Isaca CRISC Dumps

Isaca CRISC Exam Dumps

Certified in Risk and Information Systems Control

Total Questions : 1020
Update Date : November 10, 2024
PDF + Test Engine
$65 $95
Test Engine
$55 $85
PDF Only
$45 $75



Last Week CRISC Exam Results

193

Customers Passed Isaca CRISC Exam

99%

Average Score In Real CRISC Exam

95%

Questions came from our CRISC dumps.



Choosing the Right Path for Your CRISC Exam Preparation

Welcome to PassExamHub's comprehensive study guide for the Certified in Risk and Information Systems Control exam. Our CRISC dumps are designed to equip you with the knowledge and resources you need to confidently prepare for and succeed in the CRISC certification exam.

What Our Isaca CRISC Study Material Offers

PassExamHub's CRISC dumps PDF is carefully crafted to provide you with a comprehensive and effective learning experience. Our study material includes:

In-depth Content: Our study guide covers all the key concepts, topics, and skills you need to master for the CRISC exam. Each topic is explained in a clear and concise manner, making it easy to understand even the most complex concepts.
Online Test Engine: Test your knowledge and build your confidence with a wide range of practice questions that simulate the actual exam format. Our test engine covers every exam objective and provides detailed explanations for both correct and incorrect answers.
Exam Strategies: Get valuable insights into exam-taking strategies, time management, and how to approach different types of questions.
Real-world Scenarios: Gain practical insights into applying your knowledge in real-world scenarios, ensuring you're well-prepared to tackle challenges in your professional career.

Why Choose PassExamHub?

Expertise: Our CRISC exam questions and answers are developed by experienced Isaca certified professionals who have a deep understanding of the exam objectives and industry best practices.
Comprehensive Coverage: We leave no stone unturned in covering every topic and skill that could appear on the CRISC exam, ensuring you're fully prepared.
Engaging Learning: Our content is presented in a user-friendly and engaging format, making your study sessions enjoyable and effective.
Proven Success: Countless students have used our study materials to achieve their CRISC certifications and advance their careers.
Start Your Journey Today!

Embark on your journey to Certified in Risk and Information Systems Control success with PassExamHub. Our study material is your trusted companion in preparing for the CRISC exam and unlocking exciting career opportunities.


Isaca CRISC Sample Question Answers

Question # 1

Which of the following will BEST help to ensure key risk indicators (KRIs) provide value to risk owners?

A. Ongoing training
B. Timely notification 
C. Return on investment (ROI)
D. Cost minimization



Question # 2

An organization is participating in an industry benchmarking study that involves providing customer transaction records for analysis. Which of the following is the MOST important control to ensure the privacy of customer information?

A. Nondisclosure agreements (NDAs) 
B. Data anonymization 
C. Data cleansing 
D. Data encryption



Question # 3

Which of the following approaches to bring your own device (BYOD) service delivery provides the BEST protection from data loss?

A. Enable data wipe capabilities
B. Penetration testing and session timeouts
C. Implement remote monitoring
D. Enforce strong passwords and data encryption



Question # 4

An organization wants to launch a campaign to advertise a new product. Using data analytics, the campaign can be targeted to reach potential customers. Which of the following should be of GREATEST concern to the risk practitioner?

A. Data minimization
B. Accountability 
C. Accuracy 
D. Purpose limitation



Question # 5

An organization has recently hired a large number of part-time employees. During the annual audit, it was discovered that many user IDs and passwords were documented in procedure manuals for use by the part-time employees. Which of the following BEST describes this situation?

A. Threat 
B. Risk
C. Vulnerability
D. Policy violation



Question # 6

A recent vulnerability assessment of a web-facing application revealed several weaknesses. Which of the following should be done NEXT to determine the risk exposure?

A. Code review 
B. Penetration test
C. Gap assessment
D. Business impact analysis (BIA)



Question # 7

Which of the following is the MOST effective way to reduce potential losses due to ongoing expense fraud?

A. Implement user access controls
B. Perform regular internal audits 
C. Develop and communicate fraud prevention policies 
D. Conduct fraud prevention awareness training.



Question # 8

Which of the following is the GREATEST benefit of identifying appropriate risk owners?

A. Accountability is established for risk treatment decisions
B. Stakeholders are consulted about risk treatment options 
C. Risk owners are informed of risk treatment options 
D. Responsibility is established for risk treatment decisions.



Question # 9

Which of the following is MOST important for senior management to review during an acquisition?

A. Risk appetite and tolerance 
B. Risk framework and methodology
C. Key risk indicator (KRI) thresholds
D. Risk communication plan



Question # 10

Which of the following is the MOST important objective from a cost perspective for considering aggregated risk responses in an organization?

A. Prioritize risk response options
B. Reduce likelihood.
C. Address more than one risk response
D. Reduce impact



Question # 11

Which of the following is MOST important to update when an organization's risk appetite changes?

A. Key risk indicators (KRIs) 
B. Risk reporting methodology
C. Key performance indicators (KPIs) 
D. Risk taxonomy



Question # 12

Which of the following is the BEST indicator of executive management's support for IT risk mitigation efforts?

A. The number of stakeholders involved in IT risk identification workshops 
B. The percentage of corporate budget allocated to IT risk activities
C. The percentage of incidents presented to the board 
D. The number of executives attending IT security awareness training



Question # 13

When a risk practitioner is determining a system's criticality, it is MOST helpful to review the associated:

A. process flow.
B. business impact analysis (BIA). 
C. service level agreement (SLA).
D. system architecture.



Question # 14

Which of the following is the MOST important consideration when communicating the risk associated with technology end-of-life to business owners?

A. Cost and benefit 
B. Security and availability 
C. Maintainability and reliability
D. Performance and productivity



Question # 15

Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities?

A. Temporarily mitigate the OS vulnerabilities
B. Document and implement a patching process
C. Evaluate permanent fixes such as patches and upgrades
D. Identify the vulnerabilities and applicable OS patches



Question # 16

Which of the following is the MOST important concern when assigning multiple risk owners for an identified risk?

A. Accountability may not be clearly defined.
B. Risk ratings may be inconsistently applied.
C. Different risk taxonomies may be used.
D. Mitigation efforts may be duplicated.



Question # 17

Which of the following BEST enables risk-based decision making in support of a business continuity plan (BCP)?

A. Impact analysis
B. Control analysis
C. Root cause analysis 
D. Threat analysis



Question # 18

Which of the following findings of a security awareness program assessment would cause the GREATEST concern to a risk practitioner?

A. The program has not decreased threat counts.
B. The program has not considered business impact.
C. The program has been significantly revised
D. The program uses non-customized training modules.



Question # 19

Effective risk communication BEST benefits an organization by:

A. helping personnel make better-informed decisions
B. assisting the development of a risk register.
C. improving the effectiveness of IT controls.
D. increasing participation in the risk assessment process.



Question # 20

Following an acquisition, the acquiring company's risk practitioner has been asked to update the organization's IT risk profile. What is the MOST important information to review from the acquired company to facilitate this task?

A. Internal and external audit reports 
B. Risk disclosures in financial statements
C. Risk assessment and risk register
D. Business objectives and strategies



Question # 21

Which of the following is the BEST way for a risk practitioner to present an annual risk management update to the board?

A. A summary of risk response plans with validation results
B. A report with control environment assessment results
C. A dashboard summarizing key risk indicators (KRIs)
D. A summary of IT risk scenarios with business cases



Question # 22

During an acquisition, which of the following would provide the MOST useful input to the parent company's risk practitioner when developing risk scenarios for the post-acquisition phase?

A. Risk management framework adopted by each company 
B. Risk registers of both companies 
C. IT balanced scorecard of each company
D. Most recent internal audit findings from both companies



Question # 23

Which of the following is MOST important when conducting a post-implementation review as part of the system development life cycle (SDLC)?

A. Verifying that project objectives are met
B. Identifying project cost overruns
C. Leveraging an independent review team
D. Reviewing the project initiation risk matrix



Question # 24

Which of the following should be of GREATEST concern when reviewing the results of an independent control assessment to determine the effectiveness of a vendor's control environment?

A. The report was provided directly from the vendor.
B. The risk associated with multiple control gaps was accepted. 
C. The control owners disagreed with the auditor's recommendations.
D. The controls had recurring noncompliance.



Question # 25

The BEST key performance indicator (KPI) to measure the effectiveness of the security patching process is the percentage of patches installed:

A. by the security administration team.
B. successfully within the expected time frame.
C. successfully during the first attempt. 
D. without causing an unplanned system outage.



Question # 26

When preparing a risk status report for periodic review by senior management, it is MOST important to ensure the report includes:

A. risk exposure in business terms
B. a detailed view of individual risk exposures
C. a summary of incidents that have impacted the organization.
D. recommendations by an independent risk assessor.



Question # 27

A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner's NEXT step?

A. Develop a mechanism for monitoring residual risk.
B. Update the risk register with the results. 
C. Prepare a business case for the response options. 
D. Identify resources for implementing responses.



Question # 28

Which of the following is the PRIMARY reason to perform periodic vendor risk assessments?

A. To provide input to the organization's risk appetite 
B. To monitor the vendor's control effectiveness 
C. To verify the vendor's ongoing financial viability
D. To assess the vendor's risk mitigation plans



Question # 29

Which of the following is the BEST control to minimize the risk associated with scope creep in software development?

A. An established process for project change management
B. Retention of test data and results for review purposes 
C. Business management's review of functional requirements 
D. Segregation between development, test, and production



Question # 30

An organization has experienced several incidents of extended network outages that have exceeded tolerance. Which of the following should be the risk practitioner's FIRST step to address this situation?

A. Recommend additional controls to address the risk.
B. Update the risk tolerance level to acceptable thresholds.
C. Update the incident-related risk trend in the risk register.
D. Recommend a root cause analysis of the incidents.



Question # 31

The objective of aligning mitigating controls to risk appetite is to ensure that:

A. exposures are reduced to the fullest extent
B. exposures are reduced only for critical business systems
C. insurance costs are minimized 
D. the cost of controls does not exceed the expected loss.



Question # 32

Which of the following is the MAIN purpose of monitoring risk?

A. Communication 
B. Risk analysis 
C. Decision support 
D. Benchmarking



Question # 33

A risk practitioner is utilizing a risk heat map during a risk assessment. Risk events that are coded with the same color will have a similar:

A. risk score 
B. risk impact 
C. risk response 
D. risk likelihood.



Question # 34

When evaluating a number of potential controls for treating risk, it is MOST important to consider:

A. risk appetite and control efficiency.
B. inherent risk and control effectiveness.
C. residual risk and cost of control.
D. risk tolerance and control complexity.



Question # 35

Which of the following is MOST important to promoting a risk-aware culture?

A. Regular testing of risk controls
B. Communication of audit findings
C. Procedures for security monitoring 
D. Open communication of risk reporting



Question # 36

An organization has decided to postpone the assessment and treatment of several risk scenarios because stakeholders are unavailable. As a result of this decision, the risk associated with these new entries has been:

A. mitigated
B. deferred
C. accepted.
D. transferred



Question # 37

An organization's control environment is MOST effective when:

A. controls perform as intended.
B. controls operate efficiently.
C. controls are implemented consistently.
D. control designs are reviewed periodically



Question # 38

Which of the following is the MOST important step to ensure regulatory requirements are adequately addressed within an organization?

A. Obtain necessary resources to address regulatory requirements 
B. Develop a policy framework that addresses regulatory requirements
C. Perform a gap analysis against regulatory requirements.
D. Employ IT solutions that meet regulatory requirements.



Question # 39

When defining thresholds for control key performance indicators (KPIs), it is MOST helpful to align:

A. information risk assessments with enterprise risk assessments.
B. key risk indicators (KRIs) with risk appetite of the business.
C. the control key performance indicators (KPIs) with audit findings.
D. control performance with risk tolerance of business owners.



Question # 40

Which of the following is the MOST important key performance indicator (KPI) to monitor the effectiveness of disaster recovery processes?

A. Percentage of IT systems recovered within the mean time to restore (MTTR) during the disaster recovery test
B. Percentage of issues arising from the disaster recovery test resolved on time 
C. Percentage of IT systems included in the disaster recovery test scope 
D. Percentage of IT systems meeting the recovery time objective (RTO) during the disaster recovery test



Question # 41

A risk practitioner has collaborated with subject matter experts from the IT department to develop a large list of potential key risk indicators (KRIs) for all IT operations within the organization. Of the following, who should review the completed list and select the appropriate KRIs for implementation?

A. IT security managers
B. IT control owners 
C. IT auditors
D. IT risk owners



Question # 42

Senior management wants to increase investment in the organization's cybersecurity program in response to changes in the external threat landscape. Which of the following would BEST help to prioritize investment efforts?

A. Analyzing cyber intelligence reports 
B. Engaging independent cybersecurity consultants
C. Increasing the frequency of updates to the risk register
D. Reviewing the outcome of the latest security risk assessment



Question # 43

An organization's chief information officer (CIO) has proposed investing in a new, untested technology to take advantage of being first to market. Senior management has concerns about the success of the project and has set a limit for expenditures before final approval. This conditional approval indicates the organization's risk:

A. capacity. 
B. appetite.
C. management capability. 
D. treatment strategy.



Question # 44

Which of the following is MOST helpful in providing an overview of an organization's risk management program?

A. Risk management treatment plan
B. Risk assessment results
C. Risk management framework
D. Risk register



Question # 45

An organization is implementing encryption for data at rest to reduce the risk associated with unauthorized access. Which of the following MUST be considered to assess the residual risk?

A. Data retention requirements 
B. Data destruction requirements 
C. Cloud storage architecture 
D. Key management 



Question # 46

Which of the following is a risk practitioner's BEST recommendation to address an organization's need to secure multiple systems with limited IT resources?

A. Apply available security patches. 
B. Schedule a penetration test. 
C. Conduct a business impact analysis (BIA) 
D. Perform a vulnerability analysis. 



Question # 47

The PRIMARY advantage of involving end users in continuity planning is that they:

A. have a better understanding of specific business needs 
B. can balance the overall technical and business concerns 
C. can see the overall impact to the business 
D. are more objective than information security management. 



Question # 48

A bank recently incorporated Blockchain technology with the potential to impact known risk within the organization. Which of the following is the risk practitioner's BEST course of action?

A. Determine whether risk responses are still adequate. 
B. Analyze and update control assessments with the new processes. 
C. Analyze the risk and update the risk register as needed. 
D. Conduct testing of the controls that mitigate the existing risk. 



Question # 49

A financial institution has identified high risk of fraud in several business applications. Which of the following controls will BEST help reduce the risk of fraudulent internal transactions?

A. Periodic user privileges review 
B. Log monitoring 
C. Periodic internal audits 
D. Segregation of duties 



Question # 50

Which of the following would be the GREATEST challenge when implementing a corporate risk framework for a global organization?

A. Privacy risk controls 
B. Business continuity 
C. Risk taxonomy 
D. Management support 



Question # 51

After the implementation of Internet of Things (IoT) devices, new risk scenarios were identified. What is the PRIMARY reason to report this information to risk owners?

A. To reevaluate continued use of IoT devices 
B. To add new controls to mitigate the risk 
C. To recommend changes to the IoT policy 
D. To confirm the impact to the risk profile 



Question # 52

Which of the following is MOST helpful in preventing risk events from materializing?

A. Prioritizing and tracking issues 
B. Establishing key risk indicators (KRIs) 
C. Reviewing and analyzing security incidents 
D. Maintaining the risk register 



Question # 53

Which of the following is a risk practitioner's MOST important responsibility in managing risk acceptance that exceeds risk tolerance?

A. Verify authorization by senior management. 
B. Increase the risk appetite to align with the current risk level 
C. Ensure the acceptance is set to expire over time 
D. Update the risk response in the risk register. 



Question # 54

Which of the following would be a risk practitioner's BEST course of action when a project team has accepted a risk outside the established risk appetite?

A. Reject the risk acceptance and require mitigating controls. 
B. Monitor the residual risk level of the accepted risk. 
C. Escalate the risk decision to the project sponsor for review. 
D. Document the risk decision in the project risk register. 



Question # 55

A multinational organization is considering implementing standard background checks to all new employees. A KEY concern regarding this approach is that it may:

A. fail to identify all relevant issues. 
B. be too costly 
C. violate laws in other countries 
D. be too time consuming 



Question # 56

When developing a risk awareness training program, which of the following training topics would BEST facilitate a thorough understanding of risk scenarios?

A. Mapping threats to organizational objectives 
B. Reviewing past audits 
C. Analyzing key risk indicators (KRIs) 
D. Identifying potential sources of risk 



Question # 57

Which of the following stakeholders are typically included as part of a line of defense within the three lines of defense model?

A. Board of directors 
B. Vendors 
C. Regulators 
D. Legal team 



Question # 58

Which of the following should be the PRIMARY goal of developing information security metrics?

A. Raising security awareness 
B. Enabling continuous improvement 
C. Identifying security threats 
D. Ensuring regulatory compliance 



Question # 59

Which of the following will BEST help to ensure new IT policies address the enterprise's requirements?

A. Involve IT leadership in the policy development process 
B. Require business users to sign acknowledgment of the policies 
C. Involve business owners in the policy development process 
D. Provide policy owners with greater enforcement authority 



Question # 60

A risk practitioner has just learned about new malware that has severely impacted industry peers worldwide data loss?

A. Customer database manager 
B. Customer data custodian 
C. Data privacy officer 
D. Audit committee 



Question # 61

It was determined that replication of a critical database used by two business units failed. Which of the following should be of GREATEST concern?

A. The underutilization of the replicated link 
B. The cost of recovering the data 
C. The lack of integrity of data 
D. The loss of data confidentiality 



Question # 62

The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for:

A. data logging and monitoring 
B. data mining and analytics 
C. data classification and labeling 
D. data retention and destruction 



Question # 63

Which type of indicators should be developed to measure the effectiveness of an organization's firewall rule set?

A. Key risk indicators (KRIs) 
B. Key management indicators (KMIs) 
C. Key performance indicators (KPIs) 
D. Key control indicators (KCIs) 



Question # 64

Which of the following is MOST important to the effectiveness of key performance indicators (KPIs)?

A. Relevance 
B. Annual review 
C. Automation 
D. Management approval 



Question # 65

Who should be PRIMARILY responsible for establishing an organization's IT risk culture?

A. Business process owner 
B. Executive management 
C. Risk management 
D. IT management 



Question # 66

The PRIMARY benefit of using a maturity model is that it helps to evaluate the:

A. capability to implement new processes 
B. evolution of process improvements 
C. degree of compliance with policies and procedures 
D. control requirements. 



Question # 67

Which of the following is the PRIMARY reason to adopt key control indicators (KCIs) in the risk monitoring and reporting process?

A. To provide data for establishing the risk profile 
B. To provide assurance of adherence to risk management policies 
C. To provide measurements on the potential for risk to occur 
D. To provide assessments of mitigation effectiveness 



Question # 68

Of the following, who is BEST suited to assist a risk practitioner in developing a relevant set of risk scenarios?

A. Internal auditor 
B. Asset owner 
C. Finance manager 
D. Control owner 



Question # 69

Which of the following would be the result of a significant increase in the motivation of a malicious threat actor?

A. Increase in mitigating control costs 
B. Increase in risk event impact 
C. Increase in risk event likelihood 
D. Increase in cybersecurity premium 



Question # 70

Which of the following is the BEST indicator of an effective IT security awareness program?

A. Decreased success rate of internal phishing tests 
B. Decreased number of reported security incidents 
C. Number of disciplinary actions issued for security violations 
D. Number of employees that complete security training



Question # 71

Which of the following is the MOST effective way to incorporate stakeholder concerns when developing risk scenarios?

A. Evaluating risk impact 
B. Establishing key performance indicators (KPIs) 
C. Conducting internal audits 
D. Creating quarterly risk reports 



Question # 72

Which of the following would BEST facilitate the implementation of data classification requirements?

A. Assigning a data owner 
B. Implementing technical control over the assets 
C. Implementing a data loss prevention (DLP) solution 
D. Scheduling periodic audits 



Question # 73

An organization is conducting a review of emerging risk. Which of the following is the BEST input for this exercise?

A. Audit reports 
B. Industry benchmarks 
C. Financial forecasts 
D. Annual threat reports 



Question # 74

An organization moved its payroll system to a Software as a Service (SaaS) application. A new data privacy regulation stipulates that data can only be processed within the country where it is collected. Which of the following should be done FIRST when addressing this situation?

A. Analyze data protection methods. 
B. Understand data flows. 
C. Include a right-to-audit clause. 
D. Implement strong access controls. 



Question # 75

Recovery time objectives (RTOs) should be based on:

A. minimum tolerable downtime 
B. minimum tolerable loss of data. 
C. maximum tolerable downtime. 
D. maximum tolerable loss of data 



Question # 76

Which of the following contributes MOST to the effective implementation of risk responses?

A. Clear understanding of the risk 
B. Comparable industry risk trends 
C. Appropriate resources 
D. Detailed standards and procedures 



Question # 77

An employee lost a personal mobile device that may contain sensitive corporate information. What should be the risk practitioner's recommendation?

A. Conduct a risk analysis. 
B. Initiate a remote data wipe. 
C. Invoke the incident response plan 
D. Disable the user account. 



Question # 78

Which of the following is MOST helpful to understand the consequences of an IT risk event?

A. Fault tree analysis 
B. Historical trend analysis 
C. Root cause analysis 
D. Business impact analysis (BIA) 



Question # 79

A company has recently acquired a customer relationship management (CRM) application from a certified software vendor. Which of the following will BEST help to prevent technical vulnerabilities from being exploited?

A. Implement code reviews and quality assurance on a regular basis 
B. Verify the software agreement indemnifies the company from losses 
C. Review the source code and error reporting of the application 
D. Update the software with the latest patches and updates 



Question # 80

Which of the following should be the PRIMARY focus of an IT risk awareness program?

A. Ensure compliance with the organization's internal policies 
B. Cultivate long-term behavioral change. 
C. Communicate IT risk policy to the participants. 
D. Demonstrate regulatory compliance. 



Question # 81

Which of the following would be the GREATEST concern for an IT risk practitioner when an employee's.....

A. The organization's structure has not been updated 
B. Unnecessary access permissions have not been removed.
C. Company equipment has not been retained by IT 
D. Job knowledge was not transferred to employees in the former department 



Question # 82

Which of the following is the FIRST step when conducting a business impact analysis (BIA)?

A. Identifying critical information assets 
B. Identifying events impacting continuity of operations; 
C. Creating a data classification scheme 
D. Analyzing previous risk assessment results



Question # 83

Which of the following would BEST mitigate an identified risk scenario?

A. Conducting awareness training 
B. Executing a risk response plan 
C. Establishing an organization's risk tolerance 
D. Performing periodic audits 



Question # 84

Which of the following is the BEST way to help ensure risk will be managed properly after a business process has been re-engineered?

A. Reassessing control effectiveness of the process 
B. Conducting a post-implementation review to determine lessons learned 
C. Reporting key performance indicators (KPIs) for core processes 
D. Establishing escalation procedures for anomaly events 



Question # 85

Which of the following should be management's PRIMARY focus when key risk indicators (KRIs) begin to rapidly approach defined thresholds?

A. Designing compensating controls 
B. Determining if KRIs have been updated recently 
C. Assessing the effectiveness of the incident response plan 
D. Determining what has changed in the environment 



Question # 86

Senior management has asked the risk practitioner for the overall residual risk level for a process that contains numerous risk scenarios. Which of the following should be provided?

A. The sum of residual risk levels for each scenario 
B. The loss expectancy for aggregated risk scenarios 
C. The highest loss expectancy among the risk scenarios 
D. The average of anticipated residual risk levels 



Question # 87

Legal and regulatory risk associated with business conducted over the Internet is driven by:

A. the jurisdiction in which an organization has its principal headquarters 
B. international law and a uniform set of regulations. 
C. the laws and regulations of each individual country 
D. international standard-setting bodies. 



Question # 88

An organization is considering outsourcing user administration controls for a critical system. The potential vendor has offered to perform quarterly self-audits of its controls instead of having annual independent audits. Which of the following should be of GREATEST concern to the risk practitioner?

A. The controls may not be properly tested 
B. The vendor will not ensure against control failure 
C. The vendor will not achieve best practices 
D. Lack of a risk-based approach to access control 



Question # 89

An organization has an approved bring your own device (BYOD) policy. Which of the following would BEST mitigate the security risk associated with the inappropriate use of enterprise applications on the devices?

A. Periodically review applications on BYOD devices 
B. Include BYOD in organizational awareness programs 
C. Implement BYOD mobile device management (MDM) controls. 
D. Enable a remote wipe capability for BYOD devices 



Question # 90

To reduce costs, an organization is combining the second and third lines of defense in a new department that reports to a recently appointed C-level executive. Which of the following is the GREATEST concern with this situation?

A. The risk governance approach of the second and third lines of defense may differ. 
B. The independence of the internal third line of defense may be compromised. 
C. Cost reductions may negatively impact the productivity of other departments. 
D. The new structure is not aligned to the organization's internal control framework. 



Question # 91

When documenting a risk response, which of the following provides the STRONGEST evidence to support the decision?

A. Verbal majority acceptance of risk by committee 
B. List of compensating controls 
C. IT audit follow-up responses 
D. A memo indicating risk acceptance 



Question # 92

An organization maintains independent departmental risk registers that are not automatically aggregated. Which of the following is the GREATEST concern?

A. Management may be unable to accurately evaluate the risk profile. 
B. Resources may be inefficiently allocated. 
C. The same risk factor may be identified in multiple areas. 
D. Multiple risk treatment efforts may be initiated to treat a given risk. 



Question # 93

Which of the following is MOST important for an organization to update following a change in legislation requiring notification to individuals impacted by data breaches?

A. Insurance coverage 
B. Security awareness training 
C. Policies and standards 
D. Risk appetite and tolerance 



Question # 94

A risk practitioner is preparing a report to communicate changes in the risk and control environment. The BEST way to engage stakeholder attention is to:

A. include detailed deviations from industry benchmarks.
B. include a summary linking information to stakeholder needs.
C. include a roadmap to achieve operational excellence.
D. publish the report on-demand for stakeholders.



Question # 95

A risk practitioner identifies a database application that has been developed and implemented by the business independently of IT. Which of the following is the BEST course of action?

A. Escalate the concern to senior management. 
B. Document the reasons for the exception. 
C. Include the application in IT risk assessments. 
D. Propose that the application be transferred to IT. 



Question # 96

Which of the following practices would be MOST effective in protecting personally identifiable information (PII) from unauthorized access in a cloud environment?

A. Apply data classification policy.
B. Utilize encryption with logical access controls.
C. Require logical separation of company data.
D. Obtain the right to audit.



Question # 97

Which of the following would MOST likely require a risk practitioner to update the risk register?

A. An alert being reported by the security operations center.
B. Development of a project schedule for implementing a risk response.
C. Completion of a project for implementing a new control.
D. Engagement of a third party to conduct a vulnerability scan.



Question # 98

Which of the following is the BEST way to determine the potential organizational impact of emerging privacy regulations?

A. Evaluate the security architecture maturity. 
B. Map the new requirements to the existing control framework. 
C. Charter a privacy steering committee. 
D. Conduct a privacy impact assessment (PIA). 



Question # 99

Which of the following is the MOST comprehensive resource for prioritizing the implementation of information systems controls?

A. Data classification policy 
B. Emerging technology trends 
C. The IT strategic plan 
D. The risk register 



Question # 100

An organization discovers significant vulnerabilities in a recently purchased commercial off-the-shelf software product which will not be corrected until the next release. Which of the following is the risk manager's BEST course of action?

A. Review the risk of implementing versus postponing with stakeholders. 
B. Run vulnerability testing tools to independently verify the vulnerabilities. 
C. Review software license to determine the vendor's responsibility regarding vulnerabilities.
D. Require the vendor to correct significant vulnerabilities prior to installation. 



Question # 101

Which of the following would present the MOST significant risk to an organization when updating the incident response plan?

A. Obsolete response documentation 
B. Increased stakeholder turnover 
C. Failure to audit third-party providers 
D. Undefined assignment of responsibility 



Question # 102

Which of the following is MOST important when implementing an organization's security policy?

A. Obtaining management support 
B. Benchmarking against industry standards 
C. Assessing compliance requirements 
D. Identifying threats and vulnerabilities