questions 179

Which of the following should be the MOST important consideration when performing a vendor risk assessment?

Options:

A.

Results of the last risk assessment of the vendor

B.

Inherent risk of the business process supported by the vendor

C.

Risk tolerance of the vendor

D.

Length of time since the last risk assessment of the vendor

Buy Now
Questions 180

Which of the following is MOST important to communicate to senior management during the initial implementation of a risk management program?

Options:

A.

Regulatory compliance

B.

Risk ownership

C.

Best practices

D.

Desired risk level

Buy Now
Questions 181

Which of the following is the BEST indication of the effectiveness of a business continuity program?

Options:

A.

Business continuity tests are performed successfully and issues are addressed.

B.

Business impact analyses are reviewed and updated in a timely manner.

C.

Business continuity and disaster recovery plans are regularly updated.

D.

Business units are familiar with the business continuity plans and process.

Buy Now
Questions 182

Which of the following is the MOST important factor to consider when determining whether to approve a policy exception request?

Options:

A.

Volume of exceptions

B.

Lack of technical resources

C.

Cost of noncompliance

D.

Time required to implement controls

Buy Now
Questions 183

The MOST essential content to include in an IT risk awareness program is how to:

Options:

A.

define the IT risk framework for the organization

B.

populate risk register entries and build a risk profile for management reporting

C.

comply with the organization's IT risk and information security policies

D.

prioritize IT-related actions by considering risk appetite and risk tolerance

Buy Now
Questions 184

Which of the following is the MOST important objective of establishing an enterprise risk management (ERM) function within an organization?

Options:

A.

To have a unified approach to risk management across the organization

B.

To have a standard risk management process for complying with regulations

C.

To optimize risk management resources across the organization

D.

To ensure risk profiles are presented in a consistent format within the organization

Buy Now
Questions 185

An organization control environment is MOST effective when:

Options:

A.

control designs are reviewed periodically

B.

controls perform as intended.

C.

controls are implemented consistently.

D.

controls operate efficiently

Buy Now
Questions 186

Which of the following BEST helps to identify significant events that could impact an organization?

Options:

A.

Control analysis

B.

Vulnerability analysis

C.

Scenario analysis

D.

Heat map analysis

Buy Now
Questions 187

The GREATEST concern when maintaining a risk register is that:

Options:

A.

impacts are recorded in qualitative terms.

B.

executive management does not perform periodic reviews.

C.

IT risk is not linked with IT assets.

D.

significant changes in risk factors are excluded.

Buy Now
Questions 188

Which of the following should be the PRIMARY consideration for a startup organization that has decided to adopt externally-sourced security policies?

Options:

A.

Availability of policy updates and support

B.

Stakeholder buy-in of policies

C.

Applicability to business operations

D.

Compliance with local regulations

Buy Now
Questions 189

Which of the following should be the PRIMARY focus of a disaster recovery management (DRM) framework and related processes?

Options:

A.

Restoring IT and cybersecurity operations

B.

Assessing the impact and probability of disaster scenarios

C.

Ensuring timely recovery of critical business operations

D.

Determining capacity for alternate sites

Buy Now
Questions 190

A compensating control is MOST appropriate when:

Options:

A.

Management wants to increase the number of controls.

B.

A vulnerability is identified.

C.

Existing controls are inadequate.

D.

A key control is already in place and operating effectively.

Buy Now
Questions 191

Which of the following is MOST important for an organization that wants to reduce IT operational risk?

Options:

A.

Increasing senior management's understanding of IT operations

B.

Increasing the frequency of data backups

C.

Minimizing complexity of IT infrastructure

D.

Decentralizing IT infrastructure

Buy Now
Questions 192

Which of the following proposed benefits is MOST likely to influence senior management approval to reallocate budget for a new security initiative?

Options:

A.

Reduction in the number of incidents

B.

Reduction in inherent risk

C.

Reduction in residual risk

D.

Reduction in the number of known vulnerabilities

Buy Now
Questions 193

Which of the following risk register elements is MOST likely to be updated if the attack surface or exposure of an asset is reduced?

Options:

A.

Likelihood rating

B.

Control effectiveness

C.

Assessment approach

D.

Impact rating

Buy Now
Questions 194

Which of the following is the MOST important reason to link an effective key control indicator (KCI) to relevant key risk indicators (KRIs)?

Options:

A.

To monitor changes in the risk environment

B.

To provide input to management for the adjustment of risk appetite

C.

To monitor the accuracy of threshold levels in metrics

D.

To obtain business buy-in for investment in risk mitigation measures

Buy Now
Questions 195

Risk management strategies are PRIMARILY adopted to:

Options:

A.

take necessary precautions for claims and losses.

B.

achieve acceptable residual risk levels.

C.

avoid risk for business and IT assets.

D.

achieve compliance with legal requirements.

Buy Now
Questions 196

A risk practitioner notices a risk scenario associated with data loss at the organization's cloud provider is assigned to the provider who should the risk scenario be reassigned to.

Options:

A.

Senior management

B.

Chief risk officer (CRO)

C.

Vendor manager

D.

Data owner

Buy Now
Questions 197

During the control evaluation phase of a risk assessment, it is noted that multiple controls are ineffective. Which of the following should be the risk practitioner's FIRST course of action?

Options:

A.

Recommend risk remediation of the ineffective controls.

B.

Compare the residual risk to the current risk appetite.

C.

Determine the root cause of the control failures.

D.

Escalate the control failures to senior management.

Buy Now
Questions 198

A company has recently acquired a customer relationship management (CRM) application from a certified software vendor. Which of the following will BE ST help lo prevent technical vulnerabilities from being exploded?

Options:

A.

implement code reviews and Quality assurance on a regular basis

B.

Verity me software agreement indemnifies the company from losses

C.

Review the source coda and error reporting of the application

D.

Update the software with the latest patches and updates

Buy Now
Questions 199

Which of the following would provide the MOST comprehensive information for updating an organization's risk register?

Options:

A.

Results of the latest risk assessment

B.

Results of a risk forecasting analysis

C.

A review of compliance regulations

D.

Findings of the most recent audit

Buy Now
Questions 200

Which of the following should be the PRIMARY input to determine risk tolerance?

Options:

A.

Regulatory requirements

B.

Organizational objectives

C.

Annual loss expectancy (ALE)

D.

Risk management costs

Buy Now
Questions 201

The MOST important reason to monitor key risk indicators (KRIs) is to help management:

Options:

A.

identity early risk transfer strategies.

B.

lessen the impact of realized risk.

C.

analyze the chain of risk events.

D.

identify the root cause of risk events.

Buy Now
Questions 202

An organization outsources the processing of us payroll data A risk practitioner identifies a control weakness at the third party trial exposes the payroll data. Who should own this risk?

Options:

A.

The third party's IT operations manager

B.

The organization's process owner

C.

The third party's chief risk officer (CRO)

D.

The organization's risk practitioner

Buy Now
Questions 203

Which of the following should be the risk practitioner s PRIMARY focus when determining whether controls are adequate to mitigate risk?

Options:

A.

Sensitivity analysis

B.

Level of residual risk

C.

Cost-benefit analysis

D.

Risk appetite

Buy Now
Questions 204

Which of the following is MOST helpful in aligning IT risk with business objectives?

Options:

A.

Introducing an approved IT governance framework

B.

Integrating the results of top-down risk scenario analyses

C.

Performing a business impact analysis (BlA)

D.

Implementing a risk classification system

Buy Now
Questions 205

An organization is planning to engage a cloud-based service provider for some of its data-intensive business processes. Which of the following is MOST important to help define the IT risk associated with this outsourcing activity?

Options:

A.

Service level agreement

B.

Customer service reviews

C.

Scope of services provided

D.

Right to audit the provider

Buy Now
Questions 206

Who is MOST important lo include in the assessment of existing IT risk scenarios?

Options:

A.

Technology subject matter experts

B.

Business process owners

C.

Business users of IT systems

D.

Risk management consultants

Buy Now
Questions 207

When developing a risk awareness training program, which of the following training topics would BEST facilitate a thorough understanding of risk scenarios?

Options:

A.

Mapping threats to organizational objectives

B.

Reviewing past audits

C.

Analyzing key risk indicators (KRIs)

D.

Identifying potential sources of risk

Buy Now
Questions 208

What should be the PRIMARY consideration related to data privacy protection when there are plans for a business initiative to make use of personal information?

Options:

A.

Do not collect or retain data that is not needed.

B.

Redact data where possible.

C.

Limit access to the personal data.

D.

Ensure all data is encrypted at rest and during transit.

Buy Now
Questions 209

Which of the following is MOST likely to introduce risk for financial institutions that use blockchain?

Options:

A.

Cost of implementation

B.

Implementation of unproven applications

C.

Disruption to business processes

D.

Increase in attack surface area

Buy Now
Questions 210

it was determined that replication of a critical database used by two business units failed. Which of the following should be of GREATEST concern1?

Options:

A.

The underutilization of the replicated Iink

B.

The cost of recovering the data

C.

The lack of integrity of data

D.

The loss of data confidentiality

Buy Now
Questions 211

The purpose of requiring source code escrow in a contractual agreement is to:

Options:

A.

ensure that the source code is valid and exists.

B.

ensure that the source code is available if the vendor ceases to exist.

C.

review the source code for adequacy of controls.

D.

ensure the source code is available when bugs occur.

Buy Now
Questions 212

Which of the following is the MOST effective way to incorporate stakeholder concerns when developing risk scenarios?

Options:

A.

Evaluating risk impact

B.

Establishing key performance indicators (KPIs)

C.

Conducting internal audits

D.

Creating quarterly risk reports

Buy Now
Questions 213

Which of the following is BEST used to aggregate data from multiple systems to identify abnormal behavior?

Options:

A.

Cyber threat intelligence

B.

Anti-malware software

C.

Endpoint detection and response (EDR)

D.

SIEM systems

Buy Now
Questions 214

Which of the following is the GREATEST benefit when enterprise risk management (ERM) provides oversight of IT risk management?

Options:

A.

Aligning IT with short-term and long-term goals of the organization

B.

Ensuring the IT budget and resources focus on risk management

C.

Ensuring senior management's primary focus is on the impact of identified risk

D.

Prioritizing internal departments that provide service to customers

Buy Now
Questions 215

Which of the following activities is PRIMARILY the responsibility of senior management?

Options:

A.

Bottom-up identification of emerging risks

B.

Categorization of risk scenarios against a standard taxonomy

C.

Prioritization of risk scenarios based on severity

D.

Review of external loss data

Buy Now
Questions 216

A risk practitioner is organizing a training session lo communicate risk assessment methodologies to ensure a consistent risk view within the organization Which of the following i< the MOST important topic to cover in this training?

Options:

A.

Applying risk appetite

B.

Applying risk factors

C.

Referencing risk event data

D.

Understanding risk culture

Buy Now
Questions 217

Which of the following is the BEST approach to mitigate the risk associated with outsourcing network management to an external vendor who will have access to sensitive information assets?

Options:

A.

Prepare a skills matrix to illustrate tasks and required expertise.

B.

Require periodic security assessments of the vendor within the contract.

C.

Perform due diligence to enable holistic assessment of the vendor.

D.

Plan a phased approach for the transition of processes to the vendor.

Buy Now
Questions 218

Which of the following BEST mitigates the risk associated with inadvertent data leakage by users who work remotely?

Options:

A.

Conducting training on the protection of organizational assets

B.

Configuring devices to use virtual IP addresses

C.

Ensuring patching for end-user devices

D.

Providing encrypted access to organizational assets

Buy Now
Questions 219

Which of the following should be the PRIMARY focus of an independent review of a risk management process?

Options:

A.

Accuracy of risk tolerance levels

B.

Consistency of risk process results

C.

Participation of stakeholders

D.

Maturity of the process

Buy Now
Questions 220

To help ensure all applicable risk scenarios are incorporated into the risk register, it is MOST important to review the:

Options:

A.

risk mitigation approach

B.

cost-benefit analysis.

C.

risk assessment results.

D.

vulnerability assessment results

Buy Now
Questions 221

Which of the following activities should be performed FIRST when establishing IT risk management processes?

Options:

A.

Collect data of past incidents and lessons learned.

B.

Conduct a high-level risk assessment based on the nature of business.

C.

Identify the risk appetite of the organization.

D.

Assess the goals and culture of the organization.

Buy Now
Questions 222

A risk practitioner has learned that an effort to implement a risk mitigation action plan has stalled due to lack of funding. The risk practitioner should report that the associated risk has been:

Options:

A.

mitigated

B.

accepted

C.

avoided

D.

deferred

Buy Now
Questions 223

It is MOST appropriate for changes to be promoted to production after they are:

Options:

A.

communicated to business management

B.

tested by business owners.

C.

approved by the business owner.

D.

initiated by business users.

Buy Now
Questions 224

Which of the following would provide executive management with the BEST information to make risk decisions as a result of a risk assessment?

Options:

A.

A companion of risk assessment results to the desired state

B.

A quantitative presentation of risk assessment results

C.

An assessment of organizational maturity levels and readiness

D.

A qualitative presentation of risk assessment results

Buy Now
Questions 225

Which of the following should be the PRIMARY concern when changes to firewall rules do not follow change management requirements?

Options:

A.

Potential audit findings

B.

Insufficient risk governance

C.

Potential business impact

D.

Inaccurate documentation

Buy Now
Questions 226

Which of the following should be the PRIMARY basis for prioritizing risk responses?

Options:

A.

The impact of the risk

B.

The replacement cost of the business asset

C.

The cost of risk mitigation controls

D.

The classification of the business asset

Buy Now
Questions 227

Which of the following will provide the BEST measure of compliance with IT policies?

Options:

A.

Evaluate past policy review reports.

B.

Conduct regular independent reviews.

C.

Perform penetration testing.

D.

Test staff on their compliance responsibilities.

Buy Now
Questions 228

Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds?

Options:

A.

Occurrences of specific events

B.

A performance measurement

C.

The risk tolerance level

D.

Risk scenarios

Buy Now
Questions 229

Which of the following would BEST ensure that identified risk scenarios are addressed?

Options:

A.

Reviewing the implementation of the risk response

B.

Creating a separate risk register for key business units

C.

Performing real-time monitoring of threats

D.

Performing regular risk control self-assessments

Buy Now
Questions 230

Which of the following is the GREATEST risk associated with an environment that lacks documentation of the architecture?

Options:

A.

Unknown vulnerabilities

B.

Legacy technology systems

C.

Network isolation

D.

Overlapping threats

Buy Now
Questions 231

Which of the following is the GREATEST concern related to the monitoring of key risk indicators (KRIs)?

Options:

A.

Logs are retained for longer than required.

B.

Logs are reviewed annually.

C.

Logs are stored in a multi-tenant cloud environment.

D.

Logs are modified before analysis is conducted.

Buy Now
Questions 232

The analysis of which of the following will BEST help validate whether suspicious network activity is malicious?

Options:

A.

Logs and system events

B.

Intrusion detection system (IDS) rules

C.

Vulnerability assessment reports

D.

Penetration test reports

Buy Now
Questions 233

Which of the following is the GREATEST benefit for an organization with a strong risk awareness culture?

Options:

A.

Reducing the involvement by senior management

B.

Using more risk specialists

C.

Reducing the need for risk policies and guidelines

D.

Discussing and managing risk as a team

Buy Now
Questions 234

Which of the following is of GREATEST concern when uncontrolled changes are made to the control environment?

Options:

A.

A decrease in control layering effectiveness

B.

An increase in inherent risk

C.

An increase in control vulnerabilities

D.

An increase in the level of residual risk

Buy Now
Questions 235

Key control indicators (KCls) help to assess the effectiveness of the internal control environment PRIMARILY by:

Options:

A.

ensuring controls are operating efficiently and facilitating productivity.

B.

enabling senior leadership to better understand the level of risk the organization is facing.

C.

monitoring changes in the likelihood of adverse events due to ineffective controls.

D.

providing information on the degree to which controls are meeting intended objectives.

Buy Now
Questions 236

Which component of a software inventory BEST enables the identification and mitigation of known vulnerabilities?

Options:

A.

Software version

B.

Assigned software manager

C.

Software support contract expiration

D.

Software licensing information

Buy Now
Questions 237

An organization is considering modifying its system to enable acceptance of credit card payments. To reduce the risk of data exposure, which of the following should the organization do FIRST?

Options:

A.

Conduct a risk assessment.

B.

Update the security strategy.

C.

Implement additional controls.

D.

Update the risk register.

Buy Now
Questions 238

During which phase of the system development life cycle (SDLC) should information security requirements for the implementation of a new IT system be defined?

Options:

A.

Monitoring

B.

Development

C.

Implementation

D.

Initiation

Buy Now
Questions 239

During a risk assessment of a financial institution, a risk practitioner discovers that tellers can initiate and approve transactions of significant value. This team is also responsible for ensuring transactions are recorded and balances are reconciled by the end of the day. Which of the following is the risk practitioner's BEST recommendation to mitigate the associated risk?

Options:

A.

Implement continuous monitoring.

B.

Require a second level of approval.

C.

Implement separation of duties.

D.

Require a code of ethics.

Buy Now
Questions 240

Which of the following provides the MOST useful information to senior management about risk mitigation status?

Options:

A.

Risk strategy

B.

Risk register

C.

Gap analysis

D.

Business impact analysis (BIA)

Buy Now
Questions 241

Which of the following would be MOST helpful when communicating roles associated with the IT risk management process?

Options:

A.

Skills matrix

B.

Job descriptions

C.

RACI chart

D.

Organizational chart

Buy Now
Questions 242

An organization is planning to acquire a new financial system. Which of the following stakeholders would provide the MOST relevant information for analyzing the risk associated with the new IT solution?

Options:

A.

Project sponsor

B.

Process owner

C.

Risk manager

D.

Internal auditor

Buy Now
Questions 243

Which of the following methods is the BEST way to measure the effectiveness of automated information security controls prior to going live?

Options:

A.

Testing in a non-production environment

B.

Performing a security control review

C.

Reviewing the security audit report

D.

Conducting a risk assessment

Buy Now
Questions 244

Upon learning that the number of failed backup attempts continually exceeds

the current risk threshold, the risk practitioner should:

Options:

A.

initiate corrective action to address the known deficiency.

B.

adjust the risk threshold to better reflect actual performance.

C.

inquire about the status of any planned corrective actions.

D.

keep monitoring the situation as there is evidence that this is normal.

Buy Now
Questions 245

A control owner identifies that the organization's shared drive contains personally identifiable information (Pll) that can be accessed by all personnel. Which of the following is the MOST effective risk response?

Options:

A.

Protect sensitive information with access controls.

B.

Implement a data loss prevention (DLP) solution.

C.

Re-communicate the data protection policy.

D.

Implement a data encryption solution.

Buy Now
Questions 246

An organization has recently hired a large number of part-time employees. During the annual audit, it was discovered that many user IDs and passwords were documented in procedure manuals for use by the part-time employees. Which of the following BEST describes this situation?

Options:

A.

Threat

B.

Risk

C.

Vulnerability

D.

Policy violation

Buy Now
Questions 247

If preventive controls cannot be Implemented due to technology limitations, which of the following should be done FIRST to reduce risk7

Options:

A.

Evaluate alternative controls.

B.

Redefine the business process to reduce the risk.

C.

Develop a plan to upgrade technology.

D.

Define a process for monitoring risk.

Buy Now
Questions 248

Who is accountable for authorizing application access in a cloud Software as a Service (SaaS) solution?

Options:

A.

Cloud service provider

B.

IT department

C.

Senior management

D.

Business unit owner

Buy Now
Questions 249

Who should be accountable for monitoring the control environment to ensure controls are effective?

Options:

A.

Risk owner

B.

Security monitoring operations

C.

Impacted data owner

D.

System owner

Buy Now
Questions 250

A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner s NEXT step? r

Options:

A.

Prepare a business case for the response options.

B.

Identify resources for implementing responses.

C.

Develop a mechanism for monitoring residual risk.

D.

Update the risk register with the results.

Buy Now
Questions 251

From a risk management perspective, which of the following is the PRIMARY purpose of conducting a root cause analysis following an incident?

Options:

A.

To reduce incident response times defined in SLAs

B.

To satisfy senior management expectations for incident response

C.

To ensure risk has been reduced to acceptable levels

D.

To minimize the likelihood of future occurrences

Buy Now
Questions 252

Which of the following resources is MOST helpful to a risk practitioner when updating the likelihood rating in the risk register?

Options:

A.

Risk control assessment

B.

Audit reports with risk ratings

C.

Penetration test results

D.

Business impact analysis (BIA)

Buy Now
Questions 253

The PRIMARY reason to implement a formalized risk taxonomy is to:

Options:

A.

reduce subjectivity in risk management.

B.

comply with regulatory requirements.

C.

demonstrate best industry practice.

D.

improve visibility of overall risk exposure.

Buy Now
Questions 254

Which of the following would provide the MOST useful information to a risk owner when reviewing the progress of risk mitigation?

Options:

A.

Key audit findings

B.

Treatment plan status

C.

Performance indicators

D.

Risk scenario results

Buy Now
Questions 255

Which of the following is the BEST indication of an enhanced risk-aware culture?

Options:

A.

Users have read and agreed to comply with security policies.

B.

Risk issues are openly discussed within the organization.

C.

Scores have improved on risk awareness quizzes.

D.

There is a decrease in the number of reported incidents.

Buy Now
Questions 256

An organization has outsourced its customer management database to an external service provider. Of the following, who should be accountable for ensuring customer data privacy?

Options:

A.

The organization's business process owner

B.

The organization's information security manager

C.

The organization's vendor management officer

D.

The vendor's risk manager

Buy Now
Questions 257

Implementing which of the following will BEST help ensure that systems comply with an established baseline before deployment?

Options:

A.

Vulnerability scanning

B.

Continuous monitoring and alerting

C.

Configuration management

D.

Access controls and active logging

Buy Now
Questions 258

The implementation of a risk treatment plan will exceed the resources originally allocated for the risk response. Which of the following should be the risk owner's NEXT action?

Options:

A.

Perform a risk assessment.

B.

Accept the risk of not implementing.

C.

Escalate to senior management.

D.

Update the implementation plan.

Buy Now
Questions 259

A risk practitioner is performing a risk assessment of recent external advancements in quantum computing. Which of the following would pose the GREATEST concern for the risk practitioner?

Options:

A.

The organization has not adopted Infrastructure as a Service (IaaS) for its operations

B.

The organization has incorporated blockchain technology in its operations

C.

The organization has implemented heuristics on its network firewall

D.

The organization has not reviewed its encryption standards

Buy Now
Questions 260

A risk practitioner shares the results of a vulnerability assessment for a critical business application with the business manager. Which of the following is the NEXT step?

Options:

A.

Develop a risk action plan to address the findings.

B.

Evaluate the impact of the vulnerabilities to the business application.

C.

Escalate the findings to senior management and internal audit.

D.

Conduct a penetration test to validate the vulnerabilities from the findings.

Buy Now
Questions 261

Which of the following is MOST important when identifying an organization's risk exposure associated with Internet of Things (loT) devices?

Options:

A.

Defined remediation plans

B.

Management sign-off on the scope

C.

Manual testing of device vulnerabilities

D.

Visibility into all networked devices

Buy Now
Questions 262

Which of the following is the PRIMARY benefit when senior management periodically reviews and updates risk appetite and tolerance levels?

Options:

A.

It ensures compliance with the risk management framework.

B.

It ensures an effective risk aggregation process.

C.

It ensures decisions are risk-informed.

D.

It ensures a consistent approach for risk assessments.

Buy Now
Questions 263

Which of the following is the MOST important consideration when sharing risk management updates with executive management?

Options:

A.

Including trend analysis of risk metrics

B.

Using an aggregated view of organizational risk

C.

Relying on key risk indicator (KRI) data

D.

Ensuring relevance to organizational goals

Buy Now
Questions 264

Options:

A.

Risk tolerance

B.

Risk velocity

C.

Risk appetite

D.

Risk capacity

Buy Now
Questions 265

Which of the following is MOST important to have in place to ensure the effectiveness of risk and security metrics reporting?

Options:

A.

Organizational reporting process

B.

Incident reporting procedures

C.

Regularly scheduled audits

D.

Incident management policy

Buy Now
Questions 266

Which of the following should be of GREATEST concern to a risk practitioner when determining the effectiveness of IT controls?

Options:

A.

Configuration updates do not follow formal change control.

B.

Operational staff perform control self-assessments.

C.

Controls are selected without a formal cost-benefit

D.

analysis-Management reviews security policies once every two years.

Buy Now
Questions 267

For a large software development project, risk assessments are MOST effective when performed:

Options:

A.

before system development begins.

B.

at system development.

C.

at each stage of the system development life cycle (SDLC).

D.

during the development of the business case.

Buy Now
Questions 268

Which of the following is the BEST method to track asset inventory?

Options:

A.

Periodic asset review by management

B.

Asset registration form

C.

Automated asset management software

D.

IT resource budgeting process

Buy Now
Questions 269

Which of the following helps ensure compliance with a nonrepudiation policy requirement for electronic transactions?

Options:

A.

Digital signatures

B.

Encrypted passwords

C.

One-time passwords

D.

Digital certificates

Buy Now
Questions 270

Participants in a risk workshop have become focused on the financial cost to mitigate risk rather than choosing the most appropriate response. Which of the following is the BEST way to address this type of issue in the long term?

Options:

A.

Perform a return on investment analysis.

B.

Review the risk register and risk scenarios.

C.

Calculate annualized loss expectancy of risk scenarios.

D.

Raise the maturity of organizational risk management.

Buy Now
Questions 271

A risk practitioner has been asked by executives to explain how existing risk treatment plans would affect risk posture at the end of the year. Which of the following is MOST helpful in responding to this request?

Options:

A.

Assessing risk with no controls in place

B.

Showing projected residual risk

C.

Providing peer benchmarking results

D.

Assessing risk with current controls in place

Buy Now
Questions 272

It is MOST important for a risk practitioner to have an awareness of an organization s processes in order to:

Options:

A.

perform a business impact analysis.

B.

identify potential sources of risk.

C.

establish risk guidelines.

D.

understand control design.

Buy Now
Questions 273

Which of the following provides the MOST helpful reference point when communicating the results of a risk assessment to stakeholders?

Options:

A.

Risk tolerance

B.

Risk appetite

C.

Risk awareness

D.

Risk policy

Buy Now
Questions 274

Which of the following is MOST commonly compared against the risk appetite?

Options:

A.

IT risk

B.

Inherent risk

C.

Financial risk

D.

Residual risk

Buy Now
Questions 275

Which of the following issues should be of GREATEST concern when evaluating existing controls during a risk assessment?

Options:

A.

A high number of approved exceptions exist with compensating controls.

B.

Successive assessments have the same recurring vulnerabilities.

C.

Redundant compensating controls are in place.

D.

Asset custodians are responsible for defining controls instead of asset owners.

Buy Now
Questions 276

Which of the following BEST indicates the effectiveness of anti-malware software?

Options:

A.

Number of staff hours lost due to malware attacks

B.

Number of downtime hours in business critical servers

C.

Number of patches made to anti-malware software

D.

Number of successful attacks by malicious software

Buy Now
Questions 277

An enterprise has taken delivery of software patches that address vulnerabilities in its core business software. Prior to implementation, which of the following is the MOST important task to be performed?

Options:

A.

Assess the impact of applying the patches on the production environment.

B.

Survey other enterprises regarding their experiences with applying these patches.

C.

Seek information from the software vendor to enable effective application of the patches.

D.

Determine in advance an off-peak period to apply the patches.

Buy Now
Questions 278

An organization's control environment is MOST effective when:

Options:

A.

controls perform as intended.

B.

controls operate efficiently.

C.

controls are implemented consistent

D.

control designs are reviewed periodically

Buy Now
Questions 279

Which key performance indicator (KPI) BEST measures the effectiveness of an organization's disaster recovery program?

Options:

A.

Number of disaster recovery scenarios identified

B.

Percentage of employees involved in the disaster recovery exercise

C.

Number of total systems recovered within the recovery point objective (RPO)

D.

Percentage of critical systems recovered within the recovery time objective (RTO)

Buy Now
Questions 280

An organization is concerned that a change in its market situation may impact the current level of acceptable risk for senior management. As a result, which of the following is MOST important to reevaluate?

Options:

A.

Risk classification

B.

Risk policy

C.

Risk strategy

D.

Risk appetite

Buy Now
Questions 281

Which of the following is the BEST way to manage the risk associated with malicious activities performed by database administrators (DBAs)?

Options:

A.

Activity logging and monitoring

B.

Periodic access review

C.

Two-factor authentication

D.

Awareness training and background checks

Buy Now
Questions 282

Which of the following would BEST provide early warning of a high-risk condition?

Options:

A.

Risk register

B.

Risk assessment

C.

Key risk indicator (KRI)

D.

Key performance indicator (KPI)

Buy Now
Questions 283

The head of a business operations department asks to review the entire IT risk register. Which of the following would be the risk manager s BEST approach to this request before sharing the register?

Options:

A.

Escalate to senior management

B.

Require a nondisclosure agreement.

C.

Sanitize portions of the register

D.

Determine the purpose of the request

Buy Now
Questions 284

An organization's capability to implement a risk management framework is PRIMARILY influenced by the:

Options:

A.

guidance of the risk practitioner.

B.

competence of the staff involved.

C.

approval of senior management.

D.

maturity of its risk culture.

Buy Now
Questions 285

Which of the following is a risk practitioner's BEST course of action if a risk assessment identifies a risk that is extremely unlikely but would have a severe impact should it occur?

Options:

A.

Rate the risk as high priority based on the severe impact.

B.

Obtain management's consent to accept the risk.

C.

Ignore the risk due to the extremely low likelihood.

D.

Address the risk by analyzing treatment options.

Buy Now
Questions 286

Which of the following will be the GREATEST concern when assessing the risk profile of an organization?

Options:

A.

The risk profile was not updated after a recent incident

B.

The risk profile was developed without using industry standards.

C.

The risk profile was last reviewed two years ago.

D.

The risk profile does not contain historical loss data.

Buy Now
Questions 287

An organization has determined that risk is not being adequately tracked and

managed due to a distributed operating model. Which of the following is the

BEST way to address this issue?

Options:

A.

Increase the frequency of risk assessments.

B.

Revalidate the organization's risk appetite

C.

Create a centralized portfolio of risk scenarios.

D.

Create dashboards for risk metrics.

Buy Now
Questions 288

Effective risk communication BEST benefits an organization by:

Options:

A.

helping personnel make better-informed decisions

B.

assisting the development of a risk register.

C.

improving the effectiveness of IT controls.

D.

increasing participation in the risk assessment process.

Buy Now
Questions 289

Which of the following is the BEST way to determine the value of information assets for risk management purposes?

Options:

A.

Assess the loss impact if the information is inadvertently disclosed.

B.

Calculate the overhead required to keep the information secure throughout its life cycle.

C.

Calculate the replacement cost of obtaining the information from alternate sources.

D.

Assess the market value offered by consumers of the information.

Buy Now
Questions 290

Following the implementation of an Internet of Things (loT) solution, a risk practitioner identifies new risk factors with impact to existing controls. Which of the following is MOST important to include in a report to stakeholders?

Options:

A.

Identified vulnerabilities

B.

Business managers' concerns

C.

Changes to residual risk

D.

Risk strategies of peer organizations

Buy Now
Questions 291

Which of the following will BEST communicate the importance of risk mitigation initiatives to senior management?

Options:

A.

Business case

B.

Balanced scorecard

C.

Industry standards

D.

Heat map

Buy Now
Questions 292

A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:

Options:

A.

communication

B.

identification.

C.

treatment.

D.

assessment.

Buy Now
Questions 293

A large organization recently restructured the IT department and has decided to outsource certain functions. What action should the control owners in the IT department take?

Options:

A.

Conduct risk classification for associated IT controls.

B.

Determine whether risk responses still effectively address risk.

C.

Perform vulnerability and threat assessments.

D.

Analyze and update IT control assessments.

Buy Now
Questions 294

Which of the following is the BEST way to prevent the loss of highly sensitive data when disposing of storage media?

Options:

A.

Physical destruction

B.

Degaussing

C.

Data anonymization

D.

Data deletion

Buy Now
Questions 295

Which of the following is the MOST important characteristic of an effective risk management program?

Options:

A.

Risk response plans are documented

B.

Controls are mapped to key risk scenarios.

C.

Key risk indicators are defined.

D.

Risk ownership is assigned

Buy Now
Questions 296

Key risk indicators (KRIs) BEST support risk treatment when they:

Options:

A.

Set performance expectations for controls.

B.

Align with key business objectives.

C.

Indicate that the risk is approaching predefined thresholds.

D.

Articulate likelihood and impact in quantitative terms.

Buy Now
Questions 297

The risk associated with an asset after controls are applied can be expressed as:

Options:

A.

a function of the cost and effectiveness of controls.

B.

the likelihood of a given threat.

C.

a function of the likelihood and impact.

D.

the magnitude of an impact.

Buy Now
Questions 298

Which of the following BEST indicates the efficiency of a process for granting access privileges?

Options:

A.

Average time to grant access privileges

B.

Number of changes in access granted to users

C.

Average number of access privilege exceptions

D.

Number and type of locked obsolete accounts

Buy Now
Questions 299

Reviewing which of the following BEST helps an organization gam insight into its overall risk profile''

Options:

A.

Risk register

B.

Risk appetite

C.

Threat landscape

D.

Risk metrics

Buy Now
Questions 300

Which of the following will be MOST effective in uniquely identifying the originator of electronic transactions?

Options:

A.

Digital signature

B.

Edit checks

C.

Encryption

D.

Multifactor authentication

Buy Now
Questions 301

Which of the following scenarios presents the GREATEST risk of noncompliance with data privacy best practices?

Options:

A.

Making data available to a larger audience of customers

B.

Data not being disposed according to the retention policy

C.

Personal data not being de-identified properly

D.

Data being used for purposes the data subjects have not opted into

Buy Now
Questions 302

A risk practitioner is MOST likely to use a SWOT analysis to assist with which risk process?

Options:

A.

Risk assessment

B.

Risk reporting

C.

Risk mitigation

D.

Risk identification

Buy Now
Questions 303

Which of the following is the PRIMARY responsibility of a control owner?

Options:

A.

To make risk-based decisions and own losses

B.

To ensure implemented controls mitigate risk

C.

To approve deviations from controls

D.

To design controls that will eliminate risk

Buy Now
Questions 304

An application runs a scheduled job that compiles financial data from multiple business systems and updates the financial reporting system. If this job runs too long, it can delay financial reporting. Which of the following is the risk practitioner's BEST recommendation?

Options:

A.

Implement database activity and capacity monitoring.

B.

Ensure the business is aware of the risk.

C.

Ensure the enterprise has a process to detect such situations.

D.

Consider providing additional system resources to this job.

Buy Now
Questions 305

A risk manager has determined there is excessive risk with a particular technology. Who is the BEST person to own the unmitigated risk of the technology?

Options:

A.

IT system owner

B.

Chief financial officer

C.

Chief risk officer

D.

Business process owner

Buy Now
Questions 306

Which of the following is MOST helpful in verifying that the implementation of a risk mitigation control has been completed as intended?

Options:

A.

An updated risk register

B.

Risk assessment results

C.

Technical control validation

D.

Control testing results

Buy Now
Questions 307

A risk practitioner is performing a risk assessment of recent external advancements in quantum computing. Which of the following would pose the GREATEST concern for the risk practitioner?

Options:

A.

The organization has incorporated blockchain technology in its operations.

B.

The organization has not reviewed its encryption standards.

C.

The organization has implemented heuristics on its network firewall.

D.

The organization has not adopted Infrastructure as a Service (laaS) for its operations.

Buy Now
Questions 308

What is the MOST important consideration when aligning IT risk management with the enterprise risk management (ERM) framework?

Options:

A.

Risk and control ownership

B.

Senior management participation

C.

Business unit support

D.

Risk nomenclature and taxonomy

Buy Now
Questions 309

Which of the following controls are BEST strengthened by a clear organizational code of ethics?

Options:

A.

Detective controls

B.

Administrative controls

C.

Technical controls

D.

Preventive controls

Buy Now
Questions 310

To implement the MOST effective monitoring of key risk indicators (KRIs), which of the following needs to be in place?

Options:

A.

Threshold definition

B.

Escalation procedures

C.

Automated data feed

D.

Controls monitoring

Buy Now
Questions 311

An organization is planning to move its application infrastructure from on-premises to the cloud. Which of the following is the BEST course of the actin to address the risk associated with data transfer if the relationship is terminated with the vendor?

Options:

A.

Meet with the business leaders to ensure the classification of their transferred data is in place

B.

Ensure the language in the contract explicitly states who is accountable for each step of the data transfer process

C.

Collect requirements for the environment to ensure the infrastructure as a service (IaaS) is configured appropriately.

D.

Work closely with the information security officer to ensure the company has the proper security controls in place.

Buy Now
Questions 312

The BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability remediation program is the number of:

Options:

A.

vulnerability scans.

B.

recurring vulnerabilities.

C.

vulnerabilities remediated,

D.

new vulnerabilities identified.

Buy Now
Questions 313

Which of the following is MOST helpful in providing a high-level overview of current IT risk severity*?

Options:

A.

Risk mitigation plans

B.

heat map

C.

Risk appetite statement

D.

Key risk indicators (KRls)

Buy Now
Questions 314

The BEST way to justify the risk mitigation actions recommended in a risk assessment would be to:

Options:

A.

align with audit results.

B.

benchmark with competitor s actions.

C.

reference best practice.

D.

focus on the business drivers

Buy Now
Questions 315

Which of the following potential scenarios associated with the implementation of a new database technology presents the GREATEST risk to an organization?

Options:

A.

The organization may not have a sufficient number of skilled resources.

B.

Application and data migration cost for backups may exceed budget.

C.

Data may not be recoverable due to system failures.

D.

The database system may not be scalable in the future.

Buy Now
Questions 316

Which of the following is the BEST way for a risk practitioner to verify that management has addressed control issues identified during a previous external audit?

Options:

A.

Interview control owners.

B.

Observe the control enhancements in operation.

C.

Inspect external audit documentation.

D.

Review management's detailed action plans.

Buy Now
Questions 317

Which of the following should be a risk practitioner's NEXT step upon learning the impact of an organization's noncompliance with a specific legal regulation?

Options:

A.

Identify risk response options.

B.

Implement compensating controls.

C.

Invoke the incident response plan.

D.

Document the penalties for noncompliance.

Buy Now
Questions 318

Which of the following provides the BEST evidence of the effectiveness of an organization's account provisioning process?

Options:

A.

User provisioning

B.

Role-based access controls

C.

Security log monitoring

D.

Entitlement reviews

Buy Now
Questions 319

A trusted third-party service provider has determined that the risk of a client's systems being hacked is low. Which of the following would be the client's BEST course of action?

Options:

A.

Perform their own risk assessment

B.

Implement additional controls to address the risk.

C.

Accept the risk based on the third party's risk assessment

D.

Perform an independent audit of the third party.

Buy Now
Questions 320

Which of the following provides the MOST reliable evidence to support conclusions after completing an information systems controls assessment?

Options:

A.

Risk and control self-assessment (CSA) reports

B.

Information generated by the systems

C.

Control environment narratives

D.

Confirmation from industry peers

Buy Now
Questions 321

The BEST key performance indicator (KPI) to measure the effectiveness of the security patching process is the percentage of patches installed:

Options:

A.

by the security administration team.

B.

successfully within the expected time frame.

C.

successfully during the first attempt.

D.

without causing an unplanned system outage.

Buy Now
Questions 322

Which of the following is the FIRST step when conducting a business impact analysis (BIA)?

Options:

A.

Identifying critical information assets

B.

Identifying events impacting continuity of operations.

C.

Creating a data classification scheme

D.

Analyzing previous risk assessment results

Buy Now
Questions 323

An IT license audit has revealed that there are several unlicensed copies of co be to:

Options:

A.

immediately uninstall the unlicensed software from the laptops

B.

centralize administration rights on laptops so that installations are controlled

C.

report the issue to management so appropriate action can be taken.

D.

procure the requisite licenses for the software to minimize business impact.

Buy Now
Questions 324

An internally developed payroll application leverages Platform as a Service (PaaS) infrastructure from the cloud. Who owns the related data confidentiality risk?

Options:

A.

IT infrastructure head

B.

Human resources head

C.

Supplier management head

D.

Application development head

Buy Now
Questions 325

After entering a large number of low-risk scenarios into the risk register, it is MOST important for the risk practitioner to:

Options:

A.

prepare a follow-up risk assessment.

B.

recommend acceptance of the risk scenarios.

C.

reconfirm risk tolerance levels.

D.

analyze changes to aggregate risk.

Buy Now
Questions 326

A business delegates its application data management to the internal IT team. Which of the following is the role of the internal IT team in this situation?

Options:

A.

Data controllers

B.

Data custodians

C.

Data analysts

D.

Data owners

Buy Now
Questions 327

When prioritizing risk response, management should FIRST:

Options:

A.

evaluate the organization s ability and expertise to implement the solution.

B.

evaluate the risk response of similar organizations.

C.

address high risk factors that have efficient and effective solutions.

D.

determine which risk factors have high remediation costs

Buy Now
Questions 328

Which of the following BEST measures the impact of business interruptions caused by an IT service outage?

Options:

A.

Sustained financial loss

B.

Cost of remediation efforts

C.

Duration of service outage

D.

Average time to recovery

Buy Now
Questions 329

Which of the following should be done FIRST when developing an initial set of risk scenarios for an organization?

Options:

A.

Refer to industry standard scenarios.

B.

Use a top-down approach.

C.

Consider relevant business activities.

D.

Use a bottom-up approach.

Buy Now
Questions 330

Which of the following activities is a responsibility of the second line of defense?

Options:

A.

Challenging risk decision making

B.

Developing controls to manage risk scenarios

C.

Implementing risk response plans

D.

Establishing organizational risk appetite

Buy Now
Questions 331

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery test of critical business processes?

Options:

A.

Percentage of job failures identified and resolved during the recovery process

B.

Percentage of processes recovered within the recovery time and point objectives

C.

Number of current test plans and procedures

D.

Number of issues and action items resolved during the recovery test

Buy Now
Questions 332

A new software package that could help mitigate risk in an organization has become available. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Perform a business impact analysis (BIA).

B.

Perform a cost-benefit analysis.

C.

Review industry best practice.

D.

Review risk governance policies.

Buy Now
Questions 333

Which of the following resources is MOST helpful when creating a manageable set of IT risk scenarios?

Options:

A.

Results of current and past risk assessments

B.

Organizational strategy and objectives

C.

Lessons learned from materialized risk scenarios

D.

Internal and external audit findings

Buy Now
Questions 334

Which of the following should be the FIRST course of action if the risk associated with a new technology is found to be increasing?

Options:

A.

Re-evaluate current controls.

B.

Revise the current risk action plan.

C.

Escalate the risk to senior management.

D.

Implement additional controls.

Buy Now
Questions 335

A new regulator/ requirement imposes severe fines for data leakage involving customers' personally identifiable information (Pll). The risk practitioner has recommended avoiding the risk. Which of the following actions would BEST align with this recommendation?

Options:

A.

Reduce retention periods for Pll data.

B.

Move Pll to a highly-secured outsourced site.

C.

Modify business processes to stop collecting Pll.

D.

Implement strong encryption for Pll.

Buy Now
Questions 336

To communicate the risk associated with IT in business terms, which of the following MUST be defined?

Options:

A.

Compliance objectives

B.

Risk appetite of the organization

C.

Organizational objectives

D.

Inherent and residual risk

Buy Now
Questions 337

An audit reveals that several terminated employee accounts maintain access. Which of the following should be the FIRST step to address the risk?

Options:

A.

Perform a risk assessment

B.

Disable user access.

C.

Develop an access control policy.

D.

Perform root cause analysis.

Buy Now
Questions 338

In a public company, which group is PRIMARILY accountable for ensuring sufficient attention and resources are applied to the risk management process?

Options:

A.

Board of directors

B.

Risk officers

C.

Line management

D.

Senior management

Buy Now
Questions 339

An organization wants to transfer risk by purchasing cyber insurance. Which of the following would be MOST important for the risk practitioner to communicate to senior management for contract negotiation purposes?

Options:

A.

Most recent IT audit report results

B.

Replacement cost of IT assets

C.

Current annualized loss expectancy report

D.

Cyber insurance industry benchmarking report

Buy Now
Questions 340

Which of the following is MOST important for a multinational organization to consider when developing its security policies and standards?

Options:

A.

Regional competitors' policies and standards

B.

Ability to monitor and enforce compliance

C.

Industry-standard templates

D.

Differences in regulatory requirements

Buy Now
Questions 341

Which of the following provides the MOST up-to-date information about the effectiveness of an organization's overall IT control environment?

Options:

A.

Key performance indicators (KPIs)

B.

Risk heat maps

C.

Internal audit findings

D.

Periodic penetration testing

Buy Now
Questions 342

Which of the following is the MOST important reason to revisit a previously accepted risk?

Options:

A.

To update risk ownership

B.

To review the risk acceptance with new stakeholders

C.

To ensure risk levels have not changed

D.

To ensure controls are still operating effectively

Buy Now
Questions 343

Which of the following is the BEST Key control indicator KCO to monitor the effectiveness of patch management?

Options:

A.

Percentage of legacy servers out of support

B.

Percentage of severs receiving automata patches

C.

Number of unpremeditated vulnerabilities

D.

Number of intrusion attempts

Buy Now
Questions 344

Which of the following should be done FIRST upon learning that the organization will be affected by a new regulation in its industry?

Options:

A.

Transfer the risk.

B.

Perform a gap analysis.

C.

Determine risk appetite for the new regulation.

D.

Implement specific monitoring controls.

Buy Now
Questions 345

A bank recently incorporated Blockchain technology with the potential to impact known risk within the organization. Which of the following is the risk practitioner’s BEST course of action?

Options:

A.

Determine whether risk responses are still adequate.

B.

Analyze and update control assessments with the new processes.

C.

Analyze the risk and update the risk register as needed.

D.

Conduct testing of the control that mitigate the existing risk.

Buy Now
Questions 346

Controls should be defined during the design phase of system development because:

Options:

A.

it is more cost-effective to determine controls in the early design phase.

B.

structured analysis techniques exclude identification of controls.

C.

structured programming techniques require that controls be designed before coding begins.

D.

technical specifications are defined during this phase.

Buy Now
Questions 347

Which of the following BEST enables a proactive approach to minimizing the potential impact of unauthorized data disclosure?

Options:

A.

Cyber insurance

B.

Data backups

C.

Incident response plan

D.

Key risk indicators (KRIs)

Buy Now
Questions 348

Which of the following would be a risk practitioner’s GREATEST concern related to the monitoring of key risk indicators (KRIs)?

Options:

A.

Logs are retained for longer than required.

B.

Logs are reviewed annually.

C.

Logs are stored in a multi-tenant cloud environment.

D.

Logs are modified before analysis is conducted.

Buy Now
Questions 349

Which of the following presents the GREATEST risk to change control in business application development over the complete life cycle?

Options:

A.

Emphasis on multiple application testing cycles

B.

Lack of an integrated development environment (IDE) tool

C.

Introduction of requirements that have not been approved

D.

Bypassing quality requirements before go-live

Buy Now
Questions 350

A control for mitigating risk in a key business area cannot be implemented immediately. Which of the following is the risk practitioner's BEST course of action when a compensating control needs to be applied?

Options:

A.

Obtain the risk owner's approval.

B.

Record the risk as accepted in the risk register.

C.

Inform senior management.

D.

update the risk response plan.

Buy Now
Questions 351

Which of the following IT controls is MOST useful in mitigating the risk associated with inaccurate data?

Options:

A.

Encrypted storage of data

B.

Links to source data

C.

Audit trails for updates and deletions

D.

Check totals on data records and data fields

Buy Now
Questions 352

Which of the following BEST balances the costs and benefits of managing IT risk*?

Options:

A.

Prioritizing and addressing risk in line with risk appetite. Eliminating risk through preventive and detective controls

B.

Considering risk that can be shared with a third party

C.

Evaluating the probability and impact of risk scenarios

Buy Now
Questions 353

The risk associated with data loss from a website which contains sensitive customer information is BEST owned by:

Options:

A.

the third-party website manager

B.

the business process owner

C.

IT security

D.

the compliance manager

Buy Now
Questions 354

Which of the following controls would BEST reduce the likelihood of a successful network attack through social engineering?

Options:

A.

Automated controls

B.

Security awareness training

C.

Multifactor authentication

D.

Employee sanctions

Buy Now
Questions 355

What is the GREATEST concern with maintaining decentralized risk registers instead of a consolidated risk register?

Options:

A.

Aggregated risk may exceed the enterprise's risk appetite and tolerance.

B.

Duplicate resources may be used to manage risk registers.

C.

Standardization of risk management practices may be difficult to enforce.

D.

Risk analysis may be inconsistent due to non-uniform impact and likelihood scales.

Buy Now
Questions 356

Options:

A.

Ensure compliance with local legislation because it has a higher priority.

B.

Conduct a risk assessment and develop mitigation options.

C.

Terminate the current cloud contract and migrate to a local cloud provider.

D.

Accept the risk because foreign legislation does not apply to the organization.

Buy Now
Questions 357

Which of the following BEST provides an early warning that network access of terminated employees is not being revoked in accordance with the service level agreement (SLA)?

Options:

A.

Updating multi-factor authentication

B.

Monitoring key access control performance indicators

C.

Analyzing access control logs for suspicious activity

D.

Revising the service level agreement (SLA)

Buy Now
Questions 358

Which of the following will BEST help in communicating strategic risk priorities?

Options:

A.

Heat map

B.

Business impact analysis (BIA)

C.

Balanced Scorecard

D.

Risk register

Buy Now
Questions 359

Which of the following is MOST important to update following a change in organizational risk appetite and tolerance?

Options:

A.

Business impact assessment (BIA)

B.

Key performance indicators (KPIs)

C.

Risk profile

D.

Industry benchmark analysis

Buy Now
Questions 360

Employees are repeatedly seen holding the door open for others, so that trailing employees do not have to stop and swipe their own ID badges. This behavior BEST represents:

Options:

A.

a threat.

B.

a vulnerability.

C.

an impact

D.

a control.

Buy Now
Questions 361

An organization wants to launch a campaign to advertise a new product Using data analytics, the campaign can be targeted to reach potential customers. Which of the following should be of GREATEST concern to the risk practitioner?

Options:

A.

Data minimization

B.

Accountability

C.

Accuracy

D.

Purpose limitation

Buy Now
Questions 362

Which of the following is the PRIMARY purpose of a risk register?

Options:

A.

It guides management in determining risk appetite.

B.

It provides management with a risk inventory.

C.

It aligns risk scenarios to business objectives.

D.

It monitors the performance of risk and control owners.

Buy Now
Questions 363

An organization has decided to commit to a business activity with the knowledge that the risk exposure is higher than the risk appetite. Which of the following is the risk practitioner's MOST important action related to this decision?

Options:

A.

Recommend risk remediation

B.

Change the level of risk appetite

C.

Document formal acceptance of the risk

D.

Reject the business initiative

Buy Now
Questions 364

Which element of an organization's risk register is MOST important to update following the commissioning of a new financial reporting system?

Options:

A.

Key risk indicators (KRIs)

B.

The owner of the financial reporting process

C.

The risk rating of affected financial processes

D.

The list of relevant financial controls

Buy Now
Questions 365

An organization is reviewing a contract for a Software as a Service (SaaS) sales application with a 99.9% uptime service level agreement (SLA). Which of the following BEST describes ownership of availability risk?

Options:

A.

The risk is shared by both organizations.

B.

The liability for the risk is owned by the cloud provider.

C.

The risk is transferred to the cloud provider.

D.

The liability for the risk is owned by the sales department.

Buy Now
Questions 366

The PRIMARY objective of testing the effectiveness of a new control before implementation is to:

Options:

A.

ensure that risk is mitigated by the control.

B.

measure efficiency of the control process.

C.

confirm control alignment with business objectives.

D.

comply with the organization's policy.

Buy Now
Questions 367

What information is MOST helpful to asset owners when classifying organizational assets for risk assessment?

Options:

A.

Potential loss to tie business due to non-performance of the asset

B.

Known emerging environmental threats

C.

Known vulnerabilities published by the asset developer

D.

Cost of replacing the asset with a new asset providing similar services

Buy Now
Questions 368

A risk practitioner is preparing a report to communicate changes in the risk and control environment. The BEST way to engage stakeholder attention is to:

Options:

A.

include detailed deviations from industry benchmarks,

B.

include a summary linking information to stakeholder needs,

C.

include a roadmap to achieve operational excellence,

D.

publish the report on-demand for stakeholders.

Buy Now
Questions 369

Which of the following is the MOST important benefit of reporting risk assessment results to senior management?

Options:

A.

Promotion of a risk-aware culture

B.

Compilation of a comprehensive risk register

C.

Alignment of business activities

D.

Facilitation of risk-aware decision making

Buy Now
Questions 370

Which of the following is MOST important to understand when developing key risk indicators (KRIs)?

Options:

A.

KRI thresholds

B.

Integrity of the source data

C.

Control environment

D.

Stakeholder requirements

Buy Now
Questions 371

Which of the following BEST reduces the likelihood of fraudulent activity that occurs through use of a digital wallet?

Options:

A.

Require multi-factor authentication (MFA) to access the digital wallet.

B.

Use a digital key to encrypt the contents of the wallet.

C.

Enable audit logging on the digital wallet's device.

D.

Require public key infrastructure (PKI) to authorize transactions.

Buy Now
Questions 372

Which of the following would MOST effectively reduce the potential for inappropriate exposure of vulnerabilities documented in an organization's risk register?

Options:

A.

Limit access to senior management only.

B.

Encrypt the risk register.

C.

Implement role-based access.

D.

Require users to sign a confidentiality agreement.

Buy Now
Questions 373

A bank recently incorporated blockchain technology with the potential to impact known risk within the organization. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

reflect the results of risk assessments.

B.

be available to all stakeholders.

C.

effectively support a business maturity model.

D.

be reviewed by the IT steering committee.

Buy Now
Questions 374

Which of the following is the BEST method to identify unnecessary controls?

Options:

A.

Evaluating the impact of removing existing controls

B.

Evaluating existing controls against audit requirements

C.

Reviewing system functionalities associated with business processes

D.

Monitoring existing key risk indicators (KRIs)

Buy Now
Questions 375

A risk practitioner has reviewed new international regulations and realizes the new regulations will affect the organization. Which of the following should be the risk practitioner's NEXT course of

action?

Options:

A.

Conduct a peer response assessment.

B.

Update risk scenarios in the risk register.

C.

Reevaluate the risk management program.

D.

Ensure applications are compliant.

Buy Now
Questions 376

An organization plans to implement a new Software as a Service (SaaS) speech-to-text solution Which of the following is MOST important to mitigate risk associated with data privacy?

Options:

A.

Secure encryption protocols are utilized.

B.

Multi-factor authentication is set up for users.

C.

The solution architecture is approved by IT.

D.

A risk transfer clause is included in the contact

Buy Now
Questions 377

Who is ULTIMATELY accountable for risk treatment?

Options:

A.

Risk owner

B.

Enterprise risk management (ERM)

C.

Risk practitioner

D.

Control owner

Buy Now
Questions 378

Which risk response strategy could management apply to both positive and negative risk that has been identified?

Options:

A.

Transfer

B.

Accept

C.

Exploit

D.

Mitigate

Buy Now
Questions 379

Which of the following is the MOST important consideration when selecting digital signature software?

Options:

A.

Availability

B.

Nonrepudiation

C.

Accuracy

D.

Completeness

Buy Now
Questions 380

During an organization's simulated phishing email campaign, which of the following is the BEST indicator of a mature security awareness program?

Options:

A.

A high number of participants reporting the email

B.

A high number of participants deleting the email

C.

A low number of participants with questions for the help desk

D.

A low number of participants opening the email

Buy Now
Questions 381

Which of the following is the PRIMARY benefit of using a risk profile?

Options:

A.

It promotes a security-aware culture.

B.

It enables vulnerability analysis.

C.

It enhances internal risk reporting.

D.

It provides risk information to auditors.

Buy Now
Questions 382

A risk practitioner's BEST guidance to help an organization develop relevant risk scenarios is to ensure the scenarios are:

Options:

A.

based on industry trends.

B.

mapped to incident response plans.

C.

related to probable events.

D.

aligned with risk management capabilities.

Buy Now
Questions 383

A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:

Options:

A.

identification.

B.

treatment.

C.

communication.

D.

assessment

Buy Now
Questions 384

Which of the following will help ensure the elective decision-making of an IT risk management committee?

Options:

A.

Key stakeholders are enrolled as members

B.

Approved minutes ate forwarded to senior management

C.

Committee meets at least quarterly

D.

Functional overlap across the business is minimized

Buy Now
Questions 385

Read" rights to application files in a controlled server environment should be approved by the:

Options:

A.

business process owner.

B.

database administrator.

C.

chief information officer.

D.

systems administrator.

Buy Now
Questions 386

Which of the following is the MOST critical consideration when awarding a project to a third-party service provider whose servers are located offshore?

Options:

A.

Difficulty of monitoring compliance due to geographical distance

B.

Cost implications due to installation of network intrusion detection systems (IDSs)

C.

Delays in incident communication

D.

Potential impact on data governance

Buy Now
Questions 387

A multinational organization is considering implementing standard background checks to' all new employees A KEY concern regarding this approach

Options:

A.

fail to identity all relevant issues.

B.

be too costly

C.

violate laws in other countries

D.

be too line consuming

Buy Now
Questions 388

Which of the following is a drawback in the use of quantitative risk analysis?

Options:

A.

It assigns numeric values to exposures of assets.

B.

It requires more resources than other methods

C.

It produces the results in numeric form.

D.

It is based on impact analysis of information assets.

Buy Now
Questions 389

Options:

A.

Key performance indicators (KPIs)

B.

Key risk indicator (KRI) thresholds

C.

Risk trends

D.

Risk objectives

Buy Now
Questions 390

Which of the following is the BEST approach for performing a business impact analysis (BIA) of a supply-chain management application?

Options:

A.

Reviewing the organization's policies and procedures

B.

Interviewing groups of key stakeholders

C.

Circulating questionnaires to key internal stakeholders

D.

Accepting IT personnel s view of business issues

Buy Now
Questions 391

Which of the following is MOST important to the integrity of a security log?

Options:

A.

Least privilege access

B.

Inability to edit

C.

Ability to overwrite

D.

Encryption

Buy Now
Questions 392

An assessment of information security controls has identified ineffective controls. Which of the following should be the risk practitioner's FIRST course of action?

Options:

A.

Determine whether the impact is outside the risk appetite.

B.

Request a formal acceptance of risk from senior management.

C.

Report the ineffective control for inclusion in the next audit report.

D.

Deploy a compensating control to address the identified deficiencies.

Buy Now
Questions 393

After the implementation of internal of Things (IoT) devices, new risk scenarios were identified. What is the PRIMARY reason to report this information to risk owners?

Options:

A.

To reevaluate continued use to IoT devices

B.

The add new controls to mitigate the risk

C.

The recommend changes to the IoT policy

D.

To confirm the impact to the risk profile

Buy Now
Questions 394

Which of the following provides the BEST indication that existing controls are effective?

Options:

A.

Control testing

B.

Control logging

C.

Control documentation

D.

Control design

Buy Now
Questions 395

Which of the following is the BEST way to assess the effectiveness of an access management process?

Options:

A.

Comparing the actual process with the documented process

B.

Reviewing access logs for user activity

C.

Reconciling a list of accounts belonging to terminated employees

D.

Reviewing for compliance with acceptable use policy

Buy Now
Questions 396

The BEST criteria when selecting a risk response is the:

Options:

A.

capability to implement the response

B.

importance of IT risk within the enterprise

C.

effectiveness of risk response options

D.

alignment of response to industry standards

Buy Now
Questions 397

When establishing an enterprise IT risk management program, it is MOST important to:

Options:

A.

review alignment with the organizations strategy.

B.

understand the organization's information security policy.

C.

validate the organization's data classification scheme.

D.

report identified IT risk scenarios to senior management.

Buy Now
Questions 398

Which of the following is the PRIMARY benefit of implementing key control indicators (KCIs)?

Options:

A.

Confirming the adequacy of recovery plans.

B.

Improving compliance with control standards.

C.

Providing early detection of control degradation.

D.

Reducing the number of incidents.

Buy Now
Questions 399

When developing a new risk register, a risk practitioner should focus on which of the following risk management activities?

Options:

A.

Risk management strategy planning

B.

Risk monitoring and control

C.

Risk identification

D.

Risk response planning

Buy Now
Questions 400

An organization is participating in an industry benchmarking study that involves providing customer transaction records for analysis Which of the following is the MOST important control to ensure the privacy of customer information?

Options:

A.

Nondisclosure agreements (NDAs)

B.

Data anonymization

C.

Data cleansing

D.

Data encryption

Buy Now
Questions 401

Whose risk tolerance matters MOST when making a risk decision?

Options:

A.

Customers who would be affected by a breach

B.

Auditors, regulators and standards organizations

C.

The business process owner of the exposed assets

D.

The information security manager

Buy Now
Questions 402

Which of the following is the BEST key performance indicator (KPI) for determining how well an IT policy is aligned to business requirements?

Options:

A.

Total cost to support the policy

B.

Number of exceptions to the policy

C.

Total cost of policy breaches

D.

Number of inquiries regarding the policy

Buy Now
Questions 403

An unauthorized individual has socially engineered entry into an organization's secured physical premises. Which of the following is the BEST way to prevent future occurrences?

Options:

A.

Employ security guards.

B.

Conduct security awareness training.

C.

Install security cameras.

D.

Require security access badges.

Buy Now
Questions 404

A risk practitioner is summarizing the results of a high-profile risk assessment sponsored by senior management. The BEST way to support risk-based decisions by senior management would be to:

Options:

A.

map findings to objectives.

B.

provide quantified detailed analysis

C.

recommend risk tolerance thresholds.

D.

quantify key risk indicators (KRls).

Buy Now
Questions 405

Which of the following is the MOST appropriate key risk indicator (KRI) for backup media that is recycled monthly?

Options:

A.

Time required for backup restoration testing

B.

Change in size of data backed up

C.

Successful completion of backup operations

D.

Percentage of failed restore tests

Buy Now
Questions 406

Which of the following BEST mitigates ethical risk?

Options:

A.

Ethics committees

B.

Contingency scenarios

C.

Awareness of consequences for violations

D.

Routine changes in senior management

Buy Now
Questions 407

An upward trend in which of the following metrics should be of MOST concern?

Options:

A.

Number of business change management requests

B.

Number of revisions to security policy

C.

Number of security policy exceptions approved

D.

Number of changes to firewall rules

Buy Now
Questions 408

When assigning control ownership, it is MOST important to verify that the owner has accountability for:

Options:

A.

Control effectiveness.

B.

The budget for control implementation.

C.

Assessment of control risk.

D.

Internal control audits.

Buy Now
Questions 409

When defining thresholds for control key performance indicators (KPIs). it is MOST helpful to align:

Options:

A.

information risk assessments with enterprise risk assessments.

B.

key risk indicators (KRIs) with risk appetite of the business.

C.

the control key performance indicators (KPIs) with audit findings.

D.

control performance with risk tolerance of business owners.

Buy Now
Questions 410

An organization has contracted with a cloud service provider to support the deployment of a new product. Of the following, who should own the associated risk?

Options:

A.

The head of enterprise architecture (EA)

B.

The IT risk manager

C.

The information security manager

D.

The product owner

Buy Now
Questions 411

Which of the following should be included in a risk scenario to be used for risk analysis?

Options:

A.

Risk appetite

B.

Threat type

C.

Risk tolerance

D.

Residual risk

Buy Now
Questions 412

Which of the following is the STRONGEST indication an organization has ethics management issues?

Options:

A.

Employees do not report IT risk issues for fear of consequences.

B.

Internal IT auditors report to the chief information security officer (CISO).

C.

Employees face sanctions for not signing the organization's acceptable use policy.

D.

The organization has only two lines of defense.

Buy Now
Questions 413

Which of the following would provide the BEST evidence of an effective internal control environment/?

Options:

A.

Risk assessment results

B.

Adherence to governing policies

C.

Regular stakeholder briefings

D.

Independent audit results

Buy Now
Questions 414

Which of the following is the BEST indicator of executive management's support for IT risk mitigation efforts?

Options:

A.

The number of stakeholders involved in IT risk identification workshops

B.

The percentage of corporate budget allocated to IT risk activities

C.

The percentage of incidents presented to the board

D.

The number of executives attending IT security awareness training

Buy Now
Questions 415

An organization has opened a subsidiary in a foreign country. Which of the following would be the BEST way to measure the effectiveness of the subsidiary's IT systems controls?

Options:

A.

Implement IT systems in alignment with business objectives.

B.

Review metrics and key performance indicators (KPIs).

C.

Review design documentation of IT systems.

D.

Evaluate compliance with legal and regulatory requirements.

Buy Now
Questions 416

Which of the following should be the HIGHEST priority when developing a risk response?

Options:

A.

The risk response addresses the risk with a holistic view.

B.

The risk response is based on a cost-benefit analysis.

C.

The risk response is accounted for in the budget.

D.

The risk response aligns with the organization's risk appetite.

Buy Now
Questions 417

What should a risk practitioner do FIRST upon learning a risk treatment owner has implemented a different control than what was specified in the IT risk action plan?

Options:

A.

Seek approval from the control owner.

B.

Update the action plan in the risk register.

C.

Reassess the risk level associated with the new control.

D.

Validate that the control has an established testing method.

Buy Now
Questions 418

Which of the following BEST prevents control gaps in the Zero Trust model when implementing in the environment?

Options:

A.

Relying on multiple solutions for Zero Trust

B.

Utilizing rapid development during implementation

C.

Establishing a robust technical architecture

D.

Starting with a large initial scope

Buy Now
Questions 419

To enable effective integration of IT risk scenarios and enterprise risk management (ERM), it is MOST important to have a consistent approach to reporting:

Options:

A.

Key risk indicators (KRIs).

B.

Risk velocity.

C.

Risk response plans and owners.

D.

Risk impact and likelihood.

Buy Now
Questions 420

After mapping generic risk scenarios to organizational security policies, the NEXT course of action should be to:

Options:

A.

record risk scenarios in the risk register for analysis.

B.

validate the risk scenarios for business applicability.

C.

reduce the number of risk scenarios to a manageable set.

D.

perform a risk analysis on the risk scenarios.

Buy Now
Questions 421

An organization's decision to remain noncompliant with certain laws or regulations is MOST likely influenced by:

Options:

A.

The region in which the organization operates.

B.

Established business culture.

C.

Risk appetite set by senior management.

D.

Identified business process controls.

Buy Now
Questions 422

Which of the following provides the MOST helpful information in identifying risk in an organization?

Options:

A.

Risk registers

B.

Risk analysis

C.

Risk scenarios

D.

Risk responses

Buy Now
Questions 423

Which of the following is MOST helpful to facilitate the decision of recovery priorities in a disaster situation?

Options:

A.

Business Impact Analysis (BIA)

B.

Key Risk Indicators (KRIs)

C.

Recovery Point Objective (RPO)

D.

Risk Scenario Analysis

Buy Now
Questions 424

An organization is developing a risk universe to create a holistic view of its overall risk profile. Which of the following is the GREATEST barrier to achieving the initiative's objectives?

Options:

A.

Lack of cross-functional risk assessment workshops within the organization

B.

Lack of common understanding of the organization's risk culture

C.

Lack of quantitative methods to aggregate the total risk exposure

D.

Lack of an integrated risk management system to aggregate risk scenarios

Buy Now
Questions 425

What is MOST important for the risk practitioner to understand when creating an initial IT risk register?

Options:

A.

Enterprise architecture (EA)

B.

Control environment

C.

IT objectives

D.

Organizational objectives

Buy Now
Questions 426

Which of the following practices would be MOST effective in protecting personality identifiable information (Ptl) from unauthorized access m a cloud environment?

Options:

A.

Apply data classification policy

B.

Utilize encryption with logical access controls

C.

Require logical separation of company data

D.

Obtain the right to audit

Buy Now
Questions 427

Which of the following is the MOST significant indicator of the need to perform a penetration test?

Options:

A.

An increase in the number of high-risk audit findings

B.

An increase in the number of security incidents

C.

An increase in the percentage of turnover in IT personnel

D.

An increase in the number of infrastructure changes

Buy Now
Questions 428

What is the MAIN benefit of using a top-down approach to develop risk scenarios?

Options:

A.

It describes risk events specific to technology used by the enterprise.

B.

It establishes the relationship between risk events and organizational objectives.

C.

It uses hypothetical and generic risk events specific to the enterprise.

D.

It helps management and the risk practitioner to refine risk scenarios.

Buy Now
Questions 429

Which of the following is the GREATEST concern if user acceptance testing (UAT) is not conducted when implementing a new application?

Options:

A.

The probability of application defects will increase

B.

Data confidentiality could be compromised

C.

Increase in the use of redundant processes

D.

The application could fail to meet defined business requirements

Buy Now
Questions 430

Which of the following is the MOST important course of action for a risk practitioner when reviewing the results of control performance monitoring?

Options:

A.

Evaluate changes to the organization's risk profile.

B.

Validate whether the controls effectively mitigate risk.

C.

Confirm controls achieve regulatory compliance.

D.

Analyze appropriateness of key performance indicators (KPIs).

Buy Now
Questions 431

A risk owner has accepted a high-impact risk because the control was adversely affecting process efficiency. Before updating the risk register, it is MOST important for the risk practitioner to:

Options:

A.

ensure suitable insurance coverage is purchased.

B.

negotiate with the risk owner on control efficiency.

C.

reassess the risk to confirm the impact.

D.

obtain approval from senior management.

Buy Now
Questions 432

A business impact analysis (BIA) enables an organization to determine appropriate IT risk mitigation actions by:

Options:

A.

validating whether critical IT risk has been addressed.

B.

assigning accountability for IT risk to business functions.

C.

identifying IT assets that support key business processes.

D.

defining the requirements for an IT risk-aware culture

Buy Now
Questions 433

Which of the following methods is an example of risk mitigation?

Options:

A.

Not providing capability for employees to work remotely

B.

Outsourcing the IT activities and infrastructure

C.

Enforcing change and configuration management processes

D.

Taking out insurance coverage for IT-related incidents

Buy Now
Questions 434

Which of the following represents a vulnerability?

Options:

A.

An identity thief seeking to acquire personal financial data from an organization

B.

Media recognition of an organization's market leadership in its industry

C.

A standard procedure for applying software patches two weeks after release

D.

An employee recently fired for insubordination

Buy Now
Questions 435

Which of the following is the BEST way to identify changes to the risk landscape?

Options:

A.

Internal audit reports

B.

Access reviews

C.

Threat modeling

D.

Root cause analysis

Buy Now
Questions 436

Which of the following is MOST important to consider when determining the risk associated with re-identification of obfuscated personal data?

Options:

A.

The type of shared data

B.

The level of residual risk after data loss prevention (DLP) controls are implemented

C.

The monetary value of the unique records that could be re-identified

D.

The impact to affected stakeholders

Buy Now
Questions 437

During the internal review of an accounts payable process, a risk practitioner determines that the transaction approval limits configured in the system are not being enforced. Which of the following should be done NEXT?

Options:

A.

Identify the extent of the approval limit violations.

B.

Notify senior management of the system deficiency.

C.

Update the risk register with higher risk likelihood of violation.

D.

Remind users of the importance of adhering to approval limits.

Buy Now
Questions 438

After the review of a risk record, internal audit questioned why the risk was lowered from medium to low. Which of the following is the BEST course of action in responding to this inquiry?

Options:

A.

Obtain industry benchmarks related to the specific risk.

B.

Provide justification for the lower risk rating.

C.

Notify the business at the next risk briefing.

D.

Reopen the risk issue and complete a full assessment.

Buy Now
Questions 439

Which of the following BEST mitigates the risk of sensitive personal data leakage from a software development environment?

Options:

A.

Tokenized personal data only in test environments

B.

Data loss prevention tools (DLP) installed in passive mode

C.

Anonymized personal data in non-production environments

D.

Multi-factor authentication for access to non-production environments

Buy Now
Questions 440

Which of the following is the MOST important reason for a risk practitioner to identify stakeholders for each IT risk scenario?

Options:

A.

To ensure enterprise-wide risk management

B.

To establish control ownership

C.

To enable a comprehensive view of risk

D.

To identify key risk indicators (KRIs)

Buy Now
Questions 441

Which of the following is a risk practitioner's BEST course of action upon learning that regulatory authorities have concerns with an emerging technology the organization is considering?

Options:

A.

Redesign key risk indicators (KRIs).

B.

Update risk responses.

C.

Conduct a SWOT analysis.

D.

Perform a threat assessment.

Buy Now
Questions 442

Winch of the following can be concluded by analyzing the latest vulnerability report for the it infrastructure?

Options:

A.

Likelihood of a threat

B.

Impact of technology risk

C.

Impact of operational risk

D.

Control weakness

Buy Now
Questions 443

Which of the following should a risk practitioner review FIRST when evaluating risk events associated with the organization's data flow model?

Options:

A.

Results of data classification activities

B.

Recent changes to enterprise architecture (EA)

C.

High-level network diagrams

D.

Notes from interviews with the data owners

Buy Now
Questions 444

During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall. Which of the following controls has MOST likely been compromised?

Options:

A.

Data validation

B.

Identification

C.

Authentication

D.

Data integrity

Buy Now
Questions 445

A key performance indicator (KPI) shows that a process is operating inefficiently, even though no control issues were noted during the most recent risk assessment. Which of the following should be done FIRST?

Options:

A.

Implement new controls.

B.

Recalibrate the key performance indicator (KPI).

C.

Redesign the process.

D.

Re-evaluate the existing control design.

Buy Now
Questions 446

Which of the following would be the BEST recommendation if the level of risk in the IT risk profile has decreased and is now below management's risk appetite?

Options:

A.

Optimize the control environment.

B.

Realign risk appetite to the current risk level.

C.

Decrease the number of related risk scenarios.

D.

Reduce the risk management budget.

Buy Now
Questions 447

Which of the following practices MOST effectively safeguards the processing of personal data?

Options:

A.

Personal data attributed to a specific data subject is tokenized.

B.

Data protection impact assessments are performed on a regular basis.

C.

Personal data certifications are performed to prevent excessive data collection.

D.

Data retention guidelines are documented, established, and enforced.

Buy Now
Questions 448

Which of the following is MOST important requirement to include in a Software as a Service (SaaS) vendor contract to ensure data is protected?

Options:

A.

The vendor must provide periodic independent assurance reports.

B.

The vendor must host data in a specific geographic location.

C.

The vendor must be held liable for regulatory fines for failure to protect data.

D.

The vendor must participate in an annual vendor performance review.

Buy Now
Questions 449

An organization’s board of directors is concerned about recent data breaches in the news and wants to assess its exposure to similar scenarios. Which of the following is the BEST course of action?

Options:

A.

Evaluate the organization's existing data protection controls.

B.

Reassess the risk appetite and tolerance levels of the business.

C.

Evaluate the sensitivity of data that the business needs to handle.

D.

Review the organization’s data retention policy and regulatory requirements.

Buy Now
Questions 450

An IT organization is replacing the customer relationship management (CRM) system. Who should own the risk associated with customer data leakage caused by insufficient IT security controls for the new system?

Options:

A.

Chief information security officer

B.

Business process owner

C.

Chief risk officer

D.

IT controls manager

Buy Now
Questions 451

Which of the following is the MOST useful information for a risk practitioner when planning response activities after risk identification?

Options:

A.

Risk register

B.

Risk appetite

C.

Risk priorities

D.

Risk heat maps

Buy Now
Questions 452

Which of the following is the GREATEST concern when using artificial intelligence (AI) language models?

Options:

A.

The model could be hacked or exploited.

B.

The model could be used to generate inaccurate content.

C.

Staff could become overly reliant on the model.

D.

It could lead to biased recommendations.

Buy Now
Questions 453

A maturity model will BEST indicate:

Options:

A.

confidentiality and integrity.

B.

effectiveness and efficiency.

C.

availability and reliability.

D.

certification and accreditation.

Buy Now
Questions 454

When a high number of approved exceptions are observed during a review of a control procedure, an organization should FIRST initiate a review of the:

Options:

A.

Relevant policies.

B.

Threat landscape.

C.

Awareness program.

D.

Risk heat map.

Buy Now
Questions 455

The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for:

Options:

A.

data classification and labeling.

B.

data logging and monitoring.

C.

data retention and destruction.

D.

data mining and analytics.

Buy Now
Questions 456

Warning banners on login screens for laptops provided by an organization to its employees are an example of which type of control?

Options:

A.

Corrective

B.

Preventive

C.

Detective

D.

Deterrent

Buy Now
Questions 457

IT management has asked for a consolidated view into the organization's risk profile to enable project prioritization and resource allocation. Which of the following materials would

be MOST helpful?

Options:

A.

IT risk register

B.

List of key risk indicators

C.

Internal audit reports

D.

List of approved projects

Buy Now
Questions 458

Which of the following would present the GREATEST challenge when assigning accountability for control ownership?

Options:

A.

Weak governance structures

B.

Senior management scrutiny

C.

Complex regulatory environment

D.

Unclear reporting relationships

Buy Now
Questions 459

Which of the following would BEST assist in reconstructing the sequence of events following a security incident across multiple IT systems in the organization's network?

Options:

A.

Network monitoring infrastructure

B.

Centralized vulnerability management

C.

Incident management process

D.

Centralized log management

Buy Now
Questions 460

Which of the following is the BEST indicator of the effectiveness of a control action plan's implementation?

Options:

A.

Increased number of controls

B.

Reduced risk level

C.

Increased risk appetite

D.

Stakeholder commitment

Buy Now
Questions 461

Which of the following is MOST important to consider when assessing the likelihood that a recently discovered software vulnerability will be exploited?

Options:

A.

The skill level required of a threat actor

B.

The amount of personally identifiable information (PH) disclosed

C.

The ability to detect and trace the threat action

D.

The amount of data that might be exposed by a threat action

Buy Now
Questions 462

When developing IT risk scenarios, it is MOST important to consider:

Options:

A.

The industry's threat profile.

B.

Incidents occurring at similar organizations.

C.

System performance thresholds.

D.

Organizational objectives.

Buy Now
Questions 463

Which of the following should be the PRIMARY consideration when implementing controls for monitoring user activity logs?

Options:

A.

Ensuring availability of resources for log analysis

B.

Implementing log analysis tools to automate controls

C.

Ensuring the control is proportional to the risk

D.

Building correlations between logs collected from different sources

Buy Now
Questions 464

An organization is considering allowing users to access company data from their personal devices. Which of the following is the MOST important factor when assessing the risk?

Options:

A.

Classification of the data

B.

Type of device

C.

Remote management capabilities

D.

Volume of data

Buy Now
Questions 465

A risk practitioner has just learned about new malware that has severely impacted industry peers worldwide data loss?

Options:

A.

Customer database manager

B.

Customer data custodian

C.

Data privacy officer

D.

Audit committee

Buy Now
Questions 466

Which of the following MUST be assessed before considering risk treatment options for a scenario with significant impact?

Options:

A.

Risk magnitude

B.

Incident probability

C.

Risk appetite

D.

Cost-benefit analysis

Buy Now
Questions 467

Which of the following is the PRIMARY objective of a risk awareness program?

Options:

A.

To demonstrate senior management support

B.

To enhance organizational risk culture

C.

To increase awareness of risk mitigation controls

D.

To clearly define ownership of risk

Buy Now
Questions 468

An organization maintains independent departmental risk registers that are not automatically aggregated. Which of the following is the GREATEST concern?

Options:

A.

Management may be unable to accurately evaluate the risk profile.

B.

Resources may be inefficiently allocated.

C.

The same risk factor may be identified in multiple areas.

D.

Multiple risk treatment efforts may be initiated to treat a given risk.

Buy Now
Questions 469

A vulnerability assessment of a vendor-supplied solution has revealed that the software is susceptible to cross-site scripting and SQL injection attacks. Which of the following will BEST mitigate this issue?

Options:

A.

Monitor the databases for abnormal activity

B.

Approve exception to allow the software to continue operating

C.

Require the software vendor to remediate the vulnerabilities

D.

Accept the risk and let the vendor run the software as is

Buy Now
Questions 470

An organization has detected unauthorized logins to its client database servers. Which of the following should be of GREATEST concern?

Options:

A.

Potential increase in regulatory scrutiny

B.

Potential system downtime

C.

Potential theft of personal information

D.

Potential legal risk

Buy Now
Questions 471

An organization is analyzing the risk of shadow IT usage. Which of the following is the MOST important input into the assessment?

Options:

A.

Business benefits of shadow IT

B.

Application-related expresses

C.

Classification of the data

D.

Volume of data

Buy Now
Questions 472

To minimize risk in a software development project, when is the BEST time to conduct a risk analysis?

Options:

A.

During the business requirement definitions phase

B.

Before periodic steering committee meetings

C.

At each stage of the development life cycle

D.

During the business case development

Buy Now
Questions 473

Which of the following is the MOST useful information an organization can obtain from external sources about emerging threats?

Options:

A.

Solutions for eradicating emerging threats

B.

Cost to mitigate the risk resulting from threats

C.

Indicators for detecting the presence of threatsl)

D.

Source and identity of attackers

Buy Now
Questions 474

An organization's IT team has proposed the adoption of cloud computing as a cost-saving measure for the business. Which of the following should be of GREATEST concern to the risk practitioner?

Options:

A.

Due diligence for the recommended cloud vendor has not been performed.

B.

The business can introduce new Software as a Service (SaaS) solutions without IT approval.

C.

The maintenance of IT infrastructure has been outsourced to an Infrastructure as a Service (laaS) provider.

D.

Architecture responsibilities may not be clearly defined.

Buy Now
Questions 475

Which of the following would be MOST helpful when estimating the likelihood of negative events?

Options:

A.

Business impact analysis

B.

Threat analysis

C.

Risk response analysis

D.

Cost-benefit analysis

Buy Now
Questions 476

Which of the following would cause the GREATEST concern for a risk practitioner reviewing the IT risk scenarios recorded in an organization’s IT risk register?

Options:

A.

Some IT risk scenarios have multi-year risk action plans.

B.

Several IT risk scenarios are missing assigned owners.

C.

Numerous IT risk scenarios have been granted risk acceptances.

D.

Many IT risk scenarios are categorized as avoided.

Buy Now
Questions 477

Which of the following is the BEST indication that an organization's risk management program has not reached the desired maturity level?

Options:

A.

Significant increases in risk mitigation budgets

B.

Large fluctuations in risk ratings between assessments

C.

A steady increase in the time to recover from incidents

D.

A large number of control exceptions

Buy Now
Questions 478

Which of the following BEST mitigates the risk of violating privacy laws when transferring personal information lo a supplier?

Options:

A.

Encrypt the data while in transit lo the supplier

B.

Contractually obligate the supplier to follow privacy laws.

C.

Require independent audits of the supplier's control environment

D.

Utilize blockchain during the data transfer

Buy Now
Questions 479

Which of the following is the MOST appropriate key control indicator (KCI) to help an organization prevent successful cyber risk events on the external-facing infrastructure?

Options:

A.

Increasing number of threat actors

B.

Increasing number of intrusion detection system (IDS) false positive alerts

C.

Increasing percentage of unpatched demilitarized zone (DMZ) servers

D.

Increasing trend of perimeter attacks

Buy Now
Questions 480

The MOST important measure of the effectiveness of risk management in project implementation is the percentage of projects:

Options:

A.

introduced into production without high-risk issues.

B.

having the risk register updated regularly.

C.

having key risk indicators (KRIs) established to measure risk.

D.

having an action plan to remediate overdue issues.

Buy Now
Questions 481

From a risk management perspective, the PRIMARY objective of using maturity models is to enable:

Options:

A.

solution delivery.

B.

resource utilization.

C.

strategic alignment.

D.

performance evaluation.

Buy Now
Questions 482

An organization mandates the escalation of a service ticket when a key application is offline for 5 minutes or more due to potential risk exposure. The risk practitioner has been asked by management to prepare a report of application offline times using both 3- and 5-minute thresholds. What does the 3-minute threshold represent?

Options:

A.

Recovery Time Objective (RTO)

B.

Key Risk Indicator (KRI)

C.

Recovery Point Objective (RPO)

D.

Key Performance Indicator (KPI)

Buy Now
Questions 483

A business unit is implementing a data analytics platform to enhance its customer relationship management (CRM) system primarily to process data that has been provided by its customers. Which of the following presents the GREATEST risk to the organization's reputation?

Options:

A.

Third-party software is used for data analytics.

B.

Data usage exceeds individual consent.

C.

Revenue generated is not disclosed to customers.

D.

Use of a data analytics system is not disclosed to customers.

Buy Now
Questions 484

Optimized risk management is achieved when risk is reduced:

Options:

A.

with strategic initiatives.

B.

to meet risk appetite.

C.

within resource availability.

D.

below risk appetite.

Buy Now
Questions 485

Which of the following is MOST important to review when determining whether a potential IT service provider’s control environment is effective?

Options:

A.

Independent audit report

B.

Control self-assessment

C.

MOST important to update when an

D.

Service level agreements (SLAs)

Buy Now
Questions 486

Which of the following should be considered FIRST when creating a comprehensive IT risk register?

Options:

A.

Risk management budget

B.

Risk mitigation policies

C.

Risk appetite

D.

Risk analysis techniques

Buy Now
Questions 487

A threat intelligence team has identified an indicator of compromise related to an advanced persistent threat (APT) actor. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Review the most recent vulnerability scanning report.

B.

Determine the business criticality of the asset.

C.

Determine the adequacy of existing security controls.

D.

Review prior security incidents related to the asset.

Buy Now
Questions 488

An organization recently invested in an identity and access management (IAM) solution to manage user activities across corporate mobile devices. Which of the following is MOST important to update in the risk register?

Options:

A.

Inherent risk

B.

Risk appetite

C.

Risk tolerance

D.

Residual risk

Buy Now
Questions 489

Which of the following is MOST helpful in providing an overview of an organization's risk management program?

Options:

A.

Risk management treatment plan

B.

Risk assessment results

C.

Risk management framework

D.

Risk register

Buy Now
Questions 490

Which of the following should be the MOST important consideration when determining controls necessary for a highly critical information system?

Options:

A.

The number of threats to the system

B.

The organization's available budget

C.

The number of vulnerabilities to the system

D.

The level of acceptable risk to the organization

Buy Now
Questions 491

Reviewing historical risk events is MOST useful for which of the following processes within the risk management life cycle?

Options:

A.

Risk monitoring

B.

Risk mitigation

C.

Risk aggregation

D.

Risk assessment

Buy Now
Questions 492

Which of the following is the MOST effective way to mitigate identified risk scenarios?

Options:

A.

Assign ownership of the risk response plan

B.

Provide awareness in early detection of risk.

C.

Perform periodic audits on identified risk.

D.

areas Document the risk tolerance of the organization.

Buy Now
Questions 493

Which of the following is the MOST important information to cover a business continuity awareness Ira nine, program for all employees of the organization?

Options:

A.

Recovery time objectives (RTOs)

B.

Segregation of duties

C.

Communication plan

D.

Critical asset inventory

Buy Now
Questions 494

A recently purchased IT application does not meet project requirements. Of the following, who is accountable for the potential impact?

Options:

A.

Business analyst

B.

Project sponsor

C.

IT project team

D.

IT project management office (PMO)

Buy Now
Questions 495

Which of the following is MOST important to determine as a result of a risk assessment?

Options:

A.

Process ownership

B.

Risk appetite statement

C.

Risk tolerance levels

D.

Risk response options

Buy Now
Questions 496

An organization has decided to outsource a web application, and customer data will be stored in the vendor's public cloud. To protect customer data, it is MOST important to ensure which of the following?

Options:

A.

The organization's incident response procedures have been updated.

B.

The vendor stores the data in the same jurisdiction.

C.

Administrative access is only held by the vendor.

D.

The vendor's responsibilities are defined in the contract.

Buy Now
Questions 497

A company has located its computer center on a moderate earthquake fault. Which of the following is the MOST important consideration when establishing a contingency plan and an alternate processing site?

Options:

A.

The contingency plan provides for backup media to be taken to the alternative site.

B.

The contingency plan for high priority applications does not involve a shared cold site.

C.

The alternative site is a hot site with equipment ready to resume processing immediately.

D.

The alternative site does not reside on the same fault no matter how far the distance apart.

Buy Now
Questions 498

Which of the following BEST indicates that additional or improved controls ate needed m the environment?

Options:

A.

Management, has decreased organisational risk appetite

B.

The risk register and portfolio do not include all risk scenarios

C.

merging risk scenarios have been identified

D.

Risk events and losses exceed risk tolerance

Buy Now
Questions 499

Which of the following would be the result of a significant increase in the motivation of a malicious threat actor?

Options:

A.

Increase in mitigating control costs

B.

Increase in risk event impact

C.

Increase in risk event likelihood

D.

Increase in cybersecurity premium

Buy Now
Questions 500

Who is accountable for risk treatment?

Options:

A.

Enterprise risk management team

B.

Risk mitigation manager

C.

Business process owner

D.

Risk owner

Buy Now
Questions 501

Options:

A.

Internal email communications are not encrypted.

B.

Data transmission within the corporate network is not encrypted.

C.

Internally created documents are not automatically classified.

D.

Data transmission across public networks is not encrypted.

Buy Now
Questions 502

Following an acquisition, the acquiring company's risk practitioner has been asked to update the organization's IT risk profile What is the MOST important information to review from the acquired company to facilitate this task?

Options:

A.

Internal and external audit reports

B.

Risk disclosures in financial statements

C.

Risk assessment and risk register

D.

Business objectives and strategies

Buy Now
Questions 503

When developing a risk awareness training program, which of the following is the BEST way to promote a risk-aware culture?

Options:

A.

Emphasize individual responsibility for managing risk.

B.

Communicate incident escalation procedures.

C.

Illustrate methods to identify threats and vulnerabilities.

D.

Challenge the effectiveness of business processes.

Buy Now
Questions 504

Which of the following is the MOST important consideration when prioritizing risk response?

Options:

A.

Requirements for regulatory obligations.

B.

Cost of control implementation.

C.

Effectiveness of risk treatment.

D.

Number of risk response options.

Buy Now
Questions 505

Which types of controls are BEST used to minimize the risk associated with a vulnerability?

Options:

A.

Detective

B.

Preventive

C.

Deterrent

D.

Directive

Buy Now
Questions 506

Which of the following would BEST help to ensure that suspicious network activity is identified?

Options:

A.

Analyzing intrusion detection system (IDS) logs

B.

Analyzing server logs

C.

Using a third-party monitoring provider

D.

Coordinating events with appropriate agencies

Buy Now
Questions 507

Which key performance efficiency IKPI) BEST measures the effectiveness of an organization's disaster recovery program?

Options:

A.

Number of service level agreement (SLA) violations

B.

Percentage of recovery issues identified during the exercise

C.

Number of total systems recovered within tie recovery point objective (RPO)

D.

Percentage of critical systems recovered within tie recovery time objective (RTO)

Buy Now
Questions 508

Which of the following controls BEST helps to ensure that transaction data reaches its destination?

Options:

A.

Securing the network from attacks

B.

Providing acknowledgments from receiver to sender

C.

Digitally signing individual messages

D.

Encrypting data-in-transit

Buy Now
Questions 509

Which of the following is the PRIMARY reason to have the risk management process reviewed by a third party?

Options:

A.

Obtain objective assessment of the control environment.

B.

Ensure the risk profile is defined and communicated.

C.

Validate the threat management process.

D.

Obtain an objective view of process gaps and systemic errors.

Buy Now
Questions 510

The acceptance of control costs that exceed risk exposure is MOST likely an example of:

Options:

A.

low risk tolerance.

B.

corporate culture misalignment.

C.

corporate culture alignment.

D.

high risk tolerance

Buy Now
Questions 511

Which of the following is the PRIMARY reason for a risk practitioner to examine a post-implementation review report for a control automation tool?

Options:

A.

To verify that budget for the project is managed effectively

B.

To confirm compliance with project management methodology

C.

To ensure the risk is managed to an acceptable level

D.

To ensure audit findings are addressed in a timely manner

Buy Now
Questions 512

When reviewing the business continuity plan (BCP) of an online sales order system, a risk practitioner notices that the recovery time objective (RTO) has a shorter lime than what is defined in the disaster recovery plan (DRP). Which of the following is the BEST way for the risk practitioner to address this concern?

Options:

A.

Adopt the RTO defined in the BCR

B.

Update the risk register to reflect the discrepancy.

C.

Adopt the RTO defined in the DRP.

D.

Communicate the discrepancy to the DR manager for follow-up.

Buy Now
Questions 513

An organization becomes aware that IT security failed to detect a coordinated

cyber attack on its data center. Which of the following is the BEST course of

action?

Options:

A.

Perform a business impact analysis (BIA).

B.

Identify compensating controls

C.

Conduct a root cause analysis.

D.

Revise key risk indicator (KRI) thresholds.

Buy Now
Questions 514

Which of the following is the MOST important data source for monitoring key risk indicators (KRIs)?

Options:

A.

Directives from legal and regulatory authorities

B.

Audit reports from internal information systems audits

C.

Automated logs collected from different systems

D.

Trend analysis of external risk factors

Buy Now
Questions 515

A new policy has been published to forbid copying of data onto removable media. Which type of control has been implemented?

Options:

A.

Preventive

B.

Detective

C.

Directive

D.

Deterrent

Buy Now
Questions 516

Which of the following is the PRIMARY reason for a risk practitioner to use global standards related to risk management?

Options:

A.

To build an organizational risk-aware culture

B.

To continuously improve risk management processes

C.

To comply with legal and regulatory requirements

D.

To identify gaps in risk management practices

Buy Now
Questions 517

An IT risk practitioner is evaluating an organization's change management controls over the last six months. The GREATEST concern would be an increase in:

Options:

A.

rolled back changes below management's thresholds.

B.

change-related exceptions per month.

C.

the average implementation time for changes.

D.

number of user stories approved for implementation.

Buy Now
Questions 518

Which of the following controls BEST enables an organization to ensure a complete and accurate IT asset inventory?

Options:

A.

Prohibiting the use of personal devices for business

B.

Performing network scanning for unknown devices

C.

Requesting an asset list from business owners

D.

Documenting asset configuration baselines

Buy Now
Questions 519

The PRIMARY objective for requiring an independent review of an organization's IT risk management process should be to:

Options:

A.

assess gaps in IT risk management operations and strategic focus.

B.

confirm that IT risk assessment results are expressed as business impact.

C.

verify implemented controls to reduce the likelihood of threat materialization.

D.

ensure IT risk management is focused on mitigating potential risk.

Buy Now
Questions 520

Which of the following is the MOST important key performance indicator (KPI) to establish in the service level agreement (SLA) for an outsourced data center?

Options:

A.

Percentage of systems included in recovery processes

B.

Number of key systems hosted

C.

Average response time to resolve system incidents

D.

Percentage of system availability

Buy Now
Questions 521

When a risk practitioner is determining a system's criticality. it is MOST helpful to review the associated:

Options:

A.

process flow.

B.

business impact analysis (BIA).

C.

service level agreement (SLA).

D.

system architecture.

Buy Now
Questions 522

The BEST use of key risk indicators (KRIs) is to provide:

Options:

A.

Early indication of increasing exposure to a specific risk.

B.

Lagging indication of major information security incidents.

C.

Early indication of changes to required risk response.

D.

Insight into the performance of a monitored process.

Buy Now
Questions 523

When a risk practitioner is building a key risk indicator (KRI) from aggregated data, it is CRITICAL that the data is derived from:

Options:

A.

business process owners.

B.

representative data sets.

C.

industry benchmark data.

D.

data automation systems.

Buy Now
Exam Code: CRISC
Exam Name: Certified in Risk and Information Systems Control
Last Update: Aug 30, 2025
Questions: 1745
CRISC pdf

CRISC PDF

$25.5  $84.99
CRISC Engine

CRISC Testing Engine

$30  $99.99
CRISC PDF + Engine

CRISC PDF + Testing Engine

$40.5  $134.99