Is this exam completely free?

Examcademy offers a free preview for every exam, covering around 20% of the total questions. Full access is available with a paid upgrade.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! Examcademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our mock exams are built and reviewed with the help of AI and community contributions, staying aligned with real-world exam objectives.

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!

CRISCFree trial

By isaca

Verified

25Q per page

Question 76

Which of the following risk-related information is MOST valuable to senior management when formulating an IT strategic plan?

A: Risk mitigation plans
B: IT risk appetite statement
C: Emerging IT risk scenarios
D: Key risk indicators (KRIs)

—

Question 77

What information related to a system vulnerability would be MOST useful to management in making an effective risk-based decision?

A: Consequences if the vulnerability is exploited
B: Availability of patches to mitigate the vulnerability
C: Vulnerability scanning tools currently in place
D: Risk mitigation plans for the vulnerability

—

Question 78

Which of the following is MOST helpful to understand the consequences of an IT risk event?

A: Fault tree analysis
B: Root cause analysis
C: Business impact analysis (BIA)
D: Historical trend analysis

—

Question 79

An organization striving to be on the leading edge in regard to risk monitoring would MOST likely implement:

A: a tool for monitoring critical activities and controls
B: procedures to monitor the operation of controls
C: real-time monitoring of risk events and control exceptions
D: monitoring activities for all critical assets.

—

Question 80

Which of the following is MOST important for an organization to update following a change in legislation requiring notification to individuals impacted by data breaches?

A: Security awareness training
B: Policies and standards
C: Risk appetite and tolerance
D: Insurance coverage

—

Question 81

Which of the following is the PRIMARY responsibility of the first line of defense related to computer-enabled fraud?

A: Ensuring that risk and control assessments consider fraud
B: Implementing processes to detect and deter fraud
C: Providing oversight of risk management processes
D: Monitoring the results of actions taken to mitigate fraud

—

Question 82

Which of the following is the BEST way to quantify the likelihood of risk materialization?

A: Balanced scorecard
B: Business impact analysis (BIA)
C: Threat and vulnerability assessment
D: Compliance assessments

—

Question 83

In order to determine if a risk is under-controlled, the risk practitioner will need to:

A: determine the sufficiency of the IT risk budget
B: monitor and evaluate IT performance
C: identify risk management best practices
D: understand the risk tolerance

—

Question 84

A third-party vendor has offered to perform user access provisioning and termination. Which of the following control accountabilities is BEST retained within the organization?

A: Reviewing access control lists
B: Performing user access recertification
C: Authorizing user access requests
D: Terminating inactive user access

—

Question 85

The PRIMARY reason for prioritizing risk scenarios is to:

A: facilitate risk response decisions.
B: support risk response tracking.
C: assign risk ownership.
D: provide an enterprise-wide view of risk.

—

Question 86

A risk practitioner has been asked to evaluate the adoption of a third-party blockchain integration platform based on the value added by the platform and the organization's risk appetite. Which of the following is the risk practitioner's BEST course of action?

A: Update the risk register with the process changes.
B: Review risk related to standards and regulations.
C: Conduct a risk assessment with stakeholders.
D: Conduct third-party resilience tests.

—

Question 87

A company has recently acquired a customer relationship management (CRM) application from a certified software vendor. Which of the following will BEST help to prevent technical vulnerabilities from being exploited?

A: Verify the software agreement indemnifies the company from losses.
B: Update the software with the latest patches and updates.
C: Review the source code and error reporting of the application.
D: Implement code reviews and quality assurance on a regular basis.

—

Question 88

Which of the following MOST effectively limits the impact of a ransomware attack?

A: End user training
B: Cyber insurance
C: Data backups
D: Cryptocurrency reserve

—

Question 89

A risk practitioner is presenting the risk profile to management, indicating an increase in the number of successful network attacks. This information would be
MOST helpful to:

A: determine the availability of network resources.
B: justify additional controls.
C: justify investing in a log collection system.
D: determine the frequency of monitoring.

—

Question 90

Which of the following BEST helps to identify significant events that could impact an organization?

A: Vulnerability analysis
B: Scenario analysis
C: Heat map analysis
D: Control analysis

—

Question 91

A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner's NEXT step?

A: Identify resources for implementing responses.
B: Prepare a business case for the response options.
C: Update the risk register with the results.
D: Develop a mechanism for monitoring residual risk.

—

Question 92

Which of the following would present the MOST significant risk to an organization when updating the incident response plan?

A: Undefined assignment of responsibility
B: Obsolete response documentation
C: Increased stakeholder turnover
D: Failure to audit third-party providers

—

Question 93

An organization has provided legal text explaining the rights and expected behavior of users accessing a system from geographic locations that have strong privacy regulations. Which of the following control types has been applied?

A: Detective
B: Preventive
C: Compensating
D: Directive

—

Question 94

An organization will be impacted by a new data privacy regulation due to the location of its production facilities. What action should the risk practitioner take when evaluating the new regulation?

A: Perform an analysis of the new regulation to ensure current risk is identified.
B: Evaluate if the existing risk responses to the previous regulation are still adequate.
C: Assess the validity and perform update testing on data privacy controls.
D: Develop internal control assessments over data privacy for the new regulation.

—

Question 95

Which of the following is MOST helpful in preventing risk events from materializing?

A: Maintaining the risk register
B: Reviewing and analyzing security incidents
C: Establishing key risk indicators (KRIs)
D: Prioritizing and tracking issues

—

Question 96

Who is PRIMARILY accountable for risk treatment decisions?

A: Risk manager
B: Business manager
C: Data owner
D: Risk owner

—

Question 97

Which of the following is the GREATEST benefit of identifying appropriate risk owners?

A: Accountability is established for risk treatment decisions
B: Risk owners are informed of risk treatment options
C: Responsibility is established for risk treatment decisions
D: Stakeholders are consulted about risk treatment options

—

Question 98

The risk related to the abuse of administrator privileges can BEST be reduced by:

A: assigning the privileges to management only
B: implementing two-factor authentication
C: logging the activities performed with the privilege
D: signing the organization's acceptable use policy

—

Question 99

In the three lines of defense model, which of the following activities would be completed by the FIRST line of defense?

A: A risk practitioner executes an annual assessment of key controls that impact financial statements
B: Internal control activities are reviewed monthly by a risk management committee
C: Control owners review a monthly report on the operation of high-risk controls
D: Internal audit reviews high-risk areas to ensure controls are executed in a timely manner

—

Question 100

Which of these documents is MOST important to request from a cloud service provider during a vendor risk assessment?

A: Business impact analysis (BIA)
B: Service level agreement (SLA)
C: Independent audit report
D: Nondisclosure agreement (NDA)

—

Page 4 of 58 • Questions 76-100 of 1430

←

2 3 4 5 6

→

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!