Summer Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: cramtreat

CRISC Certified in Risk and Information Systems Control Questions and Answers

Questions 4

Which of the following would MOST effectively reduce the potential for inappropriate exposure of vulnerabilities documented in an organization's risk register?

Options:

A.

Limit access to senior management only.

B.

Encrypt the risk register.

C.

Implement role-based access.

D.

Require users to sign a confidentiality agreement.

Buy Now
Questions 5

A risk practitioner is defining metrics for security threats that were not identified by antivirus software. Which type of metric is being developed?

Options:

A.

Key control indicator (KCI)

B.

Key risk indicator (KRI)

C.

Operational level agreement (OLA)

D.

Service level agreement (SLA)

Buy Now
Questions 6

The results of a risk assessment reveal risk scenarios with high impact and low likelihood of occurrence. Which of the following would be the BEST action to address these scenarios?

Options:

A.

Assemble an incident response team.

B.

Create a disaster recovery plan (DRP).

C.

Develop a risk response plan.

D.

Initiate a business impact analysis (BIA).

Buy Now
Questions 7

Which of the following is the MOST reliable validation of a new control?

Options:

A.

Approval of the control by senior management

B.

Complete and accurate documentation of control objectives

C.

Control owner attestation of control effectiveness

D.

Internal audit review of control design

Buy Now
Questions 8

When classifying and prioritizing risk responses, the areas to address FIRST are those with:

Options:

A.

low cost effectiveness ratios and high risk levels

B.

high cost effectiveness ratios and low risk levels.

C.

high cost effectiveness ratios and high risk levels

D.

low cost effectiveness ratios and low risk levels.

Buy Now
Questions 9

Which of the following is a risk practitioner's BEST recommendation regarding disaster recovery management (DRM) for Software as a Service (SaaS) providers?

Options:

A.

Conduct inoremental backups of data in the SaaS environment to a local data center.

B.

Implement segregation of duties between multiple SaaS solution providers.

C.

Codify availability requirements in the SaaS provider's contract.

D.

Conduct performance benchmarking against other SaaS service providers.

Buy Now
Questions 10

Which of the following should be accountable for ensuring that media containing financial information are adequately destroyed per an organization's data disposal policy?

Options:

A.

Compliance manager

B.

Data architect

C.

Data owner

D.

Chief information officer (CIO)

Buy Now
Questions 11

Which of the following is the BEST key performance indicator (KPI) to measure the ability to deliver uninterrupted IT services?

Options:

A.

Mean time between failures (MTBF)

B.

Mean time to recover (MTTR)

C.

Planned downtime

D.

Unplanned downtime

Buy Now
Questions 12

Which of the following is the BEST way to prevent the loss of highly sensitive data when disposing of storage media?

Options:

A.

Physical destruction

B.

Degaussing

C.

Data anonymization

D.

Data deletion

Buy Now
Questions 13

Which of the following is MOST important to determine as a result of a risk assessment?

Options:

A.

Process ownership

B.

Risk appetite statement

C.

Risk tolerance levels

D.

Risk response options

Buy Now
Questions 14

Which of the following BEST enables senior management lo compare the ratings of risk scenarios?

Options:

A.

Key risk indicators (KRIs)

B.

Key performance indicators (KPIs)

C.

Control self-assessment (CSA)

D.

Risk heat map

Buy Now
Questions 15

Which of the following should be initiated when a high number of noncompliant conditions are observed during review of a control procedure?

Options:

A.

Disciplinary action

B.

A control self-assessment

C.

A review of the awareness program

D.

Root cause analysis

Buy Now
Questions 16

What is the PRIMARY reason an organization should include background checks on roles with elevated access to production as part of its hiring process?

Options:

A.

Reduce internal threats

B.

Reduce exposure to vulnerabilities

C.

Eliminate risk associated with personnel

D.

Ensure new hires have the required skills

Buy Now
Questions 17

Which of the following is the PRIMARY benefit of integrating risk and security requirements in an organization's enterprise architecture (EA)?

Options:

A.

Adherence to legal and compliance requirements

B.

Reduction in the number of test cases in the acceptance phase

C.

Establishment of digital forensic architectures

D.

Consistent management of information assets

Buy Now
Questions 18

An organization has outsourced a critical process involving highly regulated data to a third party with servers located in a foreign country. Who is accountable for the confidentiality of this data?

Options:

A.

Third-party data custodian

B.

Data custodian

C.

Regional office executive

D.

Data owner

Buy Now
Questions 19

Which of the following provides the MOST useful information to trace the impact of aggregated risk across an organization's technical environment?

Options:

A.

Business case documentation

B.

Organizational risk appetite statement

C.

Enterprise architecture (EA) documentation

D.

Organizational hierarchy

Buy Now
Questions 20

Of the following, whose input is ESSENTIAL when developing risk scenarios for the implementation of a third-party mobile application that stores customer data?

Options:

A.

Information security manager

B.

IT vendor manager

C.

Business process owner

D.

IT compliance manager

Buy Now
Questions 21

A risk practitioner is reviewing a vendor contract and finds there is no clause to control privileged access to the organization's systems by vendor employees. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Contact the control owner to determine if a gap in controls exists.

B.

Add this concern to the risk register and highlight it for management review.

C.

Report this concern to the contracts department for further action.

D.

Document this concern as a threat and conduct an impact analysis.

Buy Now
Questions 22

Prior to selecting key performance indicators (KPIs), itis MOST important to ensure:

Options:

A.

trending data is available.

B.

process flowcharts are current.

C.

measurement objectives are defined.

D.

data collection technology is available.

Buy Now
Questions 23

A risk practitioner has been asked to evaluate the adoption of a third-party blockchain integration platform based on the value added by the platform and the organization's risk appetite. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Conduct a risk assessment with stakeholders.

B.

Conduct third-party resilience tests.

C.

Update the risk register with the process changes.

D.

Review risk related to standards and regulations.

Buy Now
Questions 24

The cost of maintaining a control has grown to exceed the potential loss. Which of the following BEST describes this situation?

Options:

A.

Insufficient risk tolerance

B.

Optimized control management

C.

Effective risk management

D.

Over-controlled environment

Buy Now
Questions 25

Which of the following is MOST important to consider when assessing the likelihood that a recently discovered software vulnerability will be exploited?

Options:

A.

The skill level required of a threat actor

B.

The amount of personally identifiable information (PH) disclosed

C.

The ability to detect and trace the threat action

D.

The amount of data that might be exposed by a threat action

Buy Now
Questions 26

An organization has just implemented changes to close an identified vulnerability that impacted a critical business process. What should be the NEXT course of action?

Options:

A.

Redesign the heat map.

B.

Review the risk tolerance.

C.

Perform a business impact analysis (BIA)

D.

Update the risk register.

Buy Now
Questions 27

Which of the following is the MOST important reason to restrict access to the risk register on a need-to-know basis?

Options:

A.

It contains vulnerabilities and threats.

B.

The risk methodology is intellectual property.

C.

Contents may be used as auditable findings.

D.

Risk scenarios may be misinterpreted.

Buy Now
Questions 28

A poster has been displayed in a data center that reads. "Anyone caught taking photographs in the data center may be subject to disciplinary action." Which of the following control types has been implemented?

Options:

A.

Corrective

B.

Detective

C.

Deterrent

D.

Preventative

Buy Now
Questions 29

A risk assessment has revealed that the probability of a successful cybersecurity attack is increasing. The potential loss could exceed the organization's risk appetite. Which of the following ould be the MOST effective course of action?

Options:

A.

Re-evaluate the organization's risk appetite.

B.

Outsource the cybersecurity function.

C.

Purchase cybersecurity insurance.

D.

Review cybersecurity incident response procedures.

Buy Now
Questions 30

Which of the following is a risk practitioner's BEST recommendation upon learning that an employee inadvertently disclosed sensitive data to a vendor?

Options:

A.

Enroll the employee in additional security training.

B.

Invoke the incident response plan.

C.

Conduct an internal audit.

D.

Instruct the vendor to delete the data.

Buy Now
Questions 31

A data center has recently been migrated to a jurisdiction where heavy fines will be imposed should leakage of customer personal data occur. Assuming no other changes to the operating environment, which factor should be updated to reflect this situation as an input to scenario development for this particular risk event?

Options:

A.

Risk likelihood

B.

Risk impact

C.

Risk capacity

D.

Risk appetite

Buy Now
Questions 32

Which of the following is the MOST useful information an organization can obtain from external sources about emerging threats?

Options:

A.

Solutions for eradicating emerging threats

B.

Cost to mitigate the risk resulting from threats

C.

Indicators for detecting the presence of threatsl)

D.

Source and identity of attackers

Buy Now
Questions 33

An assessment of information security controls has identified ineffective controls. Which of the following should be the risk practitioner's FIRST course of action?

Options:

A.

Determine whether the impact is outside the risk appetite.

B.

Report the ineffective control for inclusion in the next audit report.

C.

Request a formal acceptance of risk from senior management.

D.

Deploy a compensating control to address the identified deficiencies.

Buy Now
Questions 34

Which of the following is the BEST way to ensure ongoing control effectiveness?

Options:

A.

Establishing policies and procedures

B.

Periodically reviewing control design

C.

Measuring trends in control performance

D.

Obtaining management control attestations

Buy Now
Questions 35

Which of the following is the GREATEST benefit of updating the risk register to include outcomes from a risk assessment?

Options:

A.

It maintains evidence of compliance with risk policy.

B.

It facilitates timely risk-based decisions.

C.

It validates the organization's risk appetite.

D.

It helps to mitigate internal and external risk factors.

Buy Now
Questions 36

Which of the following BEST enables an organization to determine whether risk management is aligned with its goals and objectives?

Options:

A.

The organization has approved policies that provide operational boundaries.

B.

Organizational controls are in place to effectively manage risk appetite.

C.

Environmental changes that impact risk are continually evaluated.

D.

The organization has an approved enterprise architecture (EA) program.

Buy Now
Questions 37

Zero Trust architecture is designed and deployed with adherence to which of the following basic tenets?

Options:

A.

Incoming traffic must be inspected before connection is established.

B.

Security frameworks and libraries should be leveraged.

C.

Digital identities should be implemented.

D.

All communication is secured regardless of network location.

Buy Now
Questions 38

Which of the following is the PRIMARY consideration when establishing an organization's risk management methodology?

Options:

A.

Business context

B.

Risk tolerance level

C.

Resource requirements

D.

Benchmarking information

Buy Now
Questions 39

Which of the following facilitates a completely independent review of test results for evaluating control effectiveness?

Options:

A.

Segregation of duties

B.

Three lines of defense

C.

Compliance review

D.

Quality assurance review

Buy Now
Questions 40

What should be the PRIMARY driver for periodically reviewing and adjusting key risk indicators (KRIs)?

Options:

A.

Risk impact

B.

Risk likelihood

C.

Risk appropriate

D.

Control self-assessments (CSAs)

Buy Now
Questions 41

Which of the following is an IT business owner's BEST course of action following an unexpected increase in emergency changes?

Options:

A.

Evaluating the impact to control objectives

B.

Conducting a root cause analysis

C.

Validating the adequacy of current processes

D.

Reconfiguring the IT infrastructure

Buy Now
Questions 42

Who is BEST suited to determine whether a new control properly mitigates data loss risk within a system?

Options:

A.

Data owner

B.

Control owner

C.

Risk owner

D.

System owner

Buy Now
Questions 43

The PRIMARY advantage of involving end users in continuity planning is that they:

Options:

A.

have a better understanding of specific business needs

B.

can balance the overall technical and business concerns

C.

can see the overall impact to the business

D.

are more objective than information security management.

Buy Now
Questions 44

Which of the following is a KEY consideration for a risk practitioner to communicate to senior management evaluating the introduction of artificial intelligence (Al) solutions into the organization?

Options:

A.

Al requires entirely new risk management processes.

B.

Al potentially introduces new types of risk.

C.

Al will result in changes to business processes.

D.

Third-party Al solutions increase regulatory obligations.

Buy Now
Questions 45

During a risk treatment plan review, a risk practitioner finds the approved risk action plan has not been completed However, there were other risk mitigation actions implemented. Which of the fallowing is the BEST course of action?

Options:

A.

Review the cost-benefit of mitigating controls

B.

Mark the risk status as unresolved within the risk register

C.

Verify the sufficiency of mitigating controls with the risk owner

D.

Update the risk register with implemented mitigating actions

Buy Now
Questions 46

Analyzing trends in key control indicators (KCIs) BEST enables a risk practitioner to proactively identify impacts on an organization's:

Options:

A.

risk classification methods

B.

risk-based capital allocation

C.

risk portfolio

D.

risk culture

Buy Now
Questions 47

Which of the following is MOST useful when communicating risk to management?

Options:

A.

Risk policy

B.

Audit report

C.

Risk map

D.

Maturity model

Buy Now
Questions 48

An organization recently received an independent security audit report of its cloud service provider that indicates significant control weaknesses. What should be done NEXT in response to this report?

Options:

A.

Migrate all data to another compliant service provider.

B.

Analyze the impact of the provider's control weaknesses to the business.

C.

Conduct a follow-up audit to verify the provider's control weaknesses.

D.

Review the contract to determine if penalties should be levied against the provider.

Buy Now
Questions 49

A vulnerability assessment of a vendor-supplied solution has revealed that the software is susceptible to cross-site scripting and SQL injection attacks. Which of the following will BEST mitigate this issue?

Options:

A.

Monitor the databases for abnormal activity

B.

Approve exception to allow the software to continue operating

C.

Require the software vendor to remediate the vulnerabilities

D.

Accept the risk and let the vendor run the software as is

Buy Now
Questions 50

Which of the following is the BEST way for an organization to enable risk treatment decisions?

Options:

A.

Allocate sufficient funds for risk remediation.

B.

Promote risk and security awareness.

C.

Establish clear accountability for risk.

D.

Develop comprehensive policies and standards.

Buy Now
Questions 51

Which of the following should be done FIRST when developing a data protection management plan?

Options:

A.

Perform a cost-benefit analysis.

B.

Identify critical data.

C.

Establish a data inventory.

D.

Conduct a risk analysis.

Buy Now
Questions 52

An organizations chief technology officer (CTO) has decided to accept the risk associated with the potential loss from a denial-of-service (DoS) attack. In this situation, the risk practitioner's BEST course of action is to:

Options:

A.

identify key risk indicators (KRls) for ongoing monitoring

B.

validate the CTO's decision with the business process owner

C.

update the risk register with the selected risk response

D.

recommend that the CTO revisit the risk acceptance decision.

Buy Now
Questions 53

Which of the following BEST confirms the existence and operating effectiveness of information systems controls?

Options:

A.

Self-assessment questionnaires completed by management

B.

Review of internal audit and third-party reports

C.

Management review and sign-off on system documentation

D.

First-hand direct observation of the controls in operation

Buy Now
Questions 54

Which of the following is the BEST key performance indicator (KPI) for determining how well an IT policy is aligned to business requirements?

Options:

A.

Total cost to support the policy

B.

Number of exceptions to the policy

C.

Total cost of policy breaches

D.

Number of inquiries regarding the policy

Buy Now
Questions 55

Which of the following statements in an organization's current risk profile report is cause for further action by senior management?

Options:

A.

Key performance indicator (KPI) trend data is incomplete.

B.

New key risk indicators (KRIs) have been established.

C.

Key performance indicators (KPIs) are outside of targets.

D.

Key risk indicators (KRIs) are lagging.

Buy Now
Questions 56

Which of the following is MOST important for a risk practitioner to ensure once a risk action plan has been completed?

Options:

A.

The risk owner has validated outcomes.

B.

The risk register has been updated.

C.

The control objectives are mapped to risk objectives.

D.

The requirements have been achieved.

Buy Now
Questions 57

An organization has identified that terminated employee accounts are not disabled or deleted within the time required by corporate policy. Unsure of the reason, the organization has decided to monitor the situation for three months to obtain more information. As a result of this decision, the risk has been:

Options:

A.

avoided.

B.

accepted.

C.

mitigated.

D.

transferred.

Buy Now
Questions 58

A recent audit identified high-risk issues in a business unit though a previous control self-assessment (CSA) had good results. Which of the following is the MOST likely reason for the difference?

Options:

A.

The audit had a broader scope than the CSA.

B.

The CSA was not sample-based.

C.

The CSA did not test control effectiveness.

D.

The CSA was compliance-based, while the audit was risk-based.

Buy Now
Questions 59

Which of the following would be MOST helpful to a risk practitioner when ensuring that mitigated risk remains within acceptable limits?

Options:

A.

Building an organizational risk profile after updating the risk register

B.

Ensuring risk owners participate in a periodic control testing process

C.

Designing a process for risk owners to periodically review identified risk

D.

Implementing a process for ongoing monitoring of control effectiveness

Buy Now
Questions 60

Which of the following is the MOST effective way to integrate risk and compliance management?

Options:

A.

Embedding risk management into compliance decision-making

B.

Designing corrective actions to improve risk response capabilities

C.

Embedding risk management into processes that are aligned with business drivers

D.

Conducting regular self-assessments to verify compliance

Buy Now
Questions 61

Which of the following approaches would BEST help to identify relevant risk scenarios?

Options:

A.

Engage line management in risk assessment workshops.

B.

Escalate the situation to risk leadership.

C.

Engage internal audit for risk assessment workshops.

D.

Review system and process documentation.

Buy Now
Questions 62

While evaluating control costs, management discovers that the annual cost exceeds the annual loss expectancy (ALE) of the risk. This indicates the:

Options:

A.

control is ineffective and should be strengthened

B.

risk is inefficiently controlled.

C.

risk is efficiently controlled.

D.

control is weak and should be removed.

Buy Now
Questions 63

An organization planning to transfer and store its customer data with an offshore cloud service provider should be PRIMARILY concerned with:

Options:

A.

data aggregation

B.

data privacy

C.

data quality

D.

data validation

Buy Now
Questions 64

An organization has detected unauthorized logins to its client database servers. Which of the following should be of GREATEST concern?

Options:

A.

Potential increase in regulatory scrutiny

B.

Potential system downtime

C.

Potential theft of personal information

D.

Potential legal risk

Buy Now
Questions 65

Upon learning that the number of failed back-up attempts continually exceeds the current risk threshold, the risk practitioner should:

Options:

A.

inquire about the status of any planned corrective actions

B.

keep monitoring the situation as there is evidence that this is normal

C.

adjust the risk threshold to better reflect actual performance

D.

initiate corrective action to address the known deficiency

Buy Now
Questions 66

A business unit is implementing a data analytics platform to enhance its customer relationship management (CRM) system primarily to process data that has been provided by its customers. Which of the following presents the GREATEST risk to the organization's reputation?

Options:

A.

Third-party software is used for data analytics.

B.

Data usage exceeds individual consent.

C.

Revenue generated is not disclosed to customers.

D.

Use of a data analytics system is not disclosed to customers.

Buy Now
Questions 67

An organization is unable to implement a multi-factor authentication requirement until the next fiscal year due to budget constraints. Consequently, a policy exception must be submitted. Which of the following is MOST important to include in the analysis of the exception?

Options:

A.

Sections of the policy that may justify not implementing the requirement

B.

Risk associated with the inability to implement the requirement

C.

Budget justification to implement the new requirement during the current year

D.

Industry best practices with respect to implementation of the proposed control

Buy Now
Questions 68

Which of the following is MOST important for developing effective key risk indicators (KRIs)?

Options:

A.

Engaging sponsorship by senior management

B.

Utilizing data and resources internal to the organization

C.

Including input from risk and business unit management

D.

Developing in collaboration with internal audit

Buy Now
Questions 69

Which of the following BEST enables the risk profile to serve as an effective resource to support business objectives?

Options:

A.

Engaging external risk professionals to periodically review the risk

B.

Prioritizing global standards over local requirements in the risk profile

C.

Updating the risk profile with risk assessment results

D.

Assigning quantitative values to qualitative metrics in the risk register

Buy Now
Questions 70

When presenting risk, the BEST method to ensure that the risk is measurable against the organization's risk appetite is through the use of a:

Options:

A.

risk map

B.

cause-and-effect diagram

C.

maturity model

D.

technology strategy plan.

Buy Now
Questions 71

Which stakeholders are PRIMARILY responsible for determining enterprise IT risk appetite?

Options:

A.

Audit and compliance management

B.

The chief information officer (CIO) and the chief financial officer (CFO)

C.

Enterprise risk management and business process owners

D.

Executive management and the board of directors

Buy Now
Questions 72

An organization is measuring the effectiveness of its change management program to reduce the number of unplanned production changes. Which of the following would be the BEST metric to determine if the program is performing as expected?

Options:

A.

Decrease in the time to move changes to production

B.

Ratio of emergency fixes to total changes

C.

Ratio of system changes to total changes

D.

Decrease in number of changes without a fallback plan

Buy Now
Questions 73

Which of the following is MOST important to the effective monitoring of key risk indicators (KRIS)?

Options:

A.

Updating the threat inventory with new threats

B.

Automating log data analysis

C.

Preventing the generation of false alerts

D.

Determining threshold levels

Buy Now
Questions 74

An organization has four different projects competing for funding to reduce overall IT risk. Which project should management defer?

Options:

A.

Project Charlie

B.

Project Bravo

C.

Project Alpha

D.

Project Delta

Buy Now
Questions 75

From a risk management perspective, which of the following is the PRIMARY benefit of using automated system configuration validation tools?

Options:

A.

Residual risk is reduced.

B.

Staff costs are reduced.

C.

Operational costs are reduced.

D.

Inherent risk is reduced.

Buy Now
Questions 76

Which of the following will BEST help ensure that risk factors identified during an information systems review are addressed?

Options:

A.

Informing business process owners of the risk

B.

Reviewing and updating the risk register

C.

Assigning action items and deadlines to specific individuals

D.

Implementing new control technologies

Buy Now
Questions 77

Which of the following is MOST likely to be impacted as a result of a new policy which allows staff members to remotely connect to the organization's IT systems via personal or public computers?

Options:

A.

Risk appetite

B.

Inherent risk

C.

Key risk indicator (KRI)

D.

Risk tolerance

Buy Now
Questions 78

A risk practitioner is reporting on an increasing trend of ransomware attacks in the industry. Which of the following information is MOST important to include to enable an informed response decision by key stakeholders?

Options:

A.

Methods of attack progression

B.

Losses incurred by industry peers

C.

Most recent antivirus scan reports

D.

Potential impact of events

Buy Now
Questions 79

Which of the following is MOST helpful in verifying that the implementation of a risk mitigation control has been completed as intended?

Options:

A.

An updated risk register

B.

Risk assessment results

C.

Technical control validation

D.

Control testing results

Buy Now
Questions 80

The PRIMARY purpose of using control metrics is to evaluate the:

Options:

A.

amount of risk reduced by compensating controls.

B.

amount of risk present in the organization.

C.

variance against objectives.

D.

number of incidents.

Buy Now
Questions 81

Which of the following would be MOST relevant to stakeholders regarding ineffective control implementation?

Options:

A.

Threat to IT

B.

Number of control failures

C.

Impact on business

D.

Risk ownership

Buy Now
Questions 82

An external security audit has reported multiple findings related to control noncompliance. Which of the following would be MOST important for the risk practitioner to communicate to senior management?

Options:

A.

A recommendation for internal audit validation

B.

Plans for mitigating the associated risk

C.

Suggestions for improving risk awareness training

D.

The impact to the organization’s risk profile

Buy Now
Questions 83

Who should be responsible for implementing and maintaining security controls?

Options:

A.

End user

B.

Internal auditor

C.

Data owner

D.

Data custodian

Buy Now
Questions 84

Which of the following is the GREATEST concern when using a generic set of IT risk scenarios for risk analysis?

Options:

A.

Quantitative analysis might not be possible.

B.

Risk factors might not be relevant to the organization

C.

Implementation costs might increase.

D.

Inherent risk might not be considered.

Buy Now
Questions 85

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an anti-virus program?

Options:

A.

Frequency of anti-virus software updates

B.

Number of alerts generated by the anti-virus software

C.

Number of false positives detected over a period of time

D.

Percentage of IT assets with current malware definitions

Buy Now
Questions 86

Which of the following is MOST important when developing risk scenarios?

Options:

A.

The scenarios are based on industry best practice.

B.

The scenarios focus on current vulnerabilities.

C.

The scenarios are relevant to the organization.

D.

The scenarios include technical consequences.

Buy Now
Questions 87

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability management process?

Options:

A.

Percentage of vulnerabilities remediated within the agreed service level

B.

Number of vulnerabilities identified during the period

C.

Number of vulnerabilities re-opened during the period

D.

Percentage of vulnerabilities escalated to senior management

Buy Now
Questions 88

A risk owner has accepted a high-impact risk because the control was adversely affecting process efficiency. Before updating the risk register, it is MOST important for the risk practitioner to:

Options:

A.

ensure suitable insurance coverage is purchased.

B.

negotiate with the risk owner on control efficiency.

C.

reassess the risk to confirm the impact.

D.

obtain approval from senior management.

Buy Now
Questions 89

Quantifying the value of a single asset helps the organization to understand the:

Options:

A.

overall effectiveness of risk management

B.

consequences of risk materializing

C.

necessity of developing a risk strategy,

D.

organization s risk threshold.

Buy Now
Questions 90

Which of the following is the BEST way to determine software license compliance?

Options:

A.

List non-compliant systems in the risk register.

B.

Conduct periodic compliance reviews.

C.

Review whistleblower reports of noncompliance.

D.

Monitor user software download activity.

Buy Now
Questions 91

Which of the following is MOST important for an organization that wants to reduce IT operational risk?

Options:

A.

Increasing senior management's understanding of IT operations

B.

Increasing the frequency of data backups

C.

Minimizing complexity of IT infrastructure

D.

Decentralizing IT infrastructure

Buy Now
Questions 92

The PRIMARY reason for periodically monitoring key risk indicators (KRIs) is to:

Options:

A.

rectify errors in results of KRIs.

B.

detect changes in the risk profile.

C.

reduce costs of risk mitigation controls.

D.

continually improve risk assessments.

Buy Now
Questions 93

A control owner identifies that the organization's shared drive contains personally identifiable information (Pll) that can be accessed by all personnel. Which of the following is the MOST effective risk response?

Options:

A.

Protect sensitive information with access controls.

B.

Implement a data loss prevention (DLP) solution.

C.

Re-communicate the data protection policy.

D.

Implement a data encryption solution.

Buy Now
Questions 94

The MOST significant benefit of using a consistent risk ranking methodology across an organization is that it enables:

Options:

A.

allocation of available resources

B.

clear understanding of risk levels

C.

assignment of risk to the appropriate owners

D.

risk to be expressed in quantifiable terms

Buy Now
Questions 95

Which of the following can be used to assign a monetary value to risk?

Options:

A.

Annual loss expectancy (ALE)

B.

Business impact analysis

C.

Cost-benefit analysis

D.

Inherent vulnerabilities

Buy Now
Questions 96

Which of the following is the FIRST step when developing a business case to drive the adoption of a risk remediation project by senior management?

Options:

A.

Calculating the cost

B.

Analyzing cost-effectiveness

C.

Determining the stakeholders

D.

Identifying the objectives

Buy Now
Questions 97

Which of the following is the MOST important objective of embedding risk management practices into the initiation phase of the project management life cycle?

Options:

A.

To deliver projects on time and on budget

B.

To assess inherent risk

C.

To include project risk in the enterprise-wide IT risk profit.

D.

To assess risk throughout the project

Buy Now
Questions 98

Which of the following is MOST important for an organization to have in place when developing a risk management framework?

Options:

A.

A strategic approach to risk including an established risk appetite

B.

A risk-based internal audit plan for the organization

C.

A control function within the risk management team

D.

An organization-wide risk awareness training program

Buy Now
Questions 99

When assessing the maturity level of an organization's risk management framework, which of the following deficiencies should be of GREATEST concern to a risk practitioner?

Options:

A.

Unclear organizational risk appetite

B.

Lack of senior management participation

C.

Use of highly customized control frameworks

D.

Reliance on qualitative analysis methods

Buy Now
Questions 100

Which of the following is MOST important when defining controls?

Options:

A.

Identifying monitoring mechanisms

B.

Including them in the risk register

C.

Aligning them with business objectives

D.

Prototyping compensating controls

Buy Now
Questions 101

Of the following, who should be responsible for determining the inherent risk rating of an application?

Options:

A.

Application owner

B.

Senior management

C.

Risk practitioner

D.

Business process owner

Buy Now
Questions 102

Which of the following is the MOST relevant information to include in a risk management strategy?

Options:

A.

Quantified risk triggers

B.

Cost of controls

C.

Regulatory requirements

D.

Organizational goals

Buy Now
Questions 103

A bank is experiencing an increasing incidence of customer identity theft. Which of the following is the BEST way to mitigate this risk?

Options:

A.

Implement monitoring techniques.

B.

Implement layered security.

C.

Outsource to a local processor.

D.

Conduct an awareness campaign.

Buy Now
Questions 104

An organization's HR department has implemented a policy requiring staff members to take a minimum of five consecutive days leave per year to mitigate the risk of malicious insider activities. Which of the following is the BEST key performance indicator (KPI) of the effectiveness of this policy?

Options:

A.

Number of malicious activities occurring during staff members leave

B.

Percentage of staff members seeking exception to the policy

C.

Percentage of staff members taking leave according to the policy

D.

Financial loss incurred due to malicious activities during staff members' leave

Buy Now
Questions 105

Which of the following is MOST influential when management makes risk response decisions?

Options:

A.

Risk appetite

B.

Audit risk

C.

Residual risk

D.

Detection risk

Buy Now
Questions 106

The effectiveness of a control has decreased. What is the MOST likely effect on the associated risk?

Options:

A.

The risk impact changes.

B.

The risk classification changes.

C.

The inherent risk changes.

D.

The residual risk changes.

Buy Now
Questions 107

An organization has recently updated its disaster recovery plan (DRP). Which of the following would be the GREATEST risk if the new plan is not tested?

Options:

A.

External resources may need to be involved.

B.

Data privacy regulations may be violated.

C.

Recovery costs may increase significantly.

D.

Service interruptions may be longer than anticipated.

Buy Now
Questions 108

The risk associated with inadvertent disclosure of database records from a public cloud service provider (CSP) would MOST effectively be reduced by:

Options:

A.

encrypting the data

B.

including a nondisclosure clause in the CSP contract

C.

assessing the data classification scheme

D.

reviewing CSP access privileges

Buy Now
Questions 109

An organization has received notification that it is a potential victim of a cybercrime that may have compromised sensitive customer data. What should be The FIRST course of action?

Options:

A.

Invoke the incident response plan.

B.

Determine the business impact.

C.

Conduct a forensic investigation.

D.

Invoke the business continuity plan (BCP).

Buy Now
Questions 110

To help ensure all applicable risk scenarios are incorporated into the risk register, it is MOST important to review the:

Options:

A.

risk mitigation approach

B.

cost-benefit analysis.

C.

risk assessment results.

D.

vulnerability assessment results

Buy Now
Questions 111

Which of the following activities should be performed FIRST when establishing IT risk management processes?

Options:

A.

Collect data of past incidents and lessons learned.

B.

Conduct a high-level risk assessment based on the nature of business.

C.

Identify the risk appetite of the organization.

D.

Assess the goals and culture of the organization.

Buy Now
Questions 112

A global organization has implemented an application that does not address all privacy requirements across multiple jurisdictions. Which of the following risk responses has the organization adopted with regard to privacy requirements?

Options:

A.

Risk avoidance

B.

Risk transfer

C.

Risk mitigation

D.

Risk acceptance

Buy Now
Questions 113

The BEST way to improve a risk register is to ensure the register:

Options:

A.

is updated based upon significant events.

B.

documents possible countermeasures.

C.

contains the risk assessment completion date.

D.

is regularly audited.

Buy Now
Questions 114

Which of the following is the MOST common concern associated with outsourcing to a service provider?

Options:

A.

Lack of technical expertise

B.

Combining incompatible duties

C.

Unauthorized data usage

D.

Denial of service attacks

Buy Now
Questions 115

Which of the following BEST protects an organization against breaches when using a software as a service (SaaS) application?

Options:

A.

Control self-assessment (CSA)

B.

Security information and event management (SIEM) solutions

C.

Data privacy impact assessment (DPIA)

D.

Data loss prevention (DLP) tools

Buy Now
Questions 116

Which of the following is MOST important for a risk practitioner to verify when evaluating the effectiveness of an organization's existing controls?

Options:

A.

Senior management has approved the control design.

B.

Inherent risk has been reduced from original levels.

C.

Residual risk remains within acceptable levels.

D.

Costs for control maintenance are reasonable.

Buy Now
Questions 117

The PRIMARY reason for tracking the status of risk mitigation plans is to ensure:

Options:

A.

the proposed controls are implemented as scheduled.

B.

security controls are tested prior to implementation.

C.

compliance with corporate policies.

D.

the risk response strategy has been decided.

Buy Now
Questions 118

Which of the following is the MOST important consideration for protecting data assets m a Business application system?

Options:

A.

Application controls are aligned with data classification lutes

B.

Application users are periodically trained on proper data handling practices

C.

Encrypted communication is established between applications and data servers

D.

Offsite encrypted backups are automatically created by the application

Buy Now
Questions 119

A department allows multiple users to perform maintenance on a system using a single set of credentials. A risk practitioner determined this practice to be high-risk. Which of the following is the MOST effective way to mitigate this risk?

Options:

A.

Single sign-on

B.

Audit trail review

C.

Multi-factor authentication

D.

Data encryption at rest

Buy Now
Questions 120

An IT risk practitioner has been asked to regularly report on the overall status and effectiveness of the IT risk management program. Which of the following is MOST useful for this purpose?

Options:

A.

Balanced scorecard

B.

Capability maturity level

C.

Internal audit plan

D.

Control self-assessment (CSA)

Buy Now
Questions 121

Management has required information security awareness training to reduce the risk associated with credential compromise. What is the BEST way to assess the effectiveness of the training?

Options:

A.

Conduct social engineering testing.

B.

Audit security awareness training materials.

C.

Administer an end-of-training quiz.

D.

Perform a vulnerability assessment.

Buy Now
Questions 122

Which of the following is the MOST important consideration when sharing risk management updates with executive management?

Options:

A.

Including trend analysis of risk metrics

B.

Using an aggregated view of organizational risk

C.

Relying on key risk indicator (KRI) data

D.

Ensuring relevance to organizational goals

Buy Now
Questions 123

Which of the following is the PRIMARY risk management responsibility of the second line of defense?

Options:

A.

Monitoring risk responses

B.

Applying risk treatments

C.

Providing assurance of control effectiveness

D.

Implementing internal controls

Buy Now
Questions 124

Which of the following is the BEST way to assess the effectiveness of an access management process?

Options:

A.

Comparing the actual process with the documented process

B.

Reviewing access logs for user activity

C.

Reconciling a list of accounts belonging to terminated employees

D.

Reviewing for compliance with acceptable use policy

Buy Now
Questions 125

Which of the following scenarios represents a threat?

Options:

A.

Connecting a laptop to a free, open, wireless access point (hotspot)

B.

Visitors not signing in as per policy

C.

Storing corporate data in unencrypted form on a laptop

D.

A virus transmitted on a USB thumb drive

Buy Now
Questions 126

The PRIMARY objective for requiring an independent review of an organization's IT risk management process should be to:

Options:

A.

assess gaps in IT risk management operations and strategic focus.

B.

confirm that IT risk assessment results are expressed as business impact.

C.

verify implemented controls to reduce the likelihood of threat materialization.

D.

ensure IT risk management is focused on mitigating potential risk.

Buy Now
Questions 127

Which of the following will BEST help in communicating strategic risk priorities?

Options:

A.

Heat map

B.

Business impact analysis (BIA)

C.

Balanced Scorecard

D.

Risk register

Buy Now
Questions 128

An organization uses a vendor to destroy hard drives. Which of the following would BEST reduce the risk of data leakage?

Options:

A.

Require the vendor to degauss the hard drives

B.

Implement an encryption policy for the hard drives.

C.

Require confirmation of destruction from the IT manager.

D.

Use an accredited vendor to dispose of the hard drives.

Buy Now
Questions 129

An organization is conducting a review of emerging risk. Which of the following is the BEST input for this exercise?

Options:

A.

Audit reports

B.

Industry benchmarks

C.

Financial forecasts

D.

Annual threat reports

Buy Now
Questions 130

Which of the following provides the BEST evidence that a selected risk treatment plan is effective?

Options:

A.

Identifying key risk indicators (KRIs)

B.

Evaluating the return on investment (ROI)

C.

Evaluating the residual risk level

D.

Performing a cost-benefit analysis

Buy Now
Questions 131

The design of procedures to prevent fraudulent transactions within an enterprise resource planning (ERP) system should be based on:

Options:

A.

stakeholder risk tolerance.

B.

benchmarking criteria.

C.

suppliers used by the organization.

D.

the control environment.

Buy Now
Questions 132

Which of the following will help ensure the elective decision-making of an IT risk management committee?

Options:

A.

Key stakeholders are enrolled as members

B.

Approved minutes ate forwarded to senior management

C.

Committee meets at least quarterly

D.

Functional overlap across the business is minimized

Buy Now
Questions 133

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an antivirus program?

Options:

A.

Percentage of IT assets with current malware definitions

B.

Number of false positives defected over a period of time

C.

Number of alerts generated by the anti-virus software

D.

Frequency of anti-vinjs software updates

Buy Now
Questions 134

Which of the following is the MOST important consideration when implementing ethical remote work monitoring?

Options:

A.

Monitoring is only conducted between official hours of business

B.

Employees are informed of how they are bong monitored

C.

Reporting on nonproductive employees is sent to management on a scheduled basis

D.

Multiple data monitoring sources are integrated into security incident response procedures

Buy Now
Questions 135

To reduce costs, an organization is combining the second and third tines of defense in a new department that reports to a recently appointed C-level executive. Which of the following is the GREATEST concern with this situation?

Options:

A.

The risk governance approach of the second and third lines of defense may differ.

B.

The independence of the internal third line of defense may be compromised.

C.

Cost reductions may negatively impact the productivity of other departments.

D.

The new structure is not aligned to the organization's internal control framework.

Buy Now
Questions 136

When developing risk treatment alternatives for a Business case, it is MOST helpful to show risk reduction based on:

Options:

A.

cost-benefit analysis.

B.

risk appetite.

C.

regulatory guidelines

D.

control efficiency

Buy Now
Questions 137

Which type of indicators should be developed to measure the effectiveness of an organization's firewall rule set?

Options:

A.

Key risk indicators (KRIs)

B.

Key management indicators (KMIs)

C.

Key performance indicators (KPIs)

D.

Key control indicators (KCIs)

Buy Now
Questions 138

When developing a new risk register, a risk practitioner should focus on which of the following risk management activities?

Options:

A.

Risk management strategy planning

B.

Risk monitoring and control

C.

Risk identification

D.

Risk response planning

Buy Now
Questions 139

Accountability for a particular risk is BEST represented in a:

Options:

A.

risk register

B.

risk catalog

C.

risk scenario

D.

RACI matrix

Buy Now
Questions 140

Which of the following is MOST helpful in aligning IT risk with business objectives?

Options:

A.

Introducing an approved IT governance framework

B.

Integrating the results of top-down risk scenario analyses

C.

Performing a business impact analysis (BlA)

D.

Implementing a risk classification system

Buy Now
Questions 141

An organization has outsourced its billing function to an external service provider. Who should own the risk of customer data leakage caused by the service provider?

Options:

A.

The service provider

B.

Vendor risk manager

C.

Legal counsel

D.

Business process owner

Buy Now
Questions 142

Which of the following is MOST important to communicate to senior management during the initial implementation of a risk management program?

Options:

A.

Regulatory compliance

B.

Risk ownership

C.

Best practices

D.

Desired risk level

Buy Now
Questions 143

Which of the following would require updates to an organization's IT risk register?

Options:

A.

Discovery of an ineffectively designed key IT control

B.

Management review of key risk indicators (KRls)

C.

Changes to the team responsible for maintaining the register

D.

Completion of the latest internal audit

Buy Now
Questions 144

Which of the following BEST informs decision-makers about the value of a notice and consent control for the collection of personal information?

Options:

A.

A comparison of the costs of notice and consent control options

B.

Examples of regulatory fines incurred by industry peers for noncompliance

C.

A report of critical controls showing the importance of notice and consent

D.

A cost-benefit analysis of the control versus probable legal action

Buy Now
Questions 145

A global organization is planning to collect customer behavior data through social media advertising. Which of the following is the MOST important business risk to be considered?

Options:

A.

Regulatory requirements may differ in each country.

B.

Data sampling may be impacted by various industry restrictions.

C.

Business advertising will need to be tailored by country.

D.

The data analysis may be ineffective in achieving objectives.

Buy Now
Questions 146

An organization is implementing internet of Things (loT) technology to control temperature and lighting in its headquarters. Which of the following should be of GREATEST concern?

Options:

A.

Insufficient network isolation

B.

impact on network performance

C.

insecure data transmission protocols

D.

Lack of interoperability between sensors

Buy Now
Questions 147

Which of the following is the BEST indication of a mature organizational risk culture?

Options:

A.

Corporate risk appetite is communicated to staff members.

B.

Risk owners understand and accept accountability for risk.

C.

Risk policy has been published and acknowledged by employees.

D.

Management encourages the reporting of policy breaches.

Buy Now
Questions 148

Which of the following is MOST helpful in preventing risk events from materializing?

Options:

A.

Prioritizing and tracking issues

B.

Establishing key risk indicators (KRIs)

C.

Reviewing and analyzing security incidents

D.

Maintaining the risk register

Buy Now
Questions 149

Employees are repeatedly seen holding the door open for others, so that trailing employees do not have to stop and swipe their own ID badges. This behavior BEST represents:

Options:

A.

a threat.

B.

a vulnerability.

C.

an impact

D.

a control.

Buy Now
Questions 150

Which of the following is the MOST important factor when deciding on a control to mitigate risk exposure?

Options:

A.

Relevance to the business process

B.

Regulatory compliance requirements

C.

Cost-benefit analysis

D.

Comparison against best practice

Buy Now
Questions 151

Which of the following should be the MOST important consideration for senior management when developing a risk response strategy?

Options:

A.

Cost of controls

B.

Risk tolerance

C.

Risk appetite

D.

Probability definition

Buy Now
Questions 152

Which of the following is MOST important when considering risk in an enterprise risk management (ERM) process?

Options:

A.

Financial risk is given a higher priority.

B.

Risk with strategic impact is included.

C.

Security strategy is given a higher priority.

D.

Risk identified by industry benchmarking is included.

Buy Now
Questions 153

Senior management has asked the risk practitioner for the overall residual risk level for a process that contains numerous risk scenarios. Which of the following should be provided?

Options:

A.

The sum of residual risk levels for each scenario

B.

The loss expectancy for aggregated risk scenarios

C.

The highest loss expectancy among the risk scenarios

D.

The average of anticipated residual risk levels

Buy Now
Questions 154

An organization discovers significant vulnerabilities in a recently purchased commercial off-the-shelf software product which will not be corrected until the next release. Which of the following is the risk manager's BEST course of action?

Options:

A.

Review the risk of implementing versus postponing with stakeholders.

B.

Run vulnerability testing tools to independently verify the vulnerabilities.

C.

Review software license to determine the vendor's responsibility regarding vulnerabilities.

D.

Require the vendor to correct significant vulnerabilities prior to installation.

Buy Now
Questions 155

Which of the following BEST indicates the condition of a risk management program?

Options:

A.

Number of risk register entries

B.

Number of controls

C.

Level of financial support

D.

Amount of residual risk

Buy Now
Questions 156

Which of the following is the FIRST step when conducting a business impact analysis (BIA)?

Options:

A.

Identifying critical information assets

B.

Identifying events impacting continuity of operations;

C.

Creating a data classification scheme

D.

Analyzing previous risk assessment results

Buy Now
Questions 157

Who should be PRIMARILY responsible for establishing an organization's IT risk culture?

Options:

A.

Business process owner

B.

Executive management

C.

Risk management

D.

IT management

Buy Now
Questions 158

Which of the following is the PRIMARY purpose of periodically reviewing an organization's risk profile?

Options:

A.

Align business objectives with risk appetite.

B.

Enable risk-based decision making.

C.

Design and implement risk response action plans.

D.

Update risk responses in the risk register

Buy Now
Questions 159

Which of the following is MOST important to compare against the corporate risk profile?

Options:

A.

Industry benchmarks

B.

Risk tolerance

C.

Risk appetite

D.

Regulatory compliance

Buy Now
Questions 160

Which of the following should be implemented to BEST mitigate the risk associated with infrastructure updates?

Options:

A.

Role-specific technical training

B.

Change management audit

C.

Change control process

D.

Risk assessment

Buy Now
Questions 161

Which of the following would BEST indicate to senior management that IT processes are improving?

Options:

A.

Changes in the number of intrusions detected

B.

Changes in the number of security exceptions

C.

Changes in the position in the maturity model

D.

Changes to the structure of the risk register

Buy Now
Questions 162

Vulnerabilities have been detected on an organization's systems. Applications installed on these systems will not operate if the underlying servers are updated. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Recommend the business change the application.

B.

Recommend a risk treatment plan.

C.

Include the risk in the next quarterly update to management.

D.

Implement compensating controls.

Buy Now
Questions 163

The PRIMARY objective of a risk identification process is to:

Options:

A.

evaluate how risk conditions are managed.

B.

determine threats and vulnerabilities.

C.

estimate anticipated financial impact of risk conditions.

D.

establish risk response options.

Buy Now
Questions 164

Which of the following BEST indicates that an organization has implemented IT performance requirements?

Options:

A.

Service level agreements (SLA)

B.

Vendor references

C.

Benchmarking data

D.

Accountability matrix

Buy Now
Questions 165

Which of the following BEST indicates the effectiveness of anti-malware software?

Options:

A.

Number of staff hours lost due to malware attacks

B.

Number of downtime hours in business critical servers

C.

Number of patches made to anti-malware software

D.

Number of successful attacks by malicious software

Buy Now
Questions 166

When developing a risk awareness training program, which of the following training topics would BEST facilitate a thorough understanding of risk scenarios?

Options:

A.

Mapping threats to organizational objectives

B.

Reviewing past audits

C.

Analyzing key risk indicators (KRIs)

D.

Identifying potential sources of risk

Buy Now
Questions 167

Which of the following should be the PRIMARY focus of an IT risk awareness program?

Options:

A.

Ensure compliance with the organization's internal policies

B.

Cultivate long-term behavioral change.

C.

Communicate IT risk policy to the participants.

D.

Demonstrate regulatory compliance.

Buy Now
Questions 168

A financial institution has identified high risk of fraud in several business applications. Which of the following controls will BEST help reduce the risk of fraudulent internal transactions?

Options:

A.

Periodic user privileges review

B.

Log monitoring

C.

Periodic internal audits

D.

Segregation of duties

Buy Now
Questions 169

The acceptance of control costs that exceed risk exposure MOST likely demonstrates:

Options:

A.

corporate culture alignment

B.

low risk tolerance

C.

high risk tolerance

D.

corporate culture misalignment.

Buy Now
Questions 170

A change management process has recently been updated with new testing procedures. What is the NEXT course of action?

Options:

A.

Monitor processes to ensure recent updates are being followed.

B.

Communicate to those who test and promote changes.

C.

Conduct a cost-benefit analysis to justify the cost of the control.

D.

Assess the maturity of the change management process.

Buy Now
Questions 171

Which of the following is the BEST evidence that risk management is driving business decisions in an organization?

Options:

A.

Compliance breaches are addressed in a timely manner.

B.

Risk ownership is identified and assigned.

C.

Risk treatment options receive adequate funding.

D.

Residual risk is within risk tolerance.

Buy Now
Questions 172

Of the following, who is accountable for ensuing the effectiveness of a control to mitigate risk?

Options:

A.

Control owner

B.

Risk manager

C.

Control operator

D.

Risk treatment owner

Buy Now
Questions 173

What are the MOST essential attributes of an effective Key control indicator (KCI)?

Options:

A.

Flexibility and adaptability

B.

Measurability and consistency

C.

Robustness and resilience

D.

Optimal cost and benefit

Buy Now
Questions 174

A violation of segregation of duties is when the same:

Options:

A.

user requests and tests the change prior to production.

B.

user authorizes and monitors the change post-implementation.

C.

programmer requests and tests the change prior to production.

D.

programmer writes and promotes code into production.

Buy Now
Questions 175

Who should be accountable for monitoring the control environment to ensure controls are effective?

Options:

A.

Risk owner

B.

Security monitoring operations

C.

Impacted data owner

D.

System owner

Buy Now
Questions 176

A maturity model is MOST useful to an organization when it:

Options:

A.

benchmarks against other organizations

B.

defines a qualitative measure of risk

C.

provides a reference for progress

D.

provides risk metrics.

Buy Now
Questions 177

Which of the following would be MOST helpful when communicating roles associated with the IT risk management process?

Options:

A.

Skills matrix

B.

Job descriptions

C.

RACI chart

D.

Organizational chart

Buy Now
Questions 178

A newly hired risk practitioner finds that the risk register has not been updated in the past year. What is the risk practitioner's BEST course of action?

Options:

A.

Identify changes in risk factors and initiate risk reviews.

B.

Engage an external consultant to redesign the risk management process.

C.

Outsource the process for updating the risk register.

D.

Implement a process improvement and replace the old risk register.

Buy Now
Questions 179

Which of the following BEST enables an organization to determine whether external emerging risk factors will impact the organization's risk profile?

Options:

A.

Control identification and mitigation

B.

Adoption of a compliance-based approach

C.

Prevention and detection techniques

D.

Scenario analysis and stress testing

Buy Now
Questions 180

During testing, a risk practitioner finds the IT department's recovery time objective (RTO) for a key system does not align with the enterprise's business continuity plan (BCP). Which of the following should be done NEXT?

Options:

A.

Report the gap to senior management

B.

Consult with the IT department to update the RTO

C.

Complete a risk exception form.

D.

Consult with the business owner to update the BCP

Buy Now
Questions 181

Which of the following would BEST ensure that identified risk scenarios are addressed?

Options:

A.

Reviewing the implementation of the risk response

B.

Creating a separate risk register for key business units

C.

Performing real-time monitoring of threats

D.

Performing regular risk control self-assessments

Buy Now
Questions 182

Risk management strategies are PRIMARILY adopted to:

Options:

A.

take necessary precautions for claims and losses.

B.

achieve acceptable residual risk levels.

C.

avoid risk for business and IT assets.

D.

achieve compliance with legal requirements.

Buy Now
Questions 183

What is the BEST information to present to business control owners when justifying costs related to controls?

Options:

A.

Loss event frequency and magnitude

B.

The previous year's budget and actuals

C.

Industry benchmarks and standards

D.

Return on IT security-related investments

Buy Now
Questions 184

The MAIN purpose of conducting a control self-assessment (CSA) is to:

Options:

A.

gain a better understanding of the control effectiveness in the organization

B.

gain a better understanding of the risk in the organization

C.

adjust the controls prior to an external audit

D.

reduce the dependency on external audits

Buy Now
Questions 185

A risk assessment has identified that an organization may not be in compliance with industry regulations. The BEST course of action would be to:

Options:

A.

conduct a gap analysis against compliance criteria.

B.

identify necessary controls to ensure compliance.

C.

modify internal assurance activities to include control validation.

D.

collaborate with management to meet compliance requirements.

Buy Now
Questions 186

To implement the MOST effective monitoring of key risk indicators (KRIs), which of the following needs to be in place?

Options:

A.

Threshold definition

B.

Escalation procedures

C.

Automated data feed

D.

Controls monitoring

Buy Now
Questions 187

Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data?

Options:

A.

Testing the transmission of credit card numbers

B.

Reviewing logs for unauthorized data transfers

C.

Configuring the DLP control to block credit card numbers

D.

Testing the DLP rule change control process

Buy Now
Questions 188

Which of the following would BEST help an enterprise prioritize risk scenarios?

Options:

A.

Industry best practices

B.

Placement on the risk map

C.

Degree of variances in the risk

D.

Cost of risk mitigation

Buy Now
Questions 189

Which of the following is the MOST important consideration when sharing risk management updates with executive management?

Options:

A.

Using an aggregated view of organizational risk

B.

Ensuring relevance to organizational goals

C.

Relying on key risk indicator (KRI) data Including

D.

Trend analysis of risk metrics

Buy Now
Questions 190

The MOST important characteristic of an organization s policies is to reflect the organization's:

Options:

A.

risk assessment methodology.

B.

risk appetite.

C.

capabilities

D.

asset value.

Buy Now
Questions 191

An audit reveals that several terminated employee accounts maintain access. Which of the following should be the FIRST step to address the risk?

Options:

A.

Perform a risk assessment

B.

Disable user access.

C.

Develop an access control policy.

D.

Perform root cause analysis.

Buy Now
Questions 192

Risk mitigation procedures should include:

Options:

A.

buying an insurance policy.

B.

acceptance of exposures

C.

deployment of counter measures.

D.

enterprise architecture implementation.

Buy Now
Questions 193

A risk practitioner is organizing a training session lo communicate risk assessment methodologies to ensure a consistent risk view within the organization Which of the following i< the MOST important topic to cover in this training?

Options:

A.

Applying risk appetite

B.

Applying risk factors

C.

Referencing risk event data

D.

Understanding risk culture

Buy Now
Questions 194

An organization is planning to engage a cloud-based service provider for some of its data-intensive business processes. Which of the following is MOST important to help define the IT risk associated with this outsourcing activity?

Options:

A.

Service level agreement

B.

Customer service reviews

C.

Scope of services provided

D.

Right to audit the provider

Buy Now
Questions 195

A risk practitioner has identified that the organization's secondary data center does not provide redundancy for a critical application. Who should have the authority to accept the associated risk?

Options:

A.

Business continuity director

B.

Disaster recovery manager

C.

Business application owner

D.

Data center manager

Buy Now
Questions 196

A risk practitioners PRIMARY focus when validating a risk response action plan should be that risk response:

Options:

A.

reduces risk to an acceptable level

B.

quantifies risk impact

C.

aligns with business strategy

D.

advances business objectives.

Buy Now
Questions 197

The number of tickets to rework application code has significantly exceeded the established threshold. Which of the following would be the risk practitioner s BEST recommendation?

Options:

A.

Perform a root cause analysis

B.

Perform a code review

C.

Implement version control software.

D.

Implement training on coding best practices

Buy Now
Questions 198

Which of the following is MOST helpful in identifying new risk exposures due to changes in the business environment?

Options:

A.

Standard operating procedures

B.

SWOT analysis

C.

Industry benchmarking

D.

Control gap analysis

Buy Now
Questions 199

In addition to the risk register, what should a risk practitioner review to develop an understanding of the organization's risk profile?

Options:

A.

The control catalog

B.

The asset profile

C.

Business objectives

D.

Key risk indicators (KRls)

Buy Now
Questions 200

A risk practitioner has observed that there is an increasing trend of users sending sensitive information by email without using encryption. Which of the following would be the MOST effective approach to mitigate the risk associated with data loss?

Options:

A.

Implement a tool to create and distribute violation reports

B.

Raise awareness of encryption requirements for sensitive data.

C.

Block unencrypted outgoing emails which contain sensitive data.

D.

Implement a progressive disciplinary process for email violations.

Buy Now
Questions 201

Which of the following would be MOST useful when measuring the progress of a risk response action plan?

Options:

A.

Percentage of mitigated risk scenarios

B.

Annual loss expectancy (ALE) changes

C.

Resource expenditure against budget

D.

An up-to-date risk register

Buy Now
Questions 202

Which of the following is the MOST important foundational element of an effective three lines of defense model for an organization?

Options:

A.

A robust risk aggregation tool set

B.

Clearly defined roles and responsibilities

C.

A well-established risk management committee

D.

Well-documented and communicated escalation procedures

Buy Now
Questions 203

Which of the following is the BEST key performance indicator (KPI) to measure the maturity of an organization's security incident handling process?

Options:

A.

The number of security incidents escalated to senior management

B.

The number of resolved security incidents

C.

The number of newly identified security incidents

D.

The number of recurring security incidents

Buy Now
Questions 204

Which of the following is the BEST way to validate the results of a vulnerability assessment?

Options:

A.

Perform a penetration test.

B.

Review security logs.

C.

Conduct a threat analysis.

D.

Perform a root cause analysis.

Buy Now
Questions 205

The acceptance of control costs that exceed risk exposure is MOST likely an example of:

Options:

A.

low risk tolerance.

B.

corporate culture misalignment.

C.

corporate culture alignment.

D.

high risk tolerance

Buy Now
Questions 206

Which of the following is the MOST important outcome of reviewing the risk management process?

Options:

A.

Assuring the risk profile supports the IT objectives

B.

Improving the competencies of employees who performed the review

C.

Determining what changes should be made to IS policies to reduce risk

D.

Determining that procedures used in risk assessment are appropriate

Buy Now
Questions 207

Which of the following is the MOST important requirement for monitoring key risk indicators (KRls) using log analysis?

Options:

A.

Obtaining logs m an easily readable format

B.

Providing accurate logs m a timely manner

C.

Collecting logs from the entire set of IT systems

D.

implementing an automated log analysis tool

Buy Now
Questions 208

Which of the following is a PRIMARY benefit of engaging the risk owner during the risk assessment process?

Options:

A.

Identification of controls gaps that may lead to noncompliance

B.

Prioritization of risk action plans across departments

C.

Early detection of emerging threats

D.

Accurate measurement of loss impact

Buy Now
Questions 209

A key risk indicator (KRI) is reported to senior management on a periodic basis as exceeding thresholds, but each time senior management has decided to take no action to reduce the risk. Which of the following is the MOST likely reason for senior management's response?

Options:

A.

The underlying data source for the KRI is using inaccurate data and needs to be corrected.

B.

The KRI is not providing useful information and should be removed from the KRI inventory.

C.

The KRI threshold needs to be revised to better align with the organization s risk appetite

D.

Senior management does not understand the KRI and should undergo risk training.

Buy Now
Questions 210

Which of the following would BEST help to ensure that identified risk is efficiently managed?

Options:

A.

Reviewing the maturity of the control environment

B.

Regularly monitoring the project plan

C.

Maintaining a key risk indicator for each asset in the risk register

D.

Periodically reviewing controls per the risk treatment plan

Buy Now
Questions 211

Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited. Which of the following would be the BEST response to this scenario?

Options:

A.

Assess the vulnerability management process.

B.

Conduct a control serf-assessment.

C.

Conduct a vulnerability assessment.

D.

Reassess the inherent risk of the target.

Buy Now
Questions 212

IT management has asked for a consolidated view into the organization's risk profile to enable project prioritization and resource allocation. Which of the following materials would

be MOST helpful?

Options:

A.

IT risk register

B.

List of key risk indicators

C.

Internal audit reports

D.

List of approved projects

Buy Now
Questions 213

Which of the following would be MOST important for a risk practitioner to provide to the internal audit department during the audit planning process?

Options:

A.

Closed management action plans from the previous audit

B.

Annual risk assessment results

C.

An updated vulnerability management report

D.

A list of identified generic risk scenarios

Buy Now
Questions 214

Which of the following is the MOST effective key performance indicator (KPI) for change management?

Options:

A.

Percentage of changes with a fallback plan

B.

Number of changes implemented

C.

Percentage of successful changes

D.

Average time required to implement a change

Buy Now
Questions 215

Which of the following will BEST quantify the risk associated with malicious users in an organization?

Options:

A.

Business impact analysis

B.

Risk analysis

C.

Threat risk assessment

D.

Vulnerability assessment

Buy Now
Questions 216

A rule-based data loss prevention {DLP) tool has recently been implemented to reduce the risk of sensitive data leakage. Which of the following is MOST likely to change as a result of this implementation?

Options:

A.

Risk likelihood

B.

Risk velocity

C.

Risk appetite

D.

Risk impact

Buy Now
Questions 217

Which of the following is the PRIMARY reason for a risk practitioner to use global standards related to risk management?

Options:

A.

To build an organizational risk-aware culture

B.

To continuously improve risk management processes

C.

To comply with legal and regulatory requirements

D.

To identify gaps in risk management practices

Buy Now
Questions 218

Which of the following is the BEST way to identify changes to the risk landscape?

Options:

A.

Internal audit reports

B.

Access reviews

C.

Threat modeling

D.

Root cause analysis

Buy Now
Questions 219

Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?

Options:

A.

Perform an m-depth code review with an expert

B.

Validate functionality by running in a test environment

C.

Implement a service level agreement.

D.

Utilize the change management process.

Buy Now
Questions 220

Which of the following is the MOST important consideration when developing an organization's risk taxonomy?

Options:

A.

Leading industry frameworks

B.

Business context

C.

Regulatory requirements

D.

IT strategy

Buy Now
Questions 221

A risk practitioner is summarizing the results of a high-profile risk assessment sponsored by senior management. The BEST way to support risk-based decisions by senior management would be to:

Options:

A.

map findings to objectives.

B.

provide quantified detailed analysis

C.

recommend risk tolerance thresholds.

D.

quantify key risk indicators (KRls).

Buy Now
Questions 222

Calculation of the recovery time objective (RTO) is necessary to determine the:

Options:

A.

time required to restore files.

B.

point of synchronization

C.

priority of restoration.

D.

annual loss expectancy (ALE).

Buy Now
Questions 223

Which of the following would BEST help minimize the risk associated with social engineering threats?

Options:

A.

Enforcing employees’ sanctions

B.

Conducting phishing exercises

C.

Enforcing segregation of dunes

D.

Reviewing the organization's risk appetite

Buy Now
Questions 224

Which of the following is the BEST way to determine the ongoing efficiency of control processes?

Options:

A.

Perform annual risk assessments.

B.

Interview process owners.

C.

Review the risk register.

D.

Analyze key performance indicators (KPIs).

Buy Now
Questions 225

Which of the following would MOST effectively enable a business operations manager to identify events exceeding risk thresholds?

Options:

A.

Continuous monitoring

B.

A control self-assessment

C.

Transaction logging

D.

Benchmarking against peers

Buy Now
Questions 226

Which of the following is the MOST important key performance indicator (KPI) to establish in the service level agreement (SLA) for an outsourced data center?

Options:

A.

Percentage of systems included in recovery processes

B.

Number of key systems hosted

C.

Average response time to resolve system incidents

D.

Percentage of system availability

Buy Now
Questions 227

A risk practitioner is organizing risk awareness training for senior management. Which of the following is the MOST important topic to cover in the training session?

Options:

A.

The organization's strategic risk management projects

B.

Senior management roles and responsibilities

C.

The organizations risk appetite and tolerance

D.

Senior management allocation of risk management resources

Buy Now
Questions 228

Which of the following IT controls is MOST useful in mitigating the risk associated with inaccurate data?

Options:

A.

Encrypted storage of data

B.

Links to source data

C.

Audit trails for updates and deletions

D.

Check totals on data records and data fields

Buy Now
Questions 229

Which of the following is MOST important when developing key performance indicators (KPIs)?

Options:

A.

Alignment to risk responses

B.

Alignment to management reports

C.

Alerts when risk thresholds are reached

D.

Identification of trends

Buy Now
Questions 230

Which of the following would be considered a vulnerability?

Options:

A.

Delayed removal of employee access

B.

Authorized administrative access to HR files

C.

Corruption of files due to malware

D.

Server downtime due to a denial of service (DoS) attack

Buy Now
Questions 231

Which of the following tools is MOST effective in identifying trends in the IT risk profile?

Options:

A.

Risk self-assessment

B.

Risk register

C.

Risk dashboard

D.

Risk map

Buy Now
Questions 232

Which of the following is the MOST important data source for monitoring key risk indicators (KRIs)?

Options:

A.

Directives from legal and regulatory authorities

B.

Audit reports from internal information systems audits

C.

Automated logs collected from different systems

D.

Trend analysis of external risk factors

Buy Now
Questions 233

Who is the MOST appropriate owner for newly identified IT risk?

Options:

A.

The manager responsible for IT operations that will support the risk mitigation efforts

B.

The individual with authority to commit organizational resources to mitigate the risk

C.

A project manager capable of prioritizing the risk remediation efforts

D.

The individual with the most IT risk-related subject matter knowledge

Buy Now
Questions 234

Which of the following is MOST helpful to ensure effective security controls for a cloud service provider?

Options:

A.

A control self-assessment

B.

A third-party security assessment report

C.

Internal audit reports from the vendor

D.

Service level agreement monitoring

Buy Now
Questions 235

Which of the following is the PRIMARY factor in determining a recovery time objective (RTO)?

Options:

A.

Cost of offsite backup premises

B.

Cost of downtime due to a disaster

C.

Cost of testing the business continuity plan

D.

Response time of the emergency action plan

Buy Now
Questions 236

Which of the following is the MOST useful indicator to measure the efficiency of an identity and access management process?

Options:

A.

Number of tickets for provisioning new accounts

B.

Average time to provision user accounts

C.

Password reset volume per month

D.

Average account lockout time

Buy Now
Questions 237

An organization has identified a risk exposure due to weak technical controls in a newly implemented HR system. The risk practitioner is documenting the risk in the risk register. The risk should be owned by the:

Options:

A.

chief risk officer.

B.

project manager.

C.

chief information officer.

D.

business process owner.

Buy Now
Questions 238

Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?

Options:

A.

Maintain and review the classified data inventor.

B.

Implement mandatory encryption on data

C.

Conduct an awareness program for data owners and users.

D.

Define and implement a data classification policy

Buy Now
Questions 239

Which of the following would BEST provide early warning of a high-risk condition?

Options:

A.

Risk register

B.

Risk assessment

C.

Key risk indicator (KRI)

D.

Key performance indicator (KPI)

Buy Now
Questions 240

A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security. Which of the following observations would be MOST relevant to escalate to senior management?

Options:

A.

An increase in attempted distributed denial of service (DDoS) attacks

B.

An increase in attempted website phishing attacks

C.

A decrease in achievement of service level agreements (SLAs)

D.

A decrease in remediated web security vulnerabilities

Buy Now
Questions 241

A risk practitioner is assisting with the preparation of a report on the organization s disaster recovery (DR) capabilities. Which information would have the MOST impact on the overall recovery profile?

Options:

A.

The percentage of systems meeting recovery target times has increased.

B.

The number of systems tested in the last year has increased.

C.

The number of systems requiring a recovery plan has increased.

D.

The percentage of systems with long recovery target times has decreased.

Buy Now
Questions 242

An organization has allowed its cyber risk insurance to lapse while seeking a new insurance provider. The risk practitioner should report to management that the risk has been:

Options:

A.

transferred

B.

mitigated.

C.

accepted

D.

avoided

Buy Now
Questions 243

Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?

Options:

A.

Risk tolerance is decreased.

B.

Residual risk is increased.

C.

Inherent risk is increased.

D.

Risk appetite is decreased

Buy Now
Questions 244

IT risk assessments can BEST be used by management:

Options:

A.

for compliance with laws and regulations

B.

as a basis for cost-benefit analysis.

C.

as input for decision-making

D.

to measure organizational success.

Buy Now
Questions 245

An organization has determined a risk scenario is outside the defined risk tolerance level. What should be the NEXT course of action?

Options:

A.

Develop a compensating control.

B.

Allocate remediation resources.

C.

Perform a cost-benefit analysis.

D.

Identify risk responses

Buy Now
Questions 246

Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:

Options:

A.

a gap analysis

B.

a root cause analysis.

C.

an impact assessment.

D.

a vulnerability assessment.

Buy Now
Questions 247

Which of the following should be the HIGHEST priority when developing a risk response?

Options:

A.

The risk response addresses the risk with a holistic view.

B.

The risk response is based on a cost-benefit analysis.

C.

The risk response is accounted for in the budget.

D.

The risk response aligns with the organization's risk appetite.

Buy Now
Questions 248

Which of the following helps ensure compliance with a nonrepudiation policy requirement for electronic transactions?

Options:

A.

Digital signatures

B.

Encrypted passwords

C.

One-time passwords

D.

Digital certificates

Buy Now
Questions 249

Which of the following is the BEST course of action to reduce risk impact?

Options:

A.

Create an IT security policy.

B.

Implement corrective measures.

C.

Implement detective controls.

D.

Leverage existing technology

Buy Now
Questions 250

Which of the following is MOST effective against external threats to an organizations confidential information?

Options:

A.

Single sign-on

B.

Data integrity checking

C.

Strong authentication

D.

Intrusion detection system

Buy Now
Questions 251

The head of a business operations department asks to review the entire IT risk register. Which of the following would be the risk manager s BEST approach to this request before sharing the register?

Options:

A.

Escalate to senior management

B.

Require a nondisclosure agreement.

C.

Sanitize portions of the register

D.

Determine the purpose of the request

Buy Now
Questions 252

During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall. Which of the following controls has MOST likely been compromised?

Options:

A.

Data validation

B.

Identification

C.

Authentication

D.

Data integrity

Buy Now
Questions 253

Which of the following attributes of a key risk indicator (KRI) is MOST important?

Options:

A.

Repeatable

B.

Automated

C.

Quantitative

D.

Qualitative

Buy Now
Questions 254

Reviewing results from which of the following is the BEST way to identify information systems control deficiencies?

Options:

A.

Vulnerability and threat analysis

B.

Control remediation planning

C.

User acceptance testing (UAT)

D.

Control self-assessment (CSA)

Buy Now
Questions 255

The analysis of which of the following will BEST help validate whether suspicious network activity is malicious?

Options:

A.

Logs and system events

B.

Intrusion detection system (IDS) rules

C.

Vulnerability assessment reports

D.

Penetration test reports

Buy Now
Questions 256

When reviewing management's IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?

Options:

A.

Assess management's risk tolerance.

B.

Recommend management accept the low-risk scenarios.

C.

Propose mitigating controls

D.

Re-evaluate the risk scenarios associated with the control

Buy Now
Questions 257

The PRIMARY objective for selecting risk response options is to:

Options:

A.

reduce risk 10 an acceptable level.

B.

identify compensating controls.

C.

minimize residual risk.

D.

reduce risk factors.

Buy Now
Questions 258

Which of the following aspects of an IT risk and control self-assessment would be MOST important to include in a report to senior management?

Options:

A.

Changes in control design

B.

A decrease in the number of key controls

C.

Changes in control ownership

D.

An increase in residual risk

Buy Now
Questions 259

During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:

Options:

A.

compensating controls are in place.

B.

a control mitigation plan is in place.

C.

risk management is effective.

D.

residual risk is accepted.

Buy Now
Questions 260

Which of the following would be- MOST helpful to understand the impact of a new technology system on an organization's current risk profile?

Options:

A.

Hire consultants specializing m the new technology.

B.

Review existing risk mitigation controls.

C.

Conduct a gap analysis.

D.

Perform a risk assessment.

Buy Now
Questions 261

A review of an organization s controls has determined its data loss prevention {DLP) system is currently failing to detect outgoing emails containing credit card data. Which of the following would be MOST impacted?

Options:

A.

Key risk indicators (KRls)

B.

Inherent risk

C.

Residual risk

D.

Risk appetite

Buy Now
Questions 262

A contract associated with a cloud service provider MUST include:

Options:

A.

ownership of responsibilities.

B.

a business recovery plan.

C.

provision for source code escrow.

D.

the providers financial statements.

Buy Now
Questions 263

The MOST effective way to increase the likelihood that risk responses will be implemented is to:

Options:

A.

create an action plan

B.

assign ownership

C.

review progress reports

D.

perform regular audits.

Buy Now
Questions 264

Which of the following is the BEST method for assessing control effectiveness?

Options:

A.

Ad hoc control reporting

B.

Control self-assessment

C.

Continuous monitoring

D.

Predictive analytics

Buy Now
Questions 265

Periodically reviewing and updating a risk register with details on identified risk factors PRIMARILY helps to:

Options:

A.

minimize the number of risk scenarios for risk assessment.

B.

aggregate risk scenarios identified across different business units.

C.

build a threat profile of the organization for management review.

D.

provide a current reference to stakeholders for risk-based decisions.

Buy Now
Questions 266

An unauthorized individual has socially engineered entry into an organization's secured physical premises. Which of the following is the BEST way to prevent future occurrences?

Options:

A.

Employ security guards.

B.

Conduct security awareness training.

C.

Install security cameras.

D.

Require security access badges.

Buy Now
Questions 267

Which of the following is the MOST cost-effective way to test a business continuity plan?

Options:

A.

Conduct interviews with key stakeholders.

B.

Conduct a tabletop exercise.

C.

Conduct a disaster recovery exercise.

D.

Conduct a full functional exercise.

Buy Now
Questions 268

Which of the following would be a risk practitioners’ BEST recommendation for preventing cyber intrusion?

Options:

A.

Establish a cyber response plan

B.

Implement data loss prevention (DLP) tools.

C.

Implement network segregation.

D.

Strengthen vulnerability remediation efforts.

Buy Now
Questions 269

An organization has asked an IT risk practitioner to conduct an operational risk assessment on an initiative to outsource the organization's customer service operations overseas. Which of the following would MOST significantly impact management's decision?

Options:

A.

Time zone difference of the outsourcing location

B.

Ongoing financial viability of the outsourcing company

C.

Cross-border information transfer restrictions in the outsourcing country

D.

Historical network latency between the organization and outsourcing location

Buy Now
Questions 270

An organization has decided to implement a new Internet of Things (loT) solution. Which of the following should be done FIRST when addressing security concerns associated with this new technology?

Options:

A.

Develop new loT risk scenarios.

B.

Implement loT device monitoring software.

C.

Introduce controls to the new threat environment.

D.

Engage external security reviews.

Buy Now
Questions 271

When preparing a risk status report for periodic review by senior management, it is MOST important to ensure the report includes

Options:

A.

risk exposure in business terms

B.

a detailed view of individual risk exposures

C.

a summary of incidents that have impacted the organization.

D.

recommendations by an independent risk assessor.

Buy Now
Questions 272

Which of the following potential scenarios associated with the implementation of a new database technology presents the GREATEST risk to an organization?

Options:

A.

The organization may not have a sufficient number of skilled resources.

B.

Application and data migration cost for backups may exceed budget.

C.

Data may not be recoverable due to system failures.

D.

The database system may not be scalable in the future.

Buy Now
Questions 273

Which of the following is the MAIN benefit to an organization using key risk indicators (KRIs)?

Options:

A.

KRIs assist in the preparation of the organization's risk profile.

B.

KRIs signal that a change in the control environment has occurred.

C.

KRIs provide a basis to set the risk appetite for an organization

D.

KRIs provide an early warning that a risk threshold is about to be reached.

Buy Now
Questions 274

Which component of a software inventory BEST enables the identification and mitigation of known vulnerabilities?

Options:

A.

Software version

B.

Assigned software manager

C.

Software support contract expiration

D.

Software licensing information

Buy Now
Questions 275

Which of the following is MOST important for mitigating ethical risk when establishing accountability for control ownership?

Options:

A.

Ensuring processes are documented to enable effective control execution

B.

Ensuring regular risk messaging is Included in business communications from leadership

C.

Ensuring schedules and deadlines for control-related deliverables are strictly monitored

D.

Ensuring performance metrics balance business goals with risk appetite

Buy Now
Questions 276

Of the following, who is BEST suited to assist a risk practitioner in developing a relevant set of risk scenarios?

Options:

A.

Internal auditor

B.

Asset owner

C.

Finance manager

D.

Control owner

Buy Now
Questions 277

Which of the following BEST reduces the risk associated with the theft of a laptop containing sensitive information?

Options:

A.

Cable lock

B.

Data encryption

C.

Periodic backup

D.

Biometrics access control

Buy Now
Questions 278

Which of the following would BEST enable a risk-based decision when considering the use of an emerging technology for data processing?

Options:

A.

Gap analysis

B.

Threat assessment

C.

Resource skills matrix

D.

Data quality assurance plan

Buy Now
Questions 279

The MAIN reason for prioritizing IT risk responses is to enable an organization to:

Options:

A.

determine the risk appetite.

B.

determine the budget.

C.

define key performance indicators (KPIs).

D.

optimize resource utilization.

Buy Now
Questions 280

Which of the following is MOST important for senior management to review during an acquisition?

Options:

A.

Risk appetite and tolerance

B.

Risk framework and methodology

C.

Key risk indicator (KRI) thresholds

D.

Risk communication plan

Buy Now
Questions 281

When of the following standard operating procedure (SOP) statements BEST illustrates appropriate risk register maintenance?

Options:

A.

Remove risk that has been mitigated by third-party transfer

B.

Remove risk that management has decided to accept

C.

Remove risk only following a significant change in the risk environment

D.

Remove risk when mitigation results in residual risk within tolerance levels

Buy Now
Questions 282

Which of the following BEST enables risk-based decision making in support of a business continuity plan (BCP)?

Options:

A.

Impact analysis

B.

Control analysis

C.

Root cause analysis

D.

Threat analysis

Buy Now
Questions 283

Which of the following, who should be PRIMARILY responsible for performing user entitlement reviews?

Options:

A.

IT security manager

B.

IT personnel

C.

Data custodian

D.

Data owner

Buy Now
Questions 284

When developing risk scenario using a list of generic scenarios based on industry best practices, it is MOST imported to:

Options:

A.

Assess generic risk scenarios with business users.

B.

Validate the generic risk scenarios for relevance.

C.

Select the maximum possible risk scenarios from the list.

D.

Identify common threats causing generic risk scenarios

Buy Now
Questions 285

The MAJOR reason to classify information assets is

Options:

A.

maintain a current inventory and catalog of information assets

B.

determine their sensitivity and critical

C.

establish recovery time objectives (RTOs)

D.

categorize data into groups

Buy Now
Questions 286

The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for.

Options:

A.

data logging and monitoring

B.

data mining and analytics

C.

data classification and labeling

D.

data retention and destruction

Buy Now
Questions 287

An organization's business gap analysis reveals the need for a robust IT risk strategy. Which of the following should be the risk practitioner's PRIMARY consideration when participating in development of the new strategy?

Options:

A.

Scale of technology

B.

Risk indicators

C.

Risk culture

D.

Proposed risk budget

Buy Now
Questions 288

Which of the following is the BEST indication that key risk indicators (KRls) should be revised?

Options:

A.

A decrease in the number of critical assets covered by risk thresholds

B.

An Increase In the number of risk threshold exceptions

C.

An increase in the number of change events pending management review

D.

A decrease In the number of key performance indicators (KPls)

Buy Now
Questions 289

Which of the following BEST helps to identify significant events that could impact an organization?

Options:

A.

Control analysis

B.

Vulnerability analysis

C.

Scenario analysis

D.

Heat map analysis

Buy Now
Questions 290

Which of the following would provide the MOST reliable evidence of the effectiveness of security controls implemented for a web application?

Options:

A.

Penetration testing

B.

IT general controls audit

C.

Vulnerability assessment

D.

Fault tree analysis

Buy Now
Questions 291

A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner's NEXT step?

Options:

A.

Develop a mechanism for monitoring residual risk.

B.

Update the risk register with the results.

C.

Prepare a business case for the response options.

D.

Identify resources for implementing responses.

Buy Now
Questions 292

Which of the following should be the PRIMARY basis for prioritizing risk responses?

Options:

A.

The impact of the risk

B.

The replacement cost of the business asset

C.

The cost of risk mitigation controls

D.

The classification of the business asset

Buy Now
Questions 293

Which of the following would be of GREATEST concern regarding an organization's asset management?

Options:

A.

Lack of a mature records management program

B.

Lack of a dedicated asset management team

C.

Decentralized asset lists

D.

Incomplete asset inventory

Buy Now
Questions 294

Which of the following is the PRIMARY objective of establishing an organization's risk tolerance and appetite?

Options:

A.

To align with board reporting requirements

B.

To assist management in decision making

C.

To create organization-wide risk awareness

D.

To minimize risk mitigation efforts

Buy Now
Questions 295

An internal audit report reveals that a legacy system is no longer supported Which of the following is the risk practitioner's MOST important action before recommending a risk response'

Options:

A.

Review historical application down me and frequency

B.

Assess the potential impact and cost of mitigation

C.

identify other legacy systems within the organization

D.

Explore the feasibility of replacing the legacy system

Buy Now
Questions 296

Which of the following is the BEST approach for an organization in a heavily regulated industry to comprehensively test application functionality?

Options:

A.

Use production data in a non-production environment

B.

Use masked data in a non-production environment

C.

Use test data in a production environment

D.

Use anonymized data in a non-production environment

Buy Now
Questions 297

Which of the following is MOST important to promoting a risk-aware culture?

Options:

A.

Regular testing of risk controls

B.

Communication of audit findings

C.

Procedures for security monitoring

D.

Open communication of risk reporting

Buy Now
Questions 298

Which of the following will BEST help to ensure new IT policies address the enterprise's requirements?

Options:

A.

involve IT leadership in the policy development process

B.

Require business users to sign acknowledgment of the poises

C.

involve business owners in the pokey development process

D.

Provide policy owners with greater enforcement authority

Buy Now
Questions 299

Which of the following is MOST important for maintaining the effectiveness of an IT risk register?

Options:

A.

Removing entries from the register after the risk has been treated

B.

Recording and tracking the status of risk response plans within the register

C.

Communicating the register to key stakeholders

D.

Performing regular reviews and updates to the register

Buy Now
Questions 300

An organization has experienced a cyber-attack that exposed customer personally identifiable information (Pll) and caused extended outages of network services. Which of the following stakeholders are MOST important to include in the cyber response team to determine response actions?

Options:

A.

Security control owners based on control failures

B.

Cyber risk remediation plan owners

C.

Risk owners based on risk impact

D.

Enterprise risk management (ERM) team

Buy Now
Questions 301

Which of the following would BEST facilitate the implementation of data classification requirements?

Options:

A.

Implementing a data toss prevention (DLP) solution

B.

Assigning a data owner

C.

Scheduling periodic audits

D.

Implementing technical controls over the assets

Buy Now
Questions 302

An organization's chief information officer (CIO) has proposed investing in a new. untested technology to take advantage of being first to market Senior management has concerns about the success of the project and has set a limit for expenditures before final approval. This conditional approval indicates the organization's risk:

Options:

A.

capacity.

B.

appetite.

C.

management capability.

D.

treatment strategy.

Buy Now
Questions 303

What should be the PRIMARY consideration related to data privacy protection when there are plans for a business initiative to make use of personal information?

Options:

A.

Do not collect or retain data that is not needed.

B.

Redact data where possible.

C.

Limit access to the personal data.

D.

Ensure all data is encrypted at rest and during transit.

Buy Now
Questions 304

An organization is considering outsourcing user administration controls tor a critical system. The potential vendor has offered to perform quarterly sett-audits of its controls instead of having annual independent audits. Which of the following should be of GREATEST concern to me risk practitioner?

Options:

A.

The controls may not be properly tested

B.

The vendor will not ensure against control failure

C.

The vendor will not achieve best practices

D.

Lack of a risk-based approach to access control

Buy Now
Questions 305

What is the MAIN benefit of using a top-down approach to develop risk scenarios?

Options:

A.

It describes risk events specific to technology used by the enterprise.

B.

It establishes the relationship between risk events and organizational objectives.

C.

It uses hypothetical and generic risk events specific to the enterprise.

D.

It helps management and the risk practitioner to refine risk scenarios.

Buy Now
Questions 306

Which of the following would be a risk practitioner's GREATEST concern with the use of a vulnerability scanning tool?

Options:

A.

Increased time to remediate vulnerabilities

B.

Inaccurate reporting of results

C.

Increased number of vulnerabilities

D.

Network performance degradation

Buy Now
Questions 307

When is the BEST to identify risk associated with major project to determine a mitigation plan?

Options:

A.

Project execution phase

B.

Project initiation phase

C.

Project closing phase

D.

Project planning phase

Buy Now
Questions 308

As pan of business continuity planning, which of the following is MOST important to include m a business impact analysis (BlA)?

Options:

A.

An assessment of threats to the organization

B.

An assessment of recovery scenarios

C.

industry standard framework

D.

Documentation of testing procedures

Buy Now
Questions 309

Following an acquisition, the acquiring company's risk practitioner has been asked to update the organization's IT risk profile What is the MOST important information to review from the acquired company to facilitate this task?

Options:

A.

Internal and external audit reports

B.

Risk disclosures in financial statements

C.

Risk assessment and risk register

D.

Business objectives and strategies

Buy Now
Questions 310

An organization has operations in a location that regularly experiences severe weather events. Which of the following would BEST help to mitigate the risk to operations?

Options:

A.

Prepare a cost-benefit analysis to evaluate relocation.

B.

Prepare a disaster recovery plan (DRP).

C.

Conduct a business impact analysis (BIA) for an alternate location.

D.

Develop a business continuity plan (BCP).

Buy Now
Questions 311

Before assigning sensitivity levels to information it is MOST important to:

Options:

A.

define recovery time objectives (RTOs).

B.

define the information classification policy

C.

conduct a sensitivity analyse

D.

Identify information custodians

Buy Now
Questions 312

Which of the following is the BEST way to determine whether system settings are in alignment with control baselines?

Options:

A.

Configuration validation

B.

Control attestation

C.

Penetration testing

D.

Internal audit review

Buy Now
Questions 313

During an acquisition, which of the following would provide the MOST useful input to the parent company's risk practitioner when developing risk scenarios for the post-acquisition phase?

Options:

A.

Risk management framework adopted by each company

B.

Risk registers of both companies

C.

IT balanced scorecard of each company

D.

Most recent internal audit findings from both companies

Buy Now
Questions 314

An organization is considering the adoption of an aggressive business strategy to achieve desired growth From a risk management perspective what should the risk practitioner do NEXT?

Options:

A.

Identify new threats resorting from the new business strategy

B.

Update risk awareness training to reflect current levels of risk appetite and tolerance

C.

Inform the board of potential risk scenarios associated with aggressive business strategies

D.

Increase the scale for measuring impact due to threat materialization

Buy Now
Questions 315

Which of the following is the PRIMARY reason to perform periodic vendor risk assessments?

Options:

A.

To provide input to the organization's risk appetite

B.

To monitor the vendor's control effectiveness

C.

To verify the vendor's ongoing financial viability

D.

To assess the vendor's risk mitigation plans

Buy Now
Questions 316

When reviewing the business continuity plan (BCP) of an online sales order system, a risk practitioner notices that the recovery time objective (RTO) has a shorter lime than what is defined in the disaster recovery plan (DRP). Which of the following is the BEST way for the risk practitioner to address this concern?

Options:

A.

Adopt the RTO defined in the BCR

B.

Update the risk register to reflect the discrepancy.

C.

Adopt the RTO defined in the DRP.

D.

Communicate the discrepancy to the DR manager for follow-up.

Buy Now
Questions 317

Which of the following is the BEST method to maintain a common view of IT risk within an organization?

Options:

A.

Collecting data for IT risk assessment

B.

Establishing and communicating the IT risk profile

C.

Utilizing a balanced scorecard

D.

Performing and publishing an IT risk analysis

Buy Now
Questions 318

Which of the following would BEST mitigate an identified risk scenario?

Options:

A.

Conducting awareness training

B.

Executing a risk response plan

C.

Establishing an organization's risk tolerance

D.

Performing periodic audits

Buy Now
Questions 319

Which of the following is MOST helpful in providing an overview of an organization's risk management program?

Options:

A.

Risk management treatment plan

B.

Risk assessment results

C.

Risk management framework

D.

Risk register

Buy Now
Questions 320

A control process has been implemented in response to a new regulatory requirement, but has significantly reduced productivity. Which of the following is the BEST way to resolve this concern?

Options:

A.

Absorb the loss in productivity.

B.

Request a waiver to the requirements.

C.

Escalate the issue to senior management

D.

Remove the control to accommodate business objectives.

Buy Now
Questions 321

Which of the following is the PRIMARY reason for sharing risk assessment reports with senior stakeholders?

Options:

A.

To support decision-making for risk response

B.

To hold risk owners accountable for risk action plans

C.

To secure resourcing for risk treatment efforts

D.

To enable senior management to compile a risk profile

Buy Now
Questions 322

Which of the following is MOST important information to review when developing plans for using emerging technologies?

Options:

A.

Existing IT environment

B.

IT strategic plan

C.

Risk register

D.

Organizational strategic plan

Buy Now
Questions 323

Which of the following s MOST likely to deter an employee from engaging in inappropriate use of company owned IT systems?

Options:

A.

A centralized computer security response team

B.

Regular performance reviews and management check-ins

C.

Code of ethics training for all employees

D.

Communication of employee activity monitoring

Buy Now
Questions 324

A risk practitioner is utilizing a risk heat map during a risk assessment. Risk events that are coded with the same color will have a similar:

Options:

A.

risk score

B.

risk impact

C.

risk response

D.

risk likelihood.

Buy Now
Questions 325

A zero-day vulnerability has been discovered in a globally used brand of hardware server that allows hackers to gain

access to affected IT systems. Which of the following is MOST likely to change as a result of this situation?

Options:

A.

Control effectiveness

B.

Risk appetite

C.

Risk likelihood

D.

Key risk indicator (KRI)

Buy Now
Questions 326

Which organization is implementing a project to automate the purchasing process, including the modification of approval controls. Which of the following tasks is lie responsibility of the risk practitioner*?

Options:

A.

Verify that existing controls continue to properly mitigate defined risk

B.

Test approval process controls once the project is completed

C.

Update the existing controls for changes in approval processes from this project

D.

Perform a gap analysis of the impacted control processes

Buy Now
Questions 327

Which of the following issues found during the review of a newly created disaster recovery plan (DRP) should be of MOST concern?

Options:

A.

Some critical business applications are not included in the plan

B.

Several recovery activities will be outsourced

C.

The plan is not based on an internationally recognized framework

D.

The chief information security officer (CISO) has not approved the plan

Buy Now
Questions 328

Which of the following contributes MOST to the effective implementation of risk responses?

Options:

A.

Clear understanding of the risk

B.

Comparable industry risk trends

C.

Appropriate resources

D.

Detailed standards and procedures

Buy Now
Questions 329

A risk practitioner has identified that the agreed recovery time objective (RTO) with a Software as a Service (SaaS) provider is longer than the business expectation. Which ot the following is the risk practitioner's BEST course of action?

Options:

A.

Collaborate with the risk owner to determine the risk response plan.

B.

Document the gap in the risk register and report to senior management.

C.

Include a right to audit clause in the service provider contract.

D.

Advise the risk owner to accept the risk.

Buy Now
Questions 330

Which of the following is the PRIMARY benefit of stakeholder involvement in risk scenario development?

Options:

A.

Ability to determine business impact

B.

Up-to-date knowledge on risk responses

C.

Decision-making authority for risk treatment

D.

Awareness of emerging business threats

Buy Now
Questions 331

Which of the following is the GREATEST benefit of a three lines of defense structure?

Options:

A.

An effective risk culture that empowers employees to report risk

B.

Effective segregation of duties to prevent internal fraud

C.

Clear accountability for risk management processes

D.

Improved effectiveness and efficiency of business operations

Buy Now
Questions 332

Which of the following BEST facilitates the identification of appropriate key performance indicators (KPIs) for a risk management program?

Options:

A.

Reviewing control objectives

B.

Aligning with industry best practices

C.

Consulting risk owners

D.

Evaluating KPIs in accordance with risk appetite

Buy Now
Questions 333

Which of the following is MOST important to update when an organization's risk appetite changes?

Options:

A.

Key risk indicators (KRIs)

B.

Risk reporting methodology

C.

Key performance indicators (KPIs)

D.

Risk taxonomy

Buy Now
Questions 334

A company has recently acquired a customer relationship management (CRM) application from a certified software vendor. Which of the following will BE ST help lo prevent technical vulnerabilities from being exploded?

Options:

A.

implement code reviews and Quality assurance on a regular basis

B.

Verity me software agreement indemnifies the company from losses

C.

Review the source coda and error reporting of the application

D.

Update the software with the latest patches and updates

Buy Now
Questions 335

The following is the snapshot of a recently approved IT risk register maintained by an organization's information security department.

After implementing countermeasures listed in ‘’Risk Response Descriptions’’ for each of the Risk IDs, which of the following component of the register MUST change?

Options:

A.

Risk Impact Rating

B.

Risk Owner

C.

Risk Likelihood Rating

D.

Risk Exposure

Buy Now
Questions 336

Which of the following is the MOST important consideration for effectively maintaining a risk register?

Options:

A.

An IT owner is assigned for each risk scenario.

B.

The register is updated frequently.

C.

The register is shared with executive management.

D.

Compensating controls are identified.

Buy Now
Questions 337

Which of the following is MOST important to determine when assessing the potential risk exposure of a loss event involving personal data?

Options:

A.

The cost associated with incident response activities

The composition and number of records in the information asset

B.

The maximum levels of applicable regulatory fines

C.

The length of time between identification and containment of the incident

Buy Now
Questions 338

Which of the following will BEST help to ensure the continued effectiveness of the IT risk management function within an organization experiencing high employee turnover?

Options:

A.

Well documented policies and procedures

B.

Risk and issue tracking

C.

An IT strategy committee

D.

Change and release management

Buy Now
Questions 339

Which of the blowing is MOST important when implementing an organization s security policy?

Options:

A.

Obtaining management support

B.

Benchmarking against industry standards

C.

Assessing compliance requirements

D.

Identifying threats and vulnerabilities

Buy Now
Questions 340

An organization has an approved bring your own device (BYOD) policy. Which of the following would BEST mitigate the security risk associated with the inappropriate use of enterprise applications on the devices?

Options:

A.

Periodically review application on BYOD devices

B.

Include BYOD in organizational awareness programs

C.

Implement BYOD mobile device management (MDM) controls.

D.

Enable a remote wee capability for BYOD devices

Buy Now
Questions 341

An organization has made a decision to purchase a new IT system. During when phase of the system development life cycle (SDLC) will identified risk MOST likely lead to architecture and design trade-offs?

Options:

A.

Acquisition

B.

Implementation

C.

Initiation

D.

Operation and maintenance

Buy Now
Questions 342

Which of the following should be of MOST concern to a risk practitioner reviewing an organization risk register after the completion of a series of risk assessments?

Options:

A.

Several risk action plans have missed target completion dates.

B.

Senior management has accepted more risk than usual.

C.

Risk associated with many assets is only expressed in qualitative terms.

D.

Many risk scenarios are owned by the same senior manager.

Buy Now
Questions 343

Which of the following is the BEST approach to mitigate the risk associated with a control deficiency?

Options:

A.

Perform a business case analysis

B.

Implement compensating controls.

C.

Conduct a control sell-assessment (CSA)

D.

Build a provision for risk

Buy Now
Questions 344

The MAIN purpose of selecting a risk response is to.

Options:

A.

ensure compliance with local regulatory requirements

B.

demonstrate the effectiveness of risk management practices.

C.

ensure organizational awareness of the risk level

D.

mitigate the residual risk to be within tolerance

Buy Now
Questions 345

Which of the following activities BEST facilitates effective risk management throughout the organization?

Options:

A.

Reviewing risk-related process documentation

B.

Conducting periodic risk assessments

C.

Performing a business impact analysis (BIA)

D.

Performing frequent audits

Buy Now
Questions 346

Which of the following is the BEST course of action when an organization wants to reduce likelihood in order to reduce a risk level?

Options:

A.

Monitor risk controls.

B.

Implement preventive measures.

C.

Implement detective controls.

D.

Transfer the risk.

Buy Now
Questions 347

An organization is analyzing the risk of shadow IT usage. Which of the following is the MOST important input into the assessment?

Options:

A.

Business benefits of shadow IT

B.

Application-related expresses

C.

Classification of the data

D.

Volume of data

Buy Now
Questions 348

Which of the following provides the BEST assurance of the effectiveness of vendor security controls?

Options:

A.

Review vendor control self-assessments (CSA).

B.

Review vendor service level agreement (SLA) metrics.

C.

Require independent control assessments.

D.

Obtain vendor references from existing customers.

Buy Now
Questions 349

Which of the following is the PRIMARY reason for a risk practitioner to review an organization's IT asset inventory?

Options:

A.

To plan for the replacement of assets at the end of their life cycles

B.

To assess requirements for reducing duplicate assets

C.

To understand vulnerabilities associated with the use of the assets

D.

To calculate mean time between failures (MTBF) for the assets

Buy Now
Questions 350

An organization wants to launch a campaign to advertise a new product Using data analytics, the campaign can be targeted to reach potential customers. Which of the following should be of GREATEST concern to the risk practitioner?