Free preview mode
Enjoy the free questions and consider upgrading to gain full access!
CRISC
Question 51
When developing risk scenarios using a list of generic scenarios based on industry best practices, it is MOST important to:
- A: assess generic risk scenarios with business users.
- B: validate the generic risk scenarios for relevance.
- C: select the maximum possible risk scenarios from the list.
- D: identify common threats causing generic risk scenarios.
Question 52
The MOST significant benefit of using a consistent risk ranking methodology across an organization is that it enables:
- A: assignment of risk to the appropriate owners.
- B: allocation of available resources.
- C: risk to be expressed in quantifiable terms.
- D: clear understanding of risk levels.
Question 53
Which of the following is MOST important for a risk practitioner to consider when evaluating plans for changes to IT services?
- A: User acceptance testing (UAT)
- B: Impact assessment of the change
- C: Change communication plan
- D: Change testing schedule
Question 54
Which of the following should be the FIRST step to investigate an IT monitoring system that has a decreasing alert rate?
- A: Adjust the sensitivity to trigger more alerts.
- B: Determine the root cause for the change in alert rate.
- C: Conduct regression testing to ensure alerts can be triggered.
- D: Review and adjust the timing of the reporting window.
Question 55
When formulating a social media policy to address information leakage, which of the following is the MOST important concern to address?
- A: Using social media to maintain contact with business associates
- B: Using social media for personal purposes during working hours
- C: Sharing company information on social media
- D: Sharing personal information on social media
Question 56
Which of the following should be the risk practitioner's FIRST course of action when an organization plans to adopt a cloud computing strategy?
- A: Perform a controls assessment.
- B: Request a budget for implementation.
- C: Conduct a threat analysis.
- D: Create a cloud computing policy.
Question 57
Which element of an organization's risk register is MOST important to update following the commissioning of a new financial reporting system?
- A: The owner of the financial reporting process
- B: The list of relevant financial controls
- C: Key risk indicators (KRIs)
- D: The risk rating of affected financial processes
Question 58
Which of the following is the BEST way to address a board's concern about the organization's cybersecurity posture?
- A: Update security risk scenarios
- B: Create a new security risk officer role
- C: Assess security capabilities against an industry framework
- D: Contract with a third party to perform vulnerability testing
Question 59
Which of the following is MOST influential when management makes risk response decisions?
- A: Detection risk
- B: Risk appetite
- C: Audit risk
- D: Residual risk
Question 60
Which of the following would MOST likely drive the need to review and update key performance indicators (KPIs) for critical IT assets?
- A: Changes in service level objectives
- B: Findings from continuous monitoring
- C: The outsourcing of related IT processes
- D: Outcomes of periodic risk assessments
Question 61
Which of the following is the MOST important component of effective security incident response?
- A: A documented communications plan
- B: Identification of attack sources
- C: Network time protocol synchronization
- D: Early detection of breaches
Question 62
An organization has an approved bring your own device (BYOD) policy. Which of the following would BEST mitigate the security risk associated with the inappropriate use of enterprise applications on the devices?
- A: Enable a remote wipe capability for BYOD devices.
- B: Periodically review applications on BYOD devices.
- C: Include BYOD in organizational awareness programs.
- D: Implement BYOD mobile device management (MDM) controls.
Question 63
When is the BEST time to identify risk associated with major projects to determine a mitigation plan?
- A: Project execution phase
- B: Project closing phase
- C: Project planning phase
- D: Project initiation phase
Question 64
Which of the following is a risk practitioner's BEST recommendation to address an organization's need to secure multiple systems with limited IT resources?
- A: Perform a vulnerability analysis.
- B: Schedule a penetration test.
- C: Apply available security patches.
- D: Conduct a business impact analysis (BIA).
Question 65
Which of the following is MOST important to include in a risk assessment of an emerging technology?
- A: Key controls
- B: Risk and control ownership
- C: Risk response plans
- D: Impact and likelihood ratings
Question 66
Which of the following would MOST effectively reduce risk associated with an increased volume of online transactions on a retailer website?
- A: Transaction limits
- B: Scalable infrastructure
- C: A hot backup site
- D: Website activity monitoring
Question 67
Which of the following is MOST important to consider when determining the value of an asset during the risk identification process?
- A: The vulnerability profile of the asset
- B: The size of the asset's user base
- C: The criticality of the asset
- D: The monetary value of the asset
Question 68
Risk acceptance of an exception to a security control would MOST likely be justified when:
- A: the end-user license agreement has expired.
- B: automation cannot be applied to the control.
- C: the control is difficult to enforce in practice.
- D: business benefits exceed the loss exposure.
Question 69
Which of the following standard operating procedure (SOP) statements BEST illustrates appropriate risk register maintenance?
- A: Remove risk that management has decided to accept.
- B: Remove risk only following a significant change in the risk environment.
- C: Remove risk when mitigation results in residual risk within tolerance levels.
- D: Remove risk that has been mitigated by third-party transfer.
Question 70
It is MOST important that security controls for a new system be documented in:
- A: the security policy.
- B: testing requirements.
- C: system requirements.
- D: the implementation plan.
Question 71
Which of the following is MOST important to review when determining whether a potential IT service provider's control environment is effective?
- A: Control self-assessment (CSA)
- B: Service level agreements (SLAs)
- C: Key performance indicators (KPIs)
- D: Independent audit report
Question 72
Which of the following will BEST help to ensure the continued effectiveness of the IT risk management function within an organization experiencing high employee turnover?
- A: Change and release management
- B: Well documented policies and procedures
- C: Risk and issue tracking
- D: An IT strategy committee
Question 73
The PRIMARY purpose of using a framework for risk analysis is to:
- A: help define risk tolerance.
- B: help develop risk scenarios.
- C: improve consistency.
- D: improve accountability.
Question 74
Within the three lines of defense model, the accountability for the system of internal controls resides with:
- A: enterprise risk management (ERM).
- B: the risk practitioner.
- C: the chief information officer (CIO).
- D: the board of directors.
Question 75
Before assigning sensitivity levels to information, it is MOST important to:
- A: define the information classification policy.
- B: conduct a sensitivity analysis.
- C: identify information custodians.
- D: define recovery time objectives (RTOs).