Is this exam completely free?

Examcademy offers a free preview for every exam, covering around 20% of the total questions. Full access is available with a paid upgrade.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! Examcademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our mock exams are built and reviewed with the help of AI and community contributions, staying aligned with real-world exam objectives.

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!

CRISCFree trial

By isaca

Verified

25Q per page

Question 151

Which activity would BEST enable a risk manager to verify the scope of responsibilities for stakeholders in IT risk scenarios?

A: Tabletop exercise
B: Risk assessment
C: Vulnerability assessment
D: Interviews with IT staff

—

Question 152

Which of the following provides the MOST useful input when developing IT risk scenarios?

A: Recent external IT audit findings
B: Internal security events and incidents
C: History of IT risk policy noncompliance
D: Internal and external risk factors

—

Question 153

What is the PRIMARY purpose of reporting residual risk from two consecutive IT risk assessments to management?

A: To enable decisions regarding risk treatment plans
B: To prevent new risk from impacting the organization's information assets
C: To ensure management will adjust the acceptable level of risk
D: To monitor the effectiveness of controls over time

—

Question 154

Which of the following should be of MOST concern to a risk practitioner reviewing a recent audit report of an organization's data center?

A: Ownership of action plans has not been assigned
B: The data center is not fully redundant
C: Audit scope was not communicated to senior management
D: Key risk indicators (KRIs) are not leading indicators

—

Question 155

Which of the following is the BEST way to mitigate the risk of inappropriate access to personally identifiable information (PII) by third-party cloud service personnel?

A: Utilize data encryption standards throughout the information life cycle
B: Ensure security clearance is in place within the third-party hiring process
C: Choose a third-party provider in a jurisdiction with few privacy regulations
D: Include data security requirements in the service level agreement (SLA)

—

Question 156

An organization is participating in an industry benchmarking study that involves providing customer transaction records for analysis. Which of the following is the
MOST important control to ensure the privacy of customer information?

A: Data anonymization
B: Data cleansing
C: Data encryption
D: Nondisclosure agreements (NDAs)

—

Question 157

Which of the following is the BEST way to ensure adequate resources will be allocated to manage identified risk?

A: Assigning risk ownership to appropriate roles
B: Promoting an organizational culture of risk awareness
C: Reviewing risk ranking methodology
D: Prioritizing risk within each business unit

—

Question 158

An information security manager has advocated for the purchase of a data loss prevention (DLP) system to reduce the impact of a potential data breach. Which of the following is the BEST way for the risk practitioner to support this recommendation?

A: Map the DLP system to existing risk scenarios
B: Assign an IT owner for the DLP system
C: Quantify the costs of the risk mitigation effort
D: Determine the likelihood of potential loss

—

Question 159

As part of its vendor management program, an organization has commissioned an audit of a vendor's control framework for the purpose of implementing compensating controls into its environment. Which risk response option has been decided?

A: Transfer
B: Avoidance
C: Acceptance
D: Mitigation

—

Question 160

Which of the following would be MOST helpful to management when reviewing enterprise risk appetite and tolerance?

A: SWOT analysis results
B: Risk mitigation plans
C: Internal audit recommendations
D: Threat analysis results

—

Question 161

Which of the following are the MOST important inputs when determining the desired state of IT risk during gap analysis?

A: IT risk appetite and tolerance
B: IT risk strategy and organizational requirements
C: IT risk and control assessment results
D: IT vulnerability and penetration testing results

—

Question 162

Which of the following should be of GREATEST concern when reviewing the results of an independent control assessment to determine the effectiveness of a vendor's control environment?

A: The controls had recurring noncompliance
B: The report was provided directly from the vendor
C: The control owners disagreed with the auditor's recommendations
D: The risk associated with multiple control gaps was accepted

—

Question 163

What should be the PRIMARY objective for a risk practitioner performing a post-implementation review of an IT risk mitigation project?

A: Confirming that the project budget was not exceeded
B: Documenting project lessons learned
C: Validating that the risk mitigation project has been completed
D: Verifying that the risk level has been lowered

—

Question 164

A multinational organization is developing a risk awareness program to promote a unified risk culture across all regions. Which of the following will BEST enable the achievement of this objective?

A: Applying risk policies in a consistent manner across regions
B: Introducing the same control framework across regions
C: Centralizing the risk management function
D: Identifying jurisdictions of cross-border trading processes

—

Question 165

Which of the following will BEST help to ensure key risk indicators (KRIs) provide value to risk owners?

A: Ongoing training
B: Timely notification
C: Cost minimization
D: Return on investment (ROI)

—

Question 166

Which of the following is the MOST relevant information to include in a risk management strategy?

A: Data security regulations
B: Cost of controls
C: Peer benchmarks
D: Organizational goals

—

Question 167

A risk practitioner has been hired to establish risk management practices to be embedded across an organization. Which of the following should be the FIRST course of action?

A: Integrate risk management into operational procedures.
B: Engage key stakeholders in risk identification.
C: Implement risk management controls throughout the organization.
D: Establish an organization-wide risk taxonomy.

—

Question 168

An IT risk profile should be reviewed and updated when a new:

A: risk scenario has been developed.
B: vulnerability assessment tool is implemented.
C: IT asset has been procured.
D: audit finding has been issued.

—

Question 169

Which of the following is the GREATEST benefit of using key control indicators (KCIs)?

A: The ability to focus on key controls related to one strategic risk
B: Notification when the established risk appetite level has been reached
C: The ability to track key controls related to risk scenarios
D: Notification when the established risk tolerance level has been reached

—

Question 170

An organization recently restructured its leadership team and implemented emerging technologies. Which of the following MUST be validated to ensure risk is managed to an acceptable level?

A: Risk treatment decisions and approvals
B: Technology architecture and processes
C: External and internal risk factors
D: Risk appetite and risk tolerance

—

Question 171

The objective of aligning mitigating controls to risk appetite is to ensure that:

A: exposures are reduced to the fullest extent.
B: insurance costs are minimized.
C: exposures are reduced only for critical business systems.
D: the cost of controls does not exceed the expected loss.

—

Question 172

Which of the following is MOST important for a risk practitioner to include in a report for senior management on the risk related to the adoption of cloud computing?

A: Compliance with existing security controls
B: Results of a cost-benefit analysis
C: Comparison with competitive risk benchmarks
D: Alignment with organizational risk appetite

—

Question 173

Which of the following is the PRIMARY risk management responsibility of the third line of defense?

A: Providing assurance of the effectiveness of risk management activities
B: Providing advisory services on enterprise risk management
C: Providing benchmarking on other organizations' risk management programs
D: Providing guidance on the design of effective controls

—

Question 174

Which of the following should be the PRIMARY concern when changes to firewall rules do not follow change management requirements?

A: Inaccurate documentation
B: Potential business impact
C: Potential audit findings
D: Insufficient risk governance

—

Question 175

Which of the following will provide the BEST measure of compliance with IT policies?

A: Evaluate past policy review reports.
B: Test staff on their compliance responsibilities.
C: Perform penetration testing.
D: Conduct regular independent reviews.

—

Page 7 of 58 • Questions 151-175 of 1430

←

5 6 7 8 9

→

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!