CRISC
Question 1
Which of the following is the MOST important reason to maintain key risk indicators (KRIs)?
- A: In order to avoid risk
- B: Complex metrics require fine-tuning
- C: Risk reports need to be timely
- D: Threats and vulnerabilities change over time
Question 2
Which of the following is an example of a non-technical control?
- A: Access control
- B: Physical security
- C: Intrusion detection system
- D: Encryption
Question 3
Which of the following is the MOST important consideration when developing risk strategies?
- A: Long-term organizational goals
- B: Organization's industry sector
- C: Concerns of the business process owners
- D: History of risk events
Question 4
Which of the following would BEST facilitate the implementation of data classification requirements?
- A: Implementing technical controls over the assets
- B: Implementing a data loss prevention (DLP) solution
- C: Scheduling periodic audits
- D: Assigning a data owner
Question 5
An organization has used generic risk scenarios to populate its risk register. Which of the following presents the GREATEST challenge to assigning ownership of the associated risk entries?
- A: The volume of risk scenarios is too large.
- B: Risk scenarios are not applicable.
- C: The risk analysis for each scenario is incomplete.
- D: Risk aggregation has not been completed.
Question 6
An organization's business process requires the verbal verification of personal information in an environment where other customers may overhear this information. Which of the following is the MOST significant risk?
- A: The customer may view the process negatively.
- B: The information could be used for identity theft.
- C: The process could result in intellectual property theft.
- D: The process could result in compliance violations.
Question 7
An organization has initiated a project to launch an IT-based service to customers and take advantage of being the first to market. Which of the following should be of GREATEST concern to senior management?
- A: The project is likely to deliver the product late.
- B: More time has been allotted for testing.
- C: A new project manager is handling the project.
- D: The cost of the project will exceed the allotted budget.
Question 8
Which of the following is the MOST important objective of embedding risk management practices into the initiation phase of the project management life cycle?
- A: To deliver projects on time and on budget
- B: To assess inherent risk
- C: To assess risk throughout the project
- D: To include project risk in the enterprise-wide IT risk profile
Question 9
Which of the following is the MOST significant indicator of the need to perform a penetration test?
- A: An increase in the number of infrastructure changes
- B: An increase in the number of security incidents
- C: An increase in the number of high-risk audit findings
- D: An increase in the percentage of turnover in IT personnel
Question 10
Which of the following provides the MOST reliable information to ensure a newly acquired company has appropriate IT controls in place?
- A: Vulnerability assessment
- B: Information system audit
- C: Penetration testing
- D: IT risk assessment
Question 11
Print jobs containing confidential information are sent to a shared network printer located in a secure room. Which of the following is the BEST control to prevent the inappropriate disclosure of confidential information?
- A: Ensuring printer parameters are properly configured
- B: Using video surveillance in the printer room
- C: Using physical controls to access the printer room
- D: Requiring a printer access code for each user
Question 12
Which of the following would be MOST helpful when communicating roles associated with the IT risk management process?
- A: Skills matrix
- B: RACI chart
- C: Organizational chart
- D: Job descriptions
Question 13
Fred is the project manager of a large project in his organization. Fred needs to begin planning the risk management plan with the project team and key stakeholders. Which plan risk management process tool and technique should Fred use to plan risk management?
- A: Information gathering techniques
- B: Data gathering and representation techniques
- C: Planning meetings and analysis
- D: Variance and trend analysis
Question 14
The PRIMARY benefit of conducting a risk workshop using a top-down approach instead of a bottom-up approach is the ability to:
- A: incorporate subject matter expertise.
- B: identify specific project risk.
- C: understand risk associated with complex processes.
- D: obtain a holistic view of IT strategy risk.
Question 15
A bank recently incorporated blockchain technology with the potential to impact known risk within the organization. Which of the following is the risk practitioner's BEST course of action?
- A: Analyze and update control assessments with the new processes.
- B: Conduct testing of the controls that mitigate the existing risk.
- C: Determine whether risk responses are still adequate.
- D: Analyze the risk and update the risk register as needed.
Question 16
Of the following, who is BEST suited to assist a risk practitioner in developing a relevant set of risk scenarios?
- A: Control owner
- B: Internal auditor
- C: Asset owner
- D: Finance manager
Question 17
The risk associated with an asset after controls are applied can be expressed as:
- A: the likelihood of a given threat.
- B: the magnitude of an impact.
- C: a function of the likelihood and impact.
- D: a function of the cost and effectiveness of controls.
Question 18
A risk practitioner notices a trend of noncompliance with an IT-related control. Which of the following would BEST assist in making a recommendation to management?
- A: Reviewing the IT policy with the risk owner
- B: Reviewing the roles and responsibilities of control process owners
- C: Assessing noncompliance with control best practices
- D: Assessing the degree to which the control hinders business objectives
Question 19
Which key performance indicator (KPI) BEST measures the effectiveness of an organization's disaster recovery program?
- A: Number of service level agreement (SLA) violations
- B: Percentage of critical systems recovered within the recovery time objective (RTO)
- C: Percentage of recovery issues identified during the exercise
- D: Number of total systems recovered within the recovery point objective (RPO)
Question 20
The PRIMARY advantage of involving end users in continuity planning is that they:
- A: can see the overall impact to the business.
- B: have a better understanding of specific business needs.
- C: can balance the overall technical and business concerns.
- D: are more objective than information security management.
Question 21
Which of the following is the PRIMARY risk management responsibility of the second line of defense?
- A: Applying risk treatments
- B: Providing assurance of control effectiveness
- C: Implementing internal controls
- D: Monitoring risk responses
Question 22
Which of the following is the BEST way to ensure ongoing control effectiveness?
- A: Periodically reviewing control design
- B: Establishing policies and procedures
- C: Measuring trends in control performance
- D: Obtaining management control attestations
Question 23
Who should have the authority to approve an exception to a control?
- A: Information security manager
- B: Risk manager
- C: Control owner
- D: Risk owner
Question 24
Which of the following is a responsibility of the second line of defense in the three lines of defense model?
- A: Owning risk scenarios and bearing the consequences of loss
- B: Alerting operational management to emerging issues
- C: Implementing corrective actions to address deficiencies
- D: Performing duties independently to provide assurance
Question 25
To mitigate the risk of using a spreadsheet to analyze financial data, IT has engaged a third-party vendor to deploy a standard application to automate the process. Which of the following parties should own the risk associated with calculation errors?
- A: Third-party provider
- B: Business owner
- C: IT department
- D: Risk manager