Is this exam completely free?

Examcademy offers a free preview for every exam, covering around 20% of the total questions. Full access is available with a paid upgrade.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! Examcademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our mock exams are built and reviewed with the help of AI and community contributions, staying aligned with real-world exam objectives.

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!

CRISCFree trial

By isaca

Verified

25Q per page

Question 251

You are working as the project manager of the ABS project. The project is for establishing a computer network in a school premises. During the project execution, the school management asks to make the campus Wi-Fi enabled. You know that this may impact the project adversely. You have discussed the change request with other stakeholders. What will be your NEXT step?

A: Update project management plan.
B: Issue a change request.
C: Analyze the impact.
D: Update risk management plan.

—

Question 252

Which of the following will BEST ensure that controls adequately support business goals and objectives?

A: Using the risk management process
B: Enforcing strict disciplinary procedures in case of noncompliance
C: Adopting internationally accepted controls
D: Reviewing results of the annual company external audit

—

Question 253

Which of the following is MOST helpful in providing a high-level overview of current IT risk severity?

A: Risk mitigation plans
B: Risk appetite statement
C: Heat map
D: Key risk indicators (KRIs)

—

Question 254

A legacy application used for a critical business function relies on software that has reached the end of extended support. Which of the following is the MOST effective control to manage this application?

A: Increase the frequency of regular system and data backups.
B: Segment the application within the existing network.
C: Apply patches for a newer version of the application.
D: Subscribe to threat intelligence to monitor external attacks.

—

Question 255

A segregation of duties control was found to be ineffective because it did not account for all applicable functions when evaluating access. Who is responsible for ensuring the control is designed to effectively address risk?

A: Control tester
B: Risk manager
C: Risk owner
D: Control owner

—

Question 256

The cost of maintaining a control has grown to exceed the potential loss. Which of the following BEST describes this situation?

A: Effective risk management
B: Optimized control management
C: Over-controlled environment
D: Insufficient risk tolerance

—

Question 257

When implementing an IT risk management program, which of the following is the BEST time to evaluate current control effectiveness?

A: Before defining a framework
B: During the risk assessment
C: When evaluating risk response
D: When updating the risk register

—

Question 258

Which of the following key performance indicators (KPIs) would BEST measure the risk of a service outage when using a Software as a Service (SaaS) vendor?

A: Frequency and number of new software releases
B: Frequency of business continuity plan (BCP) testing
C: Frequency and duration of unplanned downtime
D: Number of IT support staff available after business hours

—

Question 259

An organization has asked an IT risk practitioner to conduct an operational risk assessment on an initiative to outsource the organization’s customer service operations overseas. Which of the following would MOST significantly impact management’s decision?

A: Time zone difference of the outsourcing location
B: Ongoing financial viability of the outsourcing company
C: Historical network latency between the organization and outsourcing location
D: Cross-border information transfer restrictions in the outsourcing country

—

Question 260

Which of the following should be the GREATEST concern to a risk practitioner when process documentation is incomplete?

A: Inability to identify the risk owner
B: Inability to identify process experts
C: Inability to allocate resources efficiently
D: Inability to complete the risk register

—

Question 261

After entering a large number of low-risk scenarios into the risk register, it is MOST important for the risk practitioner to:

A: reconfirm risk tolerance levels.
B: analyze changes to aggregate risk.
C: prepare a follow-up risk assessment.
D: recommend acceptance of the risk scenarios.

—

Question 262

When classifying and prioritizing risk responses, the areas to address FIRST are those with:

A: low cost effectiveness ratios and low risk levels.
B: high cost effectiveness ratios and low risk levels.
C: low cost effectiveness ratios and high risk levels.
D: high cost effectiveness ratios and high risk levels.

—

Question 263

Which of the following controls will BEST mitigate risk associated with excessive access privileges?

A: Frequent password expiration
B: Segregation of duties
C: Entitlement reviews
D: Review of user access logs

—

Question 264

Which of the following provides the MOST comprehensive information when developing a risk profile for a system?

A: Risk assessment results
B: Key performance indicators (KPIs)
C: A mapping of resources to business processes
D: Results of a business impact analysis (BIA)

—

Question 265

An organization retains footage from its data center security camera for 30 days when the policy requires 90-day retention. The business owner challenges whether the situation is worth remediating. Which of the following is the risk manager’s BEST response?

A: Evaluate the risk as a measure of probable loss.
B: Identify the regulatory bodies that may highlight this gap.
C: Verify if competitors comply with a similar policy.
D: Highlight news articles about data breaches.

—

Question 266

Which of the following should be accountable for ensuring that media containing financial information are adequately destroyed per an organization’s data disposal policy?

A: Data owner
B: Chief information officer (CIO)
C: Data architect
D: Compliance manager

—

Question 267

The MOST important measure of the effectiveness of risk management in project implementation is the percentage of projects:

A: introduced into production without high-risk issues.
B: having the risk register updated regularly.
C: having an action plan to remediate overdue issues.
D: having key risk indicators (KRIs) established to measure risk.

—

Question 268

A zero-day vulnerability has been discovered in a globally used brand of hardware server that allows hackers to gain access to affected IT systems. Which of the following is MOST likely to change as a result of this situation?

A: Control effectiveness
B: Risk appetite
C: Key risk indicator (KRI)
D: Risk likelihood

—

Question 269

Which of the following would provide the MOST helpful input to develop risk scenarios associated with hosting an organization’s key IT applications in a cloud environment?

A: Conducting a risk workshop with key stakeholders
B: Reviewing the results of independent audits
C: Performing a due diligence review
D: Performing a site visit to the cloud provider’s data center

—

Question 270

Which of the following would present the GREATEST challenge for a risk practitioner during a merger of two organizations?

A: Disparate platforms for governance, risk, and compliance (GRC) systems
B: Variances between organizational risk appetites
C: Dissimilar organizational risk acceptance protocols
D: Different taxonomies to categorize risk scenarios

—

Question 271

Which of the following is the PRIMARY accountability for a control owner?

A: Ensure the control operates effectively.
B: Identify and assess control weaknesses.
C: Own the associated risk the control is mitigating.
D: Communicate risk to senior management.

—

Question 272

Risk appetite should be PRIMARILY driven by which of the following?

A: Stakeholder requirements
B: Enterprise security architecture roadmap
C: Business impact analysis (BIA)
D: Legal and regulatory requirements

—

Question 273

Which of the following is the MOST important outcome of a business impact analysis (BIA)?

A: Reduction of security and business continuity threats
B: Completion of the business continuity plan (BCP)
C: Understanding and prioritization of critical processes
D: Identification of regulatory consequences

—

Question 274

Which component of a software inventory BEST enables the identification and mitigation of known vulnerabilities?

A: Software licensing information
B: Software version
C: Software support contract expiration
D: Assigned software manager

—

Question 275

Which of the following BEST reduces the risk associated with the theft of a laptop containing sensitive information?

A: Data encryption
B: Biometrics access control
C: Periodic backup
D: Cable lock

—

Page 11 of 58 • Questions 251-275 of 1430

←

9 10 11 12 13

→

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!