Free preview mode
Enjoy the free questions and consider upgrading to gain full access!
CRISC
Question 126
An organization is measuring the effectiveness of its change management program to reduce the number of unplanned production changes. Which of the following would be the BEST metric to determine if the program is performing as expected?
- A: Decrease in number of changes without a fallback plan
- B: Ratio of emergency fixes to total changes
- C: Decrease in the time to move changes to production
- D: Ratio of system changes to total changes
Question 127
An organization recently implemented a cybersecurity awareness program that includes anti-phishing exercises for all employees. What type of control is being utilized?
- A: Detective
- B: Preventive
- C: Compensating
- D: Deterrent
Question 128
Which of the following operational risks ensures that the provision of a quality product is not overshadowed by the production costs of that product?
- A: Information security risks
- B: Contract and product liability risks
- C: Project activity risks
- D: Profitability operational risks
Question 129
A recently purchased IT application does not meet project requirements. Of the following, who is accountable for the potential impact?
- A: Business analyst
- B: IT project team
- C: IT project management office
- D: Project sponsor
Question 130
Which of the following is the MOST effective approach for an organization to establish and promote a strong risk culture?
- A: Map risk management policies and procedures to business objectives
- B: Appoint a risk management steering committee with business representation
- C: Incorporate risk management objectives into job descriptions
- D: Obtain senior management commitment for organization-wide risk awareness
Question 131
Which of the following is the MOST important responsibility of an IT risk committee charged with overseeing IT risk management?
- A: Conduct regular surveys to assess organizational risk awareness
- B: Implement an industry-recognized IT risk management framework
- C: Ensure significant risk scenarios are elevated to the board
- D: Develop and communicate an IT risk RACI chart
Question 132
Of the following, whose input is ESSENTIAL when developing risk scenarios for the implementation of a third-party mobile application that stores customer data?
- A: Business process owner
- B: IT vendor manager
- C: Information security manager
- D: IT compliance manager
Question 133
An organization's senior management is considering whether to acquire cyber insurance. Which of the following is the BEST way for the risk practitioner to enable management's decision?
- A: Provide data on the number of risk events from the last year
- B: Conduct a SWOT analysis
- C: Report on recent losses experienced by industry peers
- D: Perform a cost-benefit analysis
Question 134
Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities?
- A: Document and implement a patching process
- B: Identify the vulnerabilities and applicable OS patches
- C: Temporarily mitigate the OS vulnerabilities
- D: Evaluate permanent fixes such as patches and upgrades
Question 135
Which of the following should be the PRIMARY basis for prioritizing two risk scenarios related to network service disruption that have the same impact?
- A: Recovery time objectives (RTOs)
- B: Recovery point objectives (RPOs)
- C: Mean time between failures (MTBF)
- D: Mean time to restore (MTTR)
Question 136
In order to efficiently execute a risk response action plan, it is MOST important for the emergency response team members to understand:
- A: system architecture in target areas
- B: business objectives of the organization
- C: defined roles and responsibilities
- D: IT management policies and procedures
Question 137
Which of the following is the MOST important consideration when communicating the risk associated with technology end-of-life to business owners?
- A: Cost and benefit
- B: Performance and productivity
- C: Maintainability and reliability
- D: Security and availability
Question 138
Which of the following should be the PRIMARY basis for the development of an IT risk scenario?
- A: IT risk registers
- B: IT objectives
- C: IT risk owner input
- D: IT threats and vulnerabilities
Question 139
An organization has just implemented changes to close an identified vulnerability that impacted a critical business process. What should be the NEXT course of action?
- A: Update the risk register
- B: Review the risk tolerance
- C: Perform a business impact analysis (BIA)
- D: Redesign the heat map
Question 140
Which of the following is the MOST critical factor to consider when determining an organization's risk appetite?
- A: Budget for implementing security
- B: Business maturity
- C: Fiscal management practices
- D: Management culture
Question 141
Senior management wants to increase investment in the organization's cybersecurity program in response to changes in the external threat landscape. Which of the following would BEST help to prioritize investment efforts?
- A: Reviewing the outcome of the latest security risk assessment
- B: Increasing the frequency of updates to the risk register
- C: Engaging independent cybersecurity consultants
- D: Analyzing cyber intelligence reports
Question 142
A vendor manager reports that a previously compliant service provider had issues with its most recent security audit. Which of the following is the MOST important course of action?
- A: Determine whether credits are due under the service level agreement (SLA)
- B: Schedule an independent audit of the vendor
- C: Ensure that the vendor remediates all identified issues
- D: Determine whether any of the issues could impact the business
Question 143
Which of the following is a corrective control?
- A: Requiring management approval
- B: Isolating an infected host from the network
- C: Encrypting data within a system
- D: Logging activity on a system
Question 144
Which of the following elements of a risk register is MOST useful to share with key stakeholders to influence informed decision-making?
- A: Threat source
- B: Risk owner
- C: Control owner
- D: Mitigation plan
Question 145
Which of the following elements is MOST essential when creating risk scenarios?
- A: Identified vulnerabilities
- B: Business impact and cost analysis
- C: Historical organizational and industry risk factors
- D: A comprehensive control framework
Question 146
When presenting risk, the BEST method to ensure that the risk is measurable against the organization's risk appetite is through the use of a:
- A: technology strategy plan
- B: cause-and-effect diagram
- C: risk map
- D: maturity model
Question 147
Which of the following would be MOST helpful in ensuring the effective implementation of a new cybersecurity program?
- A: Creating metrics to report the number of security incidents
- B: Hiring subject matter experts for the program
- C: Assigning clear ownership of the program
- D: Establishing a budget for additional resources
Question 148
Which of the following is MOST likely to be identified from an information systems audit report?
- A: Data ownership
- B: Resiliency
- C: Vulnerabilities
- D: Regulatory requirements
Question 149
Which of the following would MOST effectively mitigate the risk of data loss when production data is being used in a testing environment?
- A: Data obfuscation
- B: Database encryption
- C: Access management
- D: Data cleansing and normalization
Question 150
Which of the following MOST effectively enables senior management to communicate risk appetite?
- A: Budget and resource allocation
- B: Risk awareness training
- C: Policies and procedures
- D: Risk heat map