Black Friday Special 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: sale65best

examstrack slider

How to Easily Pass the Isaca CRISC Exam: Expert Advice

Questions 351

After entering a large number of low-risk scenarios into the risk register, it is MOST important for the risk practitioner to:

Options:

A.

prepare a follow-up risk assessment.

B.

recommend acceptance of the risk scenarios.

C.

reconfirm risk tolerance levels.

D.

analyze changes to aggregate risk.

Buy Now
Questions 352

An organization recently configured a new business division Which of the following is MOST likely to be affected?

Options:

A.

Risk profile

B.

Risk culture

C.

Risk appetite

D.

Risk tolerance

Buy Now
Questions 353

Which of the following is the PRIMARY reason for sharing risk assessment reports with senior stakeholders?

Options:

A.

To support decision-making for risk response

B.

To hold risk owners accountable for risk action plans

C.

To secure resourcing for risk treatment efforts

D.

To enable senior management to compile a risk profile

Buy Now
Questions 354

Which of the following should be of GREATEST concern when reviewing the results of an independent control assessment to determine the effectiveness of a vendor's control environment?

Options:

A.

The report was provided directly from the vendor.

B.

The risk associated with multiple control gaps was accepted.

C.

The control owners disagreed with the auditor's recommendations.

D.

The controls had recurring noncompliance.

Buy Now
Questions 355

A segregation of duties control was found to be ineffective because it did not account for all applicable functions when evaluating access. Who is responsible for ensuring the control is designed to effectively address risk?

Options:

A.

Risk manager

B.

Control owner

C.

Control tester

D.

Risk owner

Buy Now
Questions 356

An organization has made a decision to purchase a new IT system. During when phase of the system development life cycle (SDLC) will identified risk MOST likely lead to architecture and design trade-offs?

Options:

A.

Acquisition

B.

Implementation

C.

Initiation

D.

Operation and maintenance

Buy Now
Questions 357

A maturity model is MOST useful to an organization when it:

Options:

A.

benchmarks against other organizations

B.

defines a qualitative measure of risk

C.

provides a reference for progress

D.

provides risk metrics.

Buy Now
Questions 358

Which of the following is the PRIMARY reason to use key control indicators (KCIs) to evaluate control operating effectiveness?

Options:

A.

To measure business exposure to risk

B.

To identify control vulnerabilities

C.

To monitor the achievement of set objectives

D.

To raise awareness of operational issues

Buy Now
Questions 359

An organization has detected unauthorized logins to its client database servers. Which of the following should be of GREATEST concern?

Options:

A.

Potential increase in regulatory scrutiny

B.

Potential system downtime

C.

Potential theft of personal information

D.

Potential legal risk

Buy Now
Questions 360

Which of the following issues should be of GREATEST concern when evaluating existing controls during a risk assessment?

Options:

A.

A high number of approved exceptions exist with compensating controls.

B.

Successive assessments have the same recurring vulnerabilities.

C.

Redundant compensating controls are in place.

D.

Asset custodians are responsible for defining controls instead of asset owners.

Buy Now
Questions 361

Which of the following controls BEST enables an organization to ensure a complete and accurate IT asset inventory?

Options:

A.

Prohibiting the use of personal devices for business

B.

Performing network scanning for unknown devices

C.

Requesting an asset list from business owners

D.

Documenting asset configuration baselines

Buy Now
Questions 362

Which of the following is the GREATEST benefit of analyzing logs collected from different systems?

Options:

A.

A record of incidents is maintained.

B.

Forensic investigations are facilitated.

C.

Security violations can be identified.

D.

Developing threats are detected earlier.

Buy Now
Questions 363

For a large software development project, risk assessments are MOST effective when performed:

Options:

A.

before system development begins.

B.

at system development.

C.

at each stage of the system development life cycle (SDLC).

D.

during the development of the business case.

Buy Now
Questions 364

Which of the following is a drawback in the use of quantitative risk analysis?

Options:

A.

It assigns numeric values to exposures of assets.

B.

It requires more resources than other methods

C.

It produces the results in numeric form.

D.

It is based on impact analysis of information assets.

Buy Now
Questions 365

An organization has recently been experiencing frequent data corruption incidents. Implementing a file corruption detection tool as a risk response strategy will help to:

Options:

A.

reduce the likelihood of future events

B.

restore availability

C.

reduce the impact of future events

D.

address the root cause

Buy Now
Questions 366

Which of the following is the MOST critical element to maximize the potential for a successful security implementation?

Options:

A.

The organization's knowledge

B.

Ease of implementation

C.

The organization's culture

D.

industry-leading security tools

Buy Now
Questions 367

Key risk indicators (KRIs) are MOST useful during which of the following risk management phases?

Options:

A.

Monitoring

B.

Analysis

C.

Identification

D.

Response selection

Buy Now
Questions 368

Which of the following is the BEST key control indicator (KCI) for risk related to IT infrastructure failure?

Options:

A.

Number of times the recovery plan is reviewed

B.

Number of successful recovery plan tests

C.

Percentage of systems with outdated virus protection

D.

Percentage of employees who can work remotely

Buy Now
Questions 369

Which of the following BEST indicates whether security awareness training is effective?

Options:

A.

User self-assessment

B.

User behavior after training

C.

Course evaluation

D.

Quality of training materials

Buy Now
Questions 370

When of the following provides the MOST tenable evidence that a business process control is effective?

Options:

A.

Demonstration that the control is operating as designed

B.

A successful walk-through of the associated risk assessment

C.

Management attestation that the control is operating effectively

D.

Automated data indicating that risk has been reduced

Buy Now
Questions 371

Which of the following is the GREATEST risk associated with an environment that lacks documentation of the architecture?

Options:

A.

Unknown vulnerabilities

B.

Legacy technology systems

C.

Network isolation

D.

Overlapping threats

Buy Now
Questions 372

Which of the following would be MOST helpful to a risk practitioner when ensuring that mitigated risk remains within acceptable limits?

Options:

A.

Building an organizational risk profile after updating the risk register

B.

Ensuring risk owners participate in a periodic control testing process

C.

Designing a process for risk owners to periodically review identified risk

D.

Implementing a process for ongoing monitoring of control effectiveness

Buy Now
Questions 373

A risk practitioner identifies a database application that has been developed and implemented by the business independently of IT. Which of the following is the BEST course of action?

Options:

A.

Escalate the concern to senior management.

B.

Document the reasons for the exception.

C.

Include the application in IT risk assessments.

D.

Propose that the application be transferred to IT.

Buy Now
Questions 374

The PRIMARY benefit of conducting continuous monitoring of access controls is the ability to identify:

Options:

A.

inconsistencies between security policies and procedures

B.

possible noncompliant activities that lead to data disclosure

C.

leading or lagging key risk indicators (KRIs)

D.

unknown threats to undermine existing access controls

Buy Now
Questions 375

The BEST key performance indicator (KPI) to measure the effectiveness of a backup process would be the number of:

Options:

A.

resources to monitor backups

B.

restoration monitoring reports

C.

backup recovery requests

D.

recurring restore failures

Buy Now
Questions 376

A business unit is implementing a data analytics platform to enhance its customer relationship management (CRM) system primarily to process data that has been provided by its customers. Which of the following presents the GREATEST risk to the organization's reputation?

Options:

A.

Third-party software is used for data analytics.

B.

Data usage exceeds individual consent.

C.

Revenue generated is not disclosed to customers.

D.

Use of a data analytics system is not disclosed to customers.

Buy Now
Questions 377

A service provider is managing a client’s servers. During an audit of the service, a noncompliant control is discovered that will not be resolved before the next audit because the client cannot afford the downtime required to correct the issue. The service provider’s MOST appropriate action would be to:

Options:

A.

develop a risk remediation plan overriding the client's decision

B.

make a note for this item in the next audit explaining the situation

C.

insist that the remediation occur for the benefit of other customers

D.

ask the client to document the formal risk acceptance for the provider

Buy Now
Questions 378

An organization learns of a new ransomware attack affecting organizations worldwide. Which of the following should be done FIRST to reduce the likelihood of infection from the attack?

Options:

A.

Identify systems that are vulnerable to being exploited by the attack.

B.

Confirm with the antivirus solution vendor whether the next update will detect the attack.

C.

Verify the data backup process and confirm which backups are the most recent ones available.

D.

Obtain approval for funding to purchase a cyber insurance plan.

Buy Now
Questions 379

An organization moved its payroll system to a Software as a Service (SaaS) application. A new data privacy regulation stipulates that data can only be processed within the country where it is collected. Which of the following should be done FIRST when addressing this situation?

Options:

A.

Analyze data protection methods.

B.

Understand data flows.

C.

Include a right-to-audit clause.

D.

Implement strong access controls.

Buy Now
Questions 380

Which of the following is the MOST important component in a risk treatment plan?

Options:

A.

Technical details

B.

Target completion date

C.

Treatment plan ownership

D.

Treatment plan justification

Buy Now
Questions 381

Which of the following approaches will BEST help to ensure the effectiveness of risk awareness training?

Options:

A.

Piloting courses with focus groups

B.

Using reputable third-party training programs

C.

Reviewing content with senior management

D.

Creating modules for targeted audiences

Buy Now
Questions 382

Which of the following controls are BEST strengthened by a clear organizational code of ethics?

Options:

A.

Detective controls

B.

Administrative controls

C.

Technical controls

D.

Preventive controls

Buy Now
Questions 383

A department allows multiple users to perform maintenance on a system using a single set of credentials. A risk practitioner determined this practice to be high-risk. Which of the following is the MOST effective way to mitigate this risk?

Options:

A.

Single sign-on

B.

Audit trail review

C.

Multi-factor authentication

D.

Data encryption at rest

Buy Now
Questions 384

Which of the following BEST supports ethical IT risk management practices?

Options:

A.

Robust organizational communication channels

B.

Mapping of key risk indicators (KRIs) to corporate strategy

C.

Capability maturity models integrated with risk management frameworks

D.

Rigorously enforced operational service level agreements (SLAs)

Buy Now
Questions 385

Participants in a risk workshop have become focused on the financial cost to mitigate risk rather than choosing the most appropriate response. Which of the following is the BEST way to address this type of issue in the long term?

Options:

A.

Perform a return on investment analysis.

B.

Review the risk register and risk scenarios.

C.

Calculate annualized loss expectancy of risk scenarios.

D.

Raise the maturity of organizational risk management.

Buy Now
Questions 386

Which of the following methods is an example of risk mitigation?

Options:

A.

Not providing capability for employees to work remotely

B.

Outsourcing the IT activities and infrastructure

C.

Enforcing change and configuration management processes

D.

Taking out insurance coverage for IT-related incidents

Buy Now
Questions 387

Determining if organizational risk is tolerable requires:

Options:

A.

mapping residual risk with cost of controls

B.

comparing against regulatory requirements

C.

comparing industry risk appetite with the organizations.

D.

understanding the organization's risk appetite.

Buy Now
Questions 388

When of the following 15 MOST important when developing a business case for a proposed security investment?

Options:

A.

identification of control requirements

B.

Alignment to business objectives

C.

Consideration of new business strategies

D.

inclusion of strategy for regulatory compliance

Buy Now
Questions 389

A peer review of a risk assessment finds that a relevant threat community was not included. Mitigation of the risk will require substantial changes to a software application. Which of the following is the BEST course of action?

Options:

A.

Ask the business to make a budget request to remediate the problem.

B.

Build a business case to remediate the fix.

C.

Research the types of attacks the threat can present.

D.

Determine the impact of the missing threat.

Buy Now
Questions 390

While reviewing the risk register, a risk practitioner notices that different business units have significant variances in inherent risk for the same risk scenario. Which of the following is the BEST course of action?

Options:

A.

Update the risk register with the average of residual risk for both business units.

B.

Review the assumptions of both risk scenarios to determine whether the variance is reasonable.

C.

Update the risk register to ensure both risk scenarios have the highest residual risk.

D.

Request that both business units conduct another review of the risk.

Buy Now
Questions 391

All business units within an organization have the same risk response plan for creating local disaster recovery plans. In an effort to achieve cost effectiveness, the BEST course of action would be to:

Options:

A.

select a provider to standardize the disaster recovery plans.

B.

outsource disaster recovery to an external provider.

C.

centralize the risk response function at the enterprise level.

D.

evaluate opportunities to combine disaster recovery plans.

Buy Now
Questions 392

Employees are repeatedly seen holding the door open for others, so that trailing employees do not have to stop and swipe their own ID badges. This behavior BEST represents:

Options:

A.

a threat.

B.

a vulnerability.

C.

an impact

D.

a control.

Buy Now
Questions 393

An organization is preparing to transfer a large number of customer service representatives to the sales department. Of the following, who is responsible for mitigating the risk associated with residual system access?

Options:

A.

IT service desk manager

B.

Sales manager

C.

Customer service manager

D.

Access control manager

Buy Now
Questions 394

Which of the following is the MOST common concern associated with outsourcing to a service provider?

Options:

A.

Lack of technical expertise

B.

Combining incompatible duties

C.

Unauthorized data usage

D.

Denial of service attacks

Buy Now
Questions 395

Which of the following is the MOST effective way to incorporate stakeholder concerns when developing risk scenarios?

Options:

A.

Evaluating risk impact

B.

Establishing key performance indicators (KPIs)

C.

Conducting internal audits

D.

Creating quarterly risk reports

Buy Now
Questions 396

When performing a risk assessment of a new service to support a ewe Business process. which of the following should be done FRST10 ensure continuity of operations?

Options:

A.

a identity conditions that may cause disruptions

B.

Review incident response procedures

C.

Evaluate the probability of risk events

D.

Define metrics for restoring availability

Buy Now
Questions 397

Which of the following roles is BEST suited to help a risk practitioner understand the impact of IT-related events on business objectives?

Options:

A.

IT management

B.

Internal audit

C.

Process owners

D.

Senior management

Buy Now
Questions 398

Which of the following is the MOST important consideration when selecting key risk indicators (KRIs) to monitor risk trends over time?

Options:

A.

Ongoing availability of data

B.

Ability to aggregate data

C.

Ability to predict trends

D.

Availability of automated reporting systems

Buy Now
Questions 399

In response to the threat of ransomware, an organization has implemented cybersecurity awareness activities. The risk practitioner's BEST recommendation to further reduce the impact of ransomware attacks would be to implement:

Options:

A.

two-factor authentication.

B.

continuous data backup controls.

C.

encryption for data at rest.

D.

encryption for data in motion.

Buy Now
Questions 400

Which of the following is a risk practitioner's BEST recommendation to address an organization's need to secure multiple systems with limited IT resources?

Options:

A.

Apply available security patches.

B.

Schedule a penetration test.

C.

Conduct a business impact analysis (BIA)

D.

Perform a vulnerability analysis.

Buy Now