Special Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

CRISC Exam Dumps - Isaca Certification Questions and Answers

Question # 104

It was discovered that a service provider's administrator was accessing sensitive information without the approval of the customer in an Infrastructure as a Service (laaS) model. Which of the following would BEST protect against a future recurrence?

Options:

A.

Data encryption

B.

Intrusion prevention system (IPS)

C.

Two-factor authentication

D.

Contractual requirements

Buy Now
Question # 105

A rule-based data loss prevention {DLP) tool has recently been implemented to reduce the risk of sensitive data leakage. Which of the following is MOST likely to change as a result of this implementation?

Options:

A.

Risk likelihood

B.

Risk velocity

C.

Risk appetite

D.

Risk impact

Buy Now
Question # 106

The PRIMARY advantage of implementing an IT risk management framework is the:

Options:

A.

establishment of a reliable basis for risk-aware decision making.

B.

compliance with relevant legal and regulatory requirements.

C.

improvement of controls within the organization and minimized losses.

D.

alignment of business goals with IT objectives.

Buy Now
Question # 107

Which of the following is MOST important to understand when determining an appropriate risk assessment approach?

Options:

A.

Complexity of the IT infrastructure

B.

Value of information assets

C.

Management culture

D.

Threats and vulnerabilities

Buy Now
Question # 108

Which of the following should an organization perform to forecast the effects of a disaster?

Options:

A.

Develop a business impact analysis (BIA).

B.

Define recovery time objectives (RTO).

C.

Analyze capability maturity model gaps.

D.

Simulate a disaster recovery.

Buy Now
Question # 109

Which of the following is the PRIMARY role of the board of directors in corporate risk governance?

Options:

A.

Approving operational strategies and objectives

B.

Monitoring the results of actions taken to mitigate risk

C.

Ensuring the effectiveness of the risk management program

D.

Ensuring risk scenarios are identified and recorded in the risk register

Buy Now
Question # 110

An organization plans to migrate sensitive information to a public cloud infrastructure. Which of the following is the GREATEST security risk in this scenario?

Options:

A.

Data may be commingled with other tenants' data.

B.

System downtime does not meet the organization's thresholds.

C.

The infrastructure will be managed by the public cloud administrator.

D.

The cloud provider is not independently certified.

Buy Now
Question # 111

Which of the following is the MOST important criteria for selecting key risk indicators (KRIs)?

Options:

A.

Historical data availability

B.

Implementation and reporting effort

C.

Ability to display trends

D.

Sensitivity and reliability

Buy Now
Question # 112

Which of the following would BEST mitigate the risk associated with reputational damage from inappropriate use of social media sites by employees?

Options:

A.

Validating employee social media accounts and passwords

B.

Monitoring Internet usage on employee workstations

C.

Disabling social media access from the organization's technology

D.

Implementing training and awareness programs

Buy Now
Question # 113

The MAIN purpose of conducting a control self-assessment (CSA) is to:

Options:

A.

gain a better understanding of the control effectiveness in the organization

B.

gain a better understanding of the risk in the organization

C.

adjust the controls prior to an external audit

D.

reduce the dependency on external audits

Buy Now
Question # 114

Which of the following would MOST likely drive the need to review and update key performance indicators (KPIs) for critical IT assets?

Options:

A.

The outsourcing of related IT processes

B.

Outcomes of periodic risk assessments

C.

Changes in service level objectives

D.

Findings from continuous monitoring

Buy Now
Question # 115

Which of the following is the result of a realized risk scenario?

Options:

A.

Threat event

B.

Vulnerability event

C.

Technical event

D.

Loss event

Buy Now
Question # 116

An organization has contracted with a cloud service provider to support the deployment of a new product. Of the following, who should own the associated risk?

Options:

A.

The head of enterprise architecture (EA)

B.

The IT risk manager

C.

The information security manager

D.

The product owner

Buy Now
Question # 117

During a risk assessment, the risk practitioner finds a new risk scenario without controls has been entered into the risk register. Which of the following is the MOST appropriate action?

Options:

A.

Include the new risk scenario in the current risk assessment.

B.

Postpone the risk assessment until controls are identified.

C.

Request the risk scenario be removed from the register.

D.

Exclude the new risk scenario from the current risk assessment

Buy Now
Question # 118

A risk practitioners PRIMARY focus when validating a risk response action plan should be that risk response:

Options:

A.

reduces risk to an acceptable level

B.

quantifies risk impact

C.

aligns with business strategy

D.

advances business objectives.

Buy Now
Question # 119

Which of the following is the BEST approach for selecting controls to minimize risk?

Options:

A.

Industry best practice review

B.

Risk assessment

C.

Cost-benefit analysis

D.

Control-effectiveness evaluation

Buy Now
Question # 120

Which of the following would provide the MOST helpful input to develop risk scenarios associated with hosting an organization's key IT applications in a cloud environment?

Options:

A.

Reviewing the results of independent audits

B.

Performing a site visit to the cloud provider's data center

C.

Performing a due diligence review

D.

Conducting a risk workshop with key stakeholders

Buy Now
Question # 121

Which of the following is a PRIMARY benefit of engaging the risk owner during the risk assessment process?

Options:

A.

Identification of controls gaps that may lead to noncompliance

B.

Prioritization of risk action plans across departments

C.

Early detection of emerging threats

D.

Accurate measurement of loss impact

Buy Now
Question # 122

When formulating a social media policy lo address information leakage, which of the following is the MOST important concern to address?

Options:

A.

Sharing company information on social media

B.

Sharing personal information on social media

C.

Using social media to maintain contact with business associates

D.

Using social media for personal purposes during working hours

Buy Now
Question # 123

A risk practitioner observes that the fraud detection controls in an online payment system do not perform as expected. Which of the following will MOST likely change as a result?

Options:

A.

Impact

B.

Residual risk

C.

Inherent risk

D.

Risk appetite

Buy Now
Question # 124

Which of the following is a crucial component of a key risk indicator (KRI) to ensure appropriate action is taken to mitigate risk?

Options:

A.

Management intervention

B.

Risk appetite

C.

Board commentary

D.

Escalation triggers

Buy Now
Question # 125

An organization requires a third party for processing customer personal data. Which of the following is the BEST approach when sharing data over a public network?

Options:

A.

Include a nondisclosure agreement (NDA) for personal data in the contract.

B.

Implement a digital rights protection tool to monitor data.

C.

Use a virtual private network (VPN) to communicate data.

D.

Transfer a read-only version of the data.

Buy Now
Question # 126

Which of the following is the BEST approach when a risk treatment plan cannot be completed on time?

Options:

A.

Replace the action owner with a more experienced individual.

B.

Implement compensating controls until the preferred action can be completed.

C.

Change the risk response strategy of the relevant risk to risk avoidance.

D.

Develop additional key risk indicators (KRIs) until the preferred action can be completed.

Buy Now
Question # 127

Which of the following is MOST effective against external threats to an organizations confidential information?

Options:

A.

Single sign-on

B.

Data integrity checking

C.

Strong authentication

D.

Intrusion detection system

Buy Now
Question # 128

In the three lines of defense model, a PRIMARY objective of the second line is to:

Options:

A.

Review and evaluate the risk management program.

B.

Ensure risk and controls are effectively managed.

C.

Implement risk management policies regarding roles and responsibilities.

D.

Act as the owner for any operational risk identified as part of the risk program.

Buy Now
Question # 129

Which of the following would provide the MOST useful input when evaluating the appropriateness of risk responses?

Options:

A.

Incident reports

B.

Cost-benefit analysis

C.

Risk tolerance

D.

Control objectives

Buy Now
Question # 130

An organizational policy requires critical security patches to be deployed in production within three weeks of patch availability. Which of the following is the BEST metric to verify adherence to the policy?

Options:

A.

Maximum time gap between patch availability and deployment

B.

Percentage of critical patches deployed within three weeks

C.

Minimum time gap between patch availability and deployment

D.

Number of critical patches deployed within three weeks

Buy Now
Question # 131

A large organization recently restructured the IT department and has decided to outsource certain functions. What action should the control owners in the IT department take?

Options:

A.

Conduct risk classification for associated IT controls.

B.

Determine whether risk responses still effectively address risk.

C.

Perform vulnerability and threat assessments.

D.

Analyze and update IT control assessments.

Buy Now
Question # 132

An organization has implemented a policy requiring staff members to take a minimum of five consecutive days' leave per year to mitigate the risk of malicious insider activities. Which of the following is the BEST key performance indicator (KPI) of the effectiveness of this policy?

Options:

A.

Percentage of staff turnover following five consecutive days of leave

B.

Average number of consecutive days of leave per staff member

C.

Number of suspected malicious activities reported since policy implementation

D.

Financial loss incurred due to malicious activities since policy implementation

Buy Now
Question # 133

Which of the following is MOST useful input when developing risk scenarios?

Options:

A.

Common attacks in other industries.

B.

Identification of risk events.

C.

Impact on critical assets.

D.

Probability of disruptive risk events.

Buy Now
Question # 134

An organization is planning to outsource its payroll function to an external service provider Which of the following should be the MOST important consideration when selecting the provider?

Options:

A.

Disaster recovery plan (DRP) of the system

B.

Right to audit the provider

C.

Internal controls to ensure data privacy

D.

Transparency of key performance indicators (KPIs)

Buy Now
Question # 135

The BEST way to justify the risk mitigation actions recommended in a risk assessment would be to:

Options:

A.

align with audit results.

B.

benchmark with competitor s actions.

C.

reference best practice.

D.

focus on the business drivers

Buy Now
Question # 136

Which of the following elements of a risk register is MOST likely to change as a result of change in management's risk appetite?

Options:

A.

Key risk indicator (KRI) thresholds

B.

Inherent risk

C.

Risk likelihood and impact

D.

Risk velocity

Buy Now
Question # 137

The PRIMARY goal of a risk management program is to:

Options:

A.

facilitate resource availability.

B.

help ensure objectives are met.

C.

safeguard corporate assets.

D.

help prevent operational losses.

Buy Now
Question # 138

A PRIMARY function of the risk register is to provide supporting information for the development of an organization's risk:

Options:

A.

strategy.

B.

profile.

C.

process.

D.

map.

Buy Now
Question # 139

The PRIMARY reason for periodically monitoring key risk indicators (KRIs) is to:

Options:

A.

rectify errors in results of KRIs.

B.

detect changes in the risk profile.

C.

reduce costs of risk mitigation controls.

D.

continually improve risk assessments.

Buy Now
Question # 140

When using a third party to perform penetration testing, which of the following is the MOST important control to minimize operational impact?

Options:

A.

Perform a background check on the vendor.

B.

Require the vendor to sign a nondisclosure agreement.

C.

Require the vendor to have liability insurance.

D.

Clearly define the project scope

Buy Now
Question # 141

The PRIMARY benefit of maintaining an up-to-date risk register is that it helps to:

Options:

A.

implement uniform controls for common risk scenarios.

B.

ensure business unit risk is uniformly distributed.

C.

build a risk profile for management review.

D.

quantify the organization's risk appetite.

Buy Now
Question # 142

After a risk has been identified, who is in the BEST position to select the appropriate risk treatment option?

Options:

A.

The risk practitioner

B.

The business process owner

C.

The risk owner

D.

The control owner

Buy Now
Question # 143

It is MOST important for a risk practitioner to have an awareness of an organization s processes in order to:

Options:

A.

perform a business impact analysis.

B.

identify potential sources of risk.

C.

establish risk guidelines.

D.

understand control design.

Buy Now
Question # 144

Which of the following is the BEST course of action for a system administrator who suspects a colleague may be intentionally weakening a system's validation controls in order to pass through fraudulent transactions?

Options:

A.

Implement compensating controls to deter fraud attempts.

B.

Share the concern through a whistleblower communication channel.

C.

Monitor the activity to collect evidence.

D.

Determine whether the system environment has flaws that may motivate fraud attempts.

Buy Now
Question # 145

Which of the following would BEST facilitate the implementation of data classification requirements?

Options:

A.

Assigning a data owner

B.

Scheduling periodic audits

C.

Implementing technical controls over the assets

D.

Implementing a data loss prevention (DLP) solution

Buy Now
Question # 146

Which of the following is the MOST useful information for prioritizing risk mitigation?

Options:

A.

Cost of risk mitigation

B.

Asset criticality

C.

Acceptable risk level

D.

Business impact assessment

Buy Now
Question # 147

Which of the following is the PRIMARY objective of risk management?

Options:

A.

Identify and analyze risk.

B.

Achieve business objectives

C.

Minimi2e business disruptions.

D.

Identify threats and vulnerabilities.

Buy Now
Question # 148

Which of the following would be a risk practitioner’s GREATEST concern related to the monitoring of key risk indicators (KRIs)?

Options:

A.

Logs are retained for longer than required.

B.

Logs are reviewed annually.

C.

Logs are stored in a multi-tenant cloud environment.

D.

Logs are modified before analysis is conducted.

Buy Now
Question # 149

Which of the following should be considered FIRST when creating a comprehensive IT risk register?

Options:

A.

Risk management budget

B.

Risk mitigation policies

C.

Risk appetite

D.

Risk analysis techniques

Buy Now
Question # 150

The operational risk associated with attacks on a web application should be owned by the individual in charge of:

Options:

A.

network operations.

B.

the cybersecurity function.

C.

application development.

D.

the business function.

Buy Now
Question # 151

A penetration test reveals several vulnerabilities in a web-facing application. Which of the following should be the FIRST step in selecting a risk response?

Options:

A.

Correct the vulnerabilities to mitigate potential risk exposure.

B.

Develop a risk response action plan with key stakeholders.

C.

Assess the level of risk associated with the vulnerabilities.

D.

Communicate the vulnerabilities to the risk owner.

Buy Now
Question # 152

The MOST important measure of the effectiveness of risk management in project implementation is the percentage of projects:

Options:

A.

introduced into production without high-risk issues.

B.

having the risk register updated regularly.

C.

having key risk indicators (KRIs) established to measure risk.

D.

having an action plan to remediate overdue issues.

Buy Now
Question # 153

Which of the following is the GREATEST risk associated with inappropriate classification of data?

Options:

A.

Inaccurate record management data

B.

Users having unauthorized access to data

C.

Inaccurate recovery time objectives (RTOs)

D.

Lack of accountability for data ownership

Buy Now
Exam Code: CRISC
Exam Name: Certified in Risk and Information Systems Control
Last Update: Apr 2, 2025
Questions: 1575
CRISC pdf

CRISC PDF

$25.5  $84.99
CRISC Engine

CRISC Testing Engine

$28.5  $94.99
CRISC PDF + Engine

CRISC PDF + Testing Engine

$40.5  $134.99