Special Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

CRISC Exam Dumps - Isaca Certification Questions and Answers

Question # 404

An organization has allowed several employees to retire early in order to avoid layoffs Many of these employees have been subject matter experts for critical assets Which type of risk is MOST likely to materialize?

Options:

A.

Confidentiality breach

B.

Institutional knowledge loss

C.

Intellectual property loss

D.

Unauthorized access

Buy Now
Question # 405

An organization allows programmers to change production systems in emergency situations. Which of the following is the BEST control?

Options:

A.

Implementing an emergency change authorization process

B.

Periodically reviewing operator logs

C.

Limiting the number of super users

D.

Reviewing the programmers' emergency change reports

Buy Now
Question # 406

Which of the following activities is a responsibility of the second line of defense?

Options:

A.

Challenging risk decision making

B.

Developing controls to manage risk scenarios

C.

Implementing risk response plans

D.

Establishing organizational risk appetite

Buy Now
Question # 407

What is the MOST important consideration when selecting key performance indicators (KPIs) for control monitoring?

Options:

A.

Source information is acquired at stable cost.

B.

Source information is tailored by removing outliers.

C.

Source information is readily quantifiable.

D.

Source information is consistently available.

Buy Now
Question # 408

A poster has been displayed in a data center that reads. "Anyone caught taking photographs in the data center may be subject to disciplinary action." Which of the following control types has been implemented?

Options:

A.

Corrective

B.

Detective

C.

Deterrent

D.

Preventative

Buy Now
Question # 409

Which of the following is the MOST important reason to restrict access to the risk register on a need-to-know basis?

Options:

A.

It contains vulnerabilities and threats.

B.

The risk methodology is intellectual property.

C.

Contents may be used as auditable findings.

D.

Risk scenarios may be misinterpreted.

Buy Now
Question # 410

A failure in an organization’s IT system build process has resulted in several computers on the network missing the corporate endpoint detection and response (EDR) software. Which of the following should be the risk practitioner's IMMEDIATE concern?

Options:

A.

Threats are not being detected.

B.

Multiple corporate build images exist.

C.

The IT build process was not followed.

D.

The process documentation was not updated.

Buy Now
Question # 411

Which of the following presents the GREATEST privacy risk related to personal data processing for a global organization?

Options:

A.

Privacy risk awareness training has not been conducted across the organization.

B.

The organization has not incorporated privacy into its risk management framework.

C.

The organization allows staff with access to personal data to work remotely.

D.

Personal data processing occurs in an offshore location with a data sharing agreement.

Buy Now
Question # 412

Which of the following is a PRIMARY objective of privacy impact assessments (PIAs)?

Options:

A.

To identify threats introduced by business processes

B.

To identify risk when personal information is collected

C.

To ensure senior management has approved the use of personal information

D.

To ensure compliance with data privacy laws and regulations

Buy Now
Question # 413

A risk practitioner finds that data has been misclassified. Which of the following is the GREATEST concern?

Options:

A.

Unauthorized access

B.

Data corruption

C.

Inadequate retention schedules

D.

Data disruption

Buy Now
Question # 414

A risk practitioner is performing a risk assessment of recent external advancements in quantum computing. Which of the following would pose the GREATEST concern for the risk practitioner?

Options:

A.

The organization has incorporated blockchain technology in its operations.

B.

The organization has not reviewed its encryption standards.

C.

The organization has implemented heuristics on its network firewall.

D.

The organization has not adopted Infrastructure as a Service (laaS) for its operations.

Buy Now
Question # 415

When creating a separate IT risk register for a large organization, which of the following is MOST important to consider with regard to the existing corporate risk 'register?

Options:

A.

Leveraging business risk professionals

B.

Relying on generic IT risk scenarios

C.

Describing IT risk in business terms

D.

Using a common risk taxonomy

Buy Now
Question # 416

Senior management has requested more information regarding the risk associated with introducing a new application into the environment. Which of the following should be done FIRST?

Options:

A.

Perform an audit.

B.

Conduct a risk analysis.

C.

Develop risk scenarios.

D.

Perform a cost-benefit analysis.

Buy Now
Question # 417

Which of the following is the PRIMARY advantage of having a single integrated business continuity plan (BCP) rather than each business unit developing its own BCP?

Options:

A.

It provides assurance of timely business process response and effectiveness.

B.

It supports effective use of resources and provides reasonable confidence of recoverability.

C.

It enables effective BCP maintenance and updates to reflect organizational changes.

D.

It decreases the risk of downtime and operational losses in the event of a disruption.

Buy Now
Question # 418

Which of the following is the PRIMARY reason to adopt key control indicators (KCIs) in the risk monitoring and reporting process?

Options:

A.

To provide data for establishing the risk profile

B.

To provide assurance of adherence to risk management policies

C.

To provide measurements on the potential for risk to occur

D.

To provide assessments of mitigation effectiveness

Buy Now
Question # 419

A newly hired risk practitioner finds that the risk register has not been updated in the past year. What is the risk practitioner's BEST course of action?

Options:

A.

Identify changes in risk factors and initiate risk reviews.

B.

Engage an external consultant to redesign the risk management process.

C.

Outsource the process for updating the risk register.

D.

Implement a process improvement and replace the old risk register.

Buy Now
Question # 420

Which of the following is the MOST critical element to maximize the potential for a successful security implementation?

Options:

A.

The organization's knowledge

B.

Ease of implementation

C.

The organization's culture

D.

industry-leading security tools

Buy Now
Question # 421

An IT department has provided a shared drive for personnel to store information to which all employees have access. Which of the following parties is accountable for the risk of potential loss of confidential information?

Options:

A.

Risk manager

B.

Data owner

C.

End user

D.

IT department

Buy Now
Question # 422

Which of the following is the MOST appropriate key risk indicator (KRI) for backup media that is recycled monthly?

Options:

A.

Time required for backup restoration testing

B.

Change in size of data backed up

C.

Successful completion of backup operations

D.

Percentage of failed restore tests

Buy Now
Question # 423

A maturity model is MOST useful to an organization when it:

Options:

A.

benchmarks against other organizations

B.

defines a qualitative measure of risk

C.

provides a reference for progress

D.

provides risk metrics.

Buy Now
Question # 424

The BEST reason to classify IT assets during a risk assessment is to determine the:

Options:

A.

priority in the risk register.

B.

business process owner.

C.

enterprise risk profile.

D.

appropriate level of protection.

Buy Now
Question # 425

An employee lost a personal mobile device that may contain sensitive corporate information. What should be the risk practitioner's recommendation?

Options:

A.

Conduct a risk analysis.

B.

Initiate a remote data wipe.

C.

Invoke the incident response plan

D.

Disable the user account.

Buy Now
Question # 426

Which of the following should be done FIRST when developing a data protection management plan?

Options:

A.

Perform a cost-benefit analysis.

B.

Identify critical data.

C.

Establish a data inventory.

D.

Conduct a risk analysis.

Buy Now
Question # 427

Who should have the authority to approve an exception to a control?

Options:

A.

information security manager

B.

Control owner

C.

Risk owner

D.

Risk manager

Buy Now
Question # 428

Which of the following is the PRIMARY reason to have the risk management process reviewed by a third party?

Options:

A.

Obtain objective assessment of the control environment.

B.

Ensure the risk profile is defined and communicated.

C.

Validate the threat management process.

D.

Obtain an objective view of process gaps and systemic errors.

Buy Now
Question # 429

A risk practitioner is preparing a report to communicate changes in the risk and control environment. The BEST way to engage stakeholder attention is to:

Options:

A.

include detailed deviations from industry benchmarks,

B.

include a summary linking information to stakeholder needs,

C.

include a roadmap to achieve operational excellence,

D.

publish the report on-demand for stakeholders.

Buy Now
Question # 430

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery test of critical business processes?

Options:

A.

Percentage of job failures identified and resolved during the recovery process

B.

Percentage of processes recovered within the recovery time and point objectives

C.

Number of current test plans and procedures

D.

Number of issues and action items resolved during the recovery test

Buy Now
Question # 431

A control for mitigating risk in a key business area cannot be implemented immediately. Which of the following is the risk practitioner's BEST course of action when a compensating control needs to be applied?

Options:

A.

Obtain the risk owner's approval.

B.

Record the risk as accepted in the risk register.

C.

Inform senior management.

D.

update the risk response plan.

Buy Now
Question # 432

Which of the following will help ensure the elective decision-making of an IT risk management committee?

Options:

A.

Key stakeholders are enrolled as members

B.

Approved minutes ate forwarded to senior management

C.

Committee meets at least quarterly

D.

Functional overlap across the business is minimized

Buy Now
Question # 433

From a risk management perspective, the PRIMARY objective of using maturity models is to enable:

Options:

A.

solution delivery.

B.

resource utilization.

C.

strategic alignment.

D.

performance evaluation.

Buy Now
Question # 434

Which of the following is MOST important when developing risk scenarios?

Options:

A.

Reviewing business impact analysis (BIA)

B.

Collaborating with IT audit

C.

Conducting vulnerability assessments

D.

Obtaining input from key stakeholders

Buy Now
Question # 435

Who should be PRIMARILY responsible for establishing an organization's IT risk culture?

Options:

A.

Business process owner

B.

Executive management

C.

Risk management

D.

IT management

Buy Now
Question # 436

Which of the following would require updates to an organization's IT risk register?

Options:

A.

Discovery of an ineffectively designed key IT control

B.

Management review of key risk indicators (KRls)

C.

Changes to the team responsible for maintaining the register

D.

Completion of the latest internal audit

Buy Now
Question # 437

Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?

Options:

A.

Customer database manager

B.

Customer data custodian

C.

Data privacy officer

D.

Audit committee

Buy Now
Question # 438

Which of the following is the MOST effective control to ensure user access is maintained on a least-privilege basis?

Options:

A.

User authorization

B.

User recertification

C.

Change log review

D.

Access log monitoring

Buy Now
Question # 439

Which of the following is the BEST indicator of an effective IT security awareness program?

Options:

A.

Decreased success rate of internal phishing tests

B.

Decreased number of reported security incidents

C.

Number of disciplinary actions issued for security violations

D.

Number of employees that complete security training

Buy Now
Question # 440

Which of the following is the BEST indication of a mature organizational risk culture?

Options:

A.

Corporate risk appetite is communicated to staff members.

B.

Risk owners understand and accept accountability for risk.

C.

Risk policy has been published and acknowledged by employees.

D.

Management encourages the reporting of policy breaches.

Buy Now
Question # 441

Which of the following is MOST important when considering risk in an enterprise risk management (ERM) process?

Options:

A.

Financial risk is given a higher priority.

B.

Risk with strategic impact is included.

C.

Security strategy is given a higher priority.

D.

Risk identified by industry benchmarking is included.

Buy Now
Question # 442

An organization practices the principle of least privilege. To ensure access remains appropriate, application owners should be required to review user access rights on a regular basis by obtaining:

Options:

A.

business purpose documentation and software license counts

B.

an access control matrix and approval from the user's manager

C.

documentation indicating the intended users of the application

D.

security logs to determine the cause of invalid login attempts

Buy Now
Question # 443

A business unit is implementing a data analytics platform to enhance its customer relationship management (CRM) system primarily to process data that has been provided by its customers. Which of the following presents the GREATEST risk to the organization's reputation?

Options:

A.

Third-party software is used for data analytics.

B.

Data usage exceeds individual consent.

C.

Revenue generated is not disclosed to customers.

D.

Use of a data analytics system is not disclosed to customers.

Buy Now
Question # 444

Which of the following is MOST important to have in place to ensure the effectiveness of risk and security metrics reporting?

Options:

A.

Organizational reporting process

B.

Incident reporting procedures

C.

Regularly scheduled audits

D.

Incident management policy

Buy Now
Question # 445

When reviewing a report on the performance of control processes, it is MOST important to verify whether the:

Options:

A.

business process objectives have been met.

B.

control adheres to regulatory standards.

C.

residual risk objectives have been achieved.

D.

control process is designed effectively.

Buy Now
Question # 446

Which of the following is MOST important for an organization to update following a change in legislation requiring notification to individuals impacted by data breaches?

Options:

A.

Insurance coverage

B.

Security awareness training

C.

Policies and standards

D.

Risk appetite and tolerance

Buy Now
Question # 447

Which of the following is the PRIMARY purpose of periodically reviewing an organization's risk profile?

Options:

A.

Align business objectives with risk appetite.

B.

Enable risk-based decision making.

C.

Design and implement risk response action plans.

D.

Update risk responses in the risk register

Buy Now
Question # 448

A vulnerability assessment of a vendor-supplied solution has revealed that the software is susceptible to cross-site scripting and SQL injection attacks. Which of the following will BEST mitigate this issue?

Options:

A.

Monitor the databases for abnormal activity

B.

Approve exception to allow the software to continue operating

C.

Require the software vendor to remediate the vulnerabilities

D.

Accept the risk and let the vendor run the software as is

Buy Now
Question # 449

Which of the following is the BEST way for an organization to enable risk treatment decisions?

Options:

A.

Allocate sufficient funds for risk remediation.

B.

Promote risk and security awareness.

C.

Establish clear accountability for risk.

D.

Develop comprehensive policies and standards.

Buy Now
Question # 450

Which of the following BEST enforces access control for an organization that uses multiple cloud technologies?

Options:

A.

Senior management support of cloud adoption strategies

B.

Creation of a cloud access risk management policy

C.

Adoption of a cloud access security broker (CASB) solution

D.

Expansion of security information and event management (SIEM) to cloud services

Buy Now
Question # 451

Which of the following will be MOST effective in uniquely identifying the originator of electronic transactions?

Options:

A.

Digital signature

B.

Edit checks

C.

Encryption

D.

Multifactor authentication

Buy Now
Question # 452

Which of the following is the PRIMARY objective of providing an aggregated view of IT risk to business management?

Options:

A.

To enable consistent data on risk to be obtained

B.

To allow for proper review of risk tolerance

C.

To identify dependencies for reporting risk

D.

To provide consistent and clear terminology

Buy Now
Question # 453

Which of the following is the MOST important consideration for protecting data assets m a Business application system?

Options:

A.

Application controls are aligned with data classification lutes

B.

Application users are periodically trained on proper data handling practices

C.

Encrypted communication is established between applications and data servers

D.

Offsite encrypted backups are automatically created by the application

Buy Now
Exam Code: CRISC
Exam Name: Certified in Risk and Information Systems Control
Last Update: Apr 2, 2025
Questions: 1575
CRISC pdf

CRISC PDF

$25.5  $84.99
CRISC Engine

CRISC Testing Engine

$28.5  $94.99
CRISC PDF + Engine

CRISC PDF + Testing Engine

$40.5  $134.99