Boost Your ISACA Exam Preparation with CRISC Practice Tests

Gain a competitive advantage with SPOTO's ISACA CRISC exam questions, designed to elevate your Certified in Risk and Information Systems Control (CRISC) certification journey. Dive into comprehensive exam questions and answers tailored to enhance your understanding of risk management, stakeholder value delivery, and business resilience optimization. With SPOTO's test questions and exam preparation materials, adopt a proactive approach based on Agile methodology to navigate complex risk landscapes effectively. Access valuable study materials and exam resources curated to help you pass successfully. Engage in realistic mock exams to simulate the exam environment and boost your confidence. Prepare with SPOTO and become a CRISC-certified professional equipped to drive risk management excellence and business success across your organization.
Question #1
Which of the following should be PRIMARILY considered while designing information systems controls?
A. The IT strategic plan
B. The existing IT environment
C. The organizational strategic plan
D. The present IT budget
Correct Answer: C
Question #2
Which of the following can be interpreted from a single data point on a risk heat map?
A. Risk appetite
B. Risk magnitude
C. Risk response
D. Risk tolerance
Correct Answer: B
Question #3
A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security. Which of the following observations would be MOST relevant to escalate to senior management?
A. An increase in attempted distributed denial of service (DDoS) attacks
B. An increase in attempted website phishing attacks
C. A decrease in remediated web security vulnerabilities
D. A decrease in achievement of service level agreements (SLAs)
Correct Answer: A
Question #4
Which of the following would be the BEST recommendation if the level of risk in the IT risk profile has decreased and is now below management’s risk appetite?
A. Decrease the number of related risk scenarios
B. Optimize the control environment
C. Realign risk appetite to the current risk level
D. Reduce the risk management budget
Correct Answer: B
Question #5
An organization must implement changes as the result of new regulations. Which of the following should the risk practitioner do FIRST to prepare for these changes?
A. Engage the legal department
B. Conduct a gap analysis
C. Implement compensating controls
D. Review the risk profile
Correct Answer: B
Question #6
You and your project team have identified a few risk events in the project and recorded the events in the risk register. Part of the recording of the events includes the identification of a risk owner. Who is a risk owner?
A. A risk owner is the party that will monitor the risk events
B. A risk owner is the party that will pay for the cost of the risk event if it becomes an issue
C. A risk owner is the party that has caused the risk event
D. A risk owner is the party authorized to respond to the risk event
Correct Answer: D
Question #7
When collecting information to identify IT-related risk, a risk practitioner should FIRST focus on IT:
A. Security policies
B. Process maps
C. Risk tolerance level
D. Risk appetite
Correct Answer: A
Question #8
Which of the following role carriers will decide the Key Risk Indicator of the enterprise? Each correct answer represents a part of the solution. Choose two.
A. Business leaders
B. Senior management
C. Human resource
D. Chief financial officer
Correct Answer: AB
Question #9
Which of the following BEST ensures that a firewall is configured in compliance with an enterprise's security policy?
A. Interview the firewall administrator
B. Review the actual procedures
C. Review the device's log file for recent attacks
D. Review the parameter settings
Correct Answer: D
Question #10
Which of the following is the greatest risk to reporting?
A. Integrity of data
B. Availability of data
C. Confidentiality of data
D. Reliability of data
Correct Answer: D
Question #11
Which of the following would MOST effectively enable a business operations manager to identify events exceeding risk thresholds?
A. A control self-assessment
B. Benchmarking against peers
C. Transaction logging
D. Continuous monitoring
Correct Answer: D
Question #12
Courtney is the project manager for her organization. She is working with the project team to complete the qualitative risk analysis for her project. During the analysis Courtney encourages the project team to begin grouping identified risks by common causes. What is the primary advantage of grouping risks by common causes during qualitative risk analysis?
A. It helps the project team realize the areas of the project most laden with risks
B. It assists in developing effective risk responses
C. It saves time by collecting the related resources, such as project team members, to analyze the risk events
D. It can lead to the creation of risk categories unique to each project
Correct Answer: B
Question #13
An organization wants to assess the maturity of its internal control environment. The FIRST step should be to:
A. Identify key process owners
B. Validate control process execution
C. Determine if controls are effective
D. Conduct a baseline assessment
Correct Answer: D
Question #14
You work as a project manager for Bluewell Inc. You have identified a project risk. You then implemented the risk action plan, and it turned out to be ineffective. What type of plan should you implement in such a case?
A. Risk mitigation
B. Risk fallback plan
C. Risk avoidance
D. Risk response plan
Correct Answer: B
Question #15
Which of the following is MOST important when developing key performance indicators (KPIs)?
A. Alignment to management reports
B. Alignment to risk responses
C. Alerts when risk thresholds are reached
D. Identification of trends
Correct Answer: D
Question #16
Who should be accountable for ensuring effective cybersecurity controls are established?
A. Security management function
B. Enterprise risk function
C. Risk owner
D. IT management
Correct Answer: C
Question #17
An organization has four different projects competing for funding to reduce overall IT risk. Which project should management defer?
A. Project Alpha
B. Project Bravo
C. Project Charlie
D. Project Delta
Correct Answer: C
Question #18
The PRIMARY objective of testing the effectiveness of a new control before implementation is to:
A. Comply with the organization’s policy
B. Ensure that risk is mitigated by the control
C. Confirm control alignment with business objectives
D. Measure efficiency of the control process
Correct Answer: D
Question #19
Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?
A. Utilize the change management process
B. Validate functionality by running in a test environment
C. Perform an in-depth code review with an expert
D. Implement a service level agreement
Correct Answer: C
Question #20
If preventive controls cannot be implemented due to technology limitations, which of the following should be done FIRST to reduce risk?
A. Redefine the business process to reduce the risk
B. Evaluate alternative controls
C. Develop a plan to upgrade technology
D. Define a process for monitoring risk
Correct Answer: B
Question #21
An interruption in business productivity is considered as which of the following risks?
A. It is a risk event that only has a negative side and not any positive result
B. It is a risk event that is created by the application of risk response
C. It is a risk event that is generated due to errors or omission in the project work
D. It is a risk event that cannot be avoided because of the order of the work
Correct Answer: B
Question #22
Which of the following are parts of SWOT Analysis? Each correct answer represents a complete solution. (Choose four.)
A. Report result
B. Prioritizing risks
C. Implement monitoring
D. Identifying controls
Correct Answer: ACDE
Question #23
Which of the following controls would BEST decrease exposure if a password is compromised?
A. Passwords have format restrictions
B. Passwords are masked
C. Password changes are mandated
D. Passwords are encrypted
Correct Answer: D
Question #24
FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization?
A. Annually
B. Quarterly
C. Every three years
D. Never
Correct Answer: A
Question #25
Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?
A. Develop risk awareness training
B. Monitor employee usage
C. Identify the potential risk
D. Assess the potential risk
Correct Answer: A
Question #26
An organization is considering modifying its system to enable acceptance of credit card payments. To reduce the risk of data exposure, which of the following should the organization do FIRST?
A. Implement additional controls
B. Conduct a risk assessment
C. Update the risk register
D. Update the security strategy
Correct Answer: B
Question #27
Which of the following approaches will BEST help to ensure the effectiveness of risk awareness training?
A. Reviewing content with senior management
B. Using reputable third-party training programs
C. Piloting courses with focus groups
D. Creating modules for targeted audiences
Correct Answer: D
Question #28
You are working in an enterprise. Your enterprise owns various risks. Which of the following is MOST likely to own the risk to an information system that supports a critical business process?
A. System users
B. Senior management
C. IT director
D. Risk management department
Correct Answer: B
Question #29
Which of the following would be an IT business owner’s BEST course of action following an unexpected increase in emergency changes?
A. Conducting a root-cause analysis
B. Validating the adequacy of current processes
C. Evaluating the impact to control objectives
D. Reconfiguring the IT infrastructure
Correct Answer: A
Question #30
A risk practitioner is organizing risk awareness training for senior management. Which of the following is the MOST important topic to cover in the training session?
A. Senior management allocation of risk management resources
B. Senior management roles and responsibilities
C. The organization’s strategic risk management projects
D. The organization’s risk appetite and tolerance
Correct Answer: B
Question #31
Which of the following is the BEST way to identify changes in the risk profile of an organization?
A. Monitor key risk indicators (KRIs)
B. Monitor key performance indicators (KPIs)
C. Conduct a gap analysis
D. Interview the risk owner
Correct Answer: C
Question #32
Which of the following vulnerability assessment software can check for weak passwords on the network?
A. Password cracker
B. Antivirus software
C. Anti-spyware software
D. Wireshark
Correct Answer: A
Question #33
Which of the following is an output of the risk assessment process?
A. Identification of risk
B. Identification of appropriate controls
C. Mitigated risk
D. Enterprise left with residual risk
Correct Answer: B
Question #34
Which of the following are the principles of risk management? Each correct answer represents a complete solution. Choose three.
A. Reliability
B. Sustainability
C. Consistency
D. Distinct
Correct Answer: ABD
Question #35
A control for mitigating risk in a key business area cannot be implemented immediately. Which of the following is the risk practitioner’s BEST course of action when a compensating control needs to be applied?
A. Record the risk as accepted in the risk register
B. Obtain the risk owner’s approval
C. Inform senior management
D. Update the risk response plan
Correct Answer: B
Question #36
John works as a project manager for BlueWell Inc. He is determining which risks can affect the project. Which of the following inputs of the identify risks process is useful in identifying risks associated with the time allowances for the activities or the project as a whole, with the width of the range indicating the degree of risk?
A. Activity duration estimates
B. Activity cost estimates
C. Risk management plan
D. Schedule management plan
Correct Answer: A
Question #37
An organization has outsourced its IT security management function to an external service provider. The BEST party to own the IT security controls under this arrangement is the:
A. Organization’s risk function
B. Service provider’s audit function
C. Organization’s IT management
D. Service provider’s IT security function
Correct Answer: A
Question #38
You are the project manager for Bluewell Inc. You are studying the documentation of the project plan. The documentation states that there are twenty-five stakeholders with the project. What will be the number of communication channels for the project?
A. 0
B. 00
C. 0
D. 00
Correct Answer: D
Question #39
Controls should be defined during the design phase of system development because:
A. Technical specifications are defined during this phase
B. Structured programming techniques require that controls be designed before coding begins
C. It's more cost-effective to determine controls in the early design phase
D. Structured analysis techniques exclude identification of controls
Correct Answer: B
Question #40
During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:
A. A control mitigation plan is in place
B. Residual risk is accepted
C. Compensating controls are in place
D. Risk management is effective
Correct Answer: A
Question #41
When a risk cannot be sufficiently mitigated through manual or automatic controls, which of the following options will BEST protect the enterprise from the potential financial impact of the risk?
A. Updating the IT risk registry
B. Insuring against the risk
C. Outsourcing the related business process to a third party
D. Improving staff training in the risk area
Correct Answer: B
Question #42
Which of the following is the PRIMARY purpose of periodically reviewing an organization’s risk profile?
A. Design and implement risk response action plans
B. Align business objectives with risk appetite
C. Enable risk-based decision making
D. Update risk responses in the risk register
Correct Answer: C
Question #43
During qualitative risk analysis you want to define the risk urgency assessment. All of the following are indicators of risk priority except for which one?
A. Warning signs
B. Symptoms
C. Risk rating
D. Cost of the project
Correct Answer: D
Question #44
A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable?
A. Chief risk officer (CRO)
B. Business continuity manager (BCM)
C. Human resources manager (HRM)
D. Chief information officer (CIO)
Correct Answer: D
Question #45
Which of the following is MOST useful when communicating risk to management?
A. Risk policy
B. Risk map
C. Maturity model
D. Audit report
Correct Answer: B
Question #46
The only output of qualitative risk analysis is risk register updates. When the project manager updates the risk register he will need to include several pieces of information including all of the following except for which one?
A. Trends in qualitative risk analysis
B. Risk probability-impact matrix
C. Risks grouped by categories
D. Watchlist of low-priority risks
Correct Answer: B
Question #47
You work as a project manager for BlueWell Inc. Your project is using a new material to construct a large warehouse in your city. This new material is cheaper than traditional building materials, but it takes some time to learn how to use the material properly. You have communicated to the project stakeholders that you will be able to save costs by using the new material, but you will need a few extra weeks to complete training to use the materials. This risk response of learning how to use the new material
A. n quality of work
B. n ease of access
C. n profession
D. n independence
Correct Answer: C
Question #48
Which of the following BEST describes the role of the IT risk profile in strategic IT-related decisions?
A. It compares performance levels of IT assets to value delivered
B. It provides input to business managers when preparing a business case for new IT projects
C. It facilitates the alignment of strategic IT objectives to business objectives
D. It helps assess the effects of IT decisions on risk exposure
Correct Answer: B
Question #49
Your project spans the entire organization. You would like to assess the risk of your project but are worried that some of the managers involved in the project could affect the outcome of any risk identification meeting. Your concern is based on the fact that some employees would not want to publicly identify risk events that could make their supervision look poor. You would like a method that would allow participants to anonymously identify risk events. What risk identification method could you use?
A. Delphi technique
B. Root cause analysis
C. Isolated pilot groups
D. SWOT analysis
Correct Answer: A
Question #50
The number of tickets to rework application code has significantly exceeded the established threshold. Which of the following would be the risk practitioner’s BEST recommendation?
A. Implement training on coding best practices
B. Perform a code review
C. Perform a root cause analysis
D. Implement version control software
Correct Answer: B
Question #51
You are elected as the project manager of the GHT project. You are in the project initialization phase and are busy defining requirements for your project. While defining requirements you are describing how users will interact with a system. Which of the following requirements are you defining here?
A. Organizational levels
B. Risk components
C. Strategic objectives
D. Risk objectives
Correct Answer: C
Question #52
An IT department has organized training sessions to improve user awareness of organizational information security policies. Which of the following is the BEST key performance indicator (KPI) to reflect effectiveness of the training?
A. Number of training sessions completed
B. Percentage of staff members who complete the training with a passing score
C. Percentage of attendees versus total staff
D. Percentage of staff members who attend the training with positive feedback
Correct Answer: C
Question #53
What is the MAIN purpose of designing risk management programs?
A. To reduce the risk to a level that the enterprise is willing to accept
B. To reduce the risk to the point at which the benefit exceeds the expense
C. To reduce the risk to a level that is too small to be measurable
D. To reduce the risk to a rate of return that equals the current cost of capital
Correct Answer: A
Question #54
A risk practitioner has populated the risk register with industry-based generic risk scenarios to be further assessed by risk owners. Which of the following is the GREATEST concern with this approach?
A. Risk scenarios in the generic list may not help in building risk awareness
B. Risk scenarios that are not relevant to the organization may be assessed
C. Developing complex risk scenarios using the generic list will be difficult
D. Relevant risk scenarios that do not appear in the generic list may not be assessed
Correct Answer: B
Question #55
Natural disaster is BEST associated with which of the following types of risk?
A. Internal accounting control
B. Detective control
C. Administrative control
D. Operational control
Correct Answer: C
Question #56
Following a significant change to a business process, a risk practitioner believes the associated risk has been reduced. The risk practitioner should advise the risk owner to FIRST:
A. Reallocate risk response resources
B. Review the key risk indicators
C. Conduct a risk analysis
D. Update the risk register
Correct Answer: C
Question #57
You are the project manager of the NHH Project. You are working with the project team to create a plan to document the procedures to manage risks throughout the project. This document will define how risks will be identified and quantified. It will also define how contingency plans will be implemented by the project team. What document are you and your team creating in this scenario?
A. Project plan
B. Resource management plan
C. Project management plan
D. Risk management plan
Correct Answer: D
Question #58
Which of the following is the BEST method to ensure a terminated employee’s access to IT systems is revoked upon departure from the organization?
A. Login attempts are reconciled to a list of terminated employees
B. A process to remove employee access during the exit interview is implemented
C. The human resources (HR) system automatically revokes system access
D. A list of terminated employees is generated for reconciliation against current IT access
Correct Answer: D
Question #59
Which of the following is the BEST indicator of the effectiveness of IT risk management processes?
A. Time between when IT risk scenarios are identified and the enterprise’s response
B. Percentage of business users completing risk training
C. Percentage of high-risk scenarios for which risk action plans have been developed
D. Number of key risk indicators (KRIs) defined
Correct Answer: C
Question #60
Which of the following approaches would BEST help to identify relevant risk scenarios?
A. Engage line management in risk assessment workshops
B. Escalate the situation to risk leadership
C. Engage internal audit for risk assessment workshops
D. Review system and process documentation
Correct Answer: A
Question #62
All business units within an organization have the same risk response plan for creating local disaster recovery plans. In an effort to achieve cost effectiveness, the BEST course of action would be to:
A. Outsource disaster recovery to an external provider
B. Select a provider to standardize the disaster recovery plans
C. Evaluate opportunities to combine disaster recovery plans
D. Centralize the risk response function at the enterprise level
Correct Answer: C
Question #63
During testing, a risk practitioner finds the IT department’s recovery time objective (RTO) for a key system does not align with the enterprise’s business continuity plan (BCP). Which of the following should be done NEXT?
A. Complete a risk exception form
B. Report the gap to senior management
C. Consult with the business owner to update the BCP
D. Consult with the IT department to update the RTO
Correct Answer: B
Question #64
An IT license audit has revealed that there are several unlicensed copies of commercial applications installed on company laptops. The risk practitioner’s BEST course of action would be to:
A. Immediately uninstall the unlicensed software from the laptops
B. Procure the requisite licenses for the software to minimize business impact
C. Report the issue to management so appropriate action can be taken
D. Centralize administration rights on laptops so that installations are controlled
Correct Answer: D
Question #65
A rule-based data loss prevention (DLP) tool has recently been implemented to reduce the risk of sensitive data leakage. Which of the following is MOST likely to change as a result of this implementation?
A. Risk velocity
B. Risk impact
C. Risk likelihood
D. Risk appetite
Correct Answer: B
Question #66
Which of the following BEST enables the risk profile to serve as an effective resource to support business objectives?
A. Updating the risk profile with risk assessment results
B. Assigning quantitative values to qualitative metrics in the risk register
C. Engaging external risk professionals to periodically review the risk
D. Prioritizing global standards over local requirements in the risk profile
Correct Answer: B
Question #67
Which of the following would require updates to an organization’s IT risk register?
A. Discovery of an ineffectively designed key IT control
B. Management review of key risk indicators (KRIs)
C. Changes to the team responsible for maintaining the register
D. Completion of the latest internal audit
Correct Answer: A
Question #68
Which of the following is true for Single loss expectancy (SLE), Annual rate of occurrence (ARO), and Annual loss expectancy (ALE)?
A. ALE = ARO/SLE
B. ARO = SLE/ALE
C. ARO = ALE*SLE
D. ALE = ARO*SLE
Correct Answer: D
Question #69
Which of the following is a PRIMARY benefit of engaging the risk owner during the risk assessment process?
A. Accurate measurement of loss impact
B. Early detection of emerging threats
C. Identification of control gaps that may lead to noncompliance
D. Prioritization of risk action plans across departments
Correct Answer: A
Question #70
Which of the following would be MOST helpful when estimating the likelihood of negative events?
A. Business impact analysis
B. Cost-benefit analysis
C. Risk response analysis
D. Threat analysis
Correct Answer: D
Question #71
You are the project manager of the GHT project. You are performing a cost and benefit analysis of controls. You find that the costs of specific controls exceed the benefits of mitigating a given risk. Which is the BEST action to choose in this scenario?
A. The enterprise may apply the appropriate control anyway
B. The enterprise should adopt corrective control
C. The enterprise may choose to accept the risk rather than incur the cost of mitigation
D. The enterprise should exploit the risk
Correct Answer: C
Question #72
Which of the following is the GREATEST benefit of analyzing logs collected from different systems?
A. Developing threats are detected earlier
B. Forensic investigations are facilitated
C. Security violations can be identified
D. A record of incidents is maintained
Correct Answer: D
Question #73
Risks with low ratings of probability and impact are included for future monitoring in which of the following?
A. Risk alarm
B. Observation list
C. Watch-list
D. Risk register
Correct Answer: C
Question #74
You are the project manager of the GHT project. You have identified a risk event on your project that could save $100,000 in project costs if it occurs. Which of the following statements BEST describes this risk event?
A. This risk event should be mitigated to take advantage of the savings
B. This is a risk event that should be accepted because the rewards outweigh the threat to the project
C. This risk event should be avoided to take full advantage of the potential savings
D. This risk event is an opportunity to the project and should be exploited
Correct Answer: D
Question #75
A risk assessment has identified that departments have installed their own WiFi access points on the enterprise network. Which of the following would be MOST important to include in a report to senior management?
A. Planned remediation actions
B. The network security policy
C. The WiFi access point configuration
D. Potential business impact
Correct Answer: D
Question #76
You work as a project manager for BlueWell Inc. Management has asked you to work with the key project stakeholder to analyze the risk events you have identified in the project. They would like you to analyze the project risks with a goal of improving the project's performance as a whole. What approach can you use to achieve this goal of improving the project's performance through risk analysis with your project stakeholders?
A. Project risks are uncertain as to when they will happen
B. Risks can happen at any time in the project
C. Project risks are always in the future
D. Risk triggers are warning signs of when the risks will happen
Correct Answer: D
Question #77
Which of the following is MOST effective against external threats to an organization’s confidential information?
A. Single sign-on
B. Strong authentication
C. Data integrity checking
D. Intrusion detection system
Correct Answer: D
Question #78
Who is the BEST authority to develop the priorities and identify what risks and impacts would occur if there were loss of the organization's private information?
A. External regulatory agencies
B. Internal auditor
C. Business process owners
D. Security management
Correct Answer: D
Question #79
Which of the following is the MOST important reason to maintain key risk indicators (KRIs)?
A. In order to avoid risk
B. Complex metrics require fine-tuning
C. Risk reports need to be timely
D. Threats and vulnerabilities change over time
Correct Answer: D
Question #80
The analysis of which of the following will BEST help validate whether suspicious network activity is malicious?
A. Intrusion detection system (IDS) rules
B. Penetration test reports
C. Vulnerability assessment reports
D. Logs and system events
Correct Answer: D
Question #81
Which of the following statements is NOT true regarding the risk management plan?
A. The risk management plan is an output of the Plan Risk Management process
B. The risk management plan is an input to all the remaining risk-planning processes
C. The risk management plan includes a description of the risk responses and triggers
D. The risk management plan includes thresholds, scoring and interpretation methods, responsible parties, and budgets
Correct Answer: C
Question #82
John is the project manager of the HGH Project for his company. He and his project team have agreed that if the vendor is late by more than ten days they will cancel the order and hire the NBG Company to fulfill the order. The NBG Company can guarantee orders within three days, but the costs of their products are significantly higher than the current vendor's. What type of response does John adopt here?
A. Contingent response strategy
B. Risk avoidance
C. Risk mitigation
D. Expert judgment
Correct Answer: A
Question #83
After the implementation of Internet of Things (IoT) devices, new risk scenarios were identified. What is the PRIMARY reason to report this information to risk owners?
A. To reevaluate continued use of IoT devices
B. To recommend changes to the IoT policy
C. To confirm the impact to the risk profile
D. To add new controls to mitigate the risk
Correct Answer: D
Question #84
When an organization’s disaster recovery plan has a reciprocal agreement, which of the following risk treatment options is being applied?
A. Transfer
B. Avoidance
C. Acceptance
D. Mitigation
Correct Answer: D
Question #85
A business unit has decided to accept the risk of implementing an off-the-shelf, commercial software package that uses weak password controls. The BEST course of action would be to:
A. Obtain management approval for policy exception
B. Continue the implementation with no changes
C. Develop an improved password software routine
D. Select another application with strong password controls
Correct Answer: C
Question #86
You are the project manager of your project. You have to analyze various project risks. You have opted for quantitative analysis instead of qualitative risk analysis. What is the MOST significant drawback of using quantitative analysis over qualitative risk analysis?
A. Lower objectivity
B. Higher cost
C. Higher reliance on skilled personnel
D. Lower management buy-in
Correct Answer: B
Question #87
Which of the following is the MOST important factor affecting risk management in an organization?
A. The risk manager’s expertise
B. Regulatory requirements
C. Board of directors’ expertise
D. The organization’s culture
Correct Answer: D
Question #88
A PRIMARY advantage of involving business management in evaluating and managing risk is that management:
A. Can make better informed business decisions
B. Better understands the system architecture
C. Can balance technical and business risk
D. Is more objective than risk management
Correct Answer: A
Question #89
A risk practitioner’s PRIMARY focus when validating a risk response action plan should be that risk response:
A. Advances business objectives
B. Quantifies risk impact
C. Reduces risk to an acceptable level
D. Aligns with business strategy
Correct Answer: D
Question #90
To reduce the risk introduced when conducting penetration tests, the BEST mitigating control would be to:
A. Clearly define the project scope
B. Perform background checks on the vendor
C. Notify network administrators before testing
D. Require the vendor to sign a nondisclosure agreement
Correct Answer: A
Question #91
Which of the following is a detective control?
A. Limit check
B. Access control software
C. Periodic access review
D. Rerun procedures
Correct Answer: D
Question #92
Which of the following is NOT a method of qualitative risk analysis?
A. Scorecards
B. Attribute analysis
C. Likelihood-impact matrix
D. Business process modeling (BPM) and simulation
Correct Answer: D
Question #93
The risk associated with a high-risk vulnerability in an application is owned by the:
A. Security department
B. Vendor
C. Business unit
D. IT department
Correct Answer: C
Question #94
Which of the following would present the GREATEST challenge when assigning accountability for control ownership?
A. Unclear reporting relationships
B. Weak governance structures
C. Senior management scrutiny
D. Complex regulatory environment
Correct Answer: A
Question #95
You are the project manager of the GHT project. Your project utilizes a machine for the production of goods. The machine's specification states that if its temperature rises above 450 degrees Fahrenheit, the windings may burn. So there is an alarm that sounds when the machine's temperature reaches 430 degrees Fahrenheit, and the machine is shut off for 1 hour. What role does the alarm play here?
A. Of risk indicator
B. Of risk identification
C. Of risk trigger
D. Of risk response
Correct Answer: A
Question #96
What are the functions of audit and accountability control? Each correct answer represents a complete solution. (Choose three.)
A. Risk level increases above risk appetite
B. Risk level increases above risk tolerance
C. Risk level equates risk appetite
D. Risk level equates the risk tolerance
Correct Answer: ACD
Question #97
An organization maintains independent departmental risk registers that are not automatically aggregated. Which of the following is the GREATEST concern?
A. Resources may be inefficiently allocated
B. Management may be unable to accurately evaluate the risk profile
C. Multiple risk treatment efforts may be initiated to treat a given risk
D. The same risk factor may be identified in multiple areas
Correct Answer: B
Question #98
Which of the following is the HIGHEST risk of a policy that inadequately defines data and system ownership?
A. User management coordination does not exist
B. Audit recommendations may not be implemented
C. Users may have unauthorized access to originate, modify or delete data
D. Specific user accountability cannot be established
Correct Answer: C
Question #99
Which of the following controls will BEST detect unauthorized modification of data by a database administrator?
A. Reviewing database access rights
B. Reviewing changes to edit checks
C. Comparing data to input records
D. Reviewing database activity logs
Correct Answer: C
Question #100
Where are all risks and risk responses documented as the project progresses?
A. Risk management plan
B. Project management plan
C. Risk response plan
D. Risk register
Correct Answer: D
Question #101
How can residual risk be determined?
A. By determining remaining vulnerabilities after countermeasures are in place
B. By transferring all risks
C. By threat analysis
D. By risk assessment
Correct Answer: D
Question #102
You are the project manager of your enterprise. You have introduced an intrusion detection system for the control. You have identified a warning of violation of security policies of your enterprise. What type of control is an intrusion detection system (IDS)?
A. Detective
B. Corrective
C. Preventative
D. Recovery
Correct Answer: A
Question #103
You are the risk official in Techmart Inc. You are asked to perform a risk assessment on the impact of losing network connectivity for 1 day. Which of the following factors would you include?
A. Aggregate compensation of all affected business users
B. Hourly billing rate charged by the carrier
C. Value that the enterprise gets from transferring data over the network
D. Financial losses incurred by affected business units
Correct Answer: D
Question #104
Which of the following is the MOST important reason to maintain key risk indicators (KRIs)?
A. In order to avoid risk
B. Complex metrics require fine-tuning
C. Risk reports need to be timely
D. Threats and vulnerabilities change over time
Correct Answer: D
Question #105
Which of the following would be MOST useful when measuring the progress of a risk response action plan?
A. Resource expenditure against budget
B. An up-to-date risk register
C. Percentage of mitigated risk scenarios
D. Annual loss expectancy (ALE) changes
Correct Answer: C
Question #106
The MAIN purpose of having a documented risk profile is to:
A. Enable well-informed decision making
B. Comply with external and internal requirements
C. Keep the risk register up-to-date
D. Prioritize investment projects
Correct Answer: A
Question #107
When developing a new risk register, a risk practitioner should focus on which of the following risk management activities?
A. Risk response planning
B. Risk identification
C. Risk monitoring and control
D. Risk management strategy planning
Correct Answer: C
Question #108
You work as the project manager for Bluewell Inc. Your project has several risks that will affect several stakeholder requirements. Which project management plan will define who will be available to share information on the project risks?
A. Resource Management Plan
B. Risk Management Plan
C. Stakeholder management strategy
D. Communications Management Plan
Correct Answer: D
Question #109
Which of the following changes would be reflected in an organization’s risk profile after the failure of a critical patch implementation?
A. Inherent risk is increased
B. Risk tolerance is decreased
C. Risk appetite is decreased
D. Residual risk is increased
Correct Answer: D
Question #110
When evaluating enterprise IT risk management, it is MOST important to:
A. Create new control processes to reduce identified IT risk scenarios
B. Review alignment with the organization’s investment plan
C. Report identified IT risk scenarios to senior management
D. Confirm the organization’s risk appetite and tolerance
Correct Answer: B
Question #111
You work as a Project Manager for Company Inc. You are incorporating a risk response owner to take the job for each agreed-to and funded risk response. On which of the following processes are you working?
A. Quantitative Risk Analysis
B. Identify Risks
C. Plan risk response
D. Qualitative Risk Analysis
Correct Answer: C
Question #112
Which of the following serves as the authorization for a project to begin?
A. Approval of project management plan
B. Approval of a risk response document
C. Approval of risk management document
D. Approval of a project request document
Correct Answer: D
Question #113
You are the project manager of the NHQ project in Bluewell Inc. The project has an asset valued at $200,000 and is subjected to an exposure factor of 45 percent. If the annual rate of occurrence of loss in this project is once a month, then what will be the Annual Loss Expectancy (ALE) of the project?
A. $2,160,000
B. $95,000
C. $108,000
D. $90,000
Correct Answer: C
Question #114
Which of the following would BEST help an enterprise prioritize risk scenarios?
A. Industry best practices
B. Degree of variances in the risk
C. Cost of risk mitigation
D. Placement on the risk map
Correct Answer: D
Question #115
Which of the following should be of MOST concern to a risk practitioner reviewing findings from a recent audit of an organization’s data center?
A. Ownership of an audit finding has not been assigned
B. The data center is not fully redundant
C. Audit findings were not communicated to senior management
D. Key risk indicators (KRIs) for the data center do not include critical components
Correct Answer: C
Question #116
IT stakeholders have asked a risk practitioner for IT risk profile reports associated with specific departments to allocate resources for risk mitigation. The BEST way to address this request would be to use:
A. Historical risk assessments
B. Key risk indicators (KRIs)
C. The cost associated with each control
D. Information from the risk register
Correct Answer: A
Question #117
Mortality tables are based on what mathematical activity? Each correct answer represents a complete solution. Choose three.
A. Transference
B. Mitigation
C. Acceptance
D. Avoidance
Correct Answer: ABD
Question #118
Jane is the project manager of the NHJ Project for her company. She has identified several positive risk events within her project and she thinks these events can save the project time and money. Positive risk events such as these within the NHJ Project are referred to as?
A. Contingency risks
B. Benefits
C. Residual risk
D. Opportunities
Correct Answer: D
Question #119
Which of the following would provide executive management with the BEST information to make risk decisions as a result of a risk assessment?
A. A quantitative presentation of risk assessment results
B. A qualitative presentation of risk assessment results
C. A comparison of risk assessment results to the desired state
D. An assessment of organizational maturity levels and readiness
Correct Answer: A
Question #120
Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?
A. Implement segregation of duties
B. Enforce an internal data access policy
C. Enforce the use of digital signatures
D. Apply single sign-on for access control
Correct Answer: D
Question #121
Which of the following are external risk factors? Each correct answer represents a complete solution. Choose three.
A. Exploit
B. Avoid
C. Mitigate
D. Transfer
Correct Answer: AD
Question #122
You are the project manager of the GHT project. You have initiated the project and conducted the feasibility study. What results would you get after conducting the feasibility study? Each correct answer represents a complete solution. (Choose two.)
A. Stakeholder identification
B. Vendor selection process
C. Quality baseline
D. Process improvement plan
Correct Answer: AD
Question #123
You work as a project manager for BlueWell Inc. You are involved with the project team on the different risk issues in your project. You are applying the IRGC model to facilitate the understanding and management of emerging overall risks that have impacts on the economy and society. One of your team members wants to know what the need to use the IRGC is. What will be your reply?
A. Technical requirement
B. Project requirement
C. Functional requirement
D. Business requirement
Correct Answer: A
Question #124
What activity should be done for effective post-implementation reviews during the project?
A. Establish the business measurements up front
B. Allow a sufficient number of business cycles to be executed in the new system
C. Identify the information collected during each stage of the project
D. Identify the information to be reviewed
Correct Answer: A
Question #125
Mary is a project manager in her organization. On her current project she is working with her project team and other key stakeholders to identify the risks within the project. She is currently aiming to create a comprehensive list of project risks so she is using a facilitator to help generate ideas about project risks. What risk identification method is Mary likely using?
A. Delphi Techniques
B. Expert judgment
C. Brainstorming
D. Checklist analysis
Correct Answer: C
Question #126
You work as a project manager for BlueWell Inc. You are about to complete the quantitative risk analysis process for your project. You can use three available tools and techniques to complete this process. Which one of the following is NOT a tool or technique that is appropriate for the quantitative risk analysis process?
A. Data gathering and representation techniques
B. Expert judgment
C. Quantitative risk analysis and modeling techniques
D. Organizational process assets
Correct Answer: D
Question #127
Who is BEST suited to determine whether a new control properly mitigates data loss risk within a system?
A. Control owner
B. Risk owner
C. Data owner
D. System owner
Correct Answer: D
Question #128
You are the Risk Official in Bluewell Inc. You have detected many vulnerabilities during the risk assessment process. What should you do next?
A. Prioritize vulnerabilities for remediation solely based on impact
B. Handle vulnerabilities as a risk, even though there is no threat
C. Analyze the effectiveness of controls on the basis of the vulnerabilities
D. Evaluate vulnerabilities for threat, impact, and cost of mitigation
Correct Answer: D
Question #129
You are the project manager of GHT project. Your hardware vendor left you a voicemail saying that the delivery of the equipment you have ordered would not arrive on time. You identified a risk response strategy for this risk and have arranged for a local company to lease you the needed equipment until yours arrives. This is an example of which risk response strategy?
A. Avoid
B. Transfer
C. Acceptance
D. Mitigate
Correct Answer: D
Question #130
Which of the following processes is described in the statement below? "It is the process of exchanging information and views about risks among stakeholders, such as groups, individuals, and institutions."
A. Risk governance
B. IRGC
C. Risk response planning
D. Risk communication
Correct Answer: D
Question #131
Which of the following control audits is performed to assess the efficiency of productivity in the operations environment?
A. Project risk management has been concluded with the project planning
B. Project risk management happens at every milestone
C. Project risk management is scheduled for every month in the 18-month project
D. At every status meeting of the project team, project risk management is an agenda item
Correct Answer: C
Question #132
Malicious code protection is which type of control?
A. Configuration management control
B. System and information integrity control
C. Media protection control
D. Personal security control
Correct Answer: B
Question #133
Which negative risk response usually has a contractual agreement?
A. Sharing
B. Transference
C. Mitigation
D. Exploiting
Correct Answer: B
Question #134
Risk mitigation procedures should include:
A. Buying an insurance policy
B. Acceptance of exposures
C. Deployment of countermeasures
D. Enterprise architecture implementation
Correct Answer: C
Question #135
You are the project manager of the GHT project. You identified a risk of noncompliance with regulations due to a number of missing, relatively simple procedures. The response requires creating the missing procedures and implementing them. In which of the following risk response prioritization categories should this case be placed?
A. Business case to be made
B. Quick win
C. Risk avoidance
D. Deferrals
Correct Answer: B
Question #136
Which of the following will BEST support management reporting on risk?
A. A risk register
B. Key performance indicators
C. Control self-assessment
D. Risk policy requirements
Correct Answer: B
Question #137
What are the requirements of monitoring risk? Each correct answer represents a part of the solution. Choose three.
A. Risk transfer
B. Risk acceptance
C. Risk avoidance
D. Risk mitigation
Correct Answer: BCD
Question #138
A risk practitioner observes that hardware failure incidents have been increasing over the last few months. However, due to built-in redundancy and fault-tolerant architecture, there have been no interruptions to business operations. The risk practitioner should conclude that:
A. No action is required as there was no impact
B. A root cause analysis is required
C. Hardware needs to be upgraded
D. Controls are effective for ensuring continuity
Correct Answer: D
Question #139
An organization has recently hired a large number of part-time employees. During the annual audit, it was discovered that many user IDs and passwords were documented in procedure manuals for use by the part-time employees. This situation would be considered:
A. A risk
B. An incident
C. A threat
D. A vulnerability
Correct Answer: D
Question #140
Which of the following activities would BEST contribute to promoting an organization-wide risk-aware culture?
A. Communicating components of risk and their acceptable levels
B. Performing a benchmark analysis and evaluating gaps
C. Participating in peer reviews and implementing best practices
D. Conducting risk assessments and implementing controls
Correct Answer: D
Question #141
Which of the following processes is described in the statement below? "It is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project."
A. Perform Quantitative Risk Analysis
B. Monitor and Control Risks
C. Identify Risks
D. Perform Qualitative Risk Analysis
Correct Answer: B
Question #142
Which of the following come under the phases of risk identification and evaluation? Each correct answer represents a complete solution. Choose three.
A. End node
B. Root node
C. Event node
D. Decision node
Correct Answer: ABC
Question #143
Suppose you are working in Company Inc. and you are using risk scenarios for estimating the likelihood and impact of the significant risks to this organization. Which of the following assessments are you doing?
A. IT security assessment
B. IT audit
C. Threat and vulnerability assessment
D. Risk assessment
Correct Answer: C
Question #144
Which of the following is NOT indirect information?
A. Information about the propriety of cutoff
B. Reports that show orders that were rejected for credit limitations
C. Reports that provide information about any unusual deviations and individual product margins
D. The lack of any significant differences between perpetual levels and actual levels of goods
Correct Answer: A
Question #145
Senior management has asked a risk practitioner to develop technical risk scenarios related to a recently developed enterprise resource planning (ERP) system. These scenarios will be owned by the system manager. Which of the following would be the BEST method to use when developing the scenarios?
A. Bottom-up approach
B. Cause-and-effect diagram
C. Top-down approach
D. Delphi technique
Correct Answer: D
Question #146
Which of the following controls is an example of a non-technical control?
A. Access control
B. Physical security
C. Intrusion detection system
D. Encryption
Correct Answer: B
Question #147
A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:
A. Identifying risk mitigation controls
B. Documenting the risk scenarios
C. Validating the risk scenarios
D. Updating the risk register
Correct Answer: C
Question #148
You are the project manager of the GHT project. A stakeholder of this project has submitted a change request. What should you do as the project manager in order to approve this change request? Each correct answer represents a complete solution. Choose two.
A. Short-term
B. Long-term
C. Discontinuous
D. Large impact
Correct Answer: AC
Question #149
Which among the following is the BEST reason for defining a risk response?
A. To eliminate risk from the enterprise
B. To ensure that the residual risk is within the limits of the risk appetite and tolerance
C. To provide an overview of the current status of risk
D. To mitigate risk
Correct Answer: B
Question #150
You are the program manager for your organization and you are working with Alice, a project manager in your program. Alice calls you and insists that you add a change to the program scope. You agree to the change. What must Alice do to move forward with her change request?
A. Add the change to the program scope herself, as she is a project manager
B. Create a change request charter justifying the change request
C. Document the change request in a change request form
D. Add the change request to the scope and complete integrated change control
Correct Answer: C
Question #151
What are the functions of the auditor while analyzing risk? Each correct answer represents a complete solution. Choose three.
A. Cost change control system
B. Configuration management system
C. Scope change control system
D. Integrated change control
Correct Answer: ACD
Question #152
You are the risk official in Bluewell Inc. You are supposed to prioritize several risks. A risk has ratings for occurrence, severity, and detection of 4, 5, and 6, respectively. What Risk Priority Number (RPN) would you give it?
A. 120
B. 100
C. 15
D. 30
Correct Answer: A
Question #153
When it appears that a project risk is going to happen, what is this term called?
A. Currency with changing legislative requirements
B. Number of employees
C. Complexity of the organizational structure
D. Cultural differences between physical locations
Correct Answer: C
Question #154
While defining the risk management strategies, what are the major parts to be determined first? Each correct answer represents a part of the solution. Choose two.
A. Bias towards risk in new resources
B. Risk probability and impact matrixes
C. Uncertainty in values such as duration of schedule activities
D. Risk identification
Correct Answer: BC
Question #155
Which of the following is NOT true for effective risk communication?
A. Risk information must be known and understood by all stakeholders
B. Use of technical terms of risk
C. Any communication on risk must be relevant
D. For each risk, critical moments exist between its origination and its potential business consequence
Correct Answer: B
Question #156
Which of the following is true for risk management frameworks, standards and practices? Each correct answer represents a part of the solution. Choose three.
A. Reporting risk
B. Operational risk
C. Legal risk
D. Strategic risk
Correct Answer: ACD
Question #157
Which of the following controls focuses on operational efficiency in a functional area while adhering to management policies?
A. Key risk indicators
B. Capability maturity models
C. Key performance indicators
D. Metric thresholds
Correct Answer: C
Question #158
Capability maturity models are the models that are used by the enterprise to rate itself in terms of the least mature level to the most mature level. Which of the following capability maturity levels shows that the enterprise does not recognize the need to consider the risk management or the business impact from IT risk?
A. Level 2
B. Level 0
C. Level 3
D. Level 1
Correct Answer: B
Question #159
You are the project manager of your enterprise. While performing risk management, you are given a task to identify where your enterprise stands in certain practice and also to suggest the priorities for improvements. Which of the following models would you use to accomplish this task?
A. Capability maturity model
B. Decision tree model
C. Fishbone model
D. Simulation tree model
Correct Answer: A
Question #160
Which of the following is described by the definition given below? "It is the expected guaranteed value of taking a risk."
A. Certainty equivalent value
B. Risk premium
C. Risk value guarantee
D. Certain value assurance
Correct Answer: A
Question #161
An IT risk practitioner has determined that mitigation activities differ from an approved risk action plan. Which of the following is the risk practitioner’s BEST course of action?
A. Revert the implemented mitigation measures until approval is obtained
B. Validate the adequacy of the implemented risk mitigation measures
C. Report the observation to the chief risk officer (CRO)
D. Update the risk register with the implemented risk mitigation actions
Correct Answer: B
Question #162
What is the GREATEST concern with maintaining decentralized risk registers instead of a consolidated risk register?
A. Aggregated risk may exceed the enterprise’s risk appetite and tolerance
B. Duplicate resources may be used to manage risk registers
C. Standardization of risk management practices may be difficult to enforce
D. Risk analysis may be inconsistent due to non-uniform impact and likelihood scales
Correct Answer: D
Question #163
Which of the following are the principles of access controls? Each correct answer represents a complete solution. Choose three.
A. Risk reports need to be timely
B. Complex metrics require fine-tuning
C. Threats and vulnerabilities change over time
D. They help to avoid risk
Correct Answer: ABD
Question #164
According to Section 302 of the Sarbanes-Oxley Act of 2002, what does certification of reports imply? Each correct answer represents a complete solution. Choose three.
A. Risk management
B. Risk response integration
C. Risk response implementation
D. Risk response tracking
Correct Answer: BCD
Question #165
Which of the following is MOST important to the effectiveness of key performance indicators (KPIs)?
A. Management approval
B. Automation
C. Annual review
D. Relevance
Correct Answer: B
Question #166
Which one of the following is the only output for the qualitative risk analysis process?
A. Project management plan
B. Risk register updates
C. Organizational process assets
D. Enterprise environmental factors
Correct Answer: B
Question #167
Which of the following BEST enables the identification of trends in risk levels?
A. Measurements for key risk indicators (KRIs) are repeatable
B. Qualitative definitions for key risk indicators (KRIs) are used
C. Quantitative measurements are used for key risk indicators (KRIs)
D. Correlation between risk levels and key risk indicators (KRIs) is positive
Correct Answer: C
Question #168
Jane, the Director of Sales, contacts you and demands that you add a new feature to the software your project team is creating for the organization. In the meeting she tells you how important the scope change would be. You explain to her that the software is almost finished and adding a change now could cause the deliverable to be late, cost additional funds, and would probably introduce new risks to the project. Jane stands up and says to you, "I am the Director of Sales and this change will happen in the
A. Include the change in the project scope immediately
B. Direct your project team to include the change if they have time
C. Do not implement the verbal change request
D. Report Jane to your project sponsor and then include the change
Correct Answer: C
Question #169
One of the risk events you've identified is classified as force majeure. What risk response is likely to be used?
A. Acceptance
B. Transference
C. Enhance
D. Mitigation
Correct Answer: A
Question #170
Which of the following is of GREATEST concern when uncontrolled changes are made to the control environment?
A. An increase in control vulnerabilities
B. An increase in inherent risk
C. A decrease in control layering effectiveness
D. An increase in the level of residual risk
Correct Answer: B
Question #171
Which of the following matrices is used to specify risk thresholds?
A. Risk indicator matrix
B. Impact matrix
C. Risk scenario matrix
D. Probability matrix
Correct Answer: A
Question #172
You are the project manager of GHT project. You have identified a risk event on your current project that could save $670,000 in project costs if it occurs. Your organization is considering hiring a vendor to help establish proper project management techniques in order to assure it realizes these savings. Which of the following statements is TRUE for this risk event?
A. This risk event should be accepted because the rewards outweigh the threat to the project
B. This risk event should be mitigated to take advantage of the savings
C. This risk event is an opportunity to the project and should be exploited
D. This is a risk event that should be shared to take full advantage of the potential savings
Correct Answer: D
Question #173
There are five inputs to the quantitative risk analysis process. Which one of the following is NOT an input to quantitative risk analysis process?
A. Risk management plan
B. Enterprise environmental factors
C. Cost management plan
D. Risk register
Correct Answer: B
Question #174
An unauthorized individual has socially engineered entry into an organization’s secured physical premises. Which of the following is the BEST way to prevent future occurrences?
A. Require security access badges
B. Employ security guards
C. Install security cameras
D. Conduct security awareness training
Correct Answer: D
Question #175
Which of the following would be of GREATEST assistance when justifying investment in risk response strategies?
A. Cost-benefit analysis
B. Business impact analysis
C. Total cost of ownership
D. Resource dependency analysis
Correct Answer: A
Question #176
Which of the following is the PRIMARY reason to perform ongoing risk assessments?
A. The risk environment is subject to change
B. The information security budget must be justified
C. Emerging risk must be continuously reported to management
D. New system vulnerabilities emerge at frequent intervals
Correct Answer: A
Question #177
Which of the following is the BEST method to maintain a common view of IT risk within an organization?
A. Establishing and communicating the IT risk profile
B. Performing and publishing an IT risk analysis
C. Collecting data for IT risk assessment
D. Utilizing a balanced scorecard
Correct Answer: B
Question #178
Periodically reviewing and updating a risk register with details on identified risk factors PRIMARILY helps to:
A. Provide a current reference to stakeholders for risk-based decisions
B. Minimize the number of risk scenarios for risk assessment
C. Aggregate risk scenarios identified across different business units
D. Build a threat profile of the organization for management review
Correct Answer: A
Question #179
Which of the following is the BEST indication of an effective risk management program?
A. Risk action plans are approved by senior management
B. Mitigating controls are designed and implemented
C. Residual risk is within the organizational risk appetite
D. Risk is recorded and tracked in the risk register
View answer
Correct Answer: C
Question #180
Which of the following should be included in a risk scenario to be used for risk analysis?
A. Residual risk
B. Risk tolerance
C. Risk appetite
D. Threat type
View answer
Correct Answer: D
Question #181
During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall. Which of the following controls has MOST likely been compromised?
A. Authentication
B. Identification
C. Data validation
D. Data integrity
View answer
Correct Answer: A
Question #182
Which of the following is the BEST way to promote adherence to the risk tolerance level set by management?
A. Avoiding risks that could materialize into substantial losses
B. Increasing organizational resources to mitigate risks
C. Defining expectations in the enterprise risk policy
D. Communicating external audit results
View answer
Correct Answer: C
Question #183
Ben works as a project manager for the MJH Project. In this project, Ben is preparing to identify stakeholders so he can communicate project requirements, status, and risks. Ben has elected to use a salience model as part of his stakeholder identification process. Which of the following activities best describes a salience model?
A. Describing classes of stakeholders based on their power (ability to impose their will), urgency (need for immediate attention), and legitimacy (their involvement is appropriate)
B. Grouping the stakeholders based on their level of authority ("power") and their level of concern ("interest") regarding the project outcomes
C. Influence/impact grid, grouping the stakeholders based on their active involvement ("influence") in the project and their ability to affect changes to the project's planning or execution ("impact")
D. Grouping the stakeholders based on their level of authority ("power") and their active involvement ("influence") in the project
View answer
Correct Answer: A
Question #184
A program manager has completed an unsuccessful disaster recovery test. Which of the following should the risk practitioner recommend as the NEXT course of action?
A. Identify what additional controls are needed
B. Update the business impact analysis (BIA)
C. Prioritize issues noted during the testing window
D. Communicate test results to management
View answer
Correct Answer: B
Question #185
Which of the following is the BEST indication of the effectiveness of a business continuity program?
A. Business continuity tests are performed successfully and issues are addressed
B. Business continuity and disaster recovery plans are regularly updated
C. Business impact analyses are reviewed and updated in a timely manner
D. Business units are familiar with the business continuity plans and process
View answer
Correct Answer: A
Question #186
A risk practitioner is preparing a report to communicate changes in the risk and control environment. The BEST way to engage stakeholder attention is to:
A. Include a roadmap to achieve operational excellence
B. Include a summary linking information to stakeholder needs
C. Publish the report on-demand for stakeholders
D. Include detailed deviations from industry benchmarks
View answer
Correct Answer: B
Question #187
When prioritizing risk response, management should FIRST:
A. Evaluate the organization’s ability and expertise to implement the solution
B. Evaluate the risk response of similar organizations
C. Determine which risk factors have high remediation costs
D. Address high risk factors that have efficient and effective solutions
View answer
Correct Answer: D
Question #188
You are working in an enterprise. Your project deals with important files that are stored on the computer. You have identified the risk of the failure of operations. To address this risk of failure, you have had the system administrator sign off on the daily backup. This scenario is an example of which of the following?
A. Operational
B. Financial
C. Information
D. Strategic
View answer
Correct Answer: D
Question #189
Wendy has identified a risk event in her project that has an impact of $75,000 and a 60 percent chance of happening. Through research, her project team learns that the risk impact can actually be reduced to just $15,000 with only a ten percent chance of occurring. The proposed solution will cost $25,000. Wendy agrees to the $25,000 solution. What type of risk response is this?
A. Mitigation
B. Avoidance
C. Transference
D. Enhancing
View answer
Correct Answer: A
Question #190
Which of the following is the MOST critical security consideration when an enterprise outsources a major part of its IT department to a third party whose servers are in a foreign country?
A. A security breach notification may get delayed due to the time difference
B. The enterprise may not be able to monitor compliance with its internal security and privacy guidelines
C. Laws and regulations of the country of origin may not be enforceable in the foreign country
D. Additional network intrusion detection sensors should be installed, resulting in additional cost
View answer
Correct Answer: C
Question #191
You are the project manager for your organization. You are preparing for the quantitative risk analysis. Mark, a project team member, wants to know why you need to do quantitative risk analysis when you just completed qualitative risk analysis. Which one of the following statements best defines what quantitative risk analysis is?
A. Quantitative risk analysis is the review of the risk events with the high probability and the highest impact on the project objectives
B. Quantitative risk analysis is the process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact
C. Quantitative risk analysis is the process of numerically analyzing the effect of identified risks on overall project objectives
D. Quantitative risk analysis is the planning and quantification of risk responses based on probability and impact of each risk event
View answer
Correct Answer: C
Question #192
After a high-profile systems breach at an organization’s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments: Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor’s control environment?
A. External audit
B. Internal audit
C. Vendor performance scorecard
D. Regulatory examination
View answer
Correct Answer: B
Question #193
You are the project manager of the NKJ Project for your company. The project's success or failure will have a significant impact on your organization's profitability for the coming year. Management has asked you to identify the risk events and communicate the event's probability and impact as early as possible in the project. Management wants to avoid risk events and needs to analyze the cost-benefits of each risk event in this project. What term is assigned to the low-level of stakeholder tolerance in this
A. Mitigation-ready project management
B. Risk avoidance
C. Risk utility function
D. Risk-reward mentality
View answer
Correct Answer: C
Question #194
Which of the following is the MOST important element of a successful risk awareness training program?
A. Mapping to a recognized standard
B. Providing metrics for measurement
C. Customizing content for the audience
D. Providing incentives to participants
View answer
Correct Answer: C
Question #195
Which of the following statements are true for risk? Each correct answer represents a complete solution. Choose three.
A. It is an unknown event that can affect the project scope
B. It is an uncertain event or condition within the project execution
C. It is an uncertain event that can affect the project costs
D. It is an uncertain event that can affect at least one project objective
View answer
Correct Answer: BCD
Question #196
Which of the following is MOST important for successful incident response?
A. The quantity of data logged by the attack control tools
B. The ability to trace the source of the attack
C. The timeliness of attack recognition
D. Blocking the attack route immediately
View answer
Correct Answer: C
Question #197
Shawn is the project manager of the HWT project. In this project, Shawn's team reports that they have found a way to complete the project work more cheaply than was originally estimated. The project team presents new software that will help to automate the project work. While the software and the associated training cost $25,000, it will save the project nearly $65,000 in total costs. Shawn agrees to the software and changes the project management plan accordingly. What type of risk response had bee
A. Avoiding
B. Accepting
C. Exploiting
D. Enhancing
View answer
Correct Answer: C
Question #198
The BEST reason to classify IT assets during a risk assessment is to determine the:
A. Appropriate level of protection
B. Enterprise risk profile
C. Priority in the risk register
D. Business process owner
View answer
Correct Answer: A
Question #199
After a risk has been identified, who is in the BEST position to select the appropriate risk treatment option?
A. The risk practitioner
B. The risk owner
C. The control owner
D. The business process owner
View answer
Correct Answer: B
Question #200
While evaluating control costs, management discovers that the annual cost exceeds the annual loss expectancy (ALE) of the risk. This indicates the:
A. Control is ineffective and should be strengthened
B. Risk is inefficiently controlled
C. Risk is efficiently controlled
D. Control is weak and should be removed
View answer
Correct Answer: B
Question #201
Which of the following are the common mistakes while implementing KRIs? Each correct answer represents a complete solution. Choose three.
A. Operational
B. Financial
C. Administrative
D. Specialized
View answer
Correct Answer: ACD
Question #202
Which of the following BEST ensures that a firewall is configured in compliance with an enterprise's security policy?
A. Interview the firewall administrator
B. Review the actual procedures
C. Review the device's log file for recent attacks
D. Review the parameter settings
View answer
Correct Answer: D
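Reviewing the parameter settings means comparing the rule table actually loaded on the device with what the security policy requires, rather than trusting interviews or procedure documents. The following is an added example, not part of the original question set or any vendor's tooling: it takes a constructed, normalized rule export (a list of allow rules plus the default action, an assumed format rather than any real firewall's syntax) and checks it against three assumed policy requirements: a default-deny posture, no any-to-any allow rule, and management ports (22, 3389) reachable only from an admin subnet.

```python
import ipaddress

# Constructed sample ruleset (assumption: a normalized export of the device's
# rule table, not a real vendor format). Rules are evaluated top-down.
RULES = [
    {"id": 10, "action": "allow", "src": "10.10.0.0/24", "dst": "10.20.0.0/24", "dport": 22},
    {"id": 20, "action": "allow", "src": "0.0.0.0/0",    "dst": "10.20.0.5/32", "dport": 443},
    {"id": 30, "action": "allow", "src": "0.0.0.0/0",    "dst": "10.20.0.0/24", "dport": 3389},
    {"id": 40, "action": "allow", "src": "0.0.0.0/0",    "dst": "0.0.0.0/0",    "dport": "any"},
]
DEFAULT_ACTION = "allow"  # the device's implicit rule for unmatched traffic

# Assumed policy requirements, as they might be stated in an enterprise
# security policy; adjust to the real policy when using this for a review.
POLICY = {
    "default_action": "deny",
    "admin_source": ipaddress.ip_network("10.10.0.0/24"),
    "management_ports": {22, 3389},
    "allow_any_any": False,
}


def _is_any(net):
    """True for a 0.0.0.0/0 or ::/0 style catch-all."""
    return ipaddress.ip_network(net).prefixlen == 0


def review_rules(rules, default_action, policy):
    """Compare firewall parameter settings against policy.

    Returns a list of (rule_id, finding) tuples; rule_id is None for
    device-wide settings. An empty list means the settings comply.
    """
    findings = []
    if default_action != policy["default_action"]:
        findings.append((None, f"default action is '{default_action}', "
                               f"policy requires '{policy['default_action']}'"))
    for r in rules:
        if r["action"] != "allow":
            continue
        src = ipaddress.ip_network(r["src"])
        # Any-to-any allow on any port defeats the whole ruleset.
        if (not policy["allow_any_any"] and _is_any(r["src"])
                and _is_any(r["dst"]) and r["dport"] == "any"):
            findings.append((r["id"], "permits any source to any destination on any port"))
        # Management protocols must only be reachable from the admin subnet.
        if (r["dport"] in policy["management_ports"]
                and not src.subnet_of(policy["admin_source"])):
            findings.append((r["id"], f"management port {r['dport']} reachable from "
                                      f"{r['src']}, policy restricts it to "
                                      f"{policy['admin_source']}"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in review_rules(RULES, DEFAULT_ACTION, POLICY):
        print(f"rule {rule_id if rule_id is not None else 'default'}: {finding}")
```

On the constructed ruleset this reports three findings: the permissive default action, rule 30 exposing RDP to any source, and the any-to-any rule 40. A real review would also check rule ordering (a broad allow placed above a narrower deny shadows it) and compare the export against the running configuration, since a saved config that was never committed proves nothing.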
Question #203
Which of the following is the MOST effective method for indicating that the risk level is approaching a high or unacceptable level of risk?
A. Risk register
B. Cause and effect diagram
C. Risk indicator
D. Return on investment
View answer
Correct Answer: C
Question #204
Which of the following BEST enables a risk practitioner to enhance understanding of risk among stakeholders?
A. Threat analysis
B. Key risk indicators
C. Risk scenarios
D. Business impact analysis
View answer
Correct Answer: C
Question #205
You are the project manager of the GHT project. You have planned the risk response process and now you are about to implement various controls. What should you do before relying on any of the controls?
A. There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk
B. Decisions involving risk lack credible information
C. Risk appetite and tolerance are applied only during episodic risk assessments
D. Risk management skills exist on an ad hoc basis, but are not actively developed
View answer
Correct Answer: AC
Question #206
An organization has completed a project to implement encryption on all databases that host customer data. Which of the following elements of the risk register should be updated to reflect this change?
A. Risk tolerance
B. Inherent risk
C. Risk appetite
D. Risk likelihood
View answer
Correct Answer: D
Question #207
Which of the following baselines identifies the specifications required by the resource that meet the approved requirements?
A. Functional baseline
B. Allocated baseline
C. Product baseline
D. Developmental baseline
View answer
Correct Answer: B
Question #208
Which of the following BEST indicates the condition of a risk management program?
A. Number of controls
B. Amount of residual risk
C. Number of risk register entries
D. Level of financial support
View answer
Correct Answer: B
Question #209
Which of the following is the MOST common concern associated with outsourcing to a service provider?
A. Combining incompatible duties
B. Unauthorized data usage
C. Denial of service attacks
D. Lack of technical expertise
View answer
Correct Answer: B
Question #210
Which of the following come under the phases of risk management?
A. Initiate incident response
B. Update the risk register
C. Eliminate the risk completely
D. Communicate lessons learned from risk events
View answer
Correct Answer: ABCD
Question #211
Who is accountable for risk treatment?
A. Risk owner
B. Risk mitigation manager
C. Enterprise risk management team
D. Business process owner
View answer
Correct Answer: A
Question #212
Which of the following BEST illustrates the relationship of actual risk exposure to appetite?
A. Residual risk that exceeds appetite
B. Risk events in the risk profile
C. Percentage of high risk scenarios
D. Controls that exceed risk appetite
View answer
Correct Answer: A
Question #213
Effective risk communication BEST benefits an organization by:
A. Improving the effectiveness of IT controls
B. Helping personnel make better informed decisions
C. Increasing participation in the risk assessment process
D. Assisting the development of a risk register
View answer
Correct Answer: B
Question #214
Beth is a project team member on the JHG Project. Beth has added extra features to the project and this has introduced new risks to the project work. The project manager of the JHG project elects to remove the features Beth has added. The process of removing the extra features to remove the risks is called what?
A. Detective control
B. Preventive control
C. Corrective control
D. Scope creep
View answer
Correct Answer: B
Question #215
Assessing the probability and consequences of identified risks to the project objectives, assigning a risk score to each risk, and creating a list of prioritized risks describes which of the following processes?
A. Qualitative Risk Analysis
B. Plan Risk Management
C. Identify Risks
D. Quantitative Risk Analysis
View answer
Correct Answer: A
Question #216
You are the risk official in Bluewell Inc. You are supposed to prioritize several risks. A risk has a rating for occurrence, severity, and detection of 4, 5, and 6, respectively. What Risk Priority Number (RPN) would you give to it?
A. 120
B. 00
C. 5
D. 0
View answer
Correct Answer: A
Question #217
Which of the following should be the HIGHEST priority when developing a risk response?
A. The risk response is accounted for in the budget
B. The risk response aligns with the organization’s risk appetite
C. The risk response is based on a cost-benefit analysis
D. The risk response addresses the risk with a holistic view
View answer
Correct Answer: B
Question #218
A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:
A. Treatment
B. Identification
C. Communication
D. Assessment
View answer
Correct Answer: C
Question #219
An organization is considering acquiring a new line of business and wants to develop new IT risk scenarios to guide its decisions. Which of the following would add the MOST value to the new risk scenarios?
A. Audit findings
B. Expected losses
C. Cost-benefit analysis
D. Organizational threats
View answer
Correct Answer: D
Question #220
Which of the following is the BEST evidence that a user account has been properly authorized?
A. Notification from human resources that the account is active
B. Formal approval of the account by the user’s manager
C. User privileges matching the request form
D. An email from the user accepting the account
View answer
Correct Answer: B
Question #221
Which of the following is the BEST way to mitigate the risk associated with fraudulent use of an enterprise’s brand on Internet sites?
A. Utilizing data loss prevention technology
B. Scanning the Internet to search for unauthorized usage
C. Monitoring the enterprise’s use of the Internet
D. Developing training and awareness campaigns
View answer
Correct Answer: B
Question #222
Which of the following would be considered a vulnerability?
A. Delayed removal of employee access
B. Corruption of files due to malware
C. Authorized administrative access to HR files
D. Server downtime due to a denial of service (DoS) attack
View answer
Correct Answer: A
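Question #220 and Question #222 both come down to the same periodic access review: an account still enabled after the employee has left is the vulnerability, and privileges beyond what the manager formally approved are the sign that provisioning drifted from the authorization. The following is an added example, not part of the original question set or any IAM product: it runs that review over constructed sample data (an assumed HR termination feed, an IAM account export reduced to user, enabled flag and group memberships, and the set of approved requests per user) with an assumed policy that access must be disabled within one day of termination.

```python
from datetime import date, timedelta

# Constructed sample data. Assumptions: an HR feed of termination dates, an IAM
# export reduced to the fields the review needs, and per-user approved access
# (what the manager formally signed off on).
HR_TERMINATIONS = {
    "jdoe": date(2024, 3, 1),
    "asmith": date(2024, 3, 10),
}
IAM_ACCOUNTS = [
    {"user": "jdoe",   "enabled": True,  "groups": {"finance-ro"}},
    {"user": "asmith", "enabled": False, "groups": {"hr-admin"}},
    {"user": "bwong",  "enabled": True,  "groups": {"dev", "prod-admin"}},
    {"user": "clee",   "enabled": True,  "groups": {"dev"}},
]
APPROVED_REQUESTS = {
    "jdoe": {"finance-ro"},
    "asmith": {"hr-admin"},
    "bwong": {"dev"},
    "clee": {"dev"},
}
AS_OF = date(2024, 3, 15)               # date the review is run (constructed)
MAX_REMOVAL_DELAY = timedelta(days=1)   # assumed policy: disable within 1 day


def stale_accounts(accounts, terminations, as_of, max_delay=MAX_REMOVAL_DELAY):
    """Users whose account is still enabled after termination plus the grace
    period: the 'delayed removal of employee access' vulnerability (Q222)."""
    return sorted(
        a["user"] for a in accounts
        if a["enabled"]
        and a["user"] in terminations
        and as_of - terminations[a["user"]] > max_delay
    )


def excess_privileges(accounts, approved):
    """Group memberships a user holds beyond the formally approved request
    (Q220): returns {user: [extra groups]} for every account that drifted.
    A user with no approved request at all is treated as approved for nothing."""
    result = {}
    for a in accounts:
        extra = a["groups"] - approved.get(a["user"], set())
        if extra:
            result[a["user"]] = sorted(extra)
    return result


if __name__ == "__main__":
    print("enabled after termination:", stale_accounts(IAM_ACCOUNTS, HR_TERMINATIONS, AS_OF))
    print("privileges beyond approval:", excess_privileges(IAM_ACCOUNTS, APPROVED_REQUESTS))
```

On the sample data the review flags jdoe (terminated two weeks earlier, account still enabled; asmith is terminated too but already disabled) and bwong, who holds prod-admin without an approving request. Both findings go back to the risk owner for the access to be removed and, for the second, for the missing approval to be obtained or the membership revoked.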
Question #223
You are the project manager of the HJK Project for your organization. You and the project team have created risk responses for many of the risk events in the project. Where should you document the proposed responses and the current status of all identified risks?
A. Cost of response
B. Capability to implement response
C. Importance of risk
D. Efficiency of response
View answer
Correct Answer: C
Question #224
You are the administrator of your enterprise. Which of the following controls would you use that BEST protects an enterprise from unauthorized individuals gaining access to sensitive information?
A. Monitoring and recording unsuccessful logon attempts
B. Forcing periodic password changes
C. Using a challenge response system
D. Providing access on a need-to-know basis
View answer
Correct Answer: D
Question #225
Risk management strategies are PRIMARILY adopted to:
A. Achieve compliance with legal requirements
B. Take necessary precautions for claims and losses
C. Avoid risk for business and IT assets
D. Achieve acceptable residual risk levels
View answer
Correct Answer: D
Question #226
An organization’s internal auditors have identified a new IT control deficiency in the organization’s identity and access management (IAM) system. It is MOST important for the risk practitioner to:
A. Perform a follow-up risk assessment to quantify the risk impact
B. Verify that applicable risk owners understand the risk
C. Implement compensating controls to address the deficiency
D. Recommend replacement of the deficient system
View answer
Correct Answer: B
Question #227
You work as a Project Manager for Company Inc. You have to conduct the risk management activities for a project. Which of the following inputs will you use in the plan risk management process? Each correct answer represents a complete solution. (Choose three.)
A. Quality management plan
B. Risk management plan
C. Risk register
D. Project charter
View answer
Correct Answer: BCD
Question #228
When updating the risk register after a risk assessment, which of the following is MOST important to include?
A. Actor and threat type of the risk scenario
B. Historical losses due to past risk events
C. Cost to reduce the impact and likelihood
D. Likelihood and impact of the risk scenario
View answer
Correct Answer: D
Question #229
What are the PRIMARY objectives of a control?
A. Detect, recover, and attack
B. Prevent, respond, and log
C. Prevent, control, and attack
D. Prevent, recover, and detect
View answer
Correct Answer: D
Question #230
You are the project manager for your organization, installing new workstations, servers, and cabling throughout a new building that your company will be moving into. The vendor for the project informs you that the cost of the cabling has increased. This new cost will cause the cost of your project to increase by nearly eight percent. Which change control system should the costs be entered into for review?
A. Cost change control system
B. Contract change control system
C. Scope change control system
D. Only changes to the project scope should pass through a change control system
View answer
Correct Answer: A
Question #231
Establishing an organizational code of conduct is an example of which type of control?
A. Directive
B. Preventive
C. Detective
D. Compensating
View answer
Correct Answer: A
Question #232
Which of the following is the BEST way to validate whether controls to reduce user device vulnerabilities have been implemented according to management’s action plan?
A. Survey device owners
B. Review awareness training assessment results
C. Re-scan the user environment
D. Require annual end user policy acceptance
View answer
Correct Answer: C
Question #233
Which of the following should be the PRIMARY consideration when implementing controls for monitoring user activity logs?
A. Building correlations between logs collected from different sources
B. Ensuring the control is proportional to the risk
C. Implementing log analysis tools to automate controls
D. Ensuring availability of resources for log analysis
View answer
Correct Answer: B