Gain CRISC Certification With Real Questions and Answers

test2022-02-25T06:33:49+00:00

What is the best way to pass your CRISC Certification? Certified in Risk and Information Systems Control (CRISC) is a vendor-neutral certification that validates an individual’s skills in the fields of information system control and risk management. CRISC practice tests are designed to simulate a natural exam environment and are quite beneficial in ensuring memorable success in the CRISC exam. This free practice test can now be used to assess your preparation. Here you will find a complete CRISC exam dump to help you pass on the first try!

Take a free CRISC practice exam right now to see how prepared you are!

Page 1 of 25

1. Several network user accounts were recently created without the required management approvals .

Which of the following would be the risk practitioner's BEST recommendation to address this situation?

Conduct a comprehensive compliance review.

Develop incident response procedures for noncompliance.

Investigate the root cause of noncompliance.

Declare a security breach and Inform management.

2. Which of the following is the BEST reason to use qualitative measures to express residual risk levels related to emerging threats?

Qualitative measures require less ongoing monitoring.

Qualitative measures are better aligned to regulatory requirements.

Qualitative measures are better able to incorporate expert judgment.

Qualitative measures are easier to update.

3. Which of the following provides the BEST measurement of an organization's risk management maturity level?

Level of residual risk

The results of a gap analysis

IT alignment to business objectives

Key risk indicators (KRIs)

4. Which of the following would BEST assist in reconstructing the sequence of events following a security incident across multiple IT systems in the organization's network?

Network monitoring infrastructure

Centralized vulnerability management

Incident management process

Centralized log management

5. A payroll manager discovers that fields in certain payroll reports have been modified without authorization .

Which of the following control weaknesses could have contributed MOST to this problem?

The user requirements were not documented.

Payroll files were not under the control of a librarian.

The programmer had access to the production programs.

The programmer did not involve the user in testing.

6. Which of the following is MOST important when developing key performance indicators (KPIs)?

Alignment to risk responses

Alignment to management reports

Alerts when risk thresholds are reached

Identification of trends

7. Which of the following is the BEST approach when a risk practitioner has been asked by a business unit manager for special consideration during a risk assessment of a system?

Conduct an abbreviated version of the assessment.

Report the business unit manager for a possible ethics violation.

Perform the assessment as it would normally be done.

Recommend an internal auditor perform the review.

8. Which of the following techniques would be used during a risk assessment to demonstrate to stakeholders that all known alternatives were evaluated?

Control chart

Sensitivity analysis

Trend analysis

Decision tree

9. A key risk indicator (KRI) threshold has reached the alert level, indicating data leakage incidents are highly probable .

What should be the risk practitioner's FIRST course of action?

Update the KRI threshold.

Recommend additional controls.

Review incident handling procedures.

Perform a root cause analysis.

10. The MAIN reason for creating and maintaining a risk register is to:

assess effectiveness of different projects.

define the risk assessment methodology.

ensure assets have low residual risk.

account for identified key risk factors.

Page 2 of 25

11. Which of the following provides the MOST useful information when determining if a specific control should be implemented?

Business impact analysis (BIA)

Cost-benefit analysis

Attribute analysis

Root cause analysis

12. Which of the following is a detective control?

Limit check

Periodic access review

Access control software

Rerun procedures

13. Which of the following is the GREATEST concern when an organization uses a managed security service provider as a firewall administrator?

Exposure of log data

Lack of governance

Increased number of firewall rules

Lack of agreed-upon standards

14. From a risk management perspective, the PRIMARY objective of using maturity models is to enable:

solution delivery.

resource utilization.

strategic alignment.

performance evaluation.

15. When of the following 15 MOST important when developing a business case for a proposed security investment?

identification of control requirements

Alignment to business objectives

Consideration of new business strategies

inclusion of strategy for regulatory compliance

16. Which of the following is the MOST important data source for monitoring key risk indicators (KRIs)?

Directives from legal and regulatory authorities

Audit reports from internal information systems audits

Automated logs collected from different systems

Trend analysis of external risk factors

17. Which of the following is MOST critical when designing controls?

Involvement of internal audit

Involvement of process owner

Quantitative impact of the risk

Identification of key risk indicators

18. Which of the following should be the risk practitioner s PRIMARY focus when determining whether controls are adequate to mitigate risk?

Sensitivity analysis

Level of residual risk

Cost-benefit analysis

Risk appetite

19. An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application .

Which of the following should be the NEXT course of action?

Invoke the disaster recovery plan during an incident.

Prepare a cost-benefit analysis of alternatives available

Implement redundant infrastructure for the application.

Reduce the recovery time by strengthening the response team.

20. In response to the threat of ransomware, an organization has implemented cybersecurity awareness activities.

The risk practitioner's BEST recommendation to further reduce the impact of ransomware attacks would be to implement:

two-factor authentication.

continuous data backup controls.

encryption for data at rest.

encryption for data in motion.

Page 3 of 25

21. An organization's risk practitioner learns a new third-party system on the corporate network has introduced vulnerabilities that could compromise corporate IT systems .

What should the risk practitioner do FIRST?

Confirm the vulnerabilities with the third party

Identify procedures to mitigate the vulnerabilities.

Notify information security management.

Request IT to remove the system from the network.

22. Which of the following would BEST ensure that identified risk scenarios are addressed?

Reviewing the implementation of the risk response

Creating a separate risk register for key business units

Performing real-time monitoring of threats

Performing regular risk control self-assessments

23. Which of the following would be the GREATEST concern related to data privacy when implementing an Internet of Things (loT) solution that collects personally identifiable information (Pll)?

A privacy impact assessment has not been completed.

Data encryption methods apply to a subset of Pll obtained.

The data privacy officer was not consulted.

Insufficient access controls are used on the loT devices.

24. To minimize risk in a software development project, when is the BEST time to conduct a risk analysis?

During the business requirement definitions phase

Before periodic steering committee meetings

At each stage of the development life cycle

During the business case development

25. The PRIMARY objective of collecting information and reviewing documentation when performing periodic risk analysis should be to:

Identify new or emerging risk issues.

Satisfy audit requirements.

Survey and analyze historical risk data.

Understand internal and external threat agents.

26. An organization practices the principle of least privilege. To ensure access remains appropriate, application owners should be required to review user access rights on a regular basis by obtaining:

business purpose documentation and software license counts

an access control matrix and approval from the user's manager

documentation indicating the intended users of the application

security logs to determine the cause of invalid login attempts

27. When reviewing the business continuity plan (BCP) of an online sales order system, a risk practitioner notices that the recovery time objective (RTO) has a shorter lime than what is defined in the disaster recovery plan (DRP) .

Which of the following is the BEST way for the risk practitioner to address this concern?

Adopt the RTO defined in the BCR

Update the risk register to reflect the discrepancy.

Adopt the RTO defined in the DR

Communicate the discrepancy to the DR manager for follow-up.

28. The risk associated with a high-risk vulnerability in an application is owned by the:

security department.

business unit

vendor.

IT department.

29. Which of the following would BEST help an enterprise define and communicate its risk appetite?

Gap analysis

Risk assessment

Heat map

Risk register

30. Which of the following will BEST quantify the risk associated with malicious users in an organization?

Business impact analysis

Risk analysis

Threat risk assessment

Vulnerability assessment

Page 4 of 25

31. Which of The following is the MOST relevant information to include in a risk management strategy?

Quantified risk triggers

Cost of controls

Regulatory requirements

Organizational goals

32. During the control evaluation phase of a risk assessment, it is noted that multiple controls are ineffective .

Which of the following should be the risk practitioner's FIRST course of action?

Recommend risk remediation of the ineffective controls.

Compare the residual risk to the current risk appetite.

Determine the root cause of the control failures.

Escalate the control failures to senior management.

33. Which of the following is the GREATEST concern associated with the transmission of healthcare data across the internet?

Unencrypted data

Lack of redundant circuits

Low bandwidth connections

Data integrity

34. Which of the following should be the MAIN consideration when validating an organization's risk appetite?

Comparison against regulations

Maturity of the risk culture

Capacity to withstand loss

Cost of risk mitigation options

35. The BEST way to demonstrate alignment of the risk profile with business objectives is through:

risk scenarios.

risk tolerance.

risk policy.

risk appetite.

36. Which of the following should be the PRIMARY consideration when implementing controls for monitoring user activity logs?

Ensuring availability of resources for log analysis

Implementing log analysis tools to automate controls

Ensuring the control is proportional to the risk

Building correlations between logs collected from different sources

37. After the review of a risk record, internal audit questioned why the risk was lowered from medium to low .

Which of the following is the BEST course of action in responding to this inquiry?

Obtain industry benchmarks related to the specific risk.

Provide justification for the lower risk rating.

Notify the business at the next risk briefing.

Reopen the risk issue and complete a full assessment.

38. A risk practitioner is reporting on an increasing trend of ransomware attacks in the industry .

Which of the following information is MOST important to include to enable an informed response decision by key stakeholders?

Methods of attack progression

Losses incurred by industry peers

Most recent antivirus scan reports

Potential impact of events

39. An organization has identified a risk exposure due to weak technical controls in a newly implemented HR system.

The risk practitioner is documenting the risk in the risk register. The risk should be owned by the:

chief risk officer.

project manager.

chief information officer.

business process owner.

40. After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls.

The vendor has voluntarily shared the following set of assessments:

Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment?

External audit

Internal audit

Vendor performance scorecard

Regulatory examination

Page 5 of 25

41. Which of the following is the MOST important consideration when developing an organization's risk taxonomy?

Leading industry frameworks

Business context

Regulatory requirements

IT strategy

42. The MOST important reason to monitor key risk indicators (KRIs) is to help management:

identity early risk transfer strategies.

lessen the impact of realized risk.

analyze the chain of risk events.

identify the root cause of risk events.

43. An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program.

The PRIMARY goal of this program should be to:

reduce the risk to an acceptable level.

communicate the consequences for violations.

implement industry best practices.

reduce the organization's risk appetite

44. An organization is implementing internet of Things (loT) technology to control temperature and lighting in its headquarters .

Which of the following should be of GREATEST concern?

Insufficient network isolation

impact on network performance

insecure data transmission protocols

Lack of interoperability between sensors

45. An organization has detected unauthorized logins to its client database servers .

Which of the following should be of GREATEST concern?

Potential increase in regulatory scrutiny

Potential system downtime

Potential theft of personal information

Potential legal risk

46. Which of the following is the BEST indicator of the effectiveness of IT risk management processes?

Percentage of business users completing risk training

Percentage of high-risk scenarios for which risk action plans have been developed

Number of key risk indicators (KRIs) defined

Time between when IT risk scenarios are identified and the enterprise's response

47. Which of the following would be MOST helpful to an information security management team when allocating resources to mitigate exposures?

Relevant risk case studies

Internal audit findings

Risk assessment results

Penetration testing results

48. An organization must make a choice among multiple options to respond to a risk. The stakeholders cannot agree and decide to postpone the decision .

Which of the following risk responses has the organization adopted?

Transfer

Mitigation

Avoidance

Acceptance

49. Which of the following would be MOST beneficial as a key risk indicator (KRI)?

Current capital allocation reserves

Negative security return on investment (ROI)

Project cost variances

Annualized loss projections

50. Which of the following BEST facilities the alignment of IT risk management with enterprise risk management (ERM)?

Adopting qualitative enterprise risk assessment methods

Linking IT risk scenarios to technology objectives

linking IT risk scenarios to enterprise strategy

Adopting quantitative enterprise risk assessment methods

Page 6 of 25

51. Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities?

Temporarily mitigate the OS vulnerabilities

Document and implement a patching process

Evaluate permanent fixes such as patches and upgrades

Identify the vulnerabilities and applicable OS patches

52. The PRIMARY objective of a risk identification process is to:

evaluate how risk conditions are managed.

determine threats and vulnerabilities.

estimate anticipated financial impact of risk conditions.

establish risk response options.

53. Which of the following would provide the MOST comprehensive information for updating an organization's risk register?

Results of the latest risk assessment

Results of a risk forecasting analysis

A review of compliance regulations

Findings of the most recent audit

54. Which of the following BEST indicates the effectiveness of anti-malware software?

Number of staff hours lost due to malware attacks

Number of downtime hours in business critical servers

Number of patches made to anti-malware software

Number of successful attacks by malicious software

55. Which of the following is the MOST important consideration when identifying stakeholders to review risk scenarios developed by a risk analyst? The reviewers are:

accountable for the affected processes.

members of senior management.

authorized to select risk mitigation options.

independent from the business operations.

56. Which of The following will BEST communicate the importance of risk mitigation initiatives to senior management?

Business case

Balanced scorecard

Industry standards

Heat map

57. Senior management has asked the risk practitioner for the overall residual risk level for a process that contains numerous risk scenarios .

Which of the following should be provided?

The sum of residual risk levels for each scenario

The loss expectancy for aggregated risk scenarios

The highest loss expectancy among the risk scenarios

The average of anticipated residual risk levels

58. Which of the following is the BEST key control indicator (KCI) for risk related to IT infrastructure failure?

Number of times the recovery plan is reviewed

Number of successful recovery plan tests

Percentage of systems with outdated virus protection

Percentage of employees who can work remotely

59. Which of the following provides the BEST evidence that a selected risk treatment plan is effective?

Identifying key risk indicators (KRIs)

Evaluating the return on investment (ROI)

Evaluating the residual risk level

Performing a cost-benefit analysis

60. Which of the following BEST measures the impact of business interruptions caused by an IT service outage?

Sustained financial loss

Cost of remediation efforts

Duration of service outage

Average time to recovery

Page 7 of 25

61. A large organization needs to report risk at all levels for a new centralized visualization project to reduce cost and improve performance .

Which of the following would MOST effectively represent the overall risk of the project to senior management?

Aggregated key performance indicators (KPls)

Key risk indicators (KRIs)

Centralized risk register

Risk heat map

62. During an internal IT audit, an active network account belonging to a former employee was identified .

Which of the following is the BEST way to prevent future occurrences?

Conduct a comprehensive review of access management processes.

Declare a security incident and engage the incident response team.

Conduct a comprehensive awareness session for system administrators.

Evaluate system administrators' technical skills to identify if training is required.

63. Which of the following elements of a risk register is MOST likely to change as a result of change in management's risk appetite?

Key risk indicator (KRI) thresholds

Inherent risk

Risk likelihood and impact

Risk velocity

64. Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?

Risk mitigation budget

Business Impact analysis

Cost-benefit analysis

Return on investment

65. An effective control environment is BEST indicated by controls that:

minimize senior management's risk tolerance.

manage risk within the organization's risk appetite.

reduce the thresholds of key risk indicators (KRIs).

are cost-effective to implement

66. Which of the following is the PRIMARY reason to perform ongoing risk assessments?

Emerging risk must be continuously reported to management.

New system vulnerabilities emerge at frequent intervals.

The risk environment is subject to change.

The information security budget must be justified.

67. A business unit is updating a risk register with assessment results for a key project .

Which of the following is MOST important to capture in the register?

The team that performed the risk assessment

An assigned risk manager to provide oversight

Action plans to address risk scenarios requiring treatment

The methodology used to perform the risk assessment

68. In an organization dependent on data analytics to drive decision-making, which of the following would BEST help to minimize the risk associated with inaccurate data?

Establishing an intellectual property agreement

Evaluating each of the data sources for vulnerabilities

Periodically reviewing big data strategies

Benchmarking to industry best practice

69. During implementation of an intrusion detection system (IDS) to monitor network traffic, a high number of alerts is reported.

The risk practitioner should recommend to:

reset the alert threshold based on peak traffic

analyze the traffic to minimize the false negatives

analyze the alerts to minimize the false positives

sniff the traffic using a network analyzer

70. Which of the following should be considered when selecting a risk response?

Risk scenarios analysis

Risk response costs

Risk factor awareness

Risk factor identification

Page 8 of 25

71. Which of the following would BEST mitigate the risk associated with reputational damage from inappropriate use of social media sites by employees?

Validating employee social media accounts and passwords

Monitoring Internet usage on employee workstations

Disabling social media access from the organization's technology

Implementing training and awareness programs

72. Which of the following is MOST important to the successful development of IT risk scenarios?

Cost-benefit analysis

Internal and external audit reports

Threat and vulnerability analysis

Control effectiveness assessment

73. A risk practitioner has been notified that an employee sent an email in error containing customers' personally identifiable information (Pll) .

Which of the following is the risk practitioner's BEST course of action?

Report it to the chief risk officer.

Advise the employee to forward the email to the phishing team.

follow incident reporting procedures.

Advise the employee to permanently delete the email.

74. A large organization is replacing its enterprise resource planning (ERP) system and has decided not to deploy the payroll module of the new system. Instead, the current payroll system will continue to be

used.

Of the following, who should own the risk if the ERP and payroll system fail to operate as expected?

The business owner

The ERP administrator

The project steering committee

The IT project manager

75. Which of the following is the MOST important component in a risk treatment plan?

Technical details

Target completion date

Treatment plan ownership

Treatment plan justification

76. Which of the following will BEST help an organization evaluate the control environment of several third-party vendors?

Review vendors' internal risk assessments covering key risk and controls.

Obtain independent control reports from high-risk vendors.

Review vendors performance metrics on quality and delivery of processes.

Obtain vendor references from third parties.

77. Which of the following is the BEST way for a risk practitioner to verify that management has addressed control issues identified during a previous external audit?

Interview control owners.

Observe the control enhancements in operation.

Inspect external audit documentation.

Review management's detailed action plans.

78. An audit reveals that there are changes in the environment that are not reflected in the risk profile .

Which of the following is the BEST course of action?

Review the risk identification process.

Inform the risk scenario owners.

Create a risk awareness communication plan.

Update the risk register.

79. After a risk has been identified, who is in the BEST position to select the appropriate risk treatment option?

The risk practitioner

The business process owner

The risk owner

The control owner

80. Which of the following should be the PRIMARY objective of a risk awareness training program?

To enable risk-based decision making

To promote awareness of the risk governance function

To clarify fundamental risk management principles

To ensure sufficient resources are available

Page 9 of 25

81. Which of the following is the MOST important consideration when determining whether to accept residual risk after security controls have been implemented on a critical system?

Cost versus benefit of additional mitigating controls

Annualized loss expectancy (ALE) for the system

Frequency of business impact

Cost of the Information control system

82. Winch of the following is the BEST evidence of an effective risk treatment plan?

The inherent risk is below the asset residual risk.

Remediation cost is below the asset business value

The risk tolerance threshold s above the asset residual

Remediation is completed within the asset recovery time objective (RTO)

83. Which of the following is the MOST appropriate action when a tolerance threshold is exceeded?

Communicate potential impact to decision makers.

Research the root cause of similar incidents.

Verify the response plan is adequate.

Increase human resources to respond in the interim.

84. Which of the following presents the GREATEST challenge for an IT risk practitioner who wants to report on trends in historical IT risk levels?

Qualitative measures for potential loss events

Changes in owners for identified IT risk scenarios

Changes in methods used to calculate probability

Frequent use of risk acceptance as a treatment option

85. When developing a new risk register, a risk practitioner should focus on which of the following risk management activities?

Risk management strategy planning

Risk monitoring and control

Risk identification

Risk response planning

86. Which of the following management action will MOST likely change the likelihood rating of a risk scenario related to remote network access?

Updating the organizational policy for remote access

Creating metrics to track remote connections

Implementing multi-factor authentication

Updating remote desktop software

87. Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?

Risk tolerance is decreased.

Residual risk is increased.

Inherent risk is increased.

Risk appetite is decreased

88. it was determined that replication of a critical database used by two business units failed .

Which of the following should be of GREATEST concern1?

The underutilization of the replicated Iink

The cost of recovering the data

The lack of integrity of data

The loss of data confidentiality

89. Which of the following MUST be updated to maintain an IT risk register?

Expected frequency and potential impact

Risk tolerance

Enterprise-wide IT risk assessment

Risk appetite

90. An organization wants to grant remote access to a system containing sensitive data to an overseas third party .

Which of the following should be of GREATEST concern to management?

Transborder data transfer restrictions

Differences in regional standards

Lack of monitoring over vendor activities

Lack of after-hours incident management support

Page 10 of 25

91. What information is MOST helpful to asset owners when classifying organizational assets for risk assessment?

Potential loss to tie business due to non-performance of the asset

Known emerging environmental threats

Known vulnerabilities published by the asset developer

Cost of replacing the asset with a new asset providing similar services

92. The PRIMARY reason for establishing various Threshold levels for a set of key risk indicators (KRIs) is to:

highlight trends of developing risk.

ensure accurate and reliable monitoring.

take appropriate actions in a timely manner.

set different triggers for each stakeholder.

93. Which of the following should be the risk practitioner s FIRST course of action when an organization has decided to expand into new product areas?

Identify any new business objectives with stakeholders.

Present a business case for new controls to stakeholders.

Revise the organization's risk and control policy.

Review existing risk scenarios with stakeholders.

94. Which of the following risk register elements is MOST likely to be updated if the attack surface or exposure of an asset is reduced?

Likelihood rating

Control effectiveness

Assessment approach

Impact rating

95. Which of the following is a risk practitioner's BEST course of action upon learning that a control under internal review may no longer be necessary?

Obtain approval to retire the control.

Update the status of the control as obsolete.

Consult the internal auditor for a second opinion.

Verify the effectiveness of the original mitigation plan.

96. A risk practitioner has observed that there is an increasing trend of users sending sensitive information by email without using encryption .

Which of the following would be the MOST effective approach to mitigate the risk associated with data loss?

Implement a tool to create and distribute violation reports

Raise awareness of encryption requirements for sensitive data.

Block unencrypted outgoing emails which contain sensitive data.

Implement a progressive disciplinary process for email violations.

97. Which of the following BEST confirms the existence and operating effectiveness of information systems controls?

Self-assessment questionnaires completed by management

Review of internal audit and third-party reports

Management review and sign-off on system documentation

First-hand direct observation of the controls in operation

98. Which of the following is the MOST useful indicator to measure the efficiency of an identity and access management process?

Number of tickets for provisioning new accounts

Average time to provision user accounts

Password reset volume per month

Average account lockout time

99. Which of the following is of GREATEST concern when uncontrolled changes are made to the control environment?

A decrease in control layering effectiveness

An increase in inherent risk

An increase in control vulnerabilities

An increase in the level of residual risk

100. Which of the following is the PRIMARY reason for conducting peer reviews of risk analysis?

To enhance compliance with standards

To minimize subjectivity of assessments

To increase consensus among peers

To provide assessments for benchmarking

Page 11 of 25

101. The PRIMARY purpose of using a framework for risk analysis is to:

improve accountability

improve consistency

help define risk tolerance

help develop risk scenarios.

102. An organization maintains independent departmental risk registers that are not automatically aggregated .

Which of the following is the GREATEST concern?

Management may be unable to accurately evaluate the risk profile.

Resources may be inefficiently allocated.

The same risk factor may be identified in multiple areas.

Multiple risk treatment efforts may be initiated to treat a given risk.

103. Which of the following is the MOST important objective of establishing an enterprise risk management (ERM) function within an organization?

To have a unified approach to risk management across the organization

To have a standard risk management process for complying with regulations

To optimize risk management resources across the organization

To ensure risk profiles are presented in a consistent format within the organization

104. 1.The PRIMARY objective for selecting risk response options is to:

reduce risk 10 an acceptable level.

identify compensating controls.

minimize residual risk.

reduce risk factors.

105. Which of the following provides the BEST evidence that risk mitigation plans have been implemented effectively?

Self-assessments by process owners

Mitigation plan progress reports

Risk owner attestation

Change in the level of residual risk

106. Which of the following is the MOST important consideration when sharing risk management updates with executive management?

Including trend analysis of risk metrics

Using an aggregated view of organizational risk

Relying on key risk indicator (KRI) data

Ensuring relevance to organizational goals

107. Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?

Perform an m-depth code review with an expert

Validate functionality by running in a test environment

Implement a service level agreement.

Utilize the change management process.

108. The PRIMARY benefit of maintaining an up-to-date risk register is that it helps to:

implement uniform controls for common risk scenarios.

ensure business unit risk is uniformly distributed.

build a risk profile for management review.

quantify the organization's risk appetite.

109. Which of the following would be MOST helpful when communicating roles associated with the IT risk management process?

Skills matrix

Job descriptions

RACI chart

Organizational chart

110. An organization has outsourced its lease payment process to a service provider who lacks evidence of compliance with a necessary regulatory standard .

Which risk treatment was adopted by the organization?

Acceptance

Transfer

Mitigation

Avoidance

Page 12 of 25

111. Which of the following is the FIRST step when conducting a business impact analysis (BIA)?

Identifying critical information assets

Identifying events impacting continuity of operations;

Creating a data classification scheme

Analyzing previous risk assessment results

112. Which of the following is the GREATEST benefit of incorporating IT risk scenarios into the corporate risk register?

Corporate incident escalation protocols are established.

Exposure is integrated into the organization's risk profile.

Risk appetite cascades to business unit management

The organization-wide control budget is expanded.

113. Which of the following would provide the BEST evidence of an effective internal control environment/?

Risk assessment results

Adherence to governing policies

Regular stakeholder briefings

Independent audit results

114. A risk manager has determined there is excessive risk with a particular technology.

Who is the BEST person to own the unmitigated risk of the technology?

IT system owner

Chief financial officer

Chief risk officer

Business process owner

115. The PRIMARY purpose of vulnerability assessments is to:

provide clear evidence that the system is sufficiently secure.

determine the impact of potential threats.

test intrusion detection systems (IDS) and response procedures.

detect weaknesses that could lead to system compromise.

116. Which of the following provides the BEST evidence that risk responses have been executed according to their risk action plans?

Risk policy review

Business impact analysis (B1A)

Control catalog

Risk register

117. Which of the following sources is MOST relevant to reference when updating security awareness training materials?

Risk management framework

Risk register

Global security standards

Recent security incidents reported by competitors

118. A monthly payment report is generated from the enterprise resource planning (ERP) software to validate data against the old and new payroll systems .

What is the BEST way to mitigate the risk associated with data integrity loss in the new payroll system after data migration?

Compare new system reports with functional requirements.

Compare encrypted data with checksums.

Compare results of user acceptance testing (UAT) with the testing criteria.

Compare processing output from both systems using the previous month's data.

119. The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for.

data logging and monitoring

data mining and analytics

data classification and labeling

data retention and destruction

120. An organization delegates its data processing to the internal IT team to manage information through its applications .

Which of the following is the role of the internal IT team in this situation?

Data controllers

Data processors

Data custodians

Data owners

Page 13 of 25

121. The PRIMARY benefit of using a maturity model is that it helps to evaluate the:

capability to implement new processes

evolution of process improvements

degree of compliance with policies and procedures

control requirements.

122. An organization plans to migrate sensitive information to a public cloud infrastructure .

Which of the following is the GREATEST security risk in this scenario?

Data may be commingled with other tenants' data.

System downtime does not meet the organization's thresholds.

The infrastructure will be managed by the public cloud administrator.

The cloud provider is not independently certified.

123. An employee lost a personal mobile device that may contain sensitive corporate information .

What should be the risk practitioner's recommendation?

Conduct a risk analysis.

Initiate a remote data wipe.

Invoke the incident response plan

Disable the user account.

124. Which of the following BEST assists in justifying an investment in automated controls?

Cost-benefit analysis

Alignment of investment with risk appetite

Elimination of compensating controls

Reduction in personnel costs

125. Which of the following will be MOST effective in uniquely identifying the originator of electronic transactions?

Digital signature

Edit checks

Encryption

Multifactor authentication

126. Which of the following is MOST important for developing effective key risk indicators (KRIs)?

Engaging sponsorship by senior management

Utilizing data and resources internal to the organization

Including input from risk and business unit management

Developing in collaboration with internal audit

127. Which of the following is the PRIMARY reason to use key control indicators (KCIs) to evaluate control operating effectiveness?

To measure business exposure to risk

To identify control vulnerabilities

To monitor the achievement of set objectives

To raise awareness of operational issues

128. Which of the following should an organization perform to forecast the effects of a disaster?

Develop a business impact analysis (BIA).

Define recovery time objectives (RTO).

Analyze capability maturity model gaps.

Simulate a disaster recovery.

129. An internal audit report reveals that not all IT application databases have encryption in place .

Which of the following information would be MOST important for assessing the risk impact?

The number of users who can access sensitive data

A list of unencrypted databases which contain sensitive data

The reason some databases have not been encrypted

The cost required to enforce encryption

130. An organization wants to assess the maturity of its internal control environment.

The FIRST step should be to:

validate control process execution.

determine if controls are effective.

identify key process owners.

conduct a baseline assessment.

Page 14 of 25

131. In an organization where each division manages risk independently, which of the following would BEST enable management of risk at the enterprise level?

A standardized risk taxonomy

A list of control deficiencies

An enterprise risk ownership policy

An updated risk tolerance metric

132. An organization's HR department has implemented a policy requiring staff members to take a minimum of five consecutive days leave per year to mitigate the risk of malicious insider activities .

Which of the following is the BEST key performance indicator (KPI) of the effectiveness of this policy?

Number of malicious activities occurring during staff members leave

Percentage of staff members seeking exception to the policy

Percentage of staff members taking leave according to the policy

Financial loss incurred due to malicious activities during staff members' leave

133. Who should have the authority to approve an exception to a control?

information security manager

Control owner

Risk owner

Risk manager

134. Which of the following is the PRIMARY risk management responsibility of the second line of defense?

Monitoring risk responses

Applying risk treatments

Providing assurance of control effectiveness

Implementing internal controls

135. Which of the following is the MOST important enabler of effective risk management?

User awareness of policies and procedures

Implementation of proper controls

Senior management support

Continuous monitoring of threats and vulnerabilities

136. Which element of an organization's risk register is MOST important to update following the commissioning of a new financial reporting system?

Key risk indicators (KRIs)

The owner of the financial reporting process

The risk rating of affected financial processes

The list of relevant financial controls

137. Which of the following is the BEST method for assessing control effectiveness against technical vulnerabilities that could be exploited to compromise an information system?

Vulnerability scanning

Systems log correlation analysis

Penetration testing

Monitoring of intrusion detection system (IDS) alerts

138. An IT department has organized training sessions to improve user awareness of organizational information security policies .

Which of the following is the BEST key performance indicator (KPI) to reflect effectiveness of the training?

Number of training sessions completed

Percentage of staff members who complete the training with a passing score

Percentage of attendees versus total staff

Percentage of staff members who attend the training with positive feedback

139. A risk assessment has identified increased losses associated with an IT risk scenario. It is MOST important for the risk practitioner to:

update the risk rating.

reevaluate inherent risk.

develop new risk scenarios.

implement additional controls.

140. Which of the following is the PRIMARY role of the board of directors in corporate risk governance?

Approving operational strategies and objectives

Monitoring the results of actions taken to mitigate risk

Ensuring the effectiveness of the risk management program

Ensuring risk scenarios are identified and recorded in the risk register

Page 15 of 25

141. A control owner responsible for the access management process has developed a machine learning model to automatically identify excessive access privileges .

What is the risk practitioner's BEST course of action?

Review the design of the machine learning model against control objectives.

Adopt the machine learning model as a replacement for current manual access reviews.

Ensure the model assists in meeting regulatory requirements for access controls.

Discourage the use of emerging technologies in key processes.

142. Which of the following would BEST help to address the risk associated with malicious outsiders modifying application data?

Multi-factor authentication

Role-based access controls

Activation of control audits

Acceptable use policies

143. Which of the following statements BEST describes risk appetite?

The amount of risk an organization is willing to accept

The effective management of risk and internal control environments

Acceptable variation between risk thresholds and business objectives

The acceptable variation relative to the achievement of objectives

144. Which of the following is the BEST way to detect zero-day malware on an end user's workstation?

An antivirus program

Database activity monitoring

Firewall log monitoring

File integrity monitoring

145. A service provider is managing a client’s servers. During an audit of the service, a noncompliant control is discovered that will not be resolved before the next audit because the client cannot afford the downtime required to correct the issue.

The service provider’s MOST appropriate action would be to:

develop a risk remediation plan overriding the client's decision

make a note for this item in the next audit explaining the situation

insist that the remediation occur for the benefit of other customers

ask the client to document the formal risk acceptance for the provider

146. A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:

communication

identification.

treatment.

assessment.

147. Which of the following is the BEST way to ensure ongoing control effectiveness?

Establishing policies and procedures

Periodically reviewing control design

Measuring trends in control performance

Obtaining management control attestations

148. Prudent business practice requires that risk appetite not exceed:

inherent risk.

risk tolerance.

risk capacity.

residual risk.

149. An organization's risk register contains a large volume of risk scenarios that senior

management considers overwhelming .

Which of the following would BEST help to improve the risk register?

Analyzing the residual risk components

Performing risk prioritization

Validating the risk appetite level

Conducting a risk assessment

150. Which of the following should be considered FIRST when assessing risk associated with the adoption of emerging technologies?

Organizational strategy

Cost-benefit analysis

Control self-assessment (CSA)

Business requirements

Page 16 of 25

151. The MOST essential content to include in an IT risk awareness program is how to:

populate risk register entries and build a risk profile for management reporting.

prioritize IT-related actions by considering risk appetite and risk tolerance.

define the IT risk framework for the organization.

comply with the organization's IT risk and information security policies.

152. Which of the following would be the BEST justification to invest in the development of a governance, risk, and compliance (GRC) solution?

Facilitating risk-aware decision making by stakeholders

Demonstrating management commitment to mitigate risk

Closing audit findings on a timely basis

Ensuring compliance to industry standards

153. Which of the following is MOST essential for an effective change control environment?

Business management approval of change requests

Separation of development and production environments

Requirement of an implementation rollback plan

IT management review of implemented changes

154. Which of the following is MOST important to compare against the corporate risk profile?

Industry benchmarks

Risk tolerance

Risk appetite

Regulatory compliance

155. Which of the following would MOST likely cause a risk practitioner to reassess risk scenarios?

A change in the risk management policy

A major security incident

A change in the regulatory environment

An increase in intrusion attempts

156. Which of the following is MOST effective in continuous risk management process improvement?

Periodic assessments

Change management

Awareness training

Policy updates

157. Which of the following represents a vulnerability?

An identity thief seeking to acquire personal financial data from an organization

Media recognition of an organization's market leadership in its industry

A standard procedure for applying software patches two weeks after release

An employee recently fired for insubordination

158. What is the PRIMARY reason an organization should include background checks on roles with elevated access to production as part of its hiring process?

Reduce internal threats

Reduce exposure to vulnerabilities

Eliminate risk associated with personnel

Ensure new hires have the required skills

159. When an organization’s disaster recovery plan (DRP) has a reciprocal agreement, which of the following risk treatment options is being applied?

Acceptance

Mitigation

Transfer

Avoidance

160. Which of the following is performed after a risk assessment is completed?

Defining risk taxonomy

Identifying vulnerabilities

Conducting an impact analysis

Defining risk response options

Page 17 of 25

161. An organization is implementing encryption for data at rest to reduce the risk associated with unauthorized access .

Which of the following MUST be considered to assess the residual risk?

Data retention requirements

Data destruction requirements

Cloud storage architecture

Key management

162. Which of the following provides the MOST useful information when developing a risk profile for management approval?

Residual risk and risk appetite

Strength of detective and preventative controls

Effectiveness and efficiency of controls

Inherent risk and risk tolerance

163. After identifying new risk events during a project, the project manager s NEXT step should be to:

determine if the scenarios need 10 be accepted or responded to.

record the scenarios into the risk register.

continue with a qualitative risk analysis.

continue with a quantitative risk analysis.

164. An organization has outsourced its IT security operations to a third party.

Who is ULTIMATELY accountable for the risk associated with the outsourced operations?

The third party s management

The organization's management

The control operators at the third party

The organization's vendor management office

165. Performing a background check on a new employee candidate before hiring is an example of what type of control?

Detective

Compensating

Corrective

Preventive

166. Which of the following is MOST important for an organization to have in place when developing a risk management framework?

A strategic approach to risk including an established risk appetite

A risk-based internal audit plan for the organization

A control function within the risk management team

An organization-wide risk awareness training program

167. Which of the following approaches would BEST help to identify relevant risk scenarios?

Engage line management in risk assessment workshops.

Escalate the situation to risk leadership.

Engage internal audit for risk assessment workshops.

Review system and process documentation.

168. Which of the following is MOST helpful in verifying that the implementation of a risk mitigation control has been completed as intended?

An updated risk register

Risk assessment results

Technical control validation

Control testing results

169. An organization is planning to outsource its payroll function to an external service provider.

Which of the following should be the MOST important consideration when selecting the provider?

Disaster recovery plan (DRP) of the system

Right to audit the provider

Internal controls to ensure data privacy

Transparency of key performance indicators (KPIs)

170. Which of the following BEST enables the identification of trends in risk levels?

Correlation between risk levels and key risk indicators (KRIs) is positive.

Measurements for key risk indicators (KRIs) are repeatable

Quantitative measurements are used for key risk indicators (KRIs).

Qualitative definitions for key risk indicators (KRIs) are used.

Page 18 of 25

171. Which of the following is the MOST important objective of regularly presenting the project risk register to the project steering committee?

To allocate budget for resolution of risk issues

To determine if new risk scenarios have been identified

To ensure the project timeline is on target

To track the status of risk mitigation actions

172. An IT risk practitioner has been asked to regularly report on the overall status and effectiveness of the IT risk management program .

Which of the following is MOST useful for this purpose?

Balanced scorecard

Capability maturity level

Internal audit plan

Control self-assessment (CSA)

173. An organization's financial analysis department uses an in-house forecasting application for business projections.

Who is responsible for defining access roles to protect the sensitive data within this application?

IT risk manager

IT system owner

Information security manager

Business owner

174. An identified high probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy .

Which of the following is the BEST risk response?

Mitigate

Transfer

Avoid

175. When evaluating enterprise IT risk management it is MOST important to:

create new control processes to reduce identified IT risk scenarios

confirm the organization’s risk appetite and tolerance

report identified IT risk scenarios to senior management

review alignment with the organization's investment plan

176. Which of the following is the MOST important input when developing risk scenarios?

Key performance indicators

Business objectives

The organization's risk framework

Risk appetite

177. Which of the following is the BEST approach to mitigate the risk associated with a control deficiency?

Perform a business case analysis

Implement compensating controls.

Conduct a control sell-assessment (CSA)

Build a provision for risk

178. The MAIN purpose of conducting a control self-assessment (CSA) is to:

gain a better understanding of the control effectiveness in the organization

gain a better understanding of the risk in the organization

adjust the controls prior to an external audit

reduce the dependency on external audits

179. A risk practitioner observes that hardware failure incidents have been increasing over the last few months. However, due to built-in redundancy and fault-tolerant architecture, there have been no interruptions to business operations. The risk practitioner should conclude that:

a root cause analysis is required

controls are effective for ensuring continuity

hardware needs to be upgraded

no action is required as there was no impact

180. Which of the following is the MAIN benefit of involving stakeholders in the selection of key risk indicators (KRIs)?

Improving risk awareness

Obtaining buy-in from risk owners

Leveraging existing metrics

Optimizing risk treatment decisions

Page 19 of 25

181. Which of the following is the MAIN reason for analyzing risk scenarios?

Identifying additional risk scenarios

Updating the heat map

Assessing loss expectancy

Establishing a risk appetite

182. When developing risk scenario using a list of generic scenarios based on industry best practices, it is MOST imported to:

Assess generic risk scenarios with business users.

Validate the generic risk scenarios for relevance.

Select the maximum possible risk scenarios from the list.

Identify common threats causing generic risk scenarios

183. A risk practitioner is organizing a training session lo communicate risk assessment methodologies to ensure a consistent risk view within the organization.

Which of the following i< the MOST important topic to cover in this training?

Applying risk appetite

Applying risk factors

Referencing risk event data

Understanding risk culture

184. When reporting risk assessment results to senior management, which of the following is MOST important to include to enable risk-based decision making?

Risk action plans and associated owners

Recent audit and self-assessment results

Potential losses compared to treatment cost

A list of assets exposed to the highest risk

185. An organization discovers significant vulnerabilities in a recently purchased commercial off-the-shelf software product which will not be corrected until the next release .

Which of the following is the risk manager's BEST course of action?

Review the risk of implementing versus postponing with stakeholders.

Run vulnerability testing tools to independently verify the vulnerabilities.

Review software license to determine the vendor's responsibility regarding vulnerabilities.

Require the vendor to correct significant vulnerabilities prior to installation.

186. The PRIMARY purpose of IT control status reporting is to:

ensure compliance with IT governance strategy.

assist internal audit in evaluating and initiating remediation efforts.

benchmark IT controls with Industry standards.

facilitate the comparison of the current and desired states.

187. Accountability for a particular risk is BEST represented in a:

risk register

risk catalog

risk scenario

RACI matrix

188. The risk associated with an asset after controls are applied can be expressed as:

a function of the cost and effectiveness of controls.

the likelihood of a given threat.

a function of the likelihood and impact.

the magnitude of an impact.

189. Which of the following MOST effectively limits the impact of a ransomware attack?

Cyber insurance

Cryptocurrency reserve

Data backups

End user training

190. An organization learns of a new ransomware attack affecting organizations worldwide .

Which of the following should be done FIRST to reduce the likelihood of infection from the attack?

Identify systems that are vulnerable to being exploited by the attack.

Confirm with the antivirus solution vendor whether the next update will detect the attack.

Verify the data backup process and confirm which backups are the most recent ones available.

Obtain approval for funding to purchase a cyber insurance plan.

Page 20 of 25

191. The design of procedures to prevent fraudulent transactions within an enterprise resource planning (ERP) system should be based on:

stakeholder risk tolerance.

benchmarking criteria.

suppliers used by the organization.

the control environment.

192. Following a significant change to a business process, a risk practitioner believes the associated risk has been reduced.

The risk practitioner should advise the risk owner to FIRST

review the key risk indicators.

conduct a risk analysis.

update the risk register

reallocate risk response resources.

193. Which of the following is the PRIMARY reason to establish the root cause of an IT security

incident?

Prepare a report for senior management.

Assign responsibility and accountability for the incident.

Update the risk register.

Avoid recurrence of the incident.

194. Which of the following would be a risk practitioner's BEST course of action when a project team has accepted a risk outside the established risk appetite?

Reject the risk acceptance and require mitigating controls.

Monitor the residual risk level of the accepted risk.

Escalate the risk decision to the project sponsor for review.

Document the risk decision in the project risk register.

195. Days before the realization of an acquisition, a data breach is discovered at the company to be acquired.

For the accruing organization, this situation represents which of the following?

Threat event

Inherent risk

Risk event

Security incident

196. An organization is considering the adoption of an aggressive business strategy to achieve desired growth.

From a risk management perspective what should the risk practitioner do NEXT?

Identify new threats resorting from the new business strategy

Update risk awareness training to reflect current levels of risk appetite and tolerance

Inform the board of potential risk scenarios associated with aggressive business strategies

Increase the scale for measuring impact due to threat materialization

197. Upon learning that the number of failed back-up attempts continually exceeds the current risk threshold, the risk practitioner should:

inquire about the status of any planned corrective actions

keep monitoring the situation as there is evidence that this is normal

adjust the risk threshold to better reflect actual performance

initiate corrective action to address the known deficiency

198. Which of the following controls BEST enables an organization to ensure a complete and accurate IT asset inventory?

Prohibiting the use of personal devices for business

Performing network scanning for unknown devices

Requesting an asset list from business owners

Documenting asset configuration baselines

199. Which of the following approaches will BEST help to ensure the effectiveness of risk awareness training?

Piloting courses with focus groups

Using reputable third-party training programs

Reviewing content with senior management

Creating modules for targeted audiences

200. Which of the following would MOST likely drive the need to review and update key performance indicators (KPIs) for critical IT assets?

The outsourcing of related IT processes

Outcomes of periodic risk assessments

Changes in service level objectives

Findings from continuous monitoring

Page 21 of 25

201. Which of the following would BEST help to ensure that identified risk is efficiently managed?

Reviewing the maturity of the control environment

Regularly monitoring the project plan

Maintaining a key risk indicator for each asset in the risk register

Periodically reviewing controls per the risk treatment plan

202. Which of the following should be management's PRIMARY focus when key risk indicators (KRIs) begin to rapidly approach defined thresholds?

Designing compensating controls

Determining if KRIs have been updated recently

Assessing the effectiveness of the incident response plan

Determining what has changed in the environment

203. Which of the following is the MOST effective way to integrate risk and compliance management?

Embedding risk management into compliance decision-making

Designing corrective actions to improve risk response capabilities

Embedding risk management into processes that are aligned with business drivers

Conducting regular self-assessments to verify compliance

204. An organization has provided legal text explaining the rights and expected behavior of users accessing a system from geographic locations that have strong privacy regulations .

Which of the following control types has been applied?

Detective

Directive

Preventive

Compensating

205. An organization automatically approves exceptions to security policies on a recurring basis.

This practice is MOST likely the result of:

a lack of mitigating actions for identified risk

decreased threat levels

ineffective service delivery

ineffective IT governance

206. Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited .

Which of the following would be the BEST response to this scenario?

Assess the vulnerability management process.

Conduct a control serf-assessment.

Conduct a vulnerability assessment.

Reassess the inherent risk of the target.

207. The MOST important characteristic of an organization s policies is to reflect the organization's:

risk assessment methodology.

risk appetite.

capabilities

asset value.

208. Which of the following is MOST useful when communicating risk to management?

Risk policy

Audit report

Risk map

Maturity model

209. Which of the following is MOST helpful to review when identifying risk scenarios associated with the adoption of Internet of Things (loT) technology in an organization?

The business case for the use of loT

The loT threat landscape

Policy development for loT

The network that loT devices can access

210. A risk practitioner has learned that an effort to implement a risk mitigation action plan has stalled due to lack of funding.

The risk practitioner should report that the associated risk has been:

mitigated

accepted

avoided

deferred

Page 22 of 25

211. Calculation of the recovery time objective (RTO) is necessary to determine the:

time required to restore files.

point of synchronization

priority of restoration.

annual loss expectancy (ALE).

212. Which of the following is the BEST indication of a mature organizational risk culture?

Corporate risk appetite is communicated to staff members.

Risk owners understand and accept accountability for risk.

Risk policy has been published and acknowledged by employees.

Management encourages the reporting of policy breaches.

213. The PRIMARY advantage of involving end users in continuity planning is that they:

have a better understanding of specific business needs

can balance the overall technical and business concerns

can see the overall impact to the business

are more objective than information security management.

214. Which of the following tools is MOST effective in identifying trends in the IT risk profile?

Risk self-assessment

Risk register

Risk dashboard

Risk map

215. When using a third party to perform penetration testing, which of the following is the MOST important control to minimize operational impact?

Perform a background check on the vendor.

Require the vendor to sign a nondisclosure agreement.

Require the vendor to have liability insurance.

Clearly define the project scope

216. Within the three lines of defense model, the accountability for the system of internal control resides with:

the chief information officer (CIO).

the board of directors

enterprise risk management

the risk practitioner

217. Vulnerabilities have been detected on an organization's systems. Applications installed on these systems will not operate if the underlying servers are updated .

Which of the following is the risk practitioner's BEST course of action?

Recommend the business change the application.

Recommend a risk treatment plan.

Include the risk in the next quarterly update to management.

Implement compensating controls.

218. Which of the following presents the GREATEST risk to change control in business application development over the complete life cycle?

Emphasis on multiple application testing cycles

Lack of an integrated development environment (IDE) tool

Introduction of requirements that have not been approved

Bypassing quality requirements before go-live

219. Which of the following would provide the MOST useful information to a risk owner when reviewing the progress of risk mitigation?

Key audit findings

Treatment plan status

Performance indicators

Risk scenario results

220. Which of the following is the PRIMARY reason for an organization to ensure the risk register is updated regularly?

Risk assessment results are accessible to senior management and stakeholders.

Risk mitigation activities are managed and coordinated.

Key risk indicators (KRIs) are evaluated to validate they are still within the risk threshold.

Risk information is available to enable risk-based decisions.

Page 23 of 25

221. The PRIMARY benefit of classifying information assets is that it helps to:

communicate risk to senior management

assign risk ownership

facilitate internal audit

determine the appropriate level of control

222. Which of the following is the MOST important consideration when sharing risk management updates with executive management?

Using an aggregated view of organizational risk

Ensuring relevance to organizational goals

Relying on key risk indicator (KRI) data Including

Trend analysis of risk metrics

223. The BEST key performance indicator (KPI) to measure the effectiveness of a vendor risk management program is the percentage of:

vendors providing risk assessments on time.

vendor contracts reviewed in the past year.

vendor risk mitigation action items completed on time.

vendors that have reported control-related incidents.

224. Which of the following BEST facilitates the mitigation of identified gaps between current and desired risk environment states?

Develop a risk treatment plan.

Validate organizational risk appetite.

Review results of prior risk assessments.

Include the current and desired states in the risk register.

225. A rule-based data loss prevention {DLP) tool has recently been implemented to reduce the risk of sensitive data leakage .

Which of the following is MOST likely to change as a result of this implementation?

Risk likelihood

Risk velocity

Risk appetite

Risk impact

226. Which of the following is the BEST method to ensure a terminated employee's access to IT systems is revoked upon departure from the organization?

A list of terminated employees is generated for reconciliation against current IT access.

A process to remove employee access during the exit interview is implemented.

The human resources (HR) system automatically revokes system access.

227. Which of the following practices BEST mitigates risk related to enterprise-wide ethical

decision making in a multi-national organization?

Customized regional training on local laws and regulations

Policies requiring central reporting of potential procedure exceptions

Ongoing awareness training to support a common risk culture

Zero-tolerance policies for risk taking by middle-level managers

228. To reduce costs, an organization is combining the second and third tines of defense in a new department that reports to a recently appointed C-level executive .

Which of the following is the GREATEST concern with this situation?

The risk governance approach of the second and third lines of defense may differ.

The independence of the internal third line of defense may be compromised.

Cost reductions may negatively impact the productivity of other departments.

The new structure is not aligned to the organization's internal control framework.

229. Which of the following is a KEY consideration for a risk practitioner to communicate to senior management evaluating the introduction of artificial intelligence (Al) solutions into the organization?

Al requires entirely new risk management processes.

Al potentially introduces new types of risk.

Al will result in changes to business processes.

Third-party Al solutions increase regulatory obligations.

230. Which of the following is the BEST control to detect an advanced persistent threat (APT)?

Utilizing antivirus systems and firewalls

Conducting regular penetration tests

Monitoring social media activities

Implementing automated log monitoring

Page 24 of 25

231. Winch of the following key control indicators (KCIs) BEST indicates whether security requirements are identified and managed throughout a project He cycle?

Number of projects going live without a security review

Number of employees completing project-specific security training

Number of security projects started in core departments

Number of security-related status reports submitted by project managers

232. Which of the following is the MOST important reason to link an effective key control indicator (KCI) to relevant key risk indicators (KRIs)?

To monitor changes in the risk environment

To provide input to management for the adjustment of risk appetite

To monitor the accuracy of threshold levels in metrics

To obtain business buy-in for investment in risk mitigation measures

233. Which of the following is the GREATEST advantage of implementing a risk management program?

Enabling risk-aware decisions

Promoting a risk-aware culture

Improving security governance

Reducing residual risk

234. Which of the following would be MOST relevant to stakeholders regarding ineffective control implementation?

Threat to IT

Number of control failures

Impact on business

Risk ownership

235. Which of the following would be of GREATEST assistance when justifying investment in risk response strategies?

Total cost of ownership

Resource dependency analysis

Cost-benefit analysis

Business impact analysis

236. An organization is planning to acquire a new financial system .

Which of the following stakeholders would provide the MOST relevant information for analyzing the risk associated with the new IT solution?

Project sponsor

Process owner

Risk manager

Internal auditor

237. An organization has procured a managed hosting service and just discovered the location is likely to be flooded every 20 years. Of the following, who should be notified of this new information FIRST.

The risk owner who also owns the business service enabled by this infrastructure

The data center manager who is also employed under the managed hosting services contract

The site manager who is required to provide annual risk assessments under the contract

The chief information officer (CIO) who is responsible for the hosted services

238. The MAIN purpose of having a documented risk profile is to:

comply with external and internal requirements.

enable well-informed decision making.

prioritize investment projects.

keep the risk register up-to-date.

239. Which of the following trends would cause the GREATEST concern regarding the effectiveness of an organization's user access control processes? An increase in the:

ratio of disabled to active user accounts.

percentage of users with multiple user accounts.

average number of access entitlements per user account.

average time between user transfers and access updates.

240. After the implementation of internal of Things (IoT) devices, new risk scenarios were identified .

What is the PRIMARY reason to report this information to risk owners?

To reevaluate continued use to IoT devices

The add new controls to mitigate the risk

The recommend changes to the IoT policy

To confirm the impact to the risk profile

Page 25 of 25

241. Which of the following activities would BEST contribute to promoting an organization-wide risk-aware culture?

Performing a benchmark analysis and evaluating gaps

Conducting risk assessments and implementing controls

Communicating components of risk and their acceptable levels

Participating in peer reviews and implementing best practices

242. Which of the following BEST indicates the condition of a risk management program?

Number of risk register entries

Number of controls

Level of financial support

Amount of residual risk

243. Which of the following should be determined FIRST when a new security vulnerability is made public?

Whether the affected technology is used within the organization

Whether the affected technology is Internet-facing

What mitigating controls are currently in place

How pervasive the vulnerability is within the organization

244. Which of the following would BEST enable mitigation of newly identified risk factors related to internet of Things (loT)?

Introducing control procedures early in the life cycle

Implementing loT device software monitoring

Performing periodic risk assessments of loT

Performing secure code reviews