Weekend Special 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: sale65best

How to Easily Pass the Isaca CRISC Exam: Expert Advice

Questions 251

An organizational policy requires critical security patches to be deployed in production within three weeks of patch availability. Which of the following is the BEST metric to verify adherence to the policy?

Options:
A.

Maximum time gap between patch availability and deployment

B.

Percentage of critical patches deployed within three weeks

C.

Minimum time gap between patch availability and deployment

D.

Number of critical patches deployed within three weeks

Isaca CRISC Premium Access
Questions 252

A multinational company needs to implement a new centralized security system. The risk practitioner has identified a conflict between the organization's data-handling policy and local privacy regulations. Which of the following would be the BEST recommendation?

Options:
A.

Request a policy exception from senior management.

B.

Comply with the organizational policy.

C.

Report the noncompliance to the local regulatory agency.

D.

Request an exception from the local regulatory agency.

Questions 253

Which of the following is the ULTIMATE objective of utilizing key control indicators (KCIs) in the risk management process?

Options:
A.

To provide a basis for determining the criticality of risk mitigation controls

B.

To provide early warning signs of a potential change in risk level

C.

To provide benchmarks for assessing control design effectiveness against industry peers

D.

To provide insight into the effectiveness of the intemnal control environment

Questions 254

Which of the following BEST helps to mitigate risk associated with excessive access by authorized users?

Options:
A.

Monitoring user activity using security logs

B.

Revoking access for users changing roles

C.

Granting access based on least privilege

D.

Conducting periodic reviews of authorizations granted

Questions 255

It was discovered that a service provider's administrator was accessing sensitive information without the approval of the customer in an Infrastructure as a Service (laaS) model. Which of the following would BEST protect against a future recurrence?

Options:
A.

Data encryption

B.

Intrusion prevention system (IPS)

C.

Two-factor authentication

D.

Contractual requirements

Questions 256

Who is the BEST person to an application system used to process employee personal data?

Options:
A.

Compliance manager

B.

Data privacy manager

C.

System administrator

D.

Human resources (HR) manager

Questions 257

Which of the following is the MOST important consideration when prioritizing risk response?

Options:
A.

Requirements for regulatory obligations.

B.

Cost of control implementation.

C.

Effectiveness of risk treatment.

D.

Number of risk response options.

Questions 258

Which of the following is the MOST effective way to help ensure future risk levels do not exceed the organization's risk appetite?

Options:
A.

Establishing a series of key risk indicators (KRIs).

B.

Adding risk triggers to entries in the risk register.

C.

Implementing key performance indicators (KPIs).

D.

Developing contingency plans for key processes.

Questions 259

Which of the following is the BEST recommendation to address recent IT risk trends that indicate social engineering attempts are increasing in the organization?

Options:
A.

Conduct a simulated phishing attack.

B.

Update spam filters

C.

Revise the acceptable use policy

D.

Strengthen disciplinary procedures

Questions 260

Which of the following is MOST useful input when developing risk scenarios?

Options:
A.

Common attacks in other industries

B.

Identification of risk events

C.

Impact on critical assets

D.

Probability of disruptive risk events

Questions 261

During a post-implementation review for a new system, users voiced concerns about missing functionality. Which of the following is the BEST way for the organization to avoid this situation in the future?

Options:
A.

Test system reliability and performance.

B.

Adopt an Agile development approach.

C.

Conduct user acceptance testing (UAT).

D.

Adopt a phased changeover approach.

Questions 262

Which of the following is the BEST approach when a risk treatment plan cannot be completed on time?

Options:
A.

Replace the action owner with a more experienced individual.

B.

Implement compensating controls until the preferred action can be completed.

C.

Change the risk response strategy of the relevant risk to risk avoidance.

D.

Develop additional key risk indicators (KRIs) until the preferred action can be completed.

Questions 263

An organization operates in an environment where the impact of ransomware attacks is high, with a low likelihood. After quantifying the impact of the risk associated with ransomware attacks exceeds the organization's risk appetite and tolerance, which of the following is the risk practitioner's BEST recommendation?

Options:
A.

Obtain adequate cybersecurity insurance coverage.

B.

Ensure business continuity assessments are up to date.

C.

Adjust the organization's risk appetite and tolerance.

D.

Obtain certification to a global information security standard.

Questions 264

Which of the following is the BEST metric to demonstrate the effectiveness of an organization's patch management process?

Options:
A.

Average time to implement patches after vendor release

B.

Number of patches tested prior to deployment

C.

Increase in the frequency of patches deployed into production

D.

Percent of patches implemented within established timeframe

Questions 265

A penetration testing team discovered an ineffectively designed access control. Who is responsible for ensuring the control design gap is remediated?

Options:
A.

Control owner

B.

Risk owner

C.

IT security manager

D.

Control operator

Questions 266

A key risk indicator (KRI) that incorporates data from external open-source threat intelligence sources has shown changes in risk trend data. Which of the following is MOST important to update in the risk register?

Options:
A.

Impact of risk occurrence

B.

Frequency of risk occurrence

C.

Cost of risk response

D.

Legal aspects of risk realization

Questions 267

Which of the following BEST facilitates the development of relevant risk scenarios?

Options:
A.

Perform quantitative risk analysis of historical data.

B.

Adopt an industry-recognized risk framework.

C.

Use qualitative risk assessment methodologies.

D.

Conduct brainstorming sessions with key stakeholders.

Questions 268

When assigning control ownership, it is MOST important to verify that the owner has accountability for:

Options:
A.

Control effectiveness.

B.

The budget for control implementation.

C.

Assessment of control risk.

D.

Internal control audits.

Questions 269

Which of the following would BEST prevent an unscheduled application of a patch?

Options:
A.

Network-based access controls

B.

Compensating controls

C.

Segregation of duties

D.

Change management

Questions 270

A robotic process automation (RPA) project has implemented new robots to enhance the efficiency of a sales business process. Which of the following provides the BEST evidence that the new controls have been implemented successfully?

Options:
A.

A post-implementation review has been conducted by key personnel.

B.

A qualified independent party assessed the new controls as effective.

C.

Senior management has signed off on the design of the controls.

D.

Robots have operated without human interference on a daily basis.

Questions 271

A global organization is considering the transfer of its customer information systems to an overseas cloud service provider in the event of a disaster. Which of the following should be the MOST important risk consideration?

Options:
A.

Regulatory restrictions for cross-border data transfer

B.

Service level objectives in the vendor contract

C.

Organizational culture differences between each country

D.

Management practices within each company

Questions 272

An organization recently experienced a cyber attack that resulted in the loss of confidential customer data. Which of the following is the risk practitioner's BEST recommendation after recovery steps have been completed?

Options:
A.

Develop new key risk indicators (KRIs).

B.

Perform a root cause analysis.

C.

Recommend the purchase of cyber insurance.

D.

Review the incident response plan.

Questions 273

An organization needs to send files to a business partner to perform a quality control audit on the organization’s record-keeping processes. The files include personal information on the organization's customers. Which of the following is the BEST recommendation to mitigate privacy risk?

Options:
A.

Obfuscate the customers’ personal information.

B.

Require the business partner to delete personal information following the audit.

C.

Use a secure channel to transmit the files.

D.

Ensure the contract includes provisions for sharing personal information.

Questions 274

Warning banners on login screens for laptops provided by an organization to its employees are an example of which type of control?

Options:
A.

Corrective

B.

Preventive

C.

Detective

D.

Deterrent

Questions 275

A user has contacted the risk practitioner regarding malware spreading laterally across the organization's corporate network. Which of the following is the risk practitioner’s BEST course of action?

Options:
A.

Review all log files generated during the period of malicious activity.

B.

Perform a root cause analysis.

C.

Notify the cybersecurity incident response team.

D.

Update the risk register.

Questions 276

Which of the following is MOST important for the organization to consider before implementing a new in-house developed artificial intelligence (Al) solution?

Options:
A.

Industry trends in Al

B.

Expected algorithm outputs

C.

Data feeds

D.

Alert functionality

Questions 277

Which of the following should be of MOST concern to a risk practitioner reviewing the system development life cycle (SDLC)?

Options:
A.

Testing is completed in phases, with user testing scheduled as the final phase.

B.

Segregation of duties controls are overridden during user testing phases.

C.

Data anonymization is used during all cycles of end-user testing.

D.

Testing is completed by IT support users without input from end users.

Questions 278

An application development team has a backlog of user requirements for a new system that will process insurance claim payments for customers. Which of the following should be the MOST important consideration for a risk-based review of the user requirements?

Options:
A.

Number of claims affected by the user requirements

B.

Number of customers impacted

C.

Impact to the accuracy of claim calculation

D.

Level of resources required to implement the user requirements

Questions 279

Who is accountable for authorizing application access in a cloud Software as a Service (SaaS) solution?

Options:
A.

Cloud service provider

B.

IT department

C.

Senior management

D.

Business unit owner

Questions 280

Which of the following is the MOST important reason to communicate control effectiveness to senior management?

Options:
A.

To demonstrate alignment with industry best practices

B.

To assure management that control ownership is assigned

C.

To ensure management understands the current risk status

D.

To align risk management with strategic objectives

Questions 281

Which of the following is MOST likely to introduce risk for financial institutions that use blockchain?

Options:
A.

Cost of implementation

B.

Implementation of unproven applications

C.

Disruption to business processes

D.

Increase in attack surface area

Questions 282

Which of the following should be done FIRST upon learning that the organization will be affected by a new regulation in its industry?

Options:
A.

Transfer the risk.

B.

Perform a gap analysis.

C.

Determine risk appetite for the new regulation.

D.

Implement specific monitoring controls.

Questions 283

One of an organization's key IT systems cannot be patched because the patches interfere with critical business application functionalities. Which of the following would be the risk practitioner's BEST recommendation?

Options:
A.

Additional mitigating controls should be identified.

B.

The system should not be used until the application is changed

C.

The organization's IT risk appetite should be adjusted.

D.

The associated IT risk should be accepted by management.

Questions 284

An assessment of information security controls has identified ineffective controls. Which of the following should be the risk practitioner's FIRST course of action?

Options:
A.

Determine whether the impact is outside the risk appetite.

B.

Request a formal acceptance of risk from senior management.

C.

Report the ineffective control for inclusion in the next audit report.

D.

Deploy a compensating control to address the identified deficiencies.

Questions 285

Analyzing trends in key control indicators (KCIs) BEST enables a risk practitioner to proactively identify impacts on an organization's:

Options:
A.

risk classification methods

B.

risk-based capital allocation

C.

risk portfolio

D.

risk culture

Questions 286

Which of the following is the BEST way to determine whether new controls mitigate security gaps in a business system?

Options:
A.

Complete an offsite business continuity exercise.

B.

Conduct a compliance check against standards.

C.

Perform a vulnerability assessment.

D.

Measure the change in inherent risk.

Questions 287

Which of the following should be the GREATEST concern for an organization that uses open source software applications?

Options:
A.

Lack of organizational policy regarding open source software

B.

Lack of reliability associated with the use of open source software

C.

Lack of monitoring over installation of open source software in the organization

D.

Lack of professional support for open source software

Questions 288

Which of the following is the MOST important objective of establishing an enterprise risk management (ERM) function within an organization?

Options:
A.

To have a unified approach to risk management across the organization

B.

To have a standard risk management process for complying with regulations

C.

To optimize risk management resources across the organization

D.

To ensure risk profiles are presented in a consistent format within the organization

Questions 289

When of the following provides the MOST tenable evidence that a business process control is effective?

Options:
A.

Demonstration that the control is operating as designed

B.

A successful walk-through of the associated risk assessment

C.

Management attestation that the control is operating effectively

D.

Automated data indicating that risk has been reduced

Questions 290

Determining if organizational risk is tolerable requires:

Options:
A.

mapping residual risk with cost of controls

B.

comparing against regulatory requirements

C.

comparing industry risk appetite with the organizations.

D.

understanding the organization's risk appetite.

Questions 291

Which of the following poses the GREATEST risk to an organization's operations during a major it transformation?

Options:
A.

Lack of robust awareness programs

B.

infrequent risk assessments of key controls

C.

Rapid changes in IT procedures

D.

Unavailability of critical IT systems

Questions 292

Which of the following is the MOST important consideration when sharing risk management updates with executive management?

Options:
A.

Including trend analysis of risk metrics

B.

Using an aggregated view of organizational risk

C.

Relying on key risk indicator (KRI) data

D.

Ensuring relevance to organizational goals

Questions 293

Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?

Options:
A.

Customer database manager

B.

Customer data custodian

C.

Data privacy officer

D.

Audit committee

Questions 294

When of the following is the BEST key control indicator (KCI) to determine the effectiveness of en intrusion prevention system (IPS)?

Options:
A.

Percentage of system uptime

B.

Percentage of relevant threats mitigated

C.

Total number of threats identified

D.

Reaction time of the system to threats

Questions 295

Which of the following is the MOST common concern associated with outsourcing to a service provider?

Options:
A.

Lack of technical expertise

B.

Combining incompatible duties

C.

Unauthorized data usage

D.

Denial of service attacks

Questions 296

Winch of the following is the BEST evidence of an effective risk treatment plan?

Options:
A.

The inherent risk is below the asset residual risk.

B.

Remediation cost is below the asset business value

C.

The risk tolerance threshold s above the asset residual

D.

Remediation is completed within the asset recovery time objective (RTO)

Questions 297

The PRIMARY advantage of involving end users in continuity planning is that they:

Options:
A.

have a better understanding of specific business needs

B.

can balance the overall technical and business concerns

C.

can see the overall impact to the business

D.

are more objective than information security management.

Questions 298

Which of the following is the BEST way to quantify the likelihood of risk materialization?

Options:
A.

Balanced scorecard

B.

Threat and vulnerability assessment

C.

Compliance assessments

D.

Business impact analysis (BIA)

Questions 299

Which of the following is necessary to enable an IT risk register to be consolidated with the rest of the organization’s risk register?

Options:
A.

Risk taxonomy

B.

Risk response

C.

Risk appetite

D.

Risk ranking

Questions 300

Print jobs containing confidential information are sent to a shared network printer located in a secure room. Which of the following is the BEST control to prevent the inappropriate disclosure of confidential information?

Options:
A.

Requiring a printer access code for each user

B.

Using physical controls to access the printer room

C.

Using video surveillance in the printer room

D.

Ensuring printer parameters are properly configured

Exam Code: CRISC
Certification Provider: Isaca
Exam Name: Certified in Risk and Information Systems Control
Last Update: Jan 15, 2025
Questions: 1583

Isaca Related Exams

How to pass Isaca CISA - Certified Information Systems Auditor Exam
How to pass Isaca CISM - Certified Information Security Manager Exam
How to pass Isaca CGEIT - Certified in the Governance of Enterprise IT Exam Exam
How to pass Isaca COBIT5 - COBIT 5 Foundation Exam Exam
How to pass Isaca CDPSE - Certified Data Privacy Solutions Engineer Exam
How to pass Isaca COBIT-2019 - COBIT 2019 Foundation Exam
How to pass Isaca NIST-COBIT-2019 - ISACA Implementing the NIST Cybersecurity Framework using COBIT 2019 Exam

Isaca Free Exams

Isaca Free Exams
Examstrack offers comprehensive free resources and practice tests for Isaca exams.