CRISC
Question 201
Which of the following is the BEST way to evaluate the risk awareness of control owners?
- A: Conduct surveys and trend the results over time.
- B: Mandate risk awareness training for control owners.
- C: Include control owners in top-down risk workshops.
- D: Include control owners in risk committee meetings and risk reporting.
Question 202
Which of the following is the MOST effective key risk indicator (KRI) for monitoring problem management?
- A: Average duration to resolve incidents
- B: Time between recurring incidents
- C: Number of recurring incidents
- D: Average time to identify incidents
Question 203
From a risk management perspective, which of the following is the PRIMARY purpose of conducting a root cause analysis following an incident?
- A: To satisfy senior management expectations for incident response
- B: To reduce incident response times defined in service level agreements (SLAs)
- C: To minimize the likelihood of future occurrences
- D: To ensure risk has been reduced to acceptable levels
Question 204
Which of the following is MOST critical for a risk practitioner to continuously monitor to support senior management's risk-related decision making?
- A: Industry best practices in risk management
- B: Types of losses experienced by peer organizations
- C: The organization's risk profile
- D: Threat intelligence sources
Question 205
Risk avoidance is the BEST risk treatment strategy when:
- A: proposed mitigation strategies are not technically feasible.
- B: insurance can be obtained only with substantial premiums.
- C: transfer and mitigation options cost more than they save.
- D: the residual risk is outside the organizational risk appetite.
Question 206
Which of the following is the MOST important objective from a cost perspective for considering aggregated risk responses in an organization?
- A: Reduce likelihood
- B: Address more than one risk response
- C: Prioritize risk response options
- D: Reduce impact
Question 207
Which of the following provides the MOST useful information for regular reporting to senior management on the control environment's effectiveness?
- A: Capability maturity model
- B: Key risk indicators (KRIs)
- C: Balanced scorecard
- D: Key performance indicators (KPIs)
Question 208
The IT risk profile is PRIMARILY a communication tool for:
- A: external stakeholders.
- B: senior management.
- C: internal audit.
- D: regulators.
Question 209
Which of the following BEST promotes alignment between IT risk management and enterprise risk management?
- A: Using the same risk ranking methodology across IT and the business
- B: Obtaining senior management approval for IT policies and procedures
- C: Including IT risk scenarios in the organization's risk register
- D: Expressing risk treatment initiatives in financial terms
Question 210
Which of the following BEST describes the utility of a risk?
- A: The finance incentive behind the risk
- B: The potential opportunity of the risk
- C: The mechanics of how a risk works
- D: The usefulness of the risk to individuals or groups
Question 211
Which of the following is MOST important for an IT risk practitioner to update once risk mitigation action plans have been verified as completed?
- A: Risk rating
- B: Control inventory
- C: Risk impact
- D: Control ownership
Question 212
To obtain support from senior management for an increase in the risk mitigation budget, it is BEST to prioritize risk scenarios in the risk register based on:
- A: open audit issues.
- B: residual risk.
- C: risk owner seniority.
- D: inherent risk.
Question 213
Which of the following is the PRIMARY reason to perform periodic vendor risk assessments?
- A: To assess the vendor's risk mitigation plans
- B: To verify the vendor's ongoing financial viability
- C: To monitor the vendor's control effectiveness
- D: To provide input to the organization's risk appetite
Question 214
Using key risk indicators (KRIs) to illustrate changes in the risk profile PRIMARILY helps to:
- A: assign ownership of emerging risk scenarios.
- B: identify threats to emerging technologies.
- C: communicate risk trends to stakeholders.
- D: highlight noncompliance with the risk policy.
Question 215
An organization's chief information officer (CIO) has proposed investing in a new, untested technology to take advantage of being first to market. Senior management has concerns about the success of the project and has set a limit for expenditures before final approval. This conditional approval indicates the organization's risk:
- A: management capability.
- B: capacity.
- C: treatment strategy.
- D: appetite.
Question 216
A hospital's Internet of Things (IoT) bio-medical devices were recently hacked. Which of the following methods would BEST assist in identifying the control deficiencies?
- A: SWOT analysis
- B: Countermeasure analysis
- C: Business impact analysis (BIA)
- D: Gap analysis
Question 217
A financial organization is considering a project to implement the use of blockchain technology. To help ensure the organization's management team can make informed decisions on the project, which of the following should the risk practitioner reassess?
- A: Risk tolerance
- B: Risk classification
- C: Business impact analysis (BIA)
- D: Risk profile
Question 218
Which of the following should be a risk practitioner's NEXT step after learning of an incident that has affected a competitor?
- A: Develop risk scenarios.
- B: Implement compensating controls.
- C: Activate the incident response plan.
- D: Update the risk register.
Question 219
Which of the following is the PRIMARY responsibility of a risk owner?
- A: Determining risk appetite and tolerance
- B: Developing relevant control procedures
- C: Deciding responses to identified risk
- D: Implementing risk action plans
Question 220
Which of the following is the BEST way for a risk practitioner to present an annual risk management update to the board?
- A: A summary of IT risk scenarios with business cases
- B: A summary of risk response plans with validation results
- C: A report with control environment assessment results
- D: A dashboard summarizing key risk indicators (KRIs)
Question 221
A risk assessment has determined that an organization is highly susceptible to a vulnerability in its IT infrastructure. Which of the following is MOST important to communicate to the board?
- A: Open source intelligence reports on successful attacks
- B: Impact to the organization if the vulnerability is exploited
- C: Results of the most recent penetration test
- D: Results of a root cause analysis of the vulnerability
Question 222
External auditors have found that management has not effectively monitored key security technologies that support regulatory objectives. Which type of indicator would BEST enable the organization to identify and correct this situation?
- A: Key management indicator (KMI)
- B: Key control indicator (KCI)
- C: Key performance indicator (KPI)
- D: Key risk indicator (KRI)
Question 223
An organization has outsourced its customer management database to an external service provider. Of the following, who should be accountable for ensuring customer data privacy?
- A: The organization's business process owner
- B: The organization's information security manager
- C: The organization's vendor management officer
- D: The vendor's risk manager
Question 224
Due to budget constraints, an organization cannot implement encryption for all databases. Which of the following is the MOST useful information to identify high-risk databases where encryption should be applied?
- A: Business impact assessment (BIA)
- B: Unsupported database list
- C: Penetration test results
- D: Data classification scheme
Question 225
Which of the following is MOST important to include in a report for senior management after resolving a significant IT incident?
- A: Incident resolution time and likelihood of recurrence
- B: A list of impacted business functions and estimated business loss
- C: Details of resolution methods and assessment of the incident
- D: A detailed information security root cause analysis