Is this exam completely free?

Examcademy offers a free preview for every exam, covering around 20% of the total questions. Full access is available with a paid upgrade.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! Examcademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our mock exams are built and reviewed with the help of AI and community contributions, staying aligned with real-world exam objectives.

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!

CRISCFree trial

By isaca

Verified

25Q per page

Question 176

A risk assessment has identified concerns about vulnerabilities associated with an Internet-facing application. Which of the following is the risk practitioner's BEST recommendation?

A: Review the configurations.
B: Verify the access controls.
C: Perform a penetration test.
D: Determine compensating controls.

—

Question 177

Which of the following is the PRIMARY objective of engaging key stakeholders in the IT risk assessment process?

A: Increasing the quality of analysis
B: Ensuring proper budget allocation for risk remediation
C: Building a risk aware culture
D: Reducing the time required for risk analysis

—

Question 178

Which of the following would be of GREATEST concern to a risk practitioner following an annual review of the risk monitoring process?

A: There is a lack of reporting when a key risk indicator (KRI) exceeds its thresholds.
B: The list of stakeholders for alert notifications is outdated.
C: There is a significant number of manual risk monitoring processes.
D: The frequency of reporting to management is misaligned with corporate standards.

—

Question 179

An organization wants to launch a campaign to advertise a new product. Using data analytics, the campaign can be targeted to reach potential customers. Which of the following should be of GREATEST concern to the risk practitioner?

A: Purpose limitation
B: Data minimization
C: Accuracy
D: Accountability

—

Question 180

What is the BEST information to present to business risk owners when justifying costs related to controls?

A: Compliance with security policy
B: The previous year's budget and actuals
C: Industry benchmarks
D: Loss event frequency and magnitude

—

Question 181

An organization has outsourced a critical process involving highly regulated data to a third party with servers located in a foreign country. Who is accountable for the confidentiality of this data?

A: Regional office executive
B: Data owner
C: Data custodian
D: Third-party data custodian

—

Question 182

Which of the following is a risk practitioner's BEST course of action if a risk assessment identifies a risk that is extremely unlikely but would have a severe impact should it occur?

A: Address the risk by analyzing treatment options.
B: Rate the risk as high priority based on the severe impact.
C: Ignore the risk due to the extremely low likelihood.
D: Obtain management's consent to accept the risk.

—

Question 183

Which of the following is MOST important for senior management to review during an acquisition?

A: Key risk indicator (KRI) thresholds
B: Risk framework and methodology
C: Risk communication plan
D: Risk appetite and tolerance

—

Question 184

Which of the following is MOST likely to be impacted when a global organization is required by law to implement a new data protection regulation across its operations?

A: Risk ownership assignments
B: Threat profile
C: Vulnerability assessment results
D: Risk profile

—

Question 185

Which of the following is the PRIMARY reason to conduct risk assessments at periodic intervals?

A: To promote a risk-aware culture among staff
B: To ensure emerging risk is identified and monitored
C: To ensure risk trend data is collected and reported
D: To establish the maturity level of risk assessment processes

—

Question 186

A risk practitioner is utilizing a risk heat map during a risk assessment. Risk events that are coded with the same color will have a similar:

A: risk response.
B: risk impact.
C: risk likelihood.
D: risk score.

—

Question 187

Which of the following is the BEST way to ensure controls are maintained consistently across the environment?

A: Performing a gap analysis on process deviations
B: Conducting annual control assessments
C: Monitoring key risk indicators (KRIs)
D: Training operational staff on risk control procedures

—

Question 188

Which of the following is MOST important to promoting a risk-aware culture?

A: Communication of audit findings
B: Open communication of risk reporting
C: Procedures for security monitoring
D: Regular testing of risk controls

—

Question 189

Mary is the project manager for the BLB project. She has instructed the project team to assemble, to review the risks. She has included the schedule management plan as an input for the quantitative risk analysis process. Why is the schedule management plan needed for quantitative risk analysis?

A: Mary will schedule when the identified risks are likely to happen and affect the project schedule.
B: Mary will utilize the schedule controls and the nature of the schedule for the quantitative analysis of the schedule.
C: Mary will use the schedule management plan to schedule the risk identification meetings throughout the remaining project.
D: Mary will utilize the schedule controls to determine how risks may be allowed to change the project schedule.

—

Question 190

When a risk practitioner is determining a system's criticality, it is MOST helpful to review the associated:

A: process flow.
B: business impact analysis (BIA).
C: system architecture.
D: service level agreement (SLA).

—

Question 191

Which of the following would be a risk practitioner's GREATEST concern with the use of a vulnerability scanning tool?

A: Increased time to remediate vulnerabilities
B: Inaccurate reporting of results
C: Increased number of vulnerabilities
D: Network performance degradation

—

Question 192

Which of the following is the MOST important key performance indicator (KPI) to monitor the effectiveness of disaster recovery processes?

A: Percentage of issues arising from the disaster recovery test resolved on time
B: Percentage of IT systems included in the disaster recovery test scope
C: Percentage of IT systems recovered within the mean time to restore (MTTR) during the disaster recovery test
D: Percentage of IT systems meeting the recovery time objective (RTO) during the disaster recovery test

—

Question 193

Which of the following BEST enables an organization to develop a comprehensive key performance indicator (KPI) strategy to measure all key controls?

A: Use KPIs that can be financially quantified.
B: Align control performance goals to KPIs.
C: Minimize the number of lagging performance indicators.
D: Ensure controls have their own KPIs.

—

Question 194

An organization has outsourced its accounts payable function to an external service provider that does not have an effective business continuity pian (BCP) in place. Who owns the associated risk?

A: Service provider
B: Business continuity manager
C: Business process owner
D: The vendor's risk manager

—

Question 195

Which of the following would BEST enable senior management to make informed decisions about the effectiveness of existing controls to mitigate risk?

A: Quantitative analysis of total control cost in monetary terms
B: Quantitative measurement of the controls' ability to reduce the likelihood of risk events occurring
C: Qualitative assessment of control effectiveness by surveying control owners
D: Qualitative measurement of the impact on business operations should a risk event occur

—

Question 196

During a risk assessment, a risk practitioner learns that an IT risk factor is adequately mitigated by compensating controls in an associated business process.
Which of the following would enable the MOST effective management of the residual risk?

A: Recommend additional IT controls to further reduce residual risk.
B: Request that ownership of the compensating controls is reassigned to IT.
C: Schedule periodic reviews of the compensating controls' effectiveness.
D: Report the use of compensating controls to senior management.

—

Question 197

What should be the PRIMARY objective of updating a risk awareness program in response to a steady rise in cybersecurity threats across the industry?

A: To reduce the risk of insider threats that could compromise security practices
B: To increase familiarity and understanding of potential security incidents
C: To ensure compliance with risk management policies and procedures
D: To lower the organization's risk appetite and tolerance levels

—

Question 198

Which of the following is the MOST important reason for a risk practitioner to identify stakeholders for each IT risk scenario?

A: To ensure enterprise-wide risk management
B: To identity key risk indicators (KRIs)
C: To enable a comprehensive view of risk
D: To establish control ownership

—

Question 199

Which of the following control detects problem before it can occur?

A: Deterrent control
B: Detective control
C: Compensation control
D: Preventative control

—

Question 200

What is the PRIMARY role of the application owner when changes are being introduced into an existing environment?

A: Updating control procedures and documentation
B: Notifying owners of affected systems after the changes are implemented
C: Determining possible losses due to downtime during the changes
D: Approving the proposed changes based on impact analysis

—

Page 8 of 58 • Questions 176-200 of 1430

←

6 7 8 9 10

→

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!