Certified in Risk and Information Systems Control CRISC Questions + Answers Part 7

Posted: Thu Mar 03, 2022 7:47 am
by answerhappygod
QUESTION 251
To help ensure all applicable risk scenarios are incorporated into the risk register, it is MOST important to review the:
A. risk assessment results
B. cost-benefit analysis
C. vulnerability assessment results
D. risk mitigation approach
Correct Answer: A
Section: Volume D
Explanation/Reference:

QUESTION 252
The BEST control to mitigate the risk associated with project scope creep is to:
A. consult with senior management on a regular basis
B. apply change management procedures
C. ensure extensive user involvement
D. deploy CASE tools in software development
Correct Answer: A
Section: Volume D
Explanation/Reference:

QUESTION 253
Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data?
A. Reviewing logs for unauthorized data transfers
B. Configuring the DLP control to block credit card numbers
C. Testing the transmission of credit card numbers
D. Testing the DLP rule change control process
Correct Answer: A
Section: Volume D
Explanation/Reference:
Reference: https://www.esecurityplanet.com/network ... n-dlp.html
QUESTION 254
An organization has been notified that a disgruntled, terminated IT administrator has tried to break into the corporate network. Which of the following discoveries should be of GREATEST concern to the organization?
A. A brute force attack has been detected
B. An external vulnerability scan has been detected
C. An increase in support requests has been observed
D. Authentication logs have been disabled
Correct Answer: D
Section: Volume D
Explanation/Reference:

QUESTION 255
An organization has granted a vendor access to its data in order to analyze customer behavior. Which of the following would be the MOST effective control to mitigate the risk of customer data leakage?
A. Restrict access to customer data on a “need to know” basis
B. Enforce criminal background checks
C. Mask customer data fields
D. Require vendor to sign a confidentiality agreement
Correct Answer: A
Section: Volume D
Explanation/Reference:
QUESTION 256
The MAIN purpose of conducting a control self-assessment (CSA) is to:
A. reduce the dependency on external audits
B. gain a better understanding of the risk in the organization
C. gain a better understanding of the control effectiveness in the organization
D. adjust the controls prior to an external audit
Correct Answer: C
Section: Volume D
Explanation/Reference:

QUESTION 257
An organization is considering modifying its system to enable acceptance of credit card payments. To reduce the risk of data exposure, which of the following should the organization do FIRST?
A. Implement additional controls
B. Conduct a risk assessment
C. Update the risk register
D. Update the security strategy
Correct Answer: B
Section: Volume D
Explanation/Reference:

QUESTION 258
Which of the following would present the GREATEST challenge when assigning accountability for control ownership?
A. Unclear reporting relationships
B. Weak governance structures
C. Senior management scrutiny
D. Complex regulatory environment
Correct Answer: A
Section: Volume D
Explanation/Reference:

QUESTION 259
If preventive controls cannot be implemented due to technology limitations, which of the following should be done FIRST to reduce risk?
A. Redefine the business process to reduce the risk
B. Evaluate alternative controls
C. Develop a plan to upgrade technology
D. Define a process for monitoring risk
Correct Answer: B
Section: Volume D
Explanation/Reference:
QUESTION 260
The PRIMARY benefit of conducting continuous monitoring of access controls is the ability to identify:
A. possible noncompliant activities that lead to data disclosure
B. leading or lagging key risk indicators (KRIs)
C. inconsistencies between security policies and procedures
D. unknown threats to undermine existing access controls
Correct Answer: B
Section: Volume D
Explanation/Reference:
Reference: https://www.isaca.org/Journal/archives/ ... oring.aspx

QUESTION 261
The PRIMARY reason a risk practitioner would be interested in an internal audit report is to:
A. maintain a risk register based on noncompliances
B. plan awareness programs for business managers
C. assist in the development of a risk profile
D. evaluate maturity of the risk management process
Correct Answer: D
Section: Volume D
Explanation/Reference:

QUESTION 262
Which of the following is the PRIMARY consideration when establishing an organization’s risk management methodology?
A. Risk tolerance level
B. Benchmarking information
C. Resource requirements
D. Business context
Correct Answer: D
Section: Volume D
Explanation/Reference:
QUESTION 263
Which of the following is the BEST metric to demonstrate the effectiveness of an organization’s change management process?
A. Average time to complete changes
B. Increase in the number of emergency changes
C. Percent of unauthorized changes
D. Increase in the frequency of changes
Correct Answer: A
Section: Volume D
Explanation/Reference:

QUESTION 264
Which of the following is the BEST course of action to reduce risk impact?
A. Create an IT security policy
B. Implement detective controls
C. Implement corrective measures
D. Leverage existing technology
Correct Answer: C
Section: Volume D
Explanation/Reference:

QUESTION 265
Which of the following BEST indicates the effectiveness of an organization’s data loss prevention (DLP) program?
A. Reduction in financial impact associated with data loss incidents
B. Reduction in the number of false positives and false negatives
C. Reduction in the number of approved exceptions to the DLP policy
D. Reduction in the severity of detected data loss events
Correct Answer: D
Section: Volume D
Explanation/Reference:
QUESTION 266
Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?
A. Develop risk awareness training
B. Monitor employee usage
C. Identify the potential risk
D. Assess the potential risk
Correct Answer: A
Section: Volume D
Explanation/Reference:
Reference: https://www.isaca.org/Journal/archives/ ... ology.aspx

QUESTION 267
An identified high probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy. Which of the following is the BEST risk response?
A. Avoid
B. Transfer
C. Accept
D. Mitigate
Correct Answer: D
Section: Volume D
Explanation/Reference:

QUESTION 268
Which of the following should be the PRIMARY focus of an IT risk awareness program?
A. Cultivate long-term behavioral change
B. Demonstrate regulatory compliance
C. Ensure compliance with the organization’s internal policies
D. Communicate IT risk policy to the participants
Correct Answer: A
Section: Volume D
Explanation/Reference:

QUESTION 269
Which of the following is the MOST important benefit of key risk indicators (KRIs)?
A. Assisting in continually optimizing risk governance
B. Providing an early warning to take proactive actions
C. Enabling the documentation and analysis of trends
D. Ensuring compliance with regulatory requirements
Correct Answer: A
Section: Volume D
Explanation/Reference:

QUESTION 270
Which of the following would BEST help minimize the risk associated with social engineering threats?
A. Reviewing the organization’s risk appetite
B. Enforcing employee sanctions
C. Enforcing segregation of duties
D. Conducting phishing exercises
Correct Answer: D
Section: Volume D
Explanation/Reference:
QUESTION 271
An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:
A. communicate the consequences for violations
B. implement industry best practices
C. reduce the organization’s risk appetite
D. reduce the risk to an acceptable level
Correct Answer: D
Section: Volume D
Explanation/Reference:

QUESTION 272
Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited. Which of the following would be the BEST response to this scenario?
A. Assess the vulnerability management process
B. Conduct a control self-assessment
C. Reassess the inherent risk of the target
D. Conduct a vulnerability assessment
Correct Answer: D
Section: Volume D
Explanation/Reference:

QUESTION 273
The compensating control that MOST effectively addresses the risk associated with piggybacking into a restricted area without a dead-man door is:
A. using two-factor authentication
B. using biometric door locks
C. requiring employees to wear ID badges
D. security awareness training
Correct Answer: D
Section: Volume D
Explanation/Reference:

QUESTION 274
During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:
A. a control mitigation plan is in place
B. residual risk is accepted
C. compensating controls are in place
D. risk management is effective
Correct Answer: A
Section: Volume D
Explanation/Reference:

QUESTION 275
An assessment of information security controls has identified ineffective controls. Which of the following should be the risk practitioner’s FIRST course of action?
A. Deploy a compensating control to address the identified deficiencies
B. Report the ineffective control for inclusion in the next audit report
C. Determine if the impact is outside the risk appetite
D. Request a formal acceptance of risk from senior management
Correct Answer: A
Section: Volume D
Explanation/Reference:
QUESTION 276
Which of the following is the GREATEST advantage of implementing a risk management program?
A. Promoting a risk-aware culture
B. Improving security governance
C. Enabling risk-aware decisions
D. Reducing residual risk
Correct Answer: A
Section: Volume D
Explanation/Reference:

QUESTION 277
Which of the following should be of MOST concern to a risk practitioner reviewing findings from a recent audit of an organization’s data center?
A. Ownership of an audit finding has not been assigned
B. The data center is not fully redundant
C. Audit findings were not communicated to senior management
D. Key risk indicators (KRIs) for the data center do not include critical components
Correct Answer: C
Section: Volume D
Explanation/Reference:

QUESTION 278
A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable?
A. Chief risk officer (CRO)
B. Business continuity manager (BCM)
C. Human resources manager (HRM)
D. Chief information officer (CIO)
Correct Answer: D
Section: Volume D
Explanation/Reference:

QUESTION 279
When developing risk scenarios, it is MOST important to ensure they are:
A. structured and reportable
B. flexible and scalable
C. relevant and realistic
D. comprehensive and detailed
Correct Answer: C
Section: Volume D
Explanation/Reference:

QUESTION 280
Which of the following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system?
A. Conduct user acceptance testing
B. Perform a post-implementation review
C. Interview process owners
D. Review the key performance indicators (KPIs)
Correct Answer: B
Section: Volume D
Explanation/Reference:
QUESTION 281
An organization has outsourced its lease payment process to a service provider who lacks evidence of compliance with a necessary regulatory standard. Which risk treatment was adopted by the organization?
A. Acceptance
B. Transfer
C. Mitigation
D. Avoidance
Correct Answer: A
Section: Volume D
Explanation/Reference:

QUESTION 282
Which of the following is the BEST method to maintain a common view of IT risk within an organization?
A. Establishing and communicating the IT risk profile
B. Performing and publishing an IT risk analysis
C. Collecting data for IT risk assessment
D. Utilizing a balanced scorecard
Correct Answer: B
Section: Volume D
Explanation/Reference:

QUESTION 283
The FIRST step for a startup company when developing a disaster recovery plan should be to identify:
A. current vulnerabilities
B. a suitable alternate site
C. recovery time objectives
D. critical business processes
Correct Answer: D
Section: Volume D
Explanation/Reference:

QUESTION 284
An organization has outsourced an application to a Software as a Service (SaaS) provider. The risk associated with the use of this service should be owned by the:
A. service provider’s IT manager
B. service provider’s risk manager
C. organization’s business process manager
D. organization’s vendor manager
Correct Answer: C
Section: Volume D
Explanation/Reference:

QUESTION 285
Which of the following should be done FIRST when a new risk scenario has been identified?
A. Assess the risk awareness program
B. Assess the risk training program
C. Identify the risk owner
D. Estimate the residual risk
Correct Answer: A
Section: Volume D
Explanation/Reference:

QUESTION 286
Which of the following controls would BEST decrease exposure if a password is compromised?
A. Passwords have format restrictions
B. Passwords are masked
C. Password changes are mandated
D. Passwords are encrypted
Correct Answer: D
Section: Volume D
Explanation/Reference:
QUESTION 287
An organization has engaged a third party to provide an Internet gateway encryption service that protects sensitive data uploaded to a cloud service. This is an example of risk:
A. transfer
B. acceptance
C. mitigation
D. avoidance
Correct Answer: A
Section: Volume D
Explanation/Reference:

QUESTION 288
After mapping generic risk scenarios to organizational security policies, the NEXT course of action should be to:
A. record risk scenarios in the risk register for analysis
B. validate the risk scenarios for business applicability
C. reduce the number of risk scenarios to a manageable set
D. perform a risk analysis on the risk scenarios
Correct Answer: B
Section: Volume D
Explanation/Reference:

QUESTION 289
A risk practitioner has observed that risk owners have approved a high number of exceptions to the information security policy. Which of the following should be the risk practitioner’s GREATEST concern?
A. Aggregate risk approaching the tolerance threshold
B. Vulnerabilities are not being mitigated
C. Security policies are not being reviewed periodically
D. Risk owners are focusing more on efficiency
Correct Answer: A
Section: Volume D
Explanation/Reference:

QUESTION 290
Which of the following is MOST helpful to ensure effective security controls for a cloud service provider?
A. Internal audit reports from the vendor
B. A control self-assessment
C. A third-party security assessment report
D. Service level agreement monitoring
Correct Answer: C
Section: Volume D
Explanation/Reference:

QUESTION 291
Which of the following is a detective control?
A. Limit check
B. Access control software
C. Periodic access review
D. Rerun procedures
Correct Answer: D
Section: Volume D
Explanation/Reference:

QUESTION 292
Improvements in the design and implementation of a control will MOST likely result in an update to:
A. risk tolerance
B. risk appetite
C. inherent risk
D. residual risk
Correct Answer: D
Section: Volume D
Explanation/Reference:

QUESTION 293
A risk practitioner is preparing a report to communicate changes in the risk and control environment. The BEST way to engage stakeholder attention is to:
A. include a roadmap to achieve operational excellence
B. include a summary linking information to stakeholder needs
C. publish the report on-demand for stakeholders
D. include detailed deviations from industry benchmarks
Correct Answer: A
Section: Volume D
Explanation/Reference:
QUESTION 294
An organization’s internal auditors have identified a new IT control deficiency in the organization’s identity and access management (IAM) system. It is MOST important for the risk practitioner to:
A. perform a follow-up risk assessment to quantify the risk impact
B. verify that applicable risk owners understand the risk
C. implement compensating controls to address the deficiency
D. recommend replacement of the deficient system
Correct Answer: C
Section: Volume D
Explanation/Reference:

QUESTION 295
The BEST method to align an organization’s business continuity plan (BCP) and disaster recovery plan (DRP) with core business needs is to:
A. outsource the maintenance of the BCP and DRP to a third party
B. include BCP and DRP responsibilities as part of the new employee training
C. execute periodic walk-throughs of the BCP and DRP
D. update the business impact analysis (BIA) for significant business changes
Correct Answer: C
Section: Volume D
Explanation/Reference:

QUESTION 296
Which of the following is the BEST method to identify unnecessary controls?
A. Evaluating existing controls against audit requirements
B. Reviewing system functionalities associated with business processes
C. Monitoring existing key risk indicators (KRIs)
D. Evaluating the impact of removing existing controls
Correct Answer: B
Section: Volume D
Explanation/Reference:

QUESTION 297
During a control review, the control owner states that an existing control has deteriorated over time. What is the BEST recommendation to the control owner?
A. Escalate the issue to senior management
B. Discuss risk mitigation options with the risk owner
C. Certify the control after documenting the concern
D. Implement compensating controls to reduce residual risk
Correct Answer: D
Section: Volume D
Explanation/Reference:

QUESTION 298
Which of the following approaches to bring your own device (BYOD) service delivery provides the BEST protection from data loss?
A. Penetration testing and session timeouts
B. Implement remote monitoring
C. Enforce strong passwords and data encryption
D. Enable data wipe capabilities
Correct Answer: B
Section: Volume D
Explanation/Reference:
QUESTION 299
Which of the following is the MOST effective way to incorporate stakeholder concerns when developing risk scenarios?
A. Evaluating risk impact
B. Creating quarterly risk reports
C. Establishing key performance indicators
D. Conducting internal audits
Correct Answer: C
Section: Volume D
Explanation/Reference:

QUESTION 300
Which of the following is the GREATEST benefit of incorporating IT risk scenarios into the corporate risk register?
A. Corporate incident escalation protocols are established
B. The organization-wide control budget is expanded
C. Exposure is integrated into the organization’s risk profile
D. Risk appetite cascades to business unit management
Correct Answer: A
Section: Volume D
Explanation/Reference:

QUESTION 301
Risk management strategies are PRIMARILY adopted to:
A. achieve compliance with legal requirements
B. take necessary precautions for claims and losses
C. avoid risk for business and IT assets
D. achieve acceptable residual risk levels
Correct Answer: B
Section: Volume D
Explanation/Reference:

QUESTION 302
Which of the following is the GREATEST risk associated with using unmasked data for testing purposes?
A. Confidentiality
B. Integrity
C. Availability
D. Accountability
Correct Answer: A
Section: Volume D
Explanation/Reference:

QUESTION 303
Which of the following is a KEY outcome of risk ownership?
A. Risk-related information is communicated
B. Risk responsibilities are addressed
C. Risk-oriented tasks are defined
D. Business process risk is analyzed
Correct Answer: B
Section: Volume D
Explanation/Reference:

QUESTION 304
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability management process?
A. Percentage of vulnerabilities remediated within the agreed service level
B. Number of vulnerabilities identified during the period
C. Number of vulnerabilities re-opened during the period
D. Percentage of vulnerabilities escalated to senior management
Correct Answer: A
Section: Volume D
Explanation/Reference:

QUESTION 305
An organization has allowed its cyber risk insurance to lapse while seeking a new insurance provider. The risk practitioner should report to management that the risk has been:
A. accepted
B. mitigated
C. transferred
D. avoided
Correct Answer: A
Section: Volume D
Explanation/Reference:

QUESTION 306
Which of the following is the GREATEST concern when using a generic set of IT risk scenarios for risk analysis?
A. Inherent risk might not be considered
B. Implementation costs might increase
C. Risk factors might not be relevant to the organization
D. Quantitative analysis might not be possible
Correct Answer: C
Section: Volume D
Explanation/Reference:
QUESTION 307
An organization is considering acquiring a new line of business and wants to develop new IT risk scenarios to guide its decisions. Which of the following would add the MOST value to the new risk scenarios?
A. Audit findings
B. Expected losses
C. Cost-benefit analysis
D. Organizational threats
Correct Answer: D
Section: Volume D
Explanation/Reference:

QUESTION 308
For the first time, the procurement department has requested that IT grant remote access to third-party suppliers. Which of the following is the BEST course of action for IT in responding to the request?
A. Propose a solution after analyzing IT risk
B. Design and implement key authentication controls
C. Design and implement a secure remote access process
D. Adequate internal standards to fit the new business case
Correct Answer: A
Section: Volume D
Explanation/Reference:

QUESTION 309
Which of the following is the BEST control to detect an advanced persistent threat (APT)?
A. Monitoring social media activities
B. Conducting regular penetration tests
C. Utilizing antivirus systems and firewalls
D. Implementing automated log monitoring
Correct Answer: B
Section: Volume D
Explanation/Reference:

QUESTION 310
To reduce the risk introduced when conducting penetration tests, the BEST mitigating control would be to:
A. clearly define the project scope
B. perform background checks on the vendor
C. notify network administrators before testing
D. require the vendor to sign a nondisclosure agreement
Correct Answer: A
Section: Volume D
Explanation/Reference:

QUESTION 311
Which of the following is the BEST indication of an effective risk management program?
A. Risk action plans are approved by senior management
B. Mitigating controls are designed and implemented
C. Residual risk is within the organizational risk appetite
D. Risk is recorded and tracked in the risk register
Correct Answer: B
Section: Volume D
Explanation/Reference:
QUESTION 312
Participants in a risk workshop have become focused on the financial cost to mitigate risk rather than choosing the most appropriate response. Which of the following is the BEST way to address this type of issue in the long term?
A. Review the risk register and risk scenarios
B. Calculate annualized loss expectancy of risk scenarios
C. Raise the maturity of organizational risk management
D. Perform a return on investment analysis
Correct Answer: B
Section: Volume D
Explanation/Reference:

QUESTION 313
In response to the threat of ransomware, an organization has implemented cybersecurity awareness activities. The risk practitioner’s BEST recommendation to further reduce the impact of ransomware attacks would be to implement:
A. encryption for data at rest
B. encryption for data in motion
C. two-factor authentication
D. continuous data backup controls
Correct Answer: D
Section: Volume D
Explanation/Reference:

QUESTION 314
An organization uses a vendor to destroy hard drives. Which of the following would BEST reduce the risk of data leakage?
A. Implement an encryption policy for the hard drives
B. Require the vendor to degauss the hard drives
C. Use an accredited vendor to dispose of the hard drives
D. Require confirmation of destruction from the IT manager
Correct Answer: D
Section: Volume D
Explanation/Reference:

QUESTION 315
When evaluating enterprise IT risk management, it is MOST important to:
A. create new control processes to reduce identified IT risk scenarios
B. review alignment with the organization’s investment plan
C. report identified IT risk scenarios to senior management
D. confirm the organization’s risk appetite and tolerance
Correct Answer: B
Section: Volume D
Explanation/Reference:

QUESTION 316
Which of the following should be management’s PRIMARY consideration when approving risk response action plans?
A. Prioritization for implementing the action plans
B. Ability of the action plans to address multiple risk scenarios
C. Ease of implementing the risk treatment solution
D. Changes in residual risk after implementing the plans
Correct Answer: A
Section: Volume D
Explanation/Reference:

QUESTION 317
An unauthorized individual has socially engineered entry into an organization’s secured physical premises. Which of the following is the BEST way to prevent future occurrences?
A. Require security access badges
B. Employ security guards
C. Install security cameras
D. Conduct security awareness training
Correct Answer: D
Section: Volume D
Explanation/Reference:

QUESTION 318
Which of the following is the BEST way to identify changes to the risk landscape?
A. Access reviews
B. Root cause analysis
C. Internal audit reports
D. Threat modeling
Correct Answer: D
Section: Volume D
Explanation/Reference:

QUESTION 319
Which of the following elements of a risk register is MOST likely to change as a result of a change in management’s risk appetite?
A. Risk likelihood and impact
B. Risk velocity
C. Inherent risk
D. Key risk indicator (KRI) thresholds
Correct Answer: D
Section: Volume D
Explanation/Reference:
QUESTION 320
Which of the following is the BEST method to ensure a terminated employee’s access to IT systems is revoked upon departure from the organization?
A. Login attempts are reconciled to a list of terminated employees
B. A process to remove employee access during the exit interview is implemented
C. The human resources (HR) system automatically revokes system access
D. A list of terminated employees is generated for reconciliation against current IT access
Correct Answer: D
Section: Volume D
Explanation/Reference:

QUESTION 321
Which of the following is the BEST approach to use when creating a comprehensive set of IT risk scenarios?
A. Gather scenarios from senior management
B. Derive scenarios from IT risk policies and standards
C. Benchmark scenarios against industry peers
D. Map scenarios to a recognized risk management framework
Correct Answer: D
Section: Volume D
Explanation/Reference:

QUESTION 322
Which of the following BEST measures the efficiency of an incident response process?
A. Number of incidents lacking responses
B. Number of incidents escalated to management
C. Average time between changes and updating of escalation matrix
D. Average gap between actual and agreed response times
Correct Answer: D
Section: Volume D
Explanation/Reference:

QUESTION 323
An organization has determined a risk scenario is outside the defined risk tolerance level. What should be the NEXT course of action?
A. Develop a compensating control
B. Identify risk responses
C. Allocate remediation resources
D. Perform a cost-benefit analysis
Correct Answer: A
Section: Volume D
Explanation/Reference:

QUESTION 324
Which of the following statements BEST describes risk appetite?
A. Acceptable variation between risk thresholds and business objectives
B. The amount of risk an organization is willing to accept
C. The effective management of risk and internal control environments
D. The acceptable variation relative to the achievement of objectives
Correct Answer: B
Section: Volume D
Explanation/Reference:
QUESTION 325
A contract associated with a cloud service provider MUST include:
A. a business recovery plan
B. ownership of responsibilities
C. provision for source code escrow
D. the provider’s financial statements
Correct Answer: B
Section: Volume D
Explanation/Reference:

QUESTION 326
Establishing an organizational code of conduct is an example of which type of control?
A. Directive
B. Preventive
C. Detective
D. Compensating
Correct Answer: A
Section: Volume D
Explanation/Reference:

QUESTION 327
Which of the following is the MOST important data source for monitoring key risk indicators (KRIs)?
A. Audit reports from internal information systems audits
B. Directives from legal and regulatory authorities
C. Trend analysis of external risk factors
D. Automated logs collected from different systems
Correct Answer: D
Section: Volume D
Explanation/Reference:

QUESTION 328
Which of the following roles is BEST suited to help a risk practitioner understand the impact of IT-related events on business objectives?
A. Process owners
B. IT management
C. Senior management
D. Internal audit
Correct Answer: A
Section: Volume D
Explanation/Reference:

QUESTION 329
It is MOST appropriate for changes to be promoted to production after they are:
A. approved by the business owner
B. tested by business owners
C. communicated to business management
D. initiated by business users
Correct Answer: B
Section: Volume D
Explanation/Reference:
QUESTION 330
Which of the following BEST enables the identification of trends in risk levels?
A. Measurements for key risk indicators (KRIs) are repeatable
B. Qualitative definitions for key risk indicators (KRIs) are used
C. Quantitative measurements are used for key risk indicators (KRIs)
D. Correlation between risk levels and key risk indicators (KRIs) is positive
Correct Answer: C Section: Volume D Explanation
Explanation/Reference:
QUESTION 331
A review of an organization’s controls has determined its data loss prevention (DLP) system is currently failing to detect outgoing emails containing credit card data.
Which of the following would be MOST impacted?
A. Risk appetite
B. Residual risk
C. Key risk indicators (KRIs) D. Inherent risk
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 332
During an IT department reorganization, the manager of a risk mitigation action plan was replaced. The new manager has begun implementing a new control after identifying a more effective option. Which of the following is the risk practitioner’s BEST course of action?
A. Communicate the decision to the risk owner for approval B. Identify an owner for the new control



C. Modify the action plan in the risk register
D. Seek approval from the previous action plan manager
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 333
Following a significant change to a business process, a risk practitioner believes the associated risk has been reduced. The risk practitioner should advise the risk owner to FIRST:
A. reallocate risk response resources B. review the key risk indicators
C. conduct a risk analysis
D. update the risk register
Correct Answer: C Section: Volume D Explanation
Explanation/Reference:
QUESTION 334
Which of the following would be considered a vulnerability?
A. Delayed removal of employee access
B. Corruption of files due to malware
C. Authorized administrative access to HR files
D. Server downtime due to a denial of service (DoS) attack
Correct Answer: A
Section: Volume D
Explanation/Reference:
QUESTION 335
Which of the following tools is MOST effective in identifying trends in the IT risk profile?
A. Risk dashboard
B. Risk register
C. Risk self-assessment
D. Risk map
Correct Answer: D
Section: Volume D
Explanation/Reference:
QUESTION 336
A newly hired risk practitioner finds that the risk register has not been updated in the past year. What is the risk practitioner’s BEST course of action?
A. Implement a process improvement and replace the old risk register
B. Outsource the process for updating the risk register
C. Identify changes in risk factors and initiate risk reviews
D. Engage an external consultant to redesign the risk management process
Correct Answer: C
Section: Volume D
Explanation/Reference:
QUESTION 337
Reviewing results from which of the following is the BEST way to identify information systems control deficiencies?
A. Control self-assessment (CSA)
B. Vulnerability and threat analysis
C. User acceptance testing (UAT)
D. Control remediation planning
Correct Answer: B
Section: Volume D
Explanation/Reference:
QUESTION 338
Which of the following provides the BEST evidence of the effectiveness of an organization’s account provisioning process?
A. User provisioning
B. Security log monitoring
C. Entitlement reviews
D. Role-based access controls
Correct Answer: A
Section: Volume D
Explanation/Reference:
QUESTION 339
A risk practitioner has been asked to advise management on developing a log collection and correlation strategy. Which of the following should be the MOST important consideration when developing this strategy?
A. Ensuring the inclusion of all computing resources as log sources
B. Ensuring time synchronization of log sources
C. Ensuring read-write access to all log sources
D. Ensuring the inclusion of external threat intelligence log sources
Correct Answer: B
Section: Volume D
Explanation/Reference:
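Question 339 asks why time synchronization comes first in a log collection and correlation strategy. The added example below (written for this page; the log lines, host names, IP addresses and the 90-second skew are all constructed) shows the failure concretely: a firewall logs in UTC, a VPN gateway logs in local time and its clock runs 90 seconds fast, and a "VPN login followed by blocked lateral movement from the same source within 30 seconds" correlation finds nothing until every source is normalized to UTC and corrected for its measured skew.

```python
from datetime import datetime, timedelta, timezone

# Constructed log lines (not from the page). The firewall stamps UTC; the VPN
# gateway stamps local time (UTC+02:00) and, as an assumption for this example,
# its clock has been measured 90 s ahead of the NTP reference.
FIREWALL_LOGS = [
    "2024-05-01T10:15:02Z fw1 DENY src=203.0.113.7 dst=10.0.0.5 dport=445",
    "2024-05-01T10:15:04Z fw1 DENY src=203.0.113.7 dst=10.0.0.6 dport=445",
    "2024-05-01T11:40:10Z fw1 ALLOW src=198.51.100.20 dst=10.0.0.9 dport=443",
]
VPN_LOGS = [
    "2024-05-01T12:16:31+02:00 vpn1 LOGIN user=jdoe src=203.0.113.7",
    "2024-05-01T13:00:00+02:00 vpn1 LOGIN user=asmith src=198.51.100.20",
]
KNOWN_SKEW = {"vpn1": timedelta(seconds=90)}  # host -> (host clock - reference clock)


def parse(line):
    """Split '<timestamp> <host> <ACTION> k=v ...' into a dict with an aware datetime."""
    ts, host, rest = line.split(" ", 2)
    # fromisoformat() only accepts a trailing 'Z' from Python 3.11, so rewrite it.
    t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    parts = rest.split()
    fields = dict(kv.split("=", 1) for kv in parts[1:] if "=" in kv)
    return {"raw_time": t, "host": host, "action": parts[0], **fields}


def normalize(event, skew=KNOWN_SKEW):
    """Convert the source timestamp to UTC and subtract the source's known skew."""
    t = event["raw_time"].astimezone(timezone.utc) - skew.get(event["host"], timedelta(0))
    return {**event, "time": t}


def correlate(fw_events, vpn_events, window=timedelta(seconds=30), key="time"):
    """Pair each VPN login with firewall DENY events from the same src within window."""
    hits = []
    for v in vpn_events:
        for f in fw_events:
            if f["action"] != "DENY" or f["src"] != v["src"]:
                continue
            if abs(f[key] - v[key]) <= window:
                hits.append((v["user"], f["dst"], f["dport"]))
    return hits


def run():
    """Return (matches on raw source clocks, matches after normalization)."""
    fw = [parse(line) for line in FIREWALL_LOGS]
    vpn = [parse(line) for line in VPN_LOGS]
    before = correlate(fw, vpn, key="raw_time")
    after = correlate([normalize(e) for e in fw], [normalize(e) for e in vpn])
    return before, after


if __name__ == "__main__":
    before, after = run()
    print("raw clocks:", before)
    print("normalized:", after)
```

With the raw clocks the jdoe login sits 89 seconds after the firewall denies, outside the 30-second window, so the sequence is invisible; after correction it sits one second before them and both denies pair with the login. A read-only collector, complete source coverage and threat intelligence (the other options) all sit on top of this: none of them helps if the events cannot be ordered.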
QUESTION 340
Which of the following is the MOST important consideration when developing an organization’s risk taxonomy?
A. IT strategy
B. Leading industry frameworks
C. Business context
D. Regulatory requirements
Correct Answer: C
Section: Volume D
Explanation/Reference:
QUESTION 341
Which of the following can be interpreted from a single data point on a risk heat map?
A. Risk appetite
B. Risk magnitude
C. Risk response
D. Risk tolerance
Correct Answer: B
Section: Volume D
Explanation/Reference:
QUESTION 342
Which of the following is MOST helpful in identifying new risk exposures due to changes in the business environment?
A. Industry benchmarking
B. Standard operating procedures
C. Control gap analysis
D. SWOT analysis
Correct Answer: D
Section: Volume D
Explanation/Reference:
QUESTION 343
Which of the following helps ensure compliance with a non-repudiation policy requirement for electronic transactions?
A. Digital signatures
B. Digital certificates
C. One-time passwords
D. Encrypted passwords
Correct Answer: A
Section: Volume D
Explanation/Reference:
QUESTION 344
Which of the following would MOST effectively enable a business operations manager to identify events exceeding risk thresholds?
A. A control self-assessment
B. Benchmarking against peers
C. Transaction logging
D. Continuous monitoring
Correct Answer: D
Section: Volume D
Explanation/Reference:
QUESTION 345
Who is BEST suited to determine whether a new control properly mitigates data loss risk within a system?
A. Control owner
B. Risk owner
C. Data owner
D. System owner
Correct Answer: D
Section: Volume D
Explanation/Reference:
QUESTION 346
A risk manager has determined there is excessive risk with a particular technology. Who is the BEST person to own the unmitigated risk of the technology?
A. Business process owner
B. Chief financial officer
C. Chief risk officer
D. IT system owner
Correct Answer: D
Section: Volume D
Explanation/Reference:
QUESTION 347
Which of the following BEST provides an early warning that network access of terminated employees is not being revoked in accordance with the service level agreement (SLA)?
A. Monitoring key access control performance indicators
B. Updating multi-factor authentication
C. Analyzing access control logs for suspicious activity
D. Revising the service level agreement (SLA)
Correct Answer: A
Section: Volume D
Explanation/Reference:
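Questions 334 and 347 both turn on the same control weakness: access that outlives the employee. Question 347 asks for an early warning, which in practice means a performance indicator computed continuously from HR termination records joined to IAM deprovisioning records, rather than a log review after the fact. The added example below (written for this page, not from the exam material or any IAM product; the users, timestamps, the 24-hour SLA and the 95% target are all constructed assumptions) computes that indicator, flags SLA breaches, and also surfaces open cases that are approaching the SLA so the team is warned before the breach occurs.

```python
from datetime import datetime, timedelta

SLA = timedelta(hours=24)  # assumed SLA: network access revoked within 24 h of termination

# Constructed HR and IAM records (not from the page); all times are UTC.
TERMINATIONS = {  # user -> termination effective time
    "jdoe":    datetime(2024, 5, 1, 17, 0),
    "asmith":  datetime(2024, 5, 2, 9, 0),
    "bwong":   datetime(2024, 5, 3, 12, 0),
    "cpatel":  datetime(2024, 5, 3, 15, 0),
    "emartin": datetime(2024, 5, 4, 12, 0),
    "dlee":    datetime(2024, 5, 5, 0, 0),
}
REVOCATIONS = {  # user -> time network access was disabled; absent means still active
    "jdoe":   datetime(2024, 5, 1, 18, 30),
    "asmith": datetime(2024, 5, 4, 10, 0),
}
REPORT_TIME = datetime(2024, 5, 5, 8, 0)


def evaluate(terminations, revocations, now, sla=SLA, warn_ratio=0.75, target=0.95):
    """Score every termination against the SLA and roll the results up into a KPI.

    Statuses: within_sla / late (revoked), open_breach / at_risk / open (not yet
    revoked). Only cases that are closed or already past the SLA count toward the
    percentage, so a fresh termination does not depress the figure.
    """
    rows = []
    for user, t_term in sorted(terminations.items(), key=lambda kv: kv[1]):
        t_rev = revocations.get(user)
        elapsed = (t_rev or now) - t_term
        if t_rev is not None:
            status = "within_sla" if elapsed <= sla else "late"
        elif elapsed > sla:
            status = "open_breach"
        elif elapsed >= sla * warn_ratio:
            status = "at_risk"          # early warning: open and past 75% of the SLA
        else:
            status = "open"
        rows.append({"user": user,
                     "hours": round(elapsed.total_seconds() / 3600, 1),
                     "status": status})

    measured = [r for r in rows if r["status"] in ("within_sla", "late", "open_breach")]
    ok = sum(1 for r in measured if r["status"] == "within_sla")
    pct = ok / len(measured) if measured else 1.0
    return {
        "pct_within_sla": round(pct, 2),
        "breaches": [r["user"] for r in rows if r["status"] in ("late", "open_breach")],
        "at_risk": [r["user"] for r in rows if r["status"] == "at_risk"],
        "alert": pct < target,
        "rows": rows,
    }


if __name__ == "__main__":
    result = evaluate(TERMINATIONS, REVOCATIONS, REPORT_TIME)
    for row in result["rows"]:
        print(f"{row['user']:<8} {row['hours']:>6.1f} h  {row['status']}")
    print("within SLA:", result["pct_within_sla"], "alert:", result["alert"])
    print("breaches:", result["breaches"], "at risk:", result["at_risk"])
```

On the constructed data only one of four measured cases met the SLA, three accounts are already breaches (one revoked late, two still active), and one more is 20 hours into its 24-hour window, which is the case the early warning exists to catch. Scheduling this evaluation hourly against live HR and directory exports, and alerting on the at_risk list rather than only on the breach list, is what turns option A into an actual early warning instead of a monthly report.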