We at Dumpssure assure you that our platform is one of the most authentic websites for Isaca CRISC exam questions and their correct answers. Pass your Isaca CRISC exam with flying colours, and with little effort. With the purchase of this pack, you will also get free demo questions. We ensure your 100% success in the CRISC exam with the help of our provided material.
DumpsSure offers a unique Online Test Engine where you can fully practice your CRISC exam questions. This is a one-of-a-kind feature which our competitors do not provide. Candidates can practice the way they would attempt questions at the real examination.
Dumpssure also offers an exclusive 'Exam Mode' where you can attempt 50 random questions related to your CRISC exam. This mode is exactly the same as the real CRISC certification exam. Attempt all the questions within a limited time and test your knowledge on the spot. This mode will definitely give you an edge in the real exam.
Our success rate over the past 6 years is above 96%, which is quite impressive, and we are proud of it. Our customers are able to build their career in any field they wish. Let's dive right in and make the best decision of your life right now. Choose the plan you want, download the CRISC exam dumps and start your preparation for a successful professional career.
Dumpssure is providing free Isaca CRISC questions and answers for your practice; to avail of this facility you just need to sign up for a free account on Dumpssure. Thousands of customers from around the world are using our CRISC dumps. You can get high grades by using these dumps, with a money-back guarantee on the CRISC dumps PDF.
Our production experts have been preparing material which can help you succeed in the Isaca CRISC exam in one day. They are so logical and knowledgeable about the questions and their answers that you can get good marks in the Isaca CRISC exam. So DUMPSSURE is offering you the chance to get excellent marks.
The basic aim of Dumpssure is to provide the most important and most accurate material for our users. You just need to remain connected to the internet to get updates, even on your mobile. After purchasing, you can download the Isaca CRISC study material in PDF format and read it easily wherever you wish to study.
Our provided material is regularly updated step by step with new questions and answers for the Isaca exam dumps, so that you can easily check the pattern of the questions and their answers and succeed in your first attempt.
We are keen to provide our users with questions that are verified by Isaca professionals, who are extremely skilled and have spent many years in this field.
Dumpssure is so devoted to our customers that we provide the most important and latest questions to help you pass the Isaca CRISC exam. If you have purchased the complete CRISC dumps PDF file and have not received the promised facilities for the Isaca exam, you can either request a replacement exam or claim a refund under our money-back policy, which is very simple; for more detail, visit the Guarantee page.
Which of the following will BEST help to ensure key risk indicators (KRIs) provide value to risk owners?
A. Ongoing training
B. Timely notification
C. Return on investment (ROI)
D. Cost minimization
An organization is participating in an industry benchmarking study that involves providing customer transaction records for analysis. Which of the following is the MOST important control to ensure the privacy of customer information?
A. Nondisclosure agreements (NDAs)
B. Data anonymization
C. Data cleansing
D. Data encryption
Which of the following approaches to bring your own device (BYOD) service delivery provides the BEST protection from data loss?
A. Enable data wipe capabilities
B. Penetration testing and session timeouts
C. Implement remote monitoring
D. Enforce strong passwords and data encryption
An organization wants to launch a campaign to advertise a new product. Using data analytics, the campaign can be targeted to reach potential customers. Which of the following should be of GREATEST concern to the risk practitioner?
A. Data minimization
B. Accountability
C. Accuracy
D. Purpose limitation
An organization has recently hired a large number of part-time employees. During the annual audit, it was discovered that many user IDs and passwords were documented in procedure manuals for use by the part-time employees. Which of the following BEST describes this situation?
A. Threat
B. Risk
C. Vulnerability
D. Policy violation
A recent vulnerability assessment of a web-facing application revealed several weaknesses. Which of the following should be done NEXT to determine the risk exposure?
A. Code review
B. Penetration test
C. Gap assessment
D. Business impact analysis (BIA)
Which of the following is the MOST effective way to reduce potential losses due to ongoing expense fraud?
A. Implement user access controls
B. Perform regular internal audits
C. Develop and communicate fraud prevention policies
D. Conduct fraud prevention awareness training.
Which of the following is the GREATEST benefit of identifying appropriate risk owners?
A. Accountability is established for risk treatment decisions
B. Stakeholders are consulted about risk treatment options
C. Risk owners are informed of risk treatment options
D. Responsibility is established for risk treatment decisions.
Which of the following is MOST important for senior management to review during an acquisition?
A. Risk appetite and tolerance
B. Risk framework and methodology
C. Key risk indicator (KRI) thresholds
D. Risk communication plan
Which of the following is the MOST important objective from a cost perspective for considering aggregated risk responses in an organization?
A. Prioritize risk response options
B. Reduce likelihood.
C. Address more than one risk response
D. Reduce impact
Which of the following is MOST important to update when an organization's risk appetite changes?
A. Key risk indicators (KRIs)
B. Risk reporting methodology
C. Key performance indicators (KPIs)
D. Risk taxonomy
Which of the following is the BEST indicator of executive management's support for IT risk mitigation efforts?
A. The number of stakeholders involved in IT risk identification workshops
B. The percentage of corporate budget allocated to IT risk activities
C. The percentage of incidents presented to the board
D. The number of executives attending IT security awareness training
When a risk practitioner is determining a system's criticality, it is MOST helpful to review the associated:
A. process flow.
B. business impact analysis (BIA).
C. service level agreement (SLA).
D. system architecture.
Which of the following is the MOST important consideration when communicating the risk associated with technology end-of-life to business owners?
A. Cost and benefit
B. Security and availability
C. Maintainability and reliability
D. Performance and productivity
Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities?
A. Temporarily mitigate the OS vulnerabilities
B. Document and implement a patching process
C. Evaluate permanent fixes such as patches and upgrades
D. Identify the vulnerabilities and applicable OS patches
Which of the following is the MOST important concern when assigning multiple risk owners for an identified risk?
A. Accountability may not be clearly defined.
B. Risk ratings may be inconsistently applied.
C. Different risk taxonomies may be used.
D. Mitigation efforts may be duplicated.
Which of the following BEST enables risk-based decision making in support of a business continuity plan (BCP)?
A. Impact analysis
B. Control analysis
C. Root cause analysis
D. Threat analysis
Which of the following findings of a security awareness program assessment would cause the GREATEST concern to a risk practitioner?
A. The program has not decreased threat counts.
B. The program has not considered business impact.
C. The program has been significantly revised
D. The program uses non-customized training modules.
Effective risk communication BEST benefits an organization by:
A. helping personnel make better-informed decisions
B. assisting the development of a risk register.
C. improving the effectiveness of IT controls.
D. increasing participation in the risk assessment process.
Following an acquisition, the acquiring company's risk practitioner has been asked to update the organization's IT risk profile. What is the MOST important information to review from the acquired company to facilitate this task?
A. Internal and external audit reports
B. Risk disclosures in financial statements
C. Risk assessment and risk register
D. Business objectives and strategies
Which of the following is the BEST way for a risk practitioner to present an annual risk management update to the board?
A. A summary of risk response plans with validation results
B. A report with control environment assessment results
C. A dashboard summarizing key risk indicators (KRIs)
D. A summary of IT risk scenarios with business cases
During an acquisition, which of the following would provide the MOST useful input to the parent company's risk practitioner when developing risk scenarios for the post-acquisition phase?
A. Risk management framework adopted by each company
B. Risk registers of both companies
C. IT balanced scorecard of each company
D. Most recent internal audit findings from both companies
Which of the following is MOST important when conducting a post-implementation review as part of the system development life cycle (SDLC)?
A. Verifying that project objectives are met
B. Identifying project cost overruns
C. Leveraging an independent review team
D. Reviewing the project initiation risk matrix
Which of the following should be of GREATEST concern when reviewing the results of an independent control assessment to determine the effectiveness of a vendor's control environment?
A. The report was provided directly from the vendor.
B. The risk associated with multiple control gaps was accepted.
C. The control owners disagreed with the auditor's recommendations.
D. The controls had recurring noncompliance.
The BEST key performance indicator (KPI) to measure the effectiveness of the security patching process is the percentage of patches installed:
A. by the security administration team.
B. successfully within the expected time frame.
C. successfully during the first attempt.
D. without causing an unplanned system outage.
When preparing a risk status report for periodic review by senior management, it is MOST important to ensure the report includes:
A. risk exposure in business terms
B. a detailed view of individual risk exposures
C. a summary of incidents that have impacted the organization.
D. recommendations by an independent risk assessor.
A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner's NEXT step?
A. Develop a mechanism for monitoring residual risk.
B. Update the risk register with the results.
C. Prepare a business case for the response options.
D. Identify resources for implementing responses.
Which of the following is the PRIMARY reason to perform periodic vendor risk assessments?
A. To provide input to the organization's risk appetite
B. To monitor the vendor's control effectiveness
C. To verify the vendor's ongoing financial viability
D. To assess the vendor's risk mitigation plans
Which of the following is the BEST control to minimize the risk associated with scope creep in software development?
A. An established process for project change management
B. Retention of test data and results for review purposes
C. Business management's review of functional requirements
D. Segregation between development, test, and production
An organization has experienced several incidents of extended network outages that have exceeded tolerance. Which of the following should be the risk practitioner's FIRST step to address this situation?
A. Recommend additional controls to address the risk.
B. Update the risk tolerance level to acceptable thresholds.
C. Update the incident-related risk trend in the risk register.
D. Recommend a root cause analysis of the incidents.
The objective of aligning mitigating controls to risk appetite is to ensure that:
A. exposures are reduced to the fullest extent
B. exposures are reduced only for critical business systems
C. insurance costs are minimized
D. the cost of controls does not exceed the expected loss.
Which of the following is the MAIN purpose of monitoring risk?
A. Communication
B. Risk analysis
C. Decision support
D. Benchmarking
A risk practitioner is utilizing a risk heat map during a risk assessment. Risk events that are coded with the same color will have a similar:
A. risk score
B. risk impact
C. risk response
D. risk likelihood.
When evaluating a number of potential controls for treating risk, it is MOST important to consider:
A. risk appetite and control efficiency.
B. inherent risk and control effectiveness.
C. residual risk and cost of control.
D. risk tolerance and control complexity.
Which of the following is MOST important to promoting a risk-aware culture?
A. Regular testing of risk controls
B. Communication of audit findings
C. Procedures for security monitoring
D. Open communication of risk reporting
An organization has decided to postpone the assessment and treatment of several risk scenarios because stakeholders are unavailable. As a result of this decision, the risk associated with these new entries has been:
A. mitigated
B. deferred
C. accepted.
D. transferred
An organization's control environment is MOST effective when:
A. controls perform as intended.
B. controls operate efficiently.
C. controls are implemented consistently.
D. control designs are reviewed periodically.
Which of the following is the MOST important step to ensure regulatory requirements are adequately addressed within an organization?
A. Obtain necessary resources to address regulatory requirements
B. Develop a policy framework that addresses regulatory requirements
C. Perform a gap analysis against regulatory requirements.
D. Employ IT solutions that meet regulatory requirements.
When defining thresholds for control key performance indicators (KPIs), it is MOST helpful to align:
A. information risk assessments with enterprise risk assessments.
B. key risk indicators (KRIs) with risk appetite of the business.
C. the control key performance indicators (KPIs) with audit findings.
D. control performance with risk tolerance of business owners.
Which of the following is the MOST important key performance indicator (KPI) to monitor the effectiveness of disaster recovery processes?
A. Percentage of IT systems recovered within the mean time to restore (MTTR) during the disaster recovery test
B. Percentage of issues arising from the disaster recovery test resolved on time
C. Percentage of IT systems included in the disaster recovery test scope
D. Percentage of IT systems meeting the recovery time objective (RTO) during the disaster recovery test
A risk practitioner has collaborated with subject matter experts from the IT department to develop a large list of potential key risk indicators (KRIs) for all IT operations within the organization. Of the following, who should review the completed list and select the appropriate KRIs for implementation?
A. IT security managers
B. IT control owners
C. IT auditors
D. IT risk owners
Senior management wants to increase investment in the organization's cybersecurity program in response to changes in the external threat landscape. Which of the following would BEST help to prioritize investment efforts?
A. Analyzing cyber intelligence reports
B. Engaging independent cybersecurity consultants
C. Increasing the frequency of updates to the risk register
D. Reviewing the outcome of the latest security risk assessment
An organization's chief information officer (CIO) has proposed investing in a new, untested technology to take advantage of being first to market. Senior management has concerns about the success of the project and has set a limit for expenditures before final approval. This conditional approval indicates the organization's risk:
A. capacity.
B. appetite.
C. management capability.
D. treatment strategy.
Which of the following is MOST helpful in providing an overview of an organization's risk management program?
A. Risk management treatment plan
B. Risk assessment results
C. Risk management framework
D. Risk register
An organization is implementing encryption for data at rest to reduce the risk associated with unauthorized access. Which of the following MUST be considered to assess the residual risk?
A. Data retention requirements
B. Data destruction requirements
C. Cloud storage architecture
D. Key management
Which of the following is a risk practitioner's BEST recommendation to address an organization's need to secure multiple systems with limited IT resources?
A. Apply available security patches.
B. Schedule a penetration test.
C. Conduct a business impact analysis (BIA)
D. Perform a vulnerability analysis.
The PRIMARY advantage of involving end users in continuity planning is that they:
A. have a better understanding of specific business needs
B. can balance the overall technical and business concerns
C. can see the overall impact to the business
D. are more objective than information security management.
A bank recently incorporated Blockchain technology with the potential to impact known risk within the organization. Which of the following is the risk practitioner's BEST course of action?
A. Determine whether risk responses are still adequate.
B. Analyze and update control assessments with the new processes.
C. Analyze the risk and update the risk register as needed.
D. Conduct testing of the controls that mitigate the existing risk.
A financial institution has identified high risk of fraud in several business applications. Which of the following controls will BEST help reduce the risk of fraudulent internal transactions?
A. Periodic user privileges review
B. Log monitoring
C. Periodic internal audits
D. Segregation of duties
Which of the following would be the GREATEST challenge when implementing a corporate risk framework for a global organization?
A. Privacy risk controls
B. Business continuity
C. Risk taxonomy
D. Management support
After the implementation of Internet of Things (IoT) devices, new risk scenarios were identified. What is the PRIMARY reason to report this information to risk owners?
A. To reevaluate continued use of IoT devices
B. To add new controls to mitigate the risk
C. To recommend changes to the IoT policy
D. To confirm the impact to the risk profile
Which of the following is MOST helpful in preventing risk events from materializing?
A. Prioritizing and tracking issues
B. Establishing key risk indicators (KRIs)
C. Reviewing and analyzing security incidents
D. Maintaining the risk register
Which of the following is a risk practitioner's MOST important responsibility in managing risk acceptance that exceeds risk tolerance?
A. Verify authorization by senior management.
B. Increase the risk appetite to align with the current risk level
C. Ensure the acceptance is set to expire over time
D. Update the risk response in the risk register.
Which of the following would be a risk practitioner's BEST course of action when a project team has accepted a risk outside the established risk appetite?
A. Reject the risk acceptance and require mitigating controls.
B. Monitor the residual risk level of the accepted risk.
C. Escalate the risk decision to the project sponsor for review.
D. Document the risk decision in the project risk register.
A multinational organization is considering implementing standard background checks for all new employees. A KEY concern regarding this approach is that it may:
A. fail to identify all relevant issues.
B. be too costly
C. violate laws in other countries
D. be too time consuming.
When developing a risk awareness training program, which of the following training topics would BEST facilitate a thorough understanding of risk scenarios?
A. Mapping threats to organizational objectives
B. Reviewing past audits
C. Analyzing key risk indicators (KRIs)
D. Identifying potential sources of risk
Which of the following stakeholders are typically included as part of a line of defense within the three lines of defense model?
A. Board of directors
B. Vendors
C. Regulators
D. Legal team
Which of the following should be the PRIMARY goal of developing information security metrics?
A. Raising security awareness
B. Enabling continuous improvement
C. Identifying security threats
D. Ensuring regulatory compliance
Which of the following will BEST help to ensure new IT policies address the enterprise's requirements?
A. Involve IT leadership in the policy development process
B. Require business users to sign acknowledgment of the policies
C. Involve business owners in the policy development process
D. Provide policy owners with greater enforcement authority
A risk practitioner has just learned about new malware that has severely impacted industry peers worldwide data loss?
A. Customer database manager
B. Customer data custodian
C. Data privacy officer
D. Audit committee
It was determined that replication of a critical database used by two business units failed. Which of the following should be of GREATEST concern?
A. The underutilization of the replicated link
B. The cost of recovering the data
C. The lack of integrity of data
D. The loss of data confidentiality
The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for:
A. data logging and monitoring
B. data mining and analytics
C. data classification and labeling
D. data retention and destruction
Which type of indicators should be developed to measure the effectiveness of an organization's firewall rule set?
A. Key risk indicators (KRIs)
B. Key management indicators (KMIs)
C. Key performance indicators (KPIs)
D. Key control indicators (KCIs)
Which of the following is MOST important to the effectiveness of key performance indicators (KPIs)?
A. Relevance
B. Annual review
C. Automation
D. Management approval
Who should be PRIMARILY responsible for establishing an organization's IT risk culture?
A. Business process owner
B. Executive management
C. Risk management
D. IT management
The PRIMARY benefit of using a maturity model is that it helps to evaluate the:
A. capability to implement new processes
B. evolution of process improvements
C. degree of compliance with policies and procedures
D. control requirements.
Which of the following is the PRIMARY reason to adopt key control indicators (KCIs) in the risk monitoring and reporting process?
A. To provide data for establishing the risk profile
B. To provide assurance of adherence to risk management policies
C. To provide measurements on the potential for risk to occur
D. To provide assessments of mitigation effectiveness
Of the following, who is BEST suited to assist a risk practitioner in developing a relevant set of risk scenarios?
A. Internal auditor
B. Asset owner
C. Finance manager
D. Control owner
Which of the following would be the result of a significant increase in the motivation of a malicious threat actor?
A. Increase in mitigating control costs
B. Increase in risk event impact
C. Increase in risk event likelihood
D. Increase in cybersecurity premium
Which of the following is the BEST indicator of an effective IT security awareness program?
A. Decreased success rate of internal phishing tests
B. Decreased number of reported security incidents
C. Number of disciplinary actions issued for security violations
D. Number of employees that complete security training
Which of the following is the MOST effective way to incorporate stakeholder concerns when developing risk scenarios?
A. Evaluating risk impact
B. Establishing key performance indicators (KPIs)
C. Conducting internal audits
D. Creating quarterly risk reports
I got 85% marks in the Isaca CRISC exam. Thanks to the best PDF exam guide by DumpsSure. Made my concepts about the exam very clear through Online Practice Mode.
Anonymous
Prepared for the Isaca CRISC exam with DumpsSure. Satisfied with the comprehensive guide. DumpsSure real exam questions and answers are highly recommended from my side.
rwerwe
Valid and 100% authentic exam dumps for CRISC. I studied with these and scored 87% in the CRISC exam. DumpsSure is amazing.
Bernardon
Awesome exam practice software for the CRISC exam. DumpsSure helped me score 91% marks in the exam. I highly recommend everyone to use the exam practicing software and data dumps.
Peralta
Highly recommend exam dumps and online test engine by DumpsSure. Very similar to the real CRISC exam. Passed with flying marks.
gyawali
Passed my CRISC exam recently using the exam guide PDF files by DumpsSure. Valid study material. Thank you, people.
NGYZjfLRepdmSv
Thank you DumpsSure for constantly updating the latest dumps for the CRISC exam. Really helpful in passing the exam. Highly recommended.