Certified in Risk and Information Systems Control CRISC Questions + Answers Part 8

Post by answerhappygod »

QUESTION 348
Which of the following risk register updates is MOST important for senior management to review?
A. Avoiding a risk that was previously accepted
B. Extending the date of a future action plan by two months
C. Retiring a risk scenario no longer used
D. Changing a risk owner
Correct Answer: B
Section: Volume D

QUESTION 349
A risk practitioner is assisting with the preparation of a report on the organization’s disaster recovery (DR) capabilities. Which information would have the MOST impact on the overall recovery profile?
A. The percentage of systems meeting recovery target times has increased
B. The number of systems requiring a recovery plan has increased
C. The number of systems tested in the last year has increased
D. The percentage of systems with long recovery target times has decreased
Correct Answer: B
Section: Volume D

QUESTION 350
While evaluating control costs, management discovers that the annual cost exceeds the annual loss expectancy (ALE) of the risk. This indicates the:
A. control is ineffective and should be strengthened
B. risk is inefficiently controlled
C. risk is efficiently controlled
D. control is weak and should be removed
Correct Answer: B
Section: Volume D

QUESTION 351
Which of the following should be the PRIMARY consideration when assessing the automation of control monitoring?
A. Frequency of failure of control
B. Contingency plan for residual risk
C. Cost-benefit analysis of automation
D. Impact due to failure of control
Correct Answer: D
Section: Volume D

QUESTION 352
Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?
A. Conduct an awareness program for data owners and users
B. Maintain and review the classified data inventory
C. Implement mandatory encryption on data
D. Define and implement a data classification policy
Correct Answer: A
Section: Volume D
QUESTION 353
The MOST effective approach to prioritize risk scenarios is by:
A. assessing impact to the strategic plan
B. soliciting input from risk management experts
C. aligning with industry best practices
D. evaluating the cost of risk response
Correct Answer: A
Section: Volume D

QUESTION 354
Which of the following is the MAIN reason to continuously monitor IT-related risk?
A. To ensure risk levels are within acceptable limits of the organization’s risk appetite and risk tolerance
B. To redefine the risk appetite and risk tolerance levels based on changes in risk factors
C. To help identify root causes of incidents and recommend suitable long-term solutions
D. To update the risk register to reflect changes in levels of identified and new IT-related risk
Correct Answer: A
Section: Volume D

QUESTION 355
An organization operates in an environment where reduced time-to-market for new software products is a top business priority. Which of the following should be the risk practitioner’s GREATEST concern?
A. Email infrastructure does not have proper rollback plans
B. Sufficient resources are not assigned to IT development projects
C. The corporate email system does not identify and store phishing emails
D. Customer support help desk staff does not have adequate training
Correct Answer: B
Section: Volume D
QUESTION 356
Which of the following is MOST effective in continuous risk management process improvement?
A. Policy updates
B. Periodic assessments
C. Awareness training
D. Change management
Correct Answer: B
Section: Volume D

QUESTION 357
When reviewing a risk response strategy, senior management’s PRIMARY focus should be placed on the:
A. investment portfolio
B. alignment with risk appetite
C. key performance indicators (KPIs)
D. cost-benefit analysis
Correct Answer: D
Section: Volume D

QUESTION 358
Which of the following is of GREATEST concern when uncontrolled changes are made to the control environment?
A. An increase in control vulnerabilities
B. An increase in inherent risk
C. A decrease in control layering effectiveness
D. An increase in the level of residual risk
Correct Answer: B
Section: Volume D
QUESTION 359
Which of the following is the MOST relevant input to an organization’s risk profile?
A. External audit’s risk assessment
B. Management’s risk self-assessment
C. Internal audit’s risk assessment
D. Information security’s vulnerability assessment
Correct Answer: A
Section: Volume D

QUESTION 360
Which of the following would BEST help to ensure that identified risk is efficiently managed?
A. Reviewing the maturity of the control environment
B. Maintaining a key risk indicator for each asset in the risk register
C. Regularly monitoring the project plan
D. Periodically reviewing controls per the risk treatment plan
Correct Answer: A
Section: Volume D

QUESTION 361
IT management has asked for a consolidated view into the organization’s risk profile to enable project prioritization and resource allocation. Which of the following materials would be MOST helpful?
A. List of key risk indicators
B. Internal audit reports
C. IT risk register
D. List of approved projects
Correct Answer: C
Section: Volume D

QUESTION 362
In an organization dependent on data analytics to drive decision-making, which of the following would BEST help to minimize the risk associated with inaccurate data?
A. Evaluating each of the data sources for vulnerabilities
B. Establishing an intellectual property agreement
C. Benchmarking to industry best practice
D. Periodically reviewing big data strategies
Correct Answer: A
Section: Volume D
QUESTION 363
Which of the following is the MOST important consideration when multiple risk practitioners capture risk scenarios in a single risk register?
A. Using a consistent method for risk assessment
B. Developing risk escalation and reporting procedures
C. Maintaining up-to-date risk treatment plans
D. Aligning risk ownership and control ownership
Correct Answer: A
Section: Volume D

QUESTION 364
Which of the following approaches will BEST help to ensure the effectiveness of risk awareness training?
A. Reviewing content with senior management
B. Using reputable third-party training programs
C. Piloting courses with focus groups
D. Creating modules for targeted audiences
Correct Answer: D
Section: Volume D

QUESTION 365
Which of the following changes would be reflected in an organization’s risk profile after the failure of a critical patch implementation?
A. Inherent risk is increased.
B. Risk tolerance is decreased.
C. Risk appetite is decreased.
D. Residual risk is increased.
Correct Answer: D
Section: Volume D
QUESTION 366
Which of the following is the GREATEST benefit of analyzing logs collected from different systems?
A. Developing threats are detected earlier.
B. Forensic investigations are facilitated.
C. Security violations can be identified.
D. A record of incidents is maintained.
Correct Answer: D
Section: Volume D

QUESTION 367
Which of the following is the MOST useful indicator to measure the efficiency of an identity and access management process?
A. Average time to provision user accounts
B. Password reset volume per month
C. Number of tickets for provisioning new accounts
D. Average account lockout time
Correct Answer: A
Section: Volume D

QUESTION 368
The head of a business operations department asks to review the entire IT risk register. Which of the following would be the risk manager’s BEST approach to this request before sharing the register?
A. Determine the purpose of the request.
B. Require a nondisclosure agreement.
C. Sanitize portions of the register.
D. Escalate to senior management.
Correct Answer: A
Section: Volume D

QUESTION 369
A risk practitioner has identified that the organization’s secondary data center does not provide redundancy for a critical application. Who should have the authority to accept the associated risk?
A. Business continuity director
B. Business application owner
C. Disaster recovery manager
D. Data center manager
Correct Answer: B
Section: Volume D

QUESTION 370
Which of the following is MOST useful when communicating risk to management?
A. Risk policy
B. Risk map
C. Maturity model
D. Audit report
Correct Answer: B
Section: Volume D
QUESTION 371
Which of the following should be the PRIMARY input when designing IT controls?
A. Internal and external risk reports
B. Outcome of control self-assessments
C. Benchmark of industry standards
D. Recommendations from IT risk experts
Correct Answer: A
Section: Volume D

QUESTION 372
A key risk indicator (KRI) is reported to senior management on a periodic basis as exceeding thresholds, but each time senior management has decided to take no action to reduce the risk. Which of the following is the MOST likely reason for senior management’s response?
A. The underlying data source for the KRI is using inaccurate data and needs to be corrected.
B. The KRI threshold needs to be revised to better align with the organization’s risk appetite.
C. Senior management does not understand the KRI and should undergo risk training.
D. The KRI is not providing useful information and should be removed from the KRI inventory.
Correct Answer: B
Section: Volume D

QUESTION 373
Which of the following should be the HIGHEST priority when developing a risk response?
A. The risk response is accounted for in the budget.
B. The risk response aligns with the organization’s risk appetite.
C. The risk response is based on a cost-benefit analysis.
D. The risk response addresses the risk with a holistic view.
Correct Answer: C
Section: Volume D
QUESTION 374
The MAIN purpose of having a documented risk profile is to:
A. enable well-informed decision making.
B. comply with external and internal requirements.
C. keep the risk register up-to-date.
D. prioritize investment projects.
Correct Answer: A
Section: Volume D

QUESTION 375
Which of the following is the MOST important foundational element of an effective three lines of defense model for an organization?
A. A well-established risk management committee
B. A robust risk aggregation tool set
C. Well-documented and communicated escalation procedures
D. Clearly defined roles and responsibilities
Correct Answer: D
Section: Volume D

QUESTION 376
Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?
A. Return on investment
B. Risk mitigation budget
C. Cost-benefit analysis
D. Business impact analysis
Correct Answer: C
Section: Volume D
QUESTION 377
Which of the following is MOST critical to the design of relevant risk scenarios?
A. The scenarios are linked to probable organizational situations.
B. The scenarios are based on past incidents.
C. The scenarios are aligned with risk management capabilities.
D. The scenarios are mapped to incident management capabilities.
Correct Answer: A
Section: Volume D

QUESTION 378
An IT risk practitioner has determined that mitigation activities differ from an approved risk action plan. Which of the following is the risk practitioner’s BEST course of action?
A. Revert the implemented mitigation measures until approval is obtained.
B. Validate the adequacy of the implemented risk mitigation measures.
C. Report the observation to the chief risk officer (CRO).
D. Update the risk register with the implemented risk mitigation actions.
Correct Answer: B
Section: Volume D

QUESTION 379
Which of the following should be the risk practitioner’s PRIMARY focus when determining whether controls are adequate to mitigate risk?
A. Cost-benefit analysis
B. Sensitivity analysis
C. Level of residual risk
D. Risk appetite
Correct Answer: D
Section: Volume D
QUESTION 380
Which of the following is the MAIN benefit of involving stakeholders in the selection of key risk indicators (KRIs)?
A. Leveraging existing metrics
B. Optimizing risk treatment decisions
C. Obtaining buy-in from risk owners
D. Improving risk awareness
Correct Answer: C
Section: Volume D

QUESTION 381
Which of the following is MOST critical when designing controls?
A. Involvement of process owner
B. Involvement of internal audit
C. Identification of key risk indicators
D. Quantitative impact of the risk
Correct Answer: D
Section: Volume D

QUESTION 382
An organization has procured a managed hosting service and just discovered the location is likely to be flooded every 20 years. Of the following, who should be notified of this new information FIRST?
A. The risk owner who also owns the business service enabled by this infrastructure
B. The site manager who is required to provide annual risk assessments under the contract
C. The data center manager who is also employed under the managed hosting services contract
D. The chief information officer (CIO) who is responsible for the hosted services
Correct Answer: A
Section: Volume D

QUESTION 383
What can be determined from the risk scenario chart?
A. The multiple risk factors addressed by a chosen response
B. Relative positions on the risk map
C. Capability of enterprise to implement
D. Risk treatment options
Correct Answer: A
Section: Volume D
QUESTION 384
A management team is on an aggressive mission to launch a new product to penetrate new markets and overlooks IT risk factors, threats, and vulnerabilities. This scenario BEST demonstrates an organization’s risk:
A. management.
B. analysis.
C. culture.
D. tolerance.
Correct Answer: C
Section: Volume D

QUESTION 385
The risk associated with an asset before controls are applied can be expressed as:
A. the likelihood of a given threat.
B. the magnitude of an impact.
C. a function of the likelihood and impact.
D. a function of the cost and effectiveness of controls.
Correct Answer: C
Section: Volume D

QUESTION 386
Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:
A. a vulnerability assessment.
B. a root cause analysis.
C. an impact assessment.
D. a gap analysis.
Correct Answer: B
Section: Volume D

QUESTION 387
When using a third party to perform penetration testing, which of the following is the MOST important control to minimize operational impact?
A. Require the vendor to have liability insurance.
B. Perform a background check on the vendor.
C. Require the vendor to sign a nondisclosure agreement.
D. Clearly define the project scope.
Correct Answer: D
Section: Volume D
QUESTION 388
Which of the following is the BEST way to promote adherence to the risk tolerance level set by management?
A. Avoiding risks that could materialize into substantial losses
B. Increasing organizational resources to mitigate risks
C. Defining expectations in the enterprise risk policy
D. Communicating external audit results
Correct Answer: C
Section: Volume D

QUESTION 389
An external security audit has reported multiple findings related to control noncompliance. Which of the following would be MOST important for the risk practitioner to communicate to senior management?
A. Plans for mitigating the associated risk
B. Suggestions for improving risk awareness training
C. A recommendation for internal audit validation
D. The impact to the organization’s risk profile
Correct Answer: C
Section: Volume D

QUESTION 390
A risk practitioner is organizing a training session to communicate risk assessment methodologies to ensure a consistent risk view within the organization. Which of the following is the MOST important topic to cover in this training?
A. Applying risk factors
B. Applying risk appetite
C. Understanding risk culture
D. Referencing risk event data
Correct Answer: C
Section: Volume D
QUESTION 391
A risk practitioner recently discovered that sensitive data from the production environment is required for testing purposes in non-production environments. Which of the following is the BEST recommendation to address this situation?
A. Mask data before being transferred to the test environment.
B. Implement equivalent security in the test environment.
C. Enable data encryption in the test environment.
D. Prevent the use of production data for test purposes.
Correct Answer: B
Section: Volume D

QUESTION 392
Which of the following techniques would be used during a risk assessment to demonstrate to stakeholders that all known alternatives were evaluated?
A. Control chart
B. Trend analysis
C. Sensitivity analysis
D. Decision tree
Correct Answer: A
Section: Volume D

QUESTION 393
After a risk has been identified, who is in the BEST position to select the appropriate risk treatment option?
A. The risk practitioner
B. The risk owner
C. The control owner
D. The business process owner
Correct Answer: A
Section: Volume D
QUESTION 394
Which of the following is the MOST important requirement for monitoring key risk indicators (KRIs) using log analysis?
A. Collecting logs from the entire set of IT systems
B. Providing accurate logs in a timely manner
C. Implementing an automated log analysis tool
D. Obtaining logs in an easily readable format
Correct Answer: A
Section: Volume D

QUESTION 395
Who is the MOST appropriate owner for newly identified IT risk?
A. The manager responsible for IT operations that will support the risk mitigation efforts
B. The individual with the most IT risk-related subject matter knowledge
C. The individual with authority to commit organizational resources to mitigate the risk
D. A project manager capable of prioritizing the risk remediation efforts
Correct Answer: B
Section: Volume D

QUESTION 396
Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?
A. Customer database manager
B. Audit committee
C. Data privacy officer
D. Customer data custodian
Correct Answer: D
Section: Volume D
QUESTION 397
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery plan (DRP)?
A. Percentage of issues related as a result of DRP testing
B. Number of users that participated in the DRP testing
C. Number of issues identified during DRP testing
D. Percentage of applications that met the RTO during DRP testing
Correct Answer: D
Section: Volume D

QUESTION 398
Whose risk tolerance matters MOST when making a risk decision?
A. Customers who would be affected by a breach
B. The information security manager
C. The business process owner of the exposed assets
D. Auditors, regulators, and standards organizations
Correct Answer: D
Section: Volume D
QUESTION 399
Management has required information security awareness training to reduce the risk associated with credential compromise. What is the BEST way to assess the effectiveness of the training?
A. Conduct social engineering testing.
B. Perform a vulnerability assessment.
C. Audit security awareness training materials.
D. Administer an end-of-training quiz.
Correct Answer: A
Section: Volume D

QUESTION 400
Which of the following is the MOST important characteristic of an effective risk management program?
A. Risk response plans are documented.
B. Key risk indicators are defined.
C. Risk ownership is assigned.
D. Controls are mapped to key risk scenarios.
Correct Answer: D
Section: Volume D

QUESTION 401
Which of the following is the PRIMARY reason to perform ongoing risk assessments?
A. The risk environment is subject to change.
B. The information security budget must be justified.
C. Emerging risk must be continuously reported to management.
D. New system vulnerabilities emerge at frequent intervals.
Correct Answer: A
Section: Volume D
QUESTION 402
Which of the following is the PRIMARY objective of providing an aggregated view of IT risk to business management?
A. To provide consistent and clear terminology
B. To allow for proper review of risk tolerance
C. To identify dependencies for reporting risk
D. To enable consistent data on risk to be obtained
Correct Answer: B
Section: Volume D

QUESTION 403
An organization has completed a project to implement encryption on all databases that host customer data. Which of the following elements of the risk register should be updated to reflect this change?
A. Risk tolerance
B. Inherent risk
C. Risk appetite
D. Risk likelihood
Correct Answer: B
Section: Volume D
QUESTION 404
A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?
A. Action plans to address risk scenarios requiring treatment
B. The team that performed the risk assessment
C. An assigned risk manager to provide oversight
D. The methodology used to perform the risk assessment
Correct Answer: D
Section: Volume D

QUESTION 405
Senior management has asked a risk practitioner to develop technical risk scenarios related to a recently developed enterprise resource planning (ERP) system. These scenarios will be owned by the system manager. Which of the following would be the BEST method to use when developing the scenarios?
A. Bottom-up approach
B. Cause-and-effect diagram
C. Top-down approach
D. Delphi technique
Correct Answer: D
Section: Volume D

QUESTION 406
Which of the following is the MOST important element of a successful risk awareness training program?
A. Mapping to a recognized standard
B. Providing metrics for measurement
C. Customizing content for the audience
D. Providing incentives to participants
Correct Answer: B
Section: Volume D
QUESTION 407
Whether the results of risk analysis should be presented in quantitative or qualitative terms should be based PRIMARILY on the:
A. specific risk analysis framework being used.
B. results of the risk assessment.
C. requirements of management.
D. organizational risk tolerance.
Correct Answer: A
Section: Volume D

QUESTION 408
Which of the following will BEST quantify the risk associated with malicious users in an organization?
A. Business impact analysis
B. Threat risk assessment
C. Vulnerability assessment
D. Risk analysis
Correct Answer: B
Section: Volume D

QUESTION 409
IT risk assessments can BEST be used by management:
A. to measure organizational success.
B. as input for decision-making.
C. as a basis for cost-benefit analysis.
D. for compliance with laws and regulations.
Correct Answer: B
Section: Volume D
QUESTION 410
Which of the following risk management practices BEST facilitates the incorporation of IT risk scenarios into the enterprise-wide risk register?
A. Key risk indicators (KRIs) are developed for key IT risk scenarios.
B. IT risk scenarios are developed in the context of organizational objectives.
C. IT risk scenarios are assessed by the enterprise risk management team.
D. Risk appetites for IT risk scenarios are approved by key business stakeholders.
Correct Answer: B
Section: Volume D

QUESTION 411
Which of the following would be the BEST recommendation if the level of risk in the IT risk profile has decreased and is now below management’s risk appetite?
A. Decrease the number of related risk scenarios.
B. Optimize the control environment.
C. Realign risk appetite to the current risk level.
D. Reduce the risk management budget.
Correct Answer: B
Section: Volume D
QUESTION 412
Which of the following is the MOST important key performance indicator (KPI) to establish in the service agreement (SLA) for an outsourced data center?
A. Number of key systems hosted
B. Percentage of system availability
C. Average response time to resolve system incidents
D. Percentage of systems included in recovery processes
Correct Answer: B
Section: Volume D

QUESTION 413
A trusted third party service provider has determined that the risk of a client’s systems being hacked is low. Which of the following would be the client’s BEST course of action?
A. Perform an independent audit of the third party.
B. Accept the risk based on the third party’s risk assessment.
C. Perform their own risk assessment.
D. Implement additional controls to address the risk.
Correct Answer: A
Section: Volume D

QUESTION 414
In an organization with a mature risk management program, which of the following would provide the BEST evidence that the IT risk profile is up to date?
A. Risk questionnaire
B. Risk register
C. Compliance manual
D. Management assertion
Correct Answer: B
Section: Volume D
QUESTION 415
Which of the following should be the PRIMARY focus of a risk owner once a decision is made to mitigate a risk?
A. Determining processes for monitoring the effectiveness of the controls
B. Confirming to management the controls reduce the likelihood of the risk
C. Updating the risk register to include the risk mitigation plan
D. Ensuring that control design reduces risk to an acceptable level
Correct Answer: D
Section: Volume D

QUESTION 416
Which of the following BEST describes the role of the IT risk profile in strategic IT-related decisions?
A. It compares performance levels of IT assets to value delivered.
B. It provides input to business managers when preparing a business case for new IT projects.
C. It facilitates the alignment of strategic IT objectives to business objectives.
D. It helps assess the effects of IT decisions on risk exposure.
Correct Answer: B
Section: Volume D
QUESTION 417
Which of the following roles would provide the MOST important input when identifying IT risk scenarios?
A. Operational risk managers
B. Internal auditors
C. Information security managers
D. Business process owners
Correct Answer: D
Section: Volume D

QUESTION 418
Accountability for a particular risk is BEST represented in a:
A. risk register.
B. RACI matrix.
C. risk catalog.
D. risk scenario.
Correct Answer: B
Section: Volume D

QUESTION 419
Which of the following should be included in a risk scenario to be used for risk analysis?
A. Residual risk
B. Risk tolerance
C. Risk appetite
D. Threat type
Correct Answer: D
Section: Volume D
QUESTION 420
The PRIMARY objective for selecting risk response options is to:
A. minimize residual risk.
B. reduce risk factors.
C. reduce risk to an acceptable level.
D. identify compensating controls.
Correct Answer: C
Section: Volume D

QUESTION 421
A PRIMARY function of the risk register is to provide supporting information for the development of an organization’s risk:
A. map.
B. process.
C. profile.
D. strategy.
Correct Answer: C
Section: Volume D
QUESTION 422
A data processing center operates in a jurisdiction where new regulations have significantly increased penalties for data breaches. Which of the following elements of the risk register is MOST important to update to reflect this change?
A. Risk impact
B. Risk trend
C. Risk appetite
D. Risk likelihood
Correct Answer: C
Section: Volume D

QUESTION 423
Which of the following would BEST help identify the owner for each risk scenario in a risk register?
A. Allocating responsibility for risk factors equally to asset owners.
B. Determining resource dependency of assets.
C. Mapping identified risk factors to specific business processes.
D. Determining which departments contribute most to risk.
Correct Answer: C
Section: Volume D

QUESTION 424
To effectively support business decisions, an IT risk register MUST:
A. reflect the results of risk assessments.
B. effectively support a business maturity model.
C. be available to operational risk groups.
D. be reviewed by the IT steering committee.
Correct Answer: B
Section: Volume D
QUESTION 425
Which of the following is the STRONGEST indication that controls implemented as part of a risk action plan are not effective?
A. A security breach occurs.
B. Internal audit identifies recurring exceptions.
C. Changes are put into production without management approval.
D. A sample is used to validate the action plan.
Correct Answer: B
Section: Volume D

QUESTION 426
Which of the following issues regarding an organization's IT incident response plan would be the GREATEST concern?
A. The incident response capability is outsourced.
B. Teams are not operational until an incident occurs.
C. Not all employees have attended incident response training.
D. Roles and responsibilities are not clearly defined.
Correct Answer: D
Section: Volume D
QUESTION 427
Prudent business practice requires that risk appetite not exceed:
A. risk capacity.
B. inherent risk.
C. risk tolerance.
D. residual risk.
Correct Answer: A
Section: Volume D

QUESTION 428
Which of the following should an organization perform to forecast the effects of a disaster?
A. Analyze capability maturity model gaps.
B. Define recovery time objectives (RTO).
C. Develop a business impact analysis (BIA).
D. Simulate a disaster recovery.
Correct Answer: D
Section: Volume D

QUESTION 429
Mapping open risk issues to an enterprise risk heat map BEST facilitates:
A. risk ownership.
B. risk identification.
C. risk response.
D. control monitoring.
Correct Answer: B
Section: Volume D
QUESTION 430
Which of the following is the MOST important topic to cover in a risk awareness training program for all staff?
A. The risk department’s roles and responsibilities.
B. Policy compliance requirements and exceptions process.
C. The organization’s information security risk profile.
D. Internal and external information security incidents.
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 431
Which of the following should be a risk practitioner's NEXT action after identifying a high probability of data loss in a system?
A. Conduct a control assessment.
B. Purchase cyber insurance from a third party.
C. Increase the frequency of incident reporting.
D. Enhance the security awareness program.
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
QUESTION 432
The PRIMARY objective for requiring an independent review of an organization's IT risk management process should be to:
A. ensure IT risk management is focused on mitigating potential risk.
B. confirm that IT risk assessment results are expressed as business impact.
C. assess gaps in IT risk management operations and strategic focus.
D. verify implemented controls to reduce the likelihood of threat materialization.
Correct Answer: C Section: Volume D Explanation
Explanation/Reference:
QUESTION 433
After the implementation of Internet of Things (IoT) devices, new risk scenarios were identified. What is the PRIMARY reason to report this information to risk owners?
A. To reevaluate continued use of IoT devices.
B. To recommend changes to the IoT policy.
C. To confirm the impact to the risk profile.
D. To add new controls to mitigate the risk.
Correct Answer: D Section: Volume D Explanation
Explanation/Reference:
QUESTION 434
An organization has just started accepting credit card payments from customers via the corporate website. Which of the following is MOST likely to increase as a result of this new initiative?
A. Risk appetite
B. Residual risk
C. Risk tolerance
D. Inherent risk
Correct Answer: D Section: Volume D Explanation
Explanation/Reference:
QUESTION 435
An application runs a scheduled job that compiles financial data from multiple business systems and updates the financial reporting system. If this job runs too long, it can delay financial reporting. Which of the following is the risk practitioner's BEST recommendation?
A. Implement database activity and capacity monitoring.
B. Consider providing additional system resource to this job.
C. Ensure the enterprise has a process to detect such situations.
D. Ensure the business is aware of the risk.
Correct Answer: C Section: Volume D Explanation
Explanation/Reference:
QUESTION 436
Which of the following is the BEST indication that an organization is following a mature risk management process?
A. Executive management receives periodic risk awareness training.
B. Attributes of each risk scenario have been documented within the risk register.
C. The risk register is frequently utilized for decision-making.
D. A dashboard has been developed for senior management to provide real-time risk values.
Correct Answer: D Section: Volume D Explanation
Explanation/Reference:
QUESTION 437
Which of the following is the PRIMARY reason to have the risk management process reviewed by a third party?
A. Obtain an objective view of process gaps and systemic errors.
B. Ensure the risk profile is defined and communicated.
C. Validate the threat management process.
D. Obtain objective assessment of the control environment.
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
QUESTION 438
Which of the following activities should be performed FIRST when establishing IT risk management processes?
A. Conduct a high-level risk assessment based on the nature of business.
B. Collect data of past incidents and lessons learned.
C. Identify the risk appetite of the organization.
D. Assess the goals and culture of the organization.
Correct Answer: D Section: Volume D Explanation
Explanation/Reference:
QUESTION 439
Which of the following is the BEST way to validate whether controls to reduce user device vulnerabilities have been implemented according to management’s action plan?
A. Survey device owners.
B. Review awareness training assessment results.
C. Re-scan the user environment.
D. Require annual end user policy acceptance.
Correct Answer: C Section: Volume D Explanation
Explanation/Reference:
QUESTION 440
The FIRST task when developing a business continuity plan should be to:
A. identify critical business functions and resources.
B. determine data backup and recovery availability at an alternate site.
C. define roles and responsibilities for implementation.
D. identify recovery time objectives (RTOs) for critical business applications.
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
QUESTION 441
Which of the following is the BEST indicator of the effectiveness of IT risk management processes?
A. Time between when IT risk scenarios are identified and the enterprise’s response.
B. Percentage of business users completing risk training.
C. Percentage of high-risk scenarios for which risk action plans have been developed.
D. Number of key risk indicators (KRIs) defined.
Correct Answer: C Section: Volume D Explanation
Explanation/Reference:
QUESTION 442
Which of the following should be a risk practitioner's NEXT step upon learning the organization is not in compliance with a specific legal regulation?
A. Assess the likelihood and magnitude of the associated risk.
B. Identify mitigation activities and compensating controls.
C. Notify senior compliance executives of the associated risk.
D. Determine the penalties for lack of compliance.
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
QUESTION 443
What is the GREATEST concern with maintaining decentralized risk registers instead of a consolidated risk register?
A. Aggregated risk may exceed the enterprise’s risk appetite and tolerance.
B. Duplicate resources may be used to manage risk registers.
C. Standardization of risk management practices may be difficult to enforce.
D. Risk analysis may be inconsistent due to non-uniform impact and likelihood scales.
Correct Answer: D Section: Volume D Explanation
Explanation/Reference:
QUESTION 444
Who should be accountable for monitoring the control environment to ensure controls are effective?
A. Risk owner
B. Security monitoring operations
C. Impacted data owner
D. System owner
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 445
Who is accountable for risk treatment?
A. Risk owner
B. Risk mitigation manager
C. Enterprise risk management team
D. Business process owner
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
QUESTION 446
Which of the following BEST enables the risk profile to serve as an effective resource to support business objectives?
A. Updating the risk profile with risk assessment results.
B. Assigning quantitative values to qualitative metrics in the risk register.
C. Engaging external risk professionals to periodically review the risk.
D. Prioritizing global standards over local requirements in the risk profile.
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 447
A global organization is planning to collect customer behavior data through social media advertising. Which of the following is the MOST important business risk to be considered?
A. Regulatory requirements may differ in each country.
B. Business advertising will need to be tailored by country.
C. The data analysis may be ineffective in achieving objectives.
D. Data sampling may be impacted by various industry restrictions.
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
QUESTION 448
An organization has introduced risk ownership to establish clear accountability for each process. To ensure effective risk ownership, it is MOST important that:
A. risk owners have decision-making authority.
B. senior management has oversight of the process.
C. segregation of duties exists between risk and process owners.
D. process ownership aligns with IT system ownership.
Correct Answer: C Section: Volume D Explanation
Explanation/Reference:
QUESTION 449
A peer review of a risk assessment finds that a relevant threat community was not included. Mitigation of the risk will require substantial changes to a software application. Which of the following is the BEST course of action?
A. Ask the business to make a budget request to remediate the problem.
B. Research the types of attacks the threat can present.
C. Determine the impact of the missing threat.
D. Build a business case to remediate the fix.
Correct Answer: C Section: Volume D Explanation
Explanation/Reference:
QUESTION 450
Which of the following is MOST important when developing key risk indicators (KRIs)?
A. Availability of qualitative data.
B. Alignment with regulatory requirements.
C. Properly set thresholds.
D. Alignment with industry benchmarks.
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 451
Which of the following provides the MOST up-to-date information about the effectiveness of an organization's overall IT control environment?
A. Periodic penetration testing.
B. Key performance indicators (KPIs).
C. Internal audit findings.
D. Risk heat maps.
Correct Answer: D Section: Volume D Explanation
Explanation/Reference:
QUESTION 452
Which of the following would be a risk practitioner's GREATEST concern related to the monitoring of key risk indicators (KRIs)?
A. Logs are retained for a longer duration than the data retention policy requires.
B. Logs are encrypted during transmission from the system to analysis tools.
C. Logs are modified before analysis is conducted.
D. Logs are collected from a small number of systems.
Correct Answer: D Section: Volume D Explanation
Explanation/Reference:
QUESTION 453
The BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability remediation program is the number of:
A. new vulnerabilities identified.
B. recurring vulnerabilities.
C. vulnerabilities remediated.
D. vulnerability scans.
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 454
Which of the following is the PRIMARY purpose of analyzing log data collected from systems?
A. To identify risk that may materialize.
B. To facilitate incident investigation.
C. To detect changes in risk ownership.
D. To prevent incidents caused by materialized risk.
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
QUESTION 455
Which of the following BEST indicates the condition of a risk management program?
A. Number of controls.
B. Amount of residual risk.
C. Number of risk register entries.
D. Level of financial support.
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 456
The PRIMARY purpose of IT control status reporting is to:
A. assist internal audit in evaluating and initiating remediation efforts.
B. ensure compliance with IT governance strategy.
C. facilitate the comparison of the current and desired states.
D. benchmark IT controls with industry standards.
Correct Answer: C Section: Volume D Explanation
Explanation/Reference:
QUESTION 457
Which of the following is MOST important to ensure when continuously monitoring the performance of a client-facing application?
A. Performance information in the log is encrypted.
B. Control owners approve control changes.
C. Objectives are confirmed with the business owner.
D. End-user acceptance testing has been conducted.
Correct Answer: D Section: Volume D Explanation
Explanation/Reference:
QUESTION 458
Controls should be defined during the design phase of system development because:
A. technical specifications are defined during this phase.
B. structured programming techniques require that controls be designed before coding begins.
C. it's more cost-effective to determine controls in the early design phase.
D. structured analysis techniques exclude identification of controls.
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 459
Which of the following will BEST support management reporting on risk?
A. A risk register.
B. Key performance indicators.
C. Control self-assessment.
D. Risk policy requirements.
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 460
To reduce costs, an organization is combining the second and third lines of defense in a new department that reports to a recently appointed C-level executive. Which of the following is the GREATEST concern with this situation?
A. The risk governance approach of the second and third lines of defense may differ.
B. The independence of the internal third line of defense may be compromised.
C. The new structure is not aligned to the organization’s internal control framework.
D. Cost reductions may negatively impact the productivity of other departments.
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 461
Which of the following is MOST important to have in place to ensure the effectiveness of risk and security metrics reporting?
A. Organizational reporting process.
B. Incident reporting procedures.
C. Regularly scheduled audits.
D. Incident management policy.
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 462
Which of the following is the MOST appropriate key risk indicator (KRI) for backup media that is recycled monthly?
A. Time required for backup restoration testing.
B. Change in size of data backed up.
C. Successful completion of backup operations.
D. Percentage of failed restore tests.
Correct Answer: D Section: Volume D Explanation
Explanation/Reference:
QUESTION 463
When establishing an enterprise IT risk management program, it is MOST important to:
A. review alignment with the organization’s strategy.
B. understand the organization’s information security policy.
C. validate the organization’s data classification scheme.
D. report identified IT risk scenarios to senior management.
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
QUESTION 464
Which of the following is the BEST way to determine software license compliance?
A. Conduct periodic compliance reviews.
B. List non-compliant systems in the risk register.
C. Monitor user software download activity.
D. Review whistleblower reports of noncompliance.
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
QUESTION 465
Which of the following is the GREATEST benefit of updating the risk register to include outcomes from a risk assessment?
A. It facilitates timely risk-based decisions.
B. It helps to mitigate internal and external risk factors.
C. It validates the organization’s risk appetite.
D. It maintains evidence of compliance with risk policy.
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
QUESTION 466
A company has located its computer center on a moderate earthquake fault. Which of the following is the MOST important consideration when establishing a contingency plan and an alternate processing site?
A. The alternative site does not reside on the same fault no matter how far the distance apart.
B. The contingency plan provides for backup media to be taken to the alternative site.
C. The contingency plan for high priority applications does not involve a shared cold site.
D. The alternative site is a hot site with equipment ready to resume processing immediately.
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
QUESTION 467
Which of the following BEST contributes to the implementation of an effective risk response action plan?
A. A business impact analysis.
B. An IT tactical plan.
C. Disaster recovery and continuity testing.
D. Assigned roles and responsibilities.
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 468
Which of the following is the MOST important reason to test new controls?
A. To verify controls work as intended.
B. To justify the cost of control investment.
C. To identify exceptions that elevate risk.
D. To ensure an accurate and up-to-date controls register.
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
QUESTION 469
A new international data privacy regulation requires personal data to be disposed of after the specified retention period, which is different from the local regulatory requirement. Which of the following is the risk practitioner's BEST recommendation to resolve the disparity?
A. Adopt the international standard.
B. Adopt the standard determined by legal counsel.
C. Adopt the local standard.
D. Adopt the least stringent standard determined by the risk committee.
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 470
Which of the following should be the MAIN consideration when validating an organization’s risk appetite?
A. Cost of risk mitigation options.
B. Maturity of the risk culture.
C. Capacity to withstand loss.
D. Comparison against regulations.
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 471
A risk practitioner notices a risk scenario associated with data loss at the organization’s cloud provider is assigned to the provider. Who should the risk scenario be reassigned to?
A. Chief risk officer
B. Vendor manager
C. Data owner
D. Senior management
Correct Answer: C Section: Volume D Explanation
Explanation/Reference:
QUESTION 472
Who is MOST likely to be responsible for the coordination between the IT risk strategy and the business risk strategy?
A. Information security director
B. Internal audit director
C. Chief information officer
D. Chief financial officer
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
QUESTION 473
Which of the following is MOST important for an organization that wants to reduce IT operational risk?
A. Decentralizing IT infrastructure.
B. Increasing the frequency of data backups.
C. Increasing senior management’s understanding of IT operations.
D. Minimizing complexity of IT infrastructure.
Correct Answer: C Section: Volume D Explanation
Explanation/Reference:
QUESTION 474
An IT organization is replacing the customer relationship management (CRM) system. Who should own the risk associated with customer data leakage caused by insufficient IT security controls for the new system?
A. Chief risk officer
B. IT controls manager
C. Chief information security officer
D. Business process owner
Correct Answer: D Section: Volume D Explanation
Explanation/Reference:
QUESTION 475
Which of the following is the BEST key performance indicator (KPI) for determining how well an IT policy is aligned to business requirements?
A. Total cost of policy breaches.
B. Total cost to support the policy.
C. Number of exceptions to the policy.
D. Number of inquiries regarding the policy.
Correct Answer: C Section: Volume D Explanation
Explanation/Reference:
QUESTION 476
The PRIMARY purpose of a maturity model is to compare the:
A. current state of key processes to their desired state.
B. organization to peers.
C. organization to industry best practices.
D. actual KPIs with target KPIs.
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
QUESTION 477
Which of the following is the MAIN reason for analyzing risk scenarios?
A. Establishing a risk appetite
B. Identifying additional risk scenarios
C. Updating the heat map
D. Assessing loss expectancy
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 478
Which of the following would be the BEST justification to invest in the development of a governance, risk, and compliance (GRC) solution?
A. Facilitating risk-aware decision making by stakeholders.
B. Demonstrating management commitment to mitigate risk.
C. Closing audit findings on a timely basis.
D. Ensuring compliance to industry standards.
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
QUESTION 479
Which of the following is the MOST important consideration when identifying stakeholders to review risk scenarios developed by a risk analyst? The reviewers are:
A. authorized to select risk mitigation options.
B. independent from the business operations.
C. accountable for the affected processes.
D. members of senior management.
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 480
Which of the following should be the FIRST consideration when a business unit wants to use personal information for a purpose other than for which it was originally collected?
A. Informed consent
B. Data breach protection
C. Cross border controls
D. Business impact analysis (BIA)
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
QUESTION 481
Which of the following is the PRIMARY reason to use key control indicators (KCIs) to evaluate control operating effectiveness?
A. To raise awareness of operational issues
B. To identify control vulnerabilities
C. To measure business exposure to risk
D. To monitor the achievement of set objectives
Correct Answer: D Section: Volume D Explanation
Explanation/Reference:
QUESTION 482
Which of the following BEST indicates whether security awareness training is effective?
A. Course evaluation
B. User behavior after training
C. User self-assessment
D. Quality of training materials
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 483
A service provider is managing a client’s servers. During an audit of the service, a noncompliant control is discovered that will not be resolved before the next audit because the client cannot afford the downtime required to correct the issue. The service provider’s MOST appropriate action would be to:
A. develop a risk remediation plan overriding the client’s decision.
B. ask the client to document the formal risk acceptance for the provider.
C. insist that the remediation occur for the benefit of other customers.
D. make a note for this item in the next audit explaining the situation.
Correct Answer: B Section: Volume D Explanation
Explanation/Reference: