Weekend Special 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: sale65best

How to Easily Pass the Isaca CRISC Exam: Expert Advice

Questions 51

Which of the following is MOST important to the effective monitoring of key risk indicators (KRIS)?

Options:

A.

Updating the threat inventory with new threats

B.

Automating log data analysis

C.

Preventing the generation of false alerts

D.

Determining threshold levels

Buy Now
Questions 52

A risk practitioner notices that a particular key risk indicator (KRI) has remained below its established trigger point for an extended period of time. Which of the following should be done FIRST?

Options:

A.

Recommend a re-evaluation of the current threshold of the KRI.

B.

Notify management that KRIs are being effectively managed.

C.

Update the risk rating associated with the KRI In the risk register.

D.

Update the risk tolerance and risk appetite to better align to the KRI.

Buy Now
Questions 53

Within the three lines of defense model, the accountability for the system of internal control resides with:

Options:

A.

the chief information officer (CIO).

B.

the board of directors

C.

enterprise risk management

D.

the risk practitioner

Buy Now
Questions 54

IT disaster recovery point objectives (RPOs) should be based on the:

Options:

A.

maximum tolerable downtime.

B.

maximum tolerable loss of data.

C.

need of each business unit.

D.

type of business.

Buy Now
Questions 55

Which of the following indicates an organization follows IT risk management best practice?

Options:

A.

The risk register template uses an industry standard.

B.

The risk register is regularly updated.

C.

All fields in the risk register have been completed.

D.

Controls are listed against risk entries in the register.

Buy Now
Questions 56

It is MOST important to the effectiveness of an IT risk management function that the associated processes are:

Options:

A.

aligned to an industry-accepted framework.

B.

reviewed and approved by senior management.

C.

periodically assessed against regulatory requirements.

D.

updated and monitored on a continuous basis.

Buy Now
Questions 57

Which of the following would provide the MOST comprehensive information for updating an organization's risk register?

Options:

A.

Results of the latest risk assessment

B.

Results of a risk forecasting analysis

C.

A review of compliance regulations

D.

Findings of the most recent audit

Buy Now
Questions 58

Which of the following would BEST enable mitigation of newly identified risk factors related to internet of Things (loT)?

Options:

A.

Introducing control procedures early in the life cycle

B.

Implementing loT device software monitoring

C.

Performing periodic risk assessments of loT

D.

Performing secure code reviews

Buy Now
Questions 59

The MOST essential content to include in an IT risk awareness program is how to:

Options:

A.

populate risk register entries and build a risk profile for management reporting.

B.

prioritize IT-related actions by considering risk appetite and risk tolerance.

C.

define the IT risk framework for the organization.

D.

comply with the organization's IT risk and information security policies.

Buy Now
Questions 60

Which of the following BEST indicates that an organizations risk management program is effective?

Options:

A.

Fewer security incidents have been reported.

B.

The number of audit findings has decreased.

C.

Residual risk is reduced.

D.

inherent risk Is unchanged.

Buy Now
Questions 61

Which of the following should management consider when selecting a risk mitigation option?

Options:

A.

Maturity of the enterprise architecture

B.

Cost of control implementation

C.

Reliability of key performance indicators (KPIs)

D.

Reliability of key risk indicators (KPIs)

Buy Now
Questions 62

A risk practitioner shares the results of a vulnerability assessment for a critical business application with the business manager. Which of the following is the NEXT step?

Options:

A.

Develop a risk action plan to address the findings.

B.

Evaluate the impact of the vulnerabilities to the business application.

C.

Escalate the findings to senior management and internal audit.

D.

Conduct a penetration test to validate the vulnerabilities from the findings.

Buy Now
Questions 63

Who is responsible for IT security controls that are outsourced to an external service provider?

Options:

A.

Organization's information security manager

B.

Organization's risk function

C.

Service provider's IT management

D.

Service provider's information security manager

Buy Now
Questions 64

Who should be responsible for strategic decisions on risk management?

Options:

A.

Chief information officer (CIO)

B.

Executive management team

C.

Audit committee

D.

Business process owner

Buy Now
Questions 65

Which of the following is MOST influential when management makes risk response decisions?

Options:

A.

Risk appetite

B.

Audit risk

C.

Residual risk

D.

Detection risk

Buy Now
Questions 66

Which of the following would BEST enable a risk practitioner to embed risk management within the organization?

Options:

A.

Provide risk management feedback to key stakeholders.

B.

Collect and analyze risk data for report generation.

C.

Monitor and prioritize risk data according to the heat map.

D.

Engage key stakeholders in risk management practices.

Buy Now
Questions 67

Which of the following is MOST important to include in a Software as a Service (SaaS) vendor agreement?

Options:

A.

An annual contract review

B.

A service level agreement (SLA)

C.

A requirement to adopt an established risk management framework

D.

A requirement to provide an independent audit report

Buy Now
Questions 68

Which of the following would be MOST beneficial as a key risk indicator (KRI)?

Options:

A.

Current capital allocation reserves

B.

Negative security return on investment (ROI)

C.

Project cost variances

D.

Annualized loss projections

Buy Now
Questions 69

The GREATEST concern when maintaining a risk register is that:

Options:

A.

impacts are recorded in qualitative terms.

B.

executive management does not perform periodic reviews.

C.

IT risk is not linked with IT assets.

D.

significant changes in risk factors are excluded.

Buy Now
Questions 70

Which of the following will BEST help ensure that risk factors identified during an information systems review are addressed?

Options:

A.

Informing business process owners of the risk

B.

Reviewing and updating the risk register

C.

Assigning action items and deadlines to specific individuals

D.

Implementing new control technologies

Buy Now
Questions 71

Once a risk owner has decided to implement a control to mitigate risk, it is MOST important to develop:

Options:

A.

a process for measuring and reporting control performance.

B.

an alternate control design in case of failure of the identified control.

C.

a process for bypassing control procedures in case of exceptions.

D.

procedures to ensure the effectiveness of the control.

Buy Now
Questions 72

Which of the following is the MAIN benefit of involving stakeholders in the selection of key risk indicators (KRIs)?

Options:

A.

Improving risk awareness

B.

Obtaining buy-in from risk owners

C.

Leveraging existing metrics

D.

Optimizing risk treatment decisions

Buy Now
Questions 73

What is the GREATEST concern with maintaining decentralized risk registers instead of a consolidated risk register?

Options:

A.

Aggregated risk may exceed the enterprise's risk appetite and tolerance.

B.

Duplicate resources may be used to manage risk registers.

C.

Standardization of risk management practices may be difficult to enforce.

D.

Risk analysis may be inconsistent due to non-uniform impact and likelihood scales.

Buy Now
Questions 74

Which of the following will BEST ensure that information security risk factors are mitigated when developing in-house applications?

Options:

A.

Identify information security controls in the requirements analysis

B.

Identify key risk indicators (KRIs) as process output.

C.

Design key performance indicators (KPIs) for security in system specifications.

D.

Include information security control specifications in business cases.

Buy Now
Questions 75

Which of the following provides the MOST important information to facilitate a risk response decision?

Options:

A.

Audit findings

B.

Risk appetite

C.

Key risk indicators

D.

Industry best practices

Buy Now
Questions 76

To mitigate the risk of using a spreadsheet to analyze financial data, IT has engaged a third-party vendor to deploy a standard application to automate the process. Which of the following parties should own the risk associated with calculation errors?

Options:

A.

business owner

B.

IT department

C.

Risk manager

D.

Third-party provider

Buy Now
Questions 77

The BEST key performance indicator (KPI) to measure the effectiveness of a vendor risk management program is the percentage of:

Options:

A.

vendors providing risk assessments on time.

B.

vendor contracts reviewed in the past year.

C.

vendor risk mitigation action items completed on time.

D.

vendors that have reported control-related incidents.

Buy Now
Questions 78

A maturity model will BEST indicate:

Options:

A.

confidentiality and integrity.

B.

effectiveness and efficiency.

C.

availability and reliability.

D.

certification and accreditation.

Buy Now
Questions 79

Which of the following is a KEY responsibility of the second line of defense?

Options:

A.

Implementing control activities

B.

Monitoring control effectiveness

C.

Conducting control self-assessments

D.

Owning risk scenarios

Buy Now
Questions 80

A risk practitioner is assisting with the preparation of a report on the organization s disaster recovery (DR) capabilities. Which information would have the MOST impact on the overall recovery profile?

Options:

A.

The percentage of systems meeting recovery target times has increased.

B.

The number of systems tested in the last year has increased.

C.

The number of systems requiring a recovery plan has increased.

D.

The percentage of systems with long recovery target times has decreased.

Buy Now
Questions 81

Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?

Options:

A.

Identify the potential risk.

B.

Monitor employee usage.

C.

Assess the potential risk.

D.

Develop risk awareness training.

Buy Now
Questions 82

From a business perspective, which of the following is the MOST important objective of a disaster recovery test?

Options:

A.

The organization gains assurance it can recover from a disaster

B.

Errors are discovered in the disaster recovery process.

C.

All business-critical systems are successfully tested.

D.

All critical data is recovered within recovery time objectives (RTOs).

Buy Now
Questions 83

The number of tickets to rework application code has significantly exceeded the established threshold. Which of the following would be the risk practitioner s BEST recommendation?

Options:

A.

Perform a root cause analysis

B.

Perform a code review

C.

Implement version control software.

D.

Implement training on coding best practices

Buy Now
Questions 84

The BEST way to justify the risk mitigation actions recommended in a risk assessment would be to:

Options:

A.

align with audit results.

B.

benchmark with competitor s actions.

C.

reference best practice.

D.

focus on the business drivers

Buy Now
Questions 85

Which of the following would be considered a vulnerability?

Options:

A.

Delayed removal of employee access

B.

Authorized administrative access to HR files

C.

Corruption of files due to malware

D.

Server downtime due to a denial of service (DoS) attack

Buy Now
Questions 86

Which of the following BEST describes the role of the IT risk profile in strategic IT-related decisions?

Options:

A.

It compares performance levels of IT assets to value delivered.

B.

It facilitates the alignment of strategic IT objectives to business objectives.

C.

It provides input to business managers when preparing a business case for new IT projects.

D.

It helps assess the effects of IT decisions on risk exposure

Buy Now
Questions 87

Which of the following is the BEST approach to use when creating a comprehensive set of IT risk scenarios?

Options:

A.

Derive scenarios from IT risk policies and standards.

B.

Map scenarios to a recognized risk management framework.

C.

Gather scenarios from senior management.

D.

Benchmark scenarios against industry peers.

Buy Now
Questions 88

Risk mitigation procedures should include:

Options:

A.

buying an insurance policy.

B.

acceptance of exposures

C.

deployment of counter measures.

D.

enterprise architecture implementation.

Buy Now
Questions 89

A risk practitioners PRIMARY focus when validating a risk response action plan should be that risk response:

Options:

A.

reduces risk to an acceptable level

B.

quantifies risk impact

C.

aligns with business strategy

D.

advances business objectives.

Buy Now
Questions 90

Which of the following is the BEST way to determine the ongoing efficiency of control processes?

Options:

A.

Perform annual risk assessments.

B.

Interview process owners.

C.

Review the risk register.

D.

Analyze key performance indicators (KPIs).

Buy Now
Questions 91

A risk assessment has identified that an organization may not be in compliance with industry regulations. The BEST course of action would be to:

Options:

A.

conduct a gap analysis against compliance criteria.

B.

identify necessary controls to ensure compliance.

C.

modify internal assurance activities to include control validation.

D.

collaborate with management to meet compliance requirements.

Buy Now
Questions 92

Which of the following would be a risk practitioner's BEST course of action when a project team has accepted a risk outside the established risk appetite?

Options:

A.

Reject the risk acceptance and require mitigating controls.

B.

Monitor the residual risk level of the accepted risk.

C.

Escalate the risk decision to the project sponsor for review.

D.

Document the risk decision in the project risk register.

Buy Now
Questions 93

An organization is considering the adoption of an aggressive business strategy to achieve desired growth From a risk management perspective what should the risk practitioner do NEXT?

Options:

A.

Identify new threats resorting from the new business strategy

B.

Update risk awareness training to reflect current levels of risk appetite and tolerance

C.

Inform the board of potential risk scenarios associated with aggressive business strategies

D.

Increase the scale for measuring impact due to threat materialization

Buy Now
Questions 94

Which of the following should be of MOST concern to a risk practitioner reviewing an organization risk register after the completion of a series of risk assessments?

Options:

A.

Several risk action plans have missed target completion dates.

B.

Senior management has accepted more risk than usual.

C.

Risk associated with many assets is only expressed in qualitative terms.

D.

Many risk scenarios are owned by the same senior manager.

Buy Now
Questions 95

Business management is seeking assurance from the CIO that IT has a plan in place for early identification of potential issues that could impact the delivery of a new application Which of the following is the BEST way to increase the chances of a successful delivery'?

Options:

A.

Implement a release and deployment plan

B.

Conduct comprehensive regression testing.

C.

Develop enterprise-wide key risk indicators (KRls)

D.

Include business management on a weekly risk and issues report

Buy Now
Questions 96

What is the PRIMARY reason an organization should include background checks on roles with elevated access to production as part of its hiring process?

Options:

A.

Reduce internal threats

B.

Reduce exposure to vulnerabilities

C.

Eliminate risk associated with personnel

D.

Ensure new hires have the required skills

Buy Now
Questions 97

The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for.

Options:

A.

data logging and monitoring

B.

data mining and analytics

C.

data classification and labeling

D.

data retention and destruction

Buy Now
Questions 98

Which key performance efficiency IKPI) BEST measures the effectiveness of an organization's disaster recovery program?

Options:

A.

Number of service level agreement (SLA) violations

B.

Percentage of recovery issues identified during the exercise

C.

Number of total systems recovered within tie recovery point objective (RPO)

D.

Percentage of critical systems recovered within tie recovery time objective (RTO)

Buy Now
Questions 99

Which of the following would be of GREATEST concern regarding an organization's asset management?

Options:

A.

Lack of a mature records management program

B.

Lack of a dedicated asset management team

C.

Decentralized asset lists

D.

Incomplete asset inventory

Buy Now
Questions 100

To define the risk management strategy which of the following MUST be set by the board of directors?

Options:

A.

Operational strategies

B.

Risk governance

C.

Annualized loss expectancy (ALE)

D.

Risk appetite

Buy Now