Special Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

CRISC Exam Dumps - Isaca Certification Questions and Answers

Question # 154

Which of the following is the PRIMARY reason for a risk practitioner to report changes and trends in the IT risk profile to senior management?

Options:

A.

To ensure risk owners understand their responsibilities

B.

To ensure IT risk is managed within acceptable limits

C.

To ensure the organization complies with legal requirements

D.

To ensure the IT risk awareness program is effective

Buy Now
Question # 155

Which of the following is the BEST way to mitigate the risk associated with fraudulent use of an enterprise's brand on Internet sites?

Options:

A.

Utilizing data loss prevention (DLP) technology

B.

Monitoring the enterprise's use of the Internet

C.

Scanning the Internet to search for unauthorized usage

D.

Developing training and awareness campaigns

Buy Now
Question # 156

A bank has outsourced its statement printing function to an external service provider. Which of the following is the MOST critical requirement to include in the contract?

Options:

A.

Monitoring of service costs

B.

Provision of internal audit reports

C.

Notification of sub-contracting arrangements

D.

Confidentiality of customer data

Buy Now
Question # 157

When establishing leading indicators for the information security incident response process it is MOST important to consider the percentage of reported incidents:

Options:

A.

that results in a full root cause analysis.

B.

used for verification within the SLA.

C.

that are verified as actual incidents.

D.

resolved within the SLA.

Buy Now
Question # 158

What can be determined from the risk scenario chart?

Options:

A.

Relative positions on the risk map

B.

Risk treatment options

C.

Capability of enterprise to implement

D.

The multiple risk factors addressed by a chosen response

Buy Now
Question # 159

Which of the following controls will BEST detect unauthorized modification of data by a database administrator?

Options:

A.

Reviewing database access rights

B.

Reviewing database activity logs

C.

Comparing data to input records

D.

Reviewing changes to edit checks

Buy Now
Question # 160

Which of the following is the BEST indication of the effectiveness of a business continuity program?

Options:

A.

Business continuity tests are performed successfully and issues are addressed.

B.

Business impact analyses are reviewed and updated in a timely manner.

C.

Business continuity and disaster recovery plans are regularly updated.

D.

Business units are familiar with the business continuity plans and process.

Buy Now
Question # 161

Which of the following is the MOST important element of a successful risk awareness training program?

Options:

A.

Customizing content for the audience

B.

Providing incentives to participants

C.

Mapping to a recognized standard

D.

Providing metrics for measurement

Buy Now
Question # 162

Which of the following IT controls is MOST useful in mitigating the risk associated with inaccurate data?

Options:

A.

Encrypted storage of data

B.

Links to source data

C.

Audit trails for updates and deletions

D.

Check totals on data records and data fields

Buy Now
Question # 163

What should a risk practitioner do FIRST when vulnerability assessment results identify a weakness in an application?

Options:

A.

Review regular control testing results.

B.

Recommend a penetration test.

C.

Assess the risk to determine mitigation needed.

D.

Analyze key performance indicators (KPIs).

Buy Now
Question # 164

A risk practitioner is reporting on an increasing trend of ransomware attacks in the industry. Which of the following information is MOST important to include to enable an informed response decision by key stakeholders?

Options:

A.

Methods of attack progression

B.

Losses incurred by industry peers

C.

Most recent antivirus scan reports

D.

Potential impact of events

Buy Now
Question # 165

Which of the following will BEST help an organization select a recovery strategy for critical systems?

Options:

A.

Review the business impact analysis.

B.

Create a business continuity plan.

C.

Analyze previous disaster recovery reports.

D.

Conduct a root cause analysis.

Buy Now
Question # 166

Which of the following is MOST important when defining controls?

Options:

A.

Identifying monitoring mechanisms

B.

Including them in the risk register

C.

Aligning them with business objectives

D.

Prototyping compensating controls

Buy Now
Question # 167

Which of the following criteria is MOST important when developing a response to an attack that would compromise data?

Options:

A.

The recovery time objective (RTO)

B.

The likelihood of a recurring attack

C.

The organization's risk tolerance

D.

The business significance of the information

Buy Now
Question # 168

An organization has implemented a system capable of comprehensive employee monitoring. Which of the following should direct how the system is used?

Options:

A.

Organizational strategy

B.

Employee code of conduct

C.

Industry best practices

D.

Organizational policy

Buy Now
Question # 169

A risk practitioner notices a trend of noncompliance with an IT-related control. Which of the following would BEST assist in making a recommendation to management?

Options:

A.

Assessing the degree to which the control hinders business objectives

B.

Reviewing the IT policy with the risk owner

C.

Reviewing the roles and responsibilities of control process owners

D.

Assessing noncompliance with control best practices

Buy Now
Question # 170

Which of the following is a detective control?

Options:

A.

Limit check

B.

Periodic access review

C.

Access control software

D.

Rerun procedures

Buy Now
Question # 171

Which of the following should be included in a risk assessment report to BEST facilitate senior management's understanding of the results?

Options:

A.

Benchmarking parameters likely to affect the results

B.

Tools and techniques used by risk owners to perform the assessments

C.

A risk heat map with a summary of risk identified and assessed

D.

The possible impact of internal and external risk factors on the assessment results

Buy Now
Question # 172

A software developer has administrative access to a production application. Which of the following should be of GREATEST concern to a risk practitioner?

Options:

A.

The administrative access does not allow for activity log monitoring.

B.

The administrative access does not follow password management protocols.

C.

The administrative access represents a deviation from corporate policy.

D.

The administrative access represents a segregation of duties conflict.

Buy Now
Question # 173

Which of the following is the MOST important consideration when sharing risk management updates with executive management?

Options:

A.

Using an aggregated view of organizational risk

B.

Ensuring relevance to organizational goals

C.

Relying on key risk indicator (KRI) data Including

D.

Trend analysis of risk metrics

Buy Now
Question # 174

What should a risk practitioner do FIRST upon learning a risk treatment owner has implemented a different control than what was specified in the IT risk action plan?

Options:

A.

Seek approval from the control owner.

B.

Update the action plan in the risk register.

C.

Reassess the risk level associated with the new control.

D.

Validate that the control has an established testing method.

Buy Now
Question # 175

Which of the following is a KEY outcome of risk ownership?

Options:

A.

Risk responsibilities are addressed.

B.

Risk-related information is communicated.

C.

Risk-oriented tasks are defined.

D.

Business process risk is analyzed.

Buy Now
Question # 176

The BEST key performance indicator (KPI) to measure the effectiveness of a vendor risk management program is the percentage of:

Options:

A.

vendors providing risk assessments on time.

B.

vendor contracts reviewed in the past year.

C.

vendor risk mitigation action items completed on time.

D.

vendors that have reported control-related incidents.

Buy Now
Question # 177

Who is MOST likely to be responsible for the coordination between the IT risk strategy and the business risk strategy?

Options:

A.

Chief financial officer

B.

Information security director

C.

Internal audit director

D.

Chief information officer

Buy Now
Question # 178

Which of the following BEST helps to identify significant events that could impact an organization?

Vulnerability analysis

Options:

A.

Control analysis

B.

Scenario analysis

C.

Heat map analysis

Buy Now
Question # 179

An organization has decided to implement an emerging technology and incorporate the new capabilities into its strategic business plan. Business operations for the technology will be outsourced. What will be the risk practitioner's PRIMARY role during the change?

Options:

A.

Managing third-party risk

B.

Developing risk scenarios

C.

Managing the threat landscape

D.

Updating risk appetite

Buy Now
Question # 180

Which of the following would be of GREATEST concern to a risk practitioner reviewing current key risk indicators (KRIs)?

Options:

A.

The KRIs' source data lacks integrity.

B.

The KRIs are not automated.

C.

The KRIs are not quantitative.

D.

The KRIs do not allow for trend analysis.

Buy Now
Question # 181

Which of the following provides the BEST assurance of the effectiveness of vendor security controls?

Options:

A.

Review vendor control self-assessments (CSA).

B.

Review vendor service level agreement (SLA) metrics.

C.

Require independent control assessments.

D.

Obtain vendor references from existing customers.

Buy Now
Question # 182

Which of the following would be the result of a significant increase in the motivation of a malicious threat actor?

Options:

A.

Increase in mitigating control costs

B.

Increase in risk event impact

C.

Increase in risk event likelihood

D.

Increase in cybersecurity premium

Buy Now
Question # 183

The BEST key performance indicator (KPI) to measure the effectiveness of the security patching process is the percentage of patches installed:

Options:

A.

by the security administration team.

B.

successfully within the expected time frame.

C.

successfully during the first attempt.

D.

without causing an unplanned system outage.

Buy Now
Question # 184

The MAJOR reason to classify information assets is

Options:

A.

maintain a current inventory and catalog of information assets

B.

determine their sensitivity and critical

C.

establish recovery time objectives (RTOs)

D.

categorize data into groups

Buy Now
Question # 185

Which of the following provides the MOST comprehensive information when developing a risk profile for a system?

Options:

A.

Results of a business impact analysis (BIA)

B.

Risk assessment results

C.

A mapping of resources to business processes

D.

Key performance indicators (KPIs)

Buy Now
Question # 186

When defining thresholds for control key performance indicators (KPIs). it is MOST helpful to align:

Options:

A.

information risk assessments with enterprise risk assessments.

B.

key risk indicators (KRIs) with risk appetite of the business.

C.

the control key performance indicators (KPIs) with audit findings.

D.

control performance with risk tolerance of business owners.

Buy Now
Question # 187

A financial institution has identified high risk of fraud in several business applications. Which of the following controls will BEST help reduce the risk of fraudulent internal transactions?

Options:

A.

Periodic user privileges review

B.

Log monitoring

C.

Periodic internal audits

D.

Segregation of duties

Buy Now
Question # 188

While reviewing the risk register, a risk practitioner notices that different business units have significant variances in inherent risk for the same risk scenario. Which of the following is the BEST course of action?

Options:

A.

Update the risk register with the average of residual risk for both business units.

B.

Review the assumptions of both risk scenarios to determine whether the variance is reasonable.

C.

Update the risk register to ensure both risk scenarios have the highest residual risk.

D.

Request that both business units conduct another review of the risk.

Buy Now
Question # 189

Which of the following should be the GREATEST concern for an organization that uses open source software applications?

Options:

A.

Lack of organizational policy regarding open source software

B.

Lack of reliability associated with the use of open source software

C.

Lack of monitoring over installation of open source software in the organization

D.

Lack of professional support for open source software

Buy Now
Question # 190

An organization is preparing to transfer a large number of customer service representatives to the sales department. Of the following, who is responsible for mitigating the risk associated with residual system access?

Options:

A.

IT service desk manager

B.

Sales manager

C.

Customer service manager

D.

Access control manager

Buy Now
Question # 191

An organization planning to transfer and store its customer data with an offshore cloud service provider should be PRIMARILY concerned with:

Options:

A.

data aggregation

B.

data privacy

C.

data quality

D.

data validation

Buy Now
Question # 192

Which of the following is MOST important to compare against the corporate risk profile?

Options:

A.

Industry benchmarks

B.

Risk tolerance

C.

Risk appetite

D.

Regulatory compliance

Buy Now
Question # 193

A service provider is managing a client’s servers. During an audit of the service, a noncompliant control is discovered that will not be resolved before the next audit because the client cannot afford the downtime required to correct the issue. The service provider’s MOST appropriate action would be to:

Options:

A.

develop a risk remediation plan overriding the client's decision

B.

make a note for this item in the next audit explaining the situation

C.

insist that the remediation occur for the benefit of other customers

D.

ask the client to document the formal risk acceptance for the provider

Buy Now
Question # 194

Which of the following BEST mitigates the risk of sensitive personal data leakage from a software development environment?

Options:

A.

Tokenized personal data only in test environments

B.

Data loss prevention tools (DLP) installed in passive mode

C.

Anonymized personal data in non-production environments

D.

Multi-factor authentication for access to non-production environments

Buy Now
Question # 195

Which of the following should be the FIRST step when a company is made aware of new regulatory requirements impacting IT?

Options:

A.

Perform a gap analysis.

B.

Prioritize impact to the business units.

C.

Perform a risk assessment.

D.

Review the risk tolerance and appetite.

Buy Now
Question # 196

An organization outsources the processing of us payroll data A risk practitioner identifies a control weakness at the third party trial exposes the payroll data. Who should own this risk?

Options:

A.

The third party's IT operations manager

B.

The organization's process owner

C.

The third party's chief risk officer (CRO)

D.

The organization's risk practitioner

Buy Now
Question # 197

Determining if organizational risk is tolerable requires:

Options:

A.

mapping residual risk with cost of controls

B.

comparing against regulatory requirements

C.

comparing industry risk appetite with the organizations.

D.

understanding the organization's risk appetite.

Buy Now
Question # 198

What is the PRIMARY benefit of risk monitoring?

Options:

A.

It reduces the number of audit findings.

B.

It provides statistical evidence of control efficiency.

C.

It facilitates risk-aware decision making.

D.

It facilitates communication of threat levels.

Buy Now
Question # 199

Which of the following provides the MOST up-to-date information about the effectiveness of an organization's overall IT control environment?

Options:

A.

Key performance indicators (KPIs)

B.

Risk heat maps

C.

Internal audit findings

D.

Periodic penetration testing

Buy Now
Question # 200

When developing risk treatment alternatives for a Business case, it is MOST helpful to show risk reduction based on:

Options:

A.

cost-benefit analysis.

B.

risk appetite.

C.

regulatory guidelines

D.

control efficiency

Buy Now
Question # 201

Employees are repeatedly seen holding the door open for others, so that trailing employees do not have to stop and swipe their own ID badges. This behavior BEST represents:

Options:

A.

a threat.

B.

a vulnerability.

C.

an impact

D.

a control.

Buy Now
Question # 202

Which of the following risk management practices BEST facilitates the incorporation of IT risk scenarios into the enterprise-wide risk register?

Options:

A.

Key risk indicators (KRls) are developed for key IT risk scenarios

B.

IT risk scenarios are assessed by the enterprise risk management team

C.

Risk appetites for IT risk scenarios are approved by key business stakeholders.

D.

IT risk scenarios are developed in the context of organizational objectives.

Buy Now
Question # 203

Which of the following controls BEST helps to ensure that transaction data reaches its destination?

Options:

A.

Securing the network from attacks

B.

Providing acknowledgments from receiver to sender

C.

Digitally signing individual messages

D.

Encrypting data-in-transit

Buy Now
Exam Code: CRISC
Exam Name: Certified in Risk and Information Systems Control
Last Update: Apr 2, 2025
Questions: 1575
CRISC pdf

CRISC PDF

$25.5  $84.99
CRISC Engine

CRISC Testing Engine

$28.5  $94.99
CRISC PDF + Engine

CRISC PDF + Testing Engine

$40.5  $134.99