CRISC
Question 26
Which of the following provides the BEST evidence that risk responses are effective?
- A: Compliance breaches are addressed in a timely manner
- B: Risk with low impact is accepted
- C: Risk ownership is identified and assigned
- D: Residual risk is within risk tolerance
Question 27
A risk practitioner has just learned about new malware that has severely impacted industry peers worldwide. Which of the following should be done FIRST?
- A: Notify executive management.
- B: Update the IT risk register.
- C: Design IT risk mitigation plans.
- D: Analyze the impact to the organization.
Question 28
Which of the following is the MAIN purpose of monitoring risk?
- A: Benchmarking
- B: Risk analysis
- C: Decision support
- D: Communication
Question 29
What is the PRIMARY benefit of risk monitoring?
- A: It facilitates communication of threat levels.
- B: It provides statistical evidence of control efficiency.
- C: It facilitates risk-aware decision making.
- D: It reduces the number of audit findings.
Question 30
An organization's control environment is MOST effective when:
- A: controls operate efficiently.
- B: controls are implemented consistently.
- C: controls perform as intended.
- D: control designs are reviewed periodically.
Question 31
When reviewing the business continuity plan (BCP) of an online sales order system, a risk practitioner notices that the recovery time objective (RTO) has a shorter time than what is defined in the disaster recovery plan (DRP). Which of the following is the BEST way for the risk practitioner to address this concern?
- A: Update the risk register to reflect the discrepancy.
- B: Adopt the RTO defined in the BCP.
- C: Adopt the RTO defined in the DRP.
- D: Communicate the discrepancy to the DR manager for follow-up.
Question 32
Which of the following should be the PRIMARY consideration when assessing the risk of using Internet of Things (IoT) devices to collect and process personally identifiable information (PII)?
- A: Costs and benefits
- B: Security features and support
- C: Local laws and regulations
- D: Business strategies and needs
Question 33
During a risk assessment of a financial institution, a risk practitioner discovers that tellers can initiate and approve transactions of significant value. This team is also responsible for ensuring transactions are recorded and balances are reconciled by the end of the day. Which of the following is the risk practitioner's BEST recommendation to mitigate the associated risk?
- A: Require a code of ethics.
- B: Implement continuous monitoring.
- C: Implement segregation of duties.
- D: Require a second level of approval.
Question 34
Marie has identified a risk event in her project that needs a mitigation response. Her response actually creates a new risk event that must now be analyzed and planned for. What term is given to this newly created risk event?
- A: Residual risk
- B: Secondary risk
- C: Infinitive risk
- D: Populated risk
Question 35
Due to a change in business processes, an identified risk scenario no longer requires mitigation. Which of the following is the MOST important reason the risk should remain in the risk register?
- A: To track historical risk assessment results
- B: To prevent the risk scenario in the current environment
- C: To monitor for potential changes to the risk scenario
- D: To support regulatory requirements
Question 36
Reviewing which of the following provides the BEST indication of an organization's risk tolerance?
- A: Risk sharing strategy
- B: Risk assessments
- C: Risk transfer agreements
- D: Risk policies
Question 37
Which of the following is MOST helpful in defining an early-warning threshold associated with insufficient network bandwidth?
- A: Bandwidth used during business hours
- B: Average bandwidth usage
- C: Total bandwidth usage
- D: Peak bandwidth usage
Question 38
When developing a risk awareness training program, which of the following training topics would BEST facilitate a thorough understanding of risk scenarios?
- A: Mapping threats to organizational objectives
- B: Reviewing past audits
- C: Analyzing key risk indicators (KRIs)
- D: Identifying potential sources of risk
Question 39
Which of the following would provide the MOST objective assessment of the effectiveness of an organization's security controls?
- A: A third-party audit
- B: Internal penetration testing
- C: Security operations center review
- D: An internal audit
Question 40
Which of the following is the MOST important information to be communicated during security awareness training?
- A: Corporate risk profile
- B: Recent security incidents
- C: Management's expectations
- D: The current risk management capability
Question 41
Which of the following is the GREATEST critical success factor (CSF) of an IT risk management program?
- A: Identifying enterprise risk events
- B: Conducting focus group meetings with key stakeholders
- C: Aligning with business objectives
- D: Identifying IT risk scenarios
Question 42
Which of the following should be the risk practitioner's FIRST course of action when an organization has decided to expand into new product areas?
- A: Review existing risk scenarios with stakeholders.
- B: Present a business case for new controls to stakeholders.
- C: Revise the organization's risk and control policy.
- D: Identify any new business objectives with stakeholders.
Question 43
Which of the following BEST supports the management of identified risk scenarios?
- A: Using key risk indicators (KRIs)
- B: Maintaining a risk register
- C: Collecting risk event data
- D: Defining risk parameters
Question 44
A risk practitioner observed that a high number of policy exceptions were approved by senior management. Which of the following is the risk practitioner's BEST course of action to determine root cause?
- A: Perform control testing.
- B: Review policy change history.
- C: Review the risk profile.
- D: Interview the control owner.
Question 45
Which one of the following is the only output for the qualitative risk analysis process?
- A: Project management plan
- B: Risk register updates
- C: Organizational process assets
- D: Enterprise environmental factors
Question 46
An organization has decided to use an external auditor to review the control environment of an outsourced service provider. The BEST control criteria to evaluate the provider would be based on:
- A: the service provider's existing controls.
- B: guidance provided by the external auditor.
- C: a recognized industry control framework.
- D: the organization's specific control requirements.
Question 47
A global company's business continuity plan (BCP) requires the transfer of its customer information systems to an overseas cloud service provider in the event of a disaster. Which of the following should be the MOST important risk consideration?
- A: The lack of a service level agreement (SLA) in the vendor contract
- B: The cloud computing environment is shared with another company
- C: The organizational culture differences between each country
- D: The difference in the management practices between each company
Question 48
Which of the following will MOST effectively align IT controls with corporate risk tolerance?
- A: Benchmarks against industry leading practices
- B: Internal policies approved by stakeholders
- C: Key performance indicators (KPIs) approved by stakeholders
- D: Risk management framework
Question 49
Which of the following is MOST likely to be impacted as a result of a new policy which allows staff members to remotely connect to the organization's IT systems via personal or public computers?
- A: Risk tolerance
- B: Risk appetite
- C: Inherent risk
- D: Key risk indicator (KRI)
Question 50
Which of the following is the MOST important success factor when introducing risk management in an organization?
- A: Establishing executive management support
- B: Implementing a risk register
- C: Assigning risk ownership
- D: Defining a risk mitigation strategy and plan