Boost Your Performance in the ISACA CRISC Exam with Realistic Mock Tests

Achieving the Certified in Risk and Information Systems Control (CRISC) certification is a valuable asset for risk management professionals. Preparing for the CRISC exam can be daunting, but the right study materials and exam resources improve your chances of passing. SPOTO offers a comprehensive collection of CRISC exam questions and answers, test questions, mock exams, and exam preparation resources tailored to the CRISC exam objectives. These resources are designed to simulate the real exam environment, giving you a realistic experience and building your confidence. Practicing with SPOTO's CRISC exam questions lets you identify the areas that need further study, so that you have the knowledge and skills to enhance your company's business resilience, deliver stakeholder value, and optimize risk management across the enterprise.

Question #1
An organization is considering outsourcing user administration controls for a critical system. The potential vendor has offered to perform quarterly self-audits of its controls instead of having annual independent audits. Which of the following should be of GREATEST concern to the risk practitioner?
A. The vendor will not achieve best practices
B. The vendor will not ensure against control failure
C. The controls may not be properly tested
D. Lack of a risk-based approach to access control
View answer
Correct Answer: C
Question #2
You are the project manager in your enterprise. You have identified the occurrence of a risk event in your enterprise. You have pre-planned risk responses. You have monitored the risks that occurred. What is the immediate step after this monitoring process that has to be followed in response to risk events?
A. Probability of achieving time and cost estimates
B. Priority list of risks
C. Watch list of low-priority risks
D. Risks grouped by categories
View answer
Correct Answer: A
Question #3
Which of the following is a key component of a strong internal control environment?
A. MIS
B. Segregation of duties
C. Manual control
D. Automated tools
View answer
Correct Answer: B
Question #4
Which of the following is the MOST effective key performance indicator (KPI) for change management?
A. Percentage of successful changes
B. Number of changes implemented
C. Percentage of changes with a fallback plan
D. Average time required to implement a change
View answer
Correct Answer: A
Question #5
Which of the following would prompt changes in key risk indicator (KRI) thresholds?
A. Changes in risk appetite or tolerance
B. Modification to risk categories
C. Knowledge of new and emerging threats
D. Changes to the risk register
View answer
Correct Answer: A
Question #6
The PRIMARY objective for selecting risk response options is to:
A. Minimize residual risk
B. Reduce risk factors
C. Reduce risk to an acceptable level
D. Identify compensating controls
View answer
Correct Answer: C
Question #7
When developing IT risk scenarios, it is CRITICAL to involve:
A. Process owners
B. IT managers
C. Internal auditors
D. Senior management
View answer
Correct Answer: A
Question #8
The purpose of requiring source code escrow in a contractual agreement is to:
A. Ensure that the source code is available if the vendor ceases to exist
B. Ensure the source code is available when bugs occur
C. Review the source code for adequacy of controls
D. Ensure that the source code is valid and exists
View answer
Correct Answer: A
Question #9
Which of the following represents lack of adequate controls?
A. Vulnerability
B. Threat
C. Asset
D. Impact
View answer
Correct Answer: A
Question #10
You are the risk official in Techmart Inc. You are asked to perform risk assessment on the impact of losing a server. For this assessment you need to calculate monetary value of the server. On which of the following bases do you calculate monetary value?
A. Cost to obtain replacement
B. Original cost to acquire
C. Annual loss expectancy
D. Cost of software stored
View answer
Correct Answer: A
Question #11
Which of the following is MOST important for maintaining the effectiveness of an IT risk register?
A. Recording and tracking the status of risk response plans within the register
B. Communicating the register to key stakeholders
C. Performing regular reviews and updates to the register
D. Removing entries from the register after the risk has been treated
View answer
Correct Answer: C
Question #12
Which of the following controls is an example of non-technical controls?
A. Access control
B. Physical security
C. Intrusion detection system
D. Encryption
View answer
Correct Answer: B
Question #13
Which of the following is the MOST important use of KRIs?
A. Providing a backward-looking view on risk events that have occurred
B. Providing an early warning signal
C. Providing an indication of the enterprise's risk appetite and tolerance
D. Enabling the documentation and analysis of trends
View answer
Correct Answer: B
Question #14
From a risk management perspective, the PRIMARY objective of using maturity models is to enable:
A. Solution delivery
B. Strategic alignment
C. Resource utilization
D. Performance evaluation
View answer
Correct Answer: D
Question #15
Which of the following would be MOST helpful to understand the impact of a new technology system on an organization’s current risk profile?
A. Conduct a gap analysis
B. Review existing risk mitigation controls
C. Perform a risk assessment
D. Hire consultants specializing in the new technology
View answer
Correct Answer: C
Question #16
Which of the following is NOT used for measurement of Critical Success Factors of the project?
A. Productivity
B. Quality
C. Quantity
D. Customer service
View answer
Correct Answer: C
Question #17
A PRIMARY function of the risk register is to provide supporting information for the development of an organization’s risk:
A. Map
B. Process
C. Profile
D. Strategy
View answer
Correct Answer: C
Question #18
The MOST effective way to increase the likelihood that risk responses will be implemented is to:
A. Review progress reports
B. Create an action plan
C. Perform regular audits
D. Assign ownership
View answer
Correct Answer: D
Question #19
A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?
A. Action plans to address risk scenarios requiring treatment
B. The team that performed the risk assessment
C. An assigned risk manager to provide oversight
D. The methodology used to perform the risk assessment
View answer
Correct Answer: A
Question #20
IT management has asked for a consolidated view into the organization’s risk profile to enable project prioritization and resource allocation. Which of the following materials would be MOST helpful?
A. List of key risk indicators
B. Internal audit reports
C. IT risk register
D. List of approved projects
View answer
Correct Answer: C
Question #21
Which of the following is the PRIMARY reason to have the risk management process reviewed by a third party?
A. Obtain an objective view of process gaps and systemic errors
B. Ensure the risk profile is defined and communicated
C. Validate the threat management process
D. Obtain an objective assessment of the control environment
View answer
Correct Answer: A
Question #22
Which of the following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system?
A. Conduct user acceptance testing
B. Perform a post-implementation review
C. Interview process owners
D. Review the key performance indicators (KPIs)
View answer
Correct Answer: B
Question #23
Which of the following should be the PRIMARY objective of promoting a risk-aware culture within an organization?
A. Enabling risk-based decision making
B. Increasing process control efficiencies
C. Better understanding of the risk appetite
D. Improving audit results
View answer
Correct Answer: A
Question #24
The PRIMARY benefit of conducting continuous monitoring of access controls is the ability to identify:
A. Possible noncompliant activities that lead to data disclosure
B. Leading or lagging key risk indicators (KRIs)
C. Inconsistencies between security policies and procedures
D. Unknown threats to undermine existing access controls
View answer
Correct Answer: A
Question #25
An identified high probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy. Which of the following is the BEST risk response?
A. Avoid
B. Transfer
C. Accept
D. Mitigate
View answer
Correct Answer: D
Question #26
You work as a Project Manager for www.company.com Inc. You have to measure the probability, impact, and risk exposure. Then, you have to measure how the selected risk response can affect the probability and impact of the selected risk event. Which of the following tools will help you to accomplish the task?
A. Project network diagrams
B. Delphi technique
C. Decision tree analysis
D. Cause-and-effect diagrams
View answer
Correct Answer: C
Question #27
What should be PRIMARILY responsible for establishing an organization’s IT risk culture?
A. Risk management
B. IT management
C. Business process owner
D. Executive management
View answer
Correct Answer: D
Question #28
You are the project manager of a project in Bluewell Inc. You and your project team have identified several project risks, completed risk analysis, and are planning to apply most appropriate risk responses. Which of the following tools would you use to choose the appropriate risk response?
A. Project network diagrams
B. Cause-and-effect analysis
C. Decision tree analysis
D. Delphi technique
View answer
Correct Answer: C
Question #29
Which of the following should be an element of the risk appetite of an organization?
A. The enterprise's capacity to absorb loss
B. The effectiveness of compensating controls
C. The amount of inherent risk considered appropriate
D. The residual risk affected by preventive controls
View answer
Correct Answer: A
Question #31
Which of the following risk management practices BEST facilitates the incorporation of IT risk scenarios into the enterprise-wide risk register?
A. Key risk indicators (KRIs) are developed for key IT risk scenarios
B. IT risk scenarios are developed in the context of organizational objectives
C. IT risk scenarios are assessed by the enterprise risk management team
D. Risk appetites for IT risk scenarios are approved by key business stakeholders
View answer
Correct Answer: B
Question #32
Which of the following is the best reason for performing risk assessment?
A. To determine the present state of risk
B. To analyze the effect on the business
C. To satisfy regulatory requirements
D. To budget appropriately for the application of various controls
View answer
Correct Answer: A
Question #33
While reviewing a contract of a cloud services vendor, it was discovered that the vendor refuses to accept liability for a sensitive data breach. Which of the following controls will BEST reduce the risk associated with such a data breach?
A. Engaging a third party to validate operational controls
B. Using the same cloud vendor as a competitor
C. Using field-level encryption with a vendor-supplied key
D. Ensuring the vendor does not know the encryption key
View answer
Correct Answer: D
Question #34
You are the project manager for GHT project. You need to perform the Qualitative risk analysis process. When you have completed this process, you will produce all of the following as part of the risk register update output except which one?
A. Project Risk
B. Status Update
C. Risk Update
D. Project Issue
View answer
Correct Answer: A
Question #35
Which of the following is MOST helpful to ensure effective security controls for a cloud service provider?
A. Internal audit reports from the vendor
B. A control self-assessment
C. A third-party security assessment report
D. Service level agreement monitoring
View answer
Correct Answer: C
Question #36
Which of the following methods involves the use of predictive or diagnostic analytical tools for exposing risk factors?
A. Scenario analysis
B. Sensitivity analysis
C. Fault tree analysis
D. Cause-and-effect analysis
View answer
Correct Answer: D
Question #37
An organization has experienced several incidents of extended network outages that have exceeded tolerance. Which of the following should be the risk practitioner’s FIRST step to address this situation?
A. Recommend a root cause analysis of the incidents
B. Update the risk tolerance level to acceptable thresholds
C. Recommend additional controls to address the risk
D. Update the incident-related risk trend in the risk register
View answer
Correct Answer: A
Question #38
Which of the following should be the PRIMARY focus of an IT risk awareness program?
A. Cultivate long-term behavioral change
B. Demonstrate regulatory compliance
C. Ensure compliance with the organization's internal policies
D. Communicate IT risk policy to the participants
View answer
Correct Answer: A
Question #39
You have identified several risks in your project. You have opted for risk mitigation in order to respond to the identified risk. Which of the following ensures that the risk mitigation method you have chosen is effective?
A. System and Communications Protection control
B. Audit and Accountability control
C. Access control
D. Identification and Authentication control
View answer
Correct Answer: B
Question #40
You are the project manager of the GHT project. During the data extraction process, you evaluated the total number of transactions per year by multiplying the monthly average by twelve. This process of evaluating the total number of transactions is known as which of the following?
A. Duplicates test
B. Controls total
C. Simplistic and ineffective
D. Reasonableness test
View answer
Correct Answer: D
Question #41
Which of the following should be a risk practitioner's NEXT step upon learning the organization is not in compliance with a specific legal regulation?
A. Assess the likelihood and magnitude of the associated risk
B. Identify mitigation activities and compensating controls
C. Notify senior compliance executives of the associated risk
D. Determine the penalties for lack of compliance
View answer
Correct Answer: A
Question #42
You are the project manager for BlueWell Inc. You have noticed that the risk level in your project has increased above the risk tolerance level of your enterprise. You have applied several risk responses. Now you have to update the risk register in accordance with the risk response process. All of the following are included in the risk register except for which item?
A. Risk triggers
B. Agreed-upon response strategies
C. Network diagram analysis of critical path activities
D. Risk owners and their responsibility
View answer
Correct Answer: C
Question #43
You are the project manager of an HGT project that has recently finished the final compilation process. The project customer has signed off on the project completion and you have a few administrative closure activities to do. In the project, there were several large risks that could have wrecked the project, but you and your project team found some new methods to resolve the risks without affecting the project costs or project completion date. What should you do with the risk responses that you have identified?
A. Include the responses in the project management plan
B. Include the risk responses in the risk management plan
C. Include the risk responses in the organization's lessons learned database
D. Nothing
View answer
Correct Answer: C
Question #44
What is the IMMEDIATE step after defining a set of risk scenarios?
A. Risk mitigation
B. Risk monitoring
C. Risk management
D. Risk analysis
View answer
Correct Answer: D
Question #45
Which of the following is the GREATEST advantage of implementing a risk management program?
A. Promoting a risk-aware culture
B. Improving security governance
C. Enabling risk-aware decisions
D. Reducing residual risk
View answer
Correct Answer: C
Question #46
Which of the following is MOST critical when designing controls?
A. Involvement of process owner
B. Involvement of internal audit
C. Identification of key risk indicators
D. Quantitative impact of the risk
View answer
Correct Answer: A
Question #47
An organization delegates its data processing to the internal IT team to manage information through its applications. Which of the following is the role of the internal IT team in this situation?
A. Data owners
B. Data custodians
C. Data controllers
D. Data processors
View answer
Correct Answer: B
Question #48
Which of the following mappings is BEST for confirming the effectiveness of the system access management process?
A. User accounts to human resources (HR) records
B. User accounts to access requests
C. The vendor database to user accounts
D. Access requests to user accounts
View answer
Correct Answer: B
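The mapping direction in Question #48 matters: starting from the accounts that exist and tracing each one back to an approved request surfaces access that was never authorized, whereas starting from requests only shows provisioning backlog. The reconciliation below is an added example (not part of the original page or of any ISACA material); the account list, request records, field names and the "approved on or before account creation" rule are all constructed assumptions for the illustration.

```python
"""Map user accounts to approved access requests (added example, constructed data).

Each account is supported only if an approved request exists for the same
user, system and role, approved no later than the account's creation date.
Accounts without such a request are the control finding; approved requests
with no account are a provisioning backlog and are reported separately.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str
    role: str
    created: date


@dataclass(frozen=True)
class AccessRequest:
    user_id: str
    system: str
    role: str
    status: str                  # "approved", "pending" or "rejected"
    approved_on: Optional[date]  # None unless status == "approved"


# Constructed sample data (hypothetical users, system and roles)
ACCOUNTS = [
    Account("alice", "erp", "ap_clerk", date(2024, 3, 2)),
    Account("bob", "erp", "ap_manager", date(2024, 3, 5)),
    Account("carol", "erp", "ap_clerk", date(2024, 4, 1)),   # no request at all
    Account("dave", "erp", "dba", date(2024, 4, 9)),         # request was rejected
    Account("erin", "erp", "ap_clerk", date(2024, 2, 1)),    # created before approval
]

REQUESTS = [
    AccessRequest("alice", "erp", "ap_clerk", "approved", date(2024, 3, 1)),
    AccessRequest("bob", "erp", "ap_manager", "approved", date(2024, 3, 4)),
    AccessRequest("dave", "erp", "dba", "rejected", None),
    AccessRequest("erin", "erp", "ap_clerk", "approved", date(2024, 2, 10)),
    AccessRequest("frank", "erp", "ap_clerk", "approved", date(2024, 4, 20)),  # not yet provisioned
]


def reconcile(accounts, requests):
    """Return (unsupported_accounts, unprovisioned_requests).

    unsupported_accounts: list of (user_id, reason) for accounts that cannot be
    traced to a timely approved request.
    unprovisioned_requests: user_ids with an approved request but no account.
    """
    approved = {}
    for r in requests:
        if r.status == "approved":
            approved[(r.user_id, r.system, r.role)] = r.approved_on

    unsupported = []
    for a in accounts:
        key = (a.user_id, a.system, a.role)
        if key not in approved:
            unsupported.append((a.user_id, "no approved request"))
        elif approved[key] > a.created:
            unsupported.append((a.user_id, "account created before approval"))

    held = {(a.user_id, a.system, a.role) for a in accounts}
    unprovisioned = [
        r.user_id for r in requests
        if r.status == "approved" and (r.user_id, r.system, r.role) not in held
    ]
    return unsupported, unprovisioned


if __name__ == "__main__":
    bad, backlog = reconcile(ACCOUNTS, REQUESTS)
    for user, reason in bad:
        print(f"FINDING: {user}: {reason}")
    print("provisioning backlog:", backlog)
```

Running the script flags carol (no request), dave (rejected request) and erin (account predates approval) as findings, and lists frank as an approved request that has not been provisioned. In practice the account list comes from the target system's user export and the requests from the ticketing or IAM workflow; the join keys shown here are the assumption you would replace.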
Question #49
An external security audit has reported multiple findings related to control noncompliance. Which of the following would be MOST important for the risk practitioner to communicate to senior management?
A. Plans for mitigating the associated risk
B. Suggestions for improving risk awareness training
C. A recommendation for internal audit validation
D. The impact to the organization's risk profile
View answer
Correct Answer: D
Question #50
Which of the following is MOST helpful in aligning IT risk with business objectives?
A. Performing a business impact analysis (BIA)
B. Integrating the results of top-down risk scenario analyses
C. Introducing an approved IT governance framework
D. Implementing a risk classification system
View answer
Correct Answer: B
Question #51
Which of the following would be a risk practitioner’s BEST recommendation for preventing cyber intrusion?
A. Implement data loss prevention (DLP) tools
B. Implement network segregation
C. Establish a cyber response plan
D. Strengthen vulnerability remediation efforts
View answer
Correct Answer: D
Question #52
Which of the following is the BEST way to identify changes to the risk landscape?
A. Access reviews
B. Root cause analysis
C. Internal audit reports
D. Threat modeling
View answer
Correct Answer: D
Question #53
Which of the following is the MOST appropriate method to evaluate the potential impact of legal, regulatory, and contractual requirements on business objectives?
A. Communication with business process stakeholders
B. Compliance-oriented business impact analysis
C. Compliance-oriented gap analysis
D. Mapping of compliance requirements to policies and procedures
View answer
Correct Answer: B
Question #54
Which section of the Sarbanes-Oxley Act specifies "Periodic financial reports must be certified by CEO and CFO"?
A. Section 302
B. Section 404
C. Section 203
D. Section 409
View answer
Correct Answer: A
Question #55
Which of the following would be a risk practitioner’s BEST recommendation to help ensure cyber risk is assessed and reflected in the enterprise-level risk profile?
A. Conduct cyber risk awareness training tailored specifically for senior management
B. Implement a cyber risk program based on industry best practices
C. Manage cyber risk according to the organization's risk management framework
D. Define cyber roles and responsibilities across the organization
View answer
Correct Answer: C
Question #56
What is the PRIMARY reason to categorize risk scenarios by business process?
A. To determine aggregated risk levels by risk owner
B. To identify situations that result in over-control
C. To enable management to implement cost-effective risk mitigation
D. To show business activity deficiencies that need to be improved
View answer
Correct Answer: C
Question #57
The MAIN purpose of conducting a control self-assessment (CSA) is to:
A. Reduce the dependency on external audits
B. Gain a better understanding of the risk in the organization
C. Gain a better understanding of the control effectiveness in the organization
D. Adjust the controls prior to an external audit
View answer
Correct Answer: C
Question #58
The BEST indication that risk management is effective is when risk has been reduced to meet:
A. Risk appetite
B. Risk capacity
C. Risk levels
D. Risk budgets
View answer
Correct Answer: A
Question #59
Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?
A. Customer database manager
B. Audit committee
C. Data privacy officer
D. Customer data custodian
View answer
Correct Answer: C
Question #60
When determining which control deficiencies are most significant, which of the following would provide the MOST useful information?
A. Exception handling policy
B. Benchmarking assessments
C. Vulnerability assessment results
D. Risk analysis results
View answer
Correct Answer: D
Question #61
Which of the following is the BEST way to ensure that outsourced service providers comply with the enterprise's information security policy?
A. Penetration testing
B. Service level monitoring
C. Security awareness training
D. Periodic audits
View answer
Correct Answer: D
Question #62
Which of the following processes addresses the risks by their priorities, schedules the project management plan as required, and inserts resources and activities into the budget?
A. Monitor and Control Risk
B. Plan Risk Response
C. Identify Risks
D. Qualitative Risk Analysis
View answer
Correct Answer: B
Question #63
What type of policy would an organization use to forbid its employees from using organizational e-mail for personal use?
A. Anti-harassment policy
B. Acceptable use policy
C. Intellectual property policy
D. Privacy policy
View answer
Correct Answer: B
Question #64
In an organization dependent on data analytics to drive decision-making, which of the following would BEST help to minimize the risk associated with inaccurate data?
A. Evaluating each of the data sources for vulnerabilities
B. Establishing an intellectual property agreement
C. Benchmarking to industry best practice
D. Periodically reviewing big data strategies
View answer
Correct Answer: A
Question #65
Sammy is the project manager for her organization. She would like to rate each risk based on its probability and effect on time, cost, and scope. Harry, a project team member, has never done this before and thinks Sammy is wrong to attempt this approach. Harry says that a cumulative risk score should be created, not three separate risk scores. Who is correct in this scenario?
A. Sammy is correct, because she is the project manager
B. Sammy is correct, because organizations can create risk scores for each objective of the project
C. Harry is correct, because the risk probability and impact matrix is the only approach to risk assessment
D. Harry is correct, because the risk probability and impact considers all objectives of the project
View answer
Correct Answer: B
Question #66
When using a third party to perform penetration testing, which of the following is the MOST important control to minimize operational impact?
A. Require the vendor to have liability insurance
B. Perform a background check on the vendor
C. Require the vendor to sign a nondisclosure agreement
D. Clearly define the project scope
View answer
Correct Answer: D
Question #67
What is the process for selecting and implementing measures to impact risk called?
A. Risk treatment
B. Control
C. Risk assessment
D. Risk management
View answer
Correct Answer: A
Question #68
You are the project manager of the GHT project. Your hardware vendor left you a voicemail saying that the delivery of the equipment you ordered will not arrive on time. She wanted to give you a heads-up and asked that you return the call. Which of the following statements is TRUE?
A. This is a residual risk
B. This is a trigger
C. This is a contingency plan
D. This is a secondary risk
View answer
Correct Answer: B
Question #69
Which of the following BEST indicates that an organization has implemented IT performance requirements?
A. Vendor references
B. Accountability matrix
C. Benchmarking data
D. Service level agreements
View answer
Correct Answer: D
Question #70
Which of the following would MOST likely require a risk practitioner to update the risk register?
A. An alert being reported by the security operations center
B. Development of a project schedule for implementing a risk response
C. Engagement of a third party to conduct a vulnerability scan
D. Completion of a project for implementing a new control
View answer
Correct Answer: D
Question #71
A risk practitioner has been asked to advise management on developing a log collection and correlation strategy. Which of the following should be the MOST important consideration when developing this strategy?
A. Ensuring the inclusion of all computing resources as log sources
B. Ensuring time synchronization of log sources
C. Ensuring read-write access to all log sources
D. Ensuring the inclusion of external threat intelligence log sources
View answer
Correct Answer: B
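The reason time synchronization outranks the other options in Question #71 is that correlation rules reason about ordering and proximity in time; a few minutes of clock skew on one source silently breaks every rule that joins it to another. The script below is an added example, not from the page or from any vendor tool: it correlates constructed firewall ALLOW lines with constructed application LOGIN lines, first with the application server's clock left 180 seconds behind UTC and then after applying a measured per-source offset. The log formats, IP addresses, the 180 s skew and the 60 s correlation window are all assumptions for the illustration.

```python
"""Clock skew versus log correlation (added example, constructed log lines).

Two hypothetical sources: a firewall that logs in UTC and an application
server "app1" whose clock runs 180 s behind. A rule that pairs each ALLOW
with a LOGIN from the same source IP within the next 60 s finds nothing on
the raw timestamps, because the login appears to precede the connection it
came from; after normalising with the measured offset both pairs match.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines
FIREWALL_LOG = [
    "2024-05-01T10:00:05Z ALLOW src=203.0.113.7 dst=10.0.0.5 dport=443",
    "2024-05-01T10:07:40Z ALLOW src=198.51.100.9 dst=10.0.0.5 dport=443",
]
APP_LOG = [
    "May  1 09:57:12 app1 sshd: LOGIN user=alice src=203.0.113.7",  # actually 10:00:12Z
    "May  1 10:04:50 app1 sshd: LOGIN user=bob src=198.51.100.9",   # actually 10:07:50Z
]

# Seconds each source's clock runs AHEAD of the reference clock (negative = behind).
# In practice this comes from NTP monitoring or a probe against each host.
CLOCK_OFFSET = {"firewall": 0, "app1": -180}

FW_RE = re.compile(r"^(\S+) ALLOW src=(\S+) ")
APP_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) \S+ LOGIN user=(\S+) src=(\S+)")


def parse_firewall(line):
    m = FW_RE.match(line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"source": "firewall", "ts": ts, "src": m.group(2)}


def parse_app(line, year=2024):
    # Syslog-style timestamps carry no year or zone; both are assumed here.
    m = APP_RE.match(line)
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"source": m.group(2), "ts": ts, "user": m.group(3), "src": m.group(4)}


def normalize(event, offsets=CLOCK_OFFSET):
    """Move the event onto the reference clock by removing its source's offset."""
    return {**event, "ts": event["ts"] - timedelta(seconds=offsets.get(event["source"], 0))}


def correlate(allows, logins, window_seconds=60):
    """Pair each ALLOW with a LOGIN from the same src IP within the following window."""
    window = timedelta(seconds=window_seconds)
    pairs = []
    for a in allows:
        for login in logins:
            gap = login["ts"] - a["ts"]
            if login["src"] == a["src"] and timedelta(0) <= gap <= window:
                pairs.append((a["src"], login["user"]))
    return pairs


def run(apply_offsets):
    """Return the correlated (src, user) pairs, with or without skew correction."""
    allows = [parse_firewall(x) for x in FIREWALL_LOG]
    logins = [parse_app(x) for x in APP_LOG]
    if apply_offsets:
        allows = [normalize(e) for e in allows]
        logins = [normalize(e) for e in logins]
    return correlate(allows, logins)


if __name__ == "__main__":
    print("raw clocks:      ", run(False))
    print("offset-corrected:", run(True))
```

Uncorrected, the rule returns an empty list; corrected, it returns both (IP, user) pairs. The fix to prefer in production is to remove the skew at the source (NTP on every log producer, UTC in the log format), not to carry an offset table in the SIEM; the offset table here only makes the failure visible.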
Question #72
Which of the following is the MOST effective inhibitor of relevant and efficient communication?
A. A false sense of confidence at the top on the degree of actual exposure related to IT and lack of a well-understood direction for risk management from the top down
B. The perception that the enterprise is trying to cover up known risk from stakeholders
C. Existence of a blame culture
D. Misalignment between real risk appetite and translation into policies
View answer
Correct Answer: C
Question #73
What is the FIRST phase of the IS monitoring and maintenance process?
A. Root cause analysis
B. Influence diagramming techniques
C. SWOT analysis
D. Assumptions analysis
View answer
Correct Answer: B
Question #74
When developing a business continuity plan (BCP), it is MOST important to:
A. Develop a multi-channel communication plan
B. Prioritize critical services to be restored
C. Identify a geographically dispersed disaster recovery site
D. Identify an alternative location to host operations
View answer
Correct Answer: B
Question #75
Which of the following is NOT true for Key Risk Indicators?
A. They are selected as the prime monitoring indicators for the enterprise
B. They help avoid having to manage and report on an excessively large number of risk indicators
C. The complete set of KRIs should also balance indicators for risk, root causes and business impact
D. They are monitored annually
View answer
Correct Answer: D
Question #76
Which of the following is the GREATEST concern associated with redundant data in an organization’s inventory system?
A. Data inconsistency
B. Unnecessary data storage usage
C. Poor access control
D. Unnecessary costs of program changes
View answer
Correct Answer: A
Question #77
Which of the following is the MOST important consideration when determining whether to accept residual risk after security controls have been implemented on a critical system?
A. Cost of the information control system
B. Cost versus benefit of additional mitigating controls
C. Annualized loss expectancy (ALE) for the system
D. Frequency of business impact
View answer
Correct Answer: B
Question #78
You are the project manager of a SGT project. You have been actively communicating and working with the project stakeholders. One of the outputs of the "manage stakeholder expectations" process can actually create new risk events for your project. Which output of the manage stakeholder expectations process can create risks?
A. Trusted source
B. Secure
C. Distinct
D. Independent
View answer
Correct Answer: C
Question #79
After recent updates to the risk register, management has requested that the overall level of residual risk be reduced. Which of the following is the risk practitioner's BEST course of action?
A. Prioritize remediation plans
B. Recommend the acceptance of low-level risk
C. Develop new risk action plans with risk owners
D. Implement additional controls
View answer
Correct Answer: C
Question #80
A part of a project deals with the hardware work. As a project manager, you have decided to hire a company to deal with all hardware work on the project. Which type of risk response is this?
A. Transference
B. Mitigation
C. Avoidance
D. Exploit
View answer
Correct Answer: A
Question #81
Improvements in the design and implementation of a control will MOST likely result in an update to:
A. Risk tolerance
B. Risk appetite
C. Inherent risk
D. Residual risk
View answer
Correct Answer: D
Question #82
Which of the following is the BEST way to validate the results of a vulnerability assessment?
A. Perform a penetration test
B. Perform a root cause analysis
C. Conduct a threat analysis
D. Review security logs
View answer
Correct Answer: A
Question #83
Which of the following techniques would be used during a risk assessment to demonstrate to stakeholders that all known alternatives were evaluated?
A. Control chart
B. Trend analysis
C. Sensitivity analysis
D. Decision tree
View answer
Correct Answer: D
Question #84
During which of the following processes is the probability and impact matrix prepared?
A. Enhance
B. Exploit
C. Accept
D. Share
View answer
Correct Answer: D
Question #85
You are the project manager of the HGT project. You have identified project risks and applied appropriate responses to mitigate them. You noticed a risk generated as a result of applying a response. What is this resulting risk known as?
A. Pure risk
B. Secondary risk
C. Response risk
D. High risk
View answer
Correct Answer: B
Question #86
The FIRST step for a startup company when developing a disaster recovery plan should be to identify:
A. Current vulnerabilities
B. A suitable alternate site
C. Recovery time objectives
D. Critical business processes
View answer
Correct Answer: D
Question #87
Which of the following would be MOST helpful to an information security management team when allocating resources to mitigate exposures?
A. Internal audit findings
B. Relevant risk case studies
C. Risk assessment results
D. Penetration testing results
View answer
Correct Answer: C
Question #88
The BEST metric to monitor the risk associated with changes deployed to production is the percentage of:
A. Changes not requiring user acceptance testing
B. Changes that cause incidents
C. Changes due to emergencies
D. Personnel that have rights to make changes in production
View answer
Correct Answer: B
Question #89
Which of the following is the MOST important consideration when multiple risk practitioners capture risk scenarios in a single risk register?
A. Using a consistent method for risk assessment
B. Developing risk escalation and reporting procedures
C. Maintaining up-to-date risk treatment plans
D. Aligning risk ownership and control ownership
View answer
Correct Answer: A
Question #90
Which of the following types of risk could result in bankruptcy?
A. Marginal
B. Negligible
C. Critical
D. Catastrophic
View answer
Correct Answer: D
Question #91
Which of the following is the risk that arises at an important business partner and affects a large group of enterprises within an area or industry?
A. Contagious risk
B. Reporting risk
C. Operational risk
D. Systemic risk
View answer
Correct Answer: D
Question #92
Which of the following is the MOST important consideration when sharing risk management updates with executive management?
A. Using an aggregated view of organizational risk
B. Relying on key risk indicator (KRI) data
C. Ensuring relevance to organizational goals
D. Including trend analysis of risk metrics
View answer
Correct Answer: C
Question #93
Which of the following is the BEST indication that an organization is following a mature risk management process?
A. Executive management receives periodic risk awareness training
B. Attributes of each risk scenario have been documented within the risk register
C. The risk register is frequently utilized for decision-making
D. A dashboard has been developed for senior management to provide real-time risk values
View answer
Correct Answer: C (a dashboard or a well-documented register is an artifact; maturity is shown when the register actually drives decisions)
Question #94
Which of the following roles would provide the MOST important input when identifying IT risk scenarios?
A. Operational risk managers
B. Internal auditors
C. Information security managers
D. Business process owners
View answer
Correct Answer: D
Question #95
Who should be responsible for implementing and maintaining security controls?
A. Data custodian
B. Internal auditor
C. Data owner
D. End user
View answer
Correct Answer: A
Question #96
The BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability remediation program is the number of:
A. New vulnerabilities identified
B. Recurring vulnerabilities
C. Vulnerabilities remediated
D. Vulnerability scans
View answer
Correct Answer: B
Question #97
Which of the following risks is associated with not receiving the right information to the right people at the right time to allow the right action to be taken?
A. Risk register and the results of risk analysis
B. Risk register and the risk response plan
C. Risk register and power to assign risk responses
D. Risk register and the risk management plan
View answer
Correct Answer: A
Question #98
You are the project manager of the RFT project. You have identified a risk that the enterprise's IT system and application landscape is so complex that, within a few years, extending capacity will become difficult and maintaining software will become very expensive. To overcome this risk, the response adopted is re-architecture of the existing system and purchase of a new integrated system. In which of the following risk prioritization options would this case be categorized?
A. Deferrals
B. Quick win
C. Business case to be made
D. Contagious risk
View answer
Correct Answer: C
Question #99
Wendy is about to perform qualitative risk analysis on the identified risks within her project. Which one of the following will NOT help Wendy to perform this project management activity?
A. Risk management plan
B. Project scope statement
C. Risk register
D. Stakeholder register
View answer
Correct Answer: D
Question #100
Which of the following should be PRIMARILY considered while designing information systems controls?
A. The IT strategic plan
B. The existing IT environment
C. The organizational strategic plan
D. The present IT budget
View answer
Correct Answer: C
Question #101
Which of the following BEST measures the efficiency of an incident response process?
A. Number of incidents lacking responses
B. Number of incidents escalated to management
C. Average time between changes and updating of escalation matrix
D. Average gap between actual and agreed response times
View answer
Correct Answer: D
Question #102
Which of the following roles is BEST suited to help a risk practitioner understand the impact of IT-related events on business objectives?
A. Process owners
B. IT management
C. Senior management
D. Internal audit
View answer
Correct Answer: A
Question #103
An organization has granted a vendor access to its data in order to analyze customer behavior. Which of the following would be the MOST effective control to mitigate the risk of customer data leakage?
A. Restrict access to customer data on a "need to know" basis
B. Enforce criminal background checks
C. Mask customer data fields
D. Require vendor to sign a confidentiality agreement
View answer
Correct Answer: A
Question #104
You are the product manager in your enterprise. You have identified that new technologies, products and services are introduced in your enterprise from time to time. What should be done to preserve the efficiency and effectiveness of controls in the face of these changes?
A. Receive timely feedback from risk assessments and through key risk indicators, and update controls
B. Add more controls
C. Perform Business Impact Analysis (BIA)
D. Nothing, efficiency and effectiveness of controls are not affected by these changes
View answer
Correct Answer: A
Question #105
Which of the following is the PRIMARY consideration when establishing an organization’s risk management methodology?
A. Risk tolerance level
B. Benchmarking information
C. Resource requirements
D. Business context
View answer
Correct Answer: D
Question #106
An organization has outsourced an application to a Software as a Service (SaaS) provider. The risk associated with the use of this service should be owned by the:
A. Service provider's IT manager
B. Service provider's risk manager
C. Organization's business process manager
D. Organization's vendor manager
View answer
Correct Answer: C
Question #107
Which of the following is MOST helpful in identifying new risk exposures due to changes in the business environment?
A. Industry benchmarking
B. Standard operating procedures
C. Control gap analysis
D. SWOT analysis
View answer
Correct Answer: D
Question #108
A risk practitioner discovers several key documents detailing the design of a product currently in development have been posted on the Internet. What should be the risk practitioner’s FIRST course of action?
A. Perform a root cause analysis
B. Conduct an immediate risk assessment
C. Invoke the established incident response plan
D. Inform internal audit
View answer
Correct Answer: C (a confirmed disclosure of confidential design documents is a security incident; containment through the incident response process comes before root cause analysis, reassessment or audit notification)
Question #109
NIST SP 800-53 identifies controls in three primary classes. What are they?
A. Technical, Administrative, and Environmental
B. Preventative, Detective, and Corrective
C. Technical, Operational, and Management
D. Administrative, Technical, and Operational
View answer
Correct Answer: C
Question #110
Judy has identified a risk event in her project that will have a high probability and a high impact. Based on the requirements of the project, Judy has asked to change the project scope to remove the associated requirement and the associated risk. What type of risk response is this?
A. Exploit
B. Not a risk response, but a change request
C. Avoidance
D. Transference
View answer
Correct Answer: C
Question #111
An audit reveals that several terminated employee accounts maintain access. Which of the following should be the FIRST step to address the risk?
A. Perform a risk assessment
B. Disable user access
C. Perform root cause analysis
D. Develop an access control policy
View answer
Correct Answer: B (the live exposure is removed first by disabling the orphaned accounts; root cause analysis and policy work address why the leaver process failed)
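The audit finding above is typically surfaced by reconciling the HR termination feed against a directory export. The following is an added example (not code from the page or from ISACA) that performs that reconciliation on constructed sample data and orders the findings so that accounts used after the termination date, which indicate possible unauthorized access rather than a hygiene gap, are disabled first. Field names, the sample employees and the use of the Active Directory `Disable-ADAccount` cmdlet in the generated containment commands are assumptions of the example.

```python
from datetime import date

# Constructed sample data (not from the page): an HR feed of terminations and a
# directory export of accounts. Field names are assumptions for this example.
HR_TERMINATIONS = [
    {"employee_id": "E1001", "termination_date": date(2024, 1, 15)},
    {"employee_id": "E1002", "termination_date": date(2024, 2, 1)},
    {"employee_id": "E1003", "termination_date": date(2024, 3, 10)},
]

DIRECTORY_ACCOUNTS = [
    {"username": "asmith", "employee_id": "E1001", "enabled": True, "last_logon": date(2024, 2, 20)},
    {"username": "bjones", "employee_id": "E1002", "enabled": False, "last_logon": date(2024, 1, 30)},
    {"username": "cwu", "employee_id": "E1003", "enabled": True, "last_logon": date(2024, 3, 9)},
    {"username": "dlee", "employee_id": "E1004", "enabled": True, "last_logon": date(2024, 3, 12)},
    {"username": "svc_backup", "employee_id": None, "enabled": True, "last_logon": date(2024, 3, 12)},
]

# Date of the review; a constant so the result is reproducible.
AS_OF = date(2024, 3, 15)


def find_orphaned_accounts(terminations, accounts, as_of):
    """Return enabled accounts whose owner was terminated on or before as_of.

    Each finding records whether the account authenticated after the
    termination date; that escalates it from a leaver-process gap to a
    possible unauthorized-access incident.
    """
    term_by_id = {t["employee_id"]: t["termination_date"] for t in terminations}
    findings = []
    for acct in accounts:
        emp = acct["employee_id"]
        # Service accounts (no employee) and current staff are out of scope here.
        if emp is None or emp not in term_by_id:
            continue
        term_date = term_by_id[emp]
        if term_date > as_of or not acct["enabled"]:
            continue
        last = acct["last_logon"]
        findings.append({
            "username": acct["username"],
            "employee_id": emp,
            "days_since_termination": (as_of - term_date).days,
            "used_after_termination": last is not None and last > term_date,
        })
    # Accounts used after termination first, then the longest-open gaps.
    findings.sort(key=lambda f: (not f["used_after_termination"], -f["days_since_termination"]))
    return findings


def disable_commands(findings):
    """Containment actions for the FIRST step: one Disable-ADAccount line per account.

    The cmdlet is a real Active Directory cmdlet; actually executing it is
    outside this script, which only produces the command list for review.
    """
    return [f'Disable-ADAccount -Identity "{f["username"]}"' for f in findings]


if __name__ == "__main__":
    found = find_orphaned_accounts(HR_TERMINATIONS, DIRECTORY_ACCOUNTS, AS_OF)
    for f in found:
        print(f)
    print("\n".join(disable_commands(found)))
```

Running it against the sample data lists `asmith` first (logged on five weeks after termination) and `cwu` second; `bjones` is already disabled and `dlee` is still employed, so neither is reported. The "used after termination" flag is what decides whether the finding also needs incident handling rather than only account clean-up.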
Question #112
Which of the following is MOST important to update when an organization’s risk appetite changes?
A. Key risk indicators (KRIs)
B. Risk taxonomy
C. Key performance indicators (KPIs)
D. Risk reporting methodology
View answer
Correct Answer: A
Question #113
Which of the following helps ensure compliance with a non-repudiation policy requirement for electronic transactions?
A. Digital signatures
B. Digital certificates
C. One-time passwords
D. Encrypted passwords
View answer
Correct Answer: A
Question #114
Which of the following is the MOST effective inhibitor of relevant and efficient communication?
A. A false sense of confidence at the top on the degree of actual exposure related to IT and lack of a well-understood direction for risk management from the top down
B. The perception that the enterprise is trying to cover up known risk from stakeholders
C. Existence of a blame culture
D. Misalignment between real risk appetite and translation into policies
View answer
Correct Answer: C
Question #115
Which of the following is the BEST defense against successful phishing attacks?
A. Intrusion detection system
B. Application hardening
C. End-user awareness
D. Spam filters
View answer
Correct Answer: C
Question #116
The PRIMARY goal of a risk management program is to:
A. Facilitate resource availability
B. Safeguard corporate assets
C. Help ensure objectives are met
D. Help prevent operational losses
View answer
Correct Answer: C (safeguarding assets and preventing losses are means; the program exists so that the enterprise achieves its objectives at an acceptable level of risk)
Question #117
Henry is the project manager of the QBG Project for his company. This project has a budget of $4,576,900 and is expected to last 18 months to complete. The CIO, a stakeholder in the project, has introduced a scope change request for additional deliverables as part of the project work. What component of the change control system would review the proposed changes' impact on the features and functions of the project's product?
A. Risk analysis should assume an equal degree of protection for all assets
B. Risk analysis should give more weight to the likelihood than the size of loss
C. Risk analysis should limit the scope to a benchmark of similar companies
D. Risk analysis should address the potential size and likelihood of loss
View answer
Correct Answer: D (the listed options do not match the change control question above; of the statements given, only D describes risk analysis correctly, since both magnitude and likelihood of loss are required)
Question #118
Which of the following components ensures that risks are examined for all new proposed change requests in the change control system?
A. Configuration management
B. Scope change control
C. Risk monitoring and control
D. Integrated change control
View answer
Correct Answer: D
Question #119
An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:
A. Communicate the consequences for violations
B. Implement industry best practices
C. Reduce the organization's risk appetite
D. Reduce the risk to an acceptable level
View answer
Correct Answer: D
Question #120
A risk practitioner is reviewing the status of an action plan to mitigate an emerging IT risk and finds the risk level has increased. The BEST course of action would be to:
A. Evaluate whether selected controls are still appropriate
B. Implement the planned controls and accept the remaining risk
C. Suspend the current action plan in order to reassess the risk
D. Revise the action plan to include additional mitigating controls
View answer
Correct Answer: A
Question #121
Prudent business practice requires that risk appetite not exceed:
A. Risk capacity
B. Inherent risk
C. Risk tolerance
D. Residual risk
View answer
Correct Answer: A
Question #122
Which of the following is the MOST critical element to maximize the potential for a successful security implementation?
A. Industry-leading security tools
B. The organization's culture
C. Ease of implementation
D. The organization's knowledge
View answer
Correct Answer: B
Question #123
Which of the following is a performance measure that is used to evaluate the efficiency of an investment or to compare the efficiency of a number of different investments?
A. Return On Security Investment
B. Total Cost of Ownership
C. Return On Investment
D. Redundant Array of Inexpensive Disks
View answer
Correct Answer: C
Question #124
Which of the following issues should be of GREATEST concern when evaluating existing controls during a risk assessment?
A. Redundant compensating controls are in place
B. Asset custodians are responsible for defining controls instead of asset owners
C. A high number of approved exceptions exist with compensating controls
D. Successive assessments have the same recurring vulnerabilities
View answer
Correct Answer: D
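Question #96 (recurring vulnerabilities as the remediation KPI) and Question #124 (the same findings showing up in successive assessments) both turn on distinguishing a finding that was fixed and came back from one that was simply never fixed. The following is an added example, not code from the page, that computes those KPIs from constructed scan results; the host names and CVE identifiers are made up for the illustration.

```python
# Constructed sample results from three successive vulnerability scans, keyed by
# period. Each finding is (host, vulnerability id). All identifiers are invented.
SCANS = {
    "2024-01": {("web-01", "CVE-2023-0001"), ("web-01", "CVE-2023-0002"), ("db-01", "CVE-2023-0003")},
    "2024-02": {("web-01", "CVE-2023-0002"), ("db-01", "CVE-2023-0003"), ("db-01", "CVE-2023-0004")},
    "2024-03": {("web-01", "CVE-2023-0001"), ("web-01", "CVE-2023-0002"), ("db-01", "CVE-2023-0004")},
}


def remediation_kpis(scans):
    """Compare each scan with the previous one and classify every finding.

    remediated: present last period, absent now
    new:        absent last period and never seen before
    recurring:  absent last period but seen earlier (the fix did not stick)
    persistent: present last period and still present (never fixed)
    """
    periods = sorted(scans)
    seen_ever = set()
    prev = set()
    kpis = {}
    for period in periods:
        cur = scans[period]
        appeared = cur - prev
        reappeared = {f for f in appeared if f in seen_ever}
        kpis[period] = {
            "open": len(cur),
            "remediated": len(prev - cur),
            "new": len(appeared - seen_ever),
            "recurring": len(reappeared),
            "persistent": len(cur & prev),
            "recurring_findings": sorted(reappeared),
        }
        seen_ever |= cur
        prev = cur
    return kpis


def chronic_findings(scans, min_periods):
    """Findings present in at least min_periods scans: the Question #124 pattern."""
    counts = {}
    for findings in scans.values():
        for f in findings:
            counts[f] = counts.get(f, 0) + 1
    return sorted(f for f, n in counts.items() if n >= min_periods)


if __name__ == "__main__":
    for period, k in remediation_kpis(SCANS).items():
        print(period, k)
    print("chronic:", chronic_findings(SCANS, len(SCANS)))
```

On the sample data the March scan reports one recurring finding (`CVE-2023-0001` on `web-01`, closed in February and open again in March), which is the regression the KPI in Question #96 is meant to catch, while `CVE-2023-0002` on `web-01` is chronic across all three scans. Counting only "vulnerabilities remediated" would have credited the February fix and hidden both problems.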
Question #125
During a control review, the control owner states that an existing control has deteriorated over time. What is the BEST recommendation to the control owner?
A. Escalate the issue to senior management
B. Discuss risk mitigation options with the risk owner
C. Certify the control after documenting the concern
D. Implement compensating controls to reduce residual risk
View answer
Correct Answer: B (the risk owner, not the control owner, decides how the increased residual risk is treated; a compensating control is one possible outcome of that discussion)
Question #126
Which of the following should be management’s PRIMARY consideration when approving risk response action plans?
A. Prioritization for implementing the action plans
B. Ability of the action plans to address multiple risk scenarios
C. Ease of implementing the risk treatment solution
D. Changes in residual risk after implementing the plans
View answer
Correct Answer: D (management approves a response on the basis of the residual risk it will leave, judged against risk appetite; prioritization and ease of implementation follow from that)
Question #127
An application runs a scheduled job that compiles financial data from multiple business systems and updates the financial reporting system. If this job runs too long, it can delay financial reporting. Which of the following is the risk practitioner's BEST recommendation?
A. Implement database activity and capacity monitoring
B. Consider providing additional system resource to this job
C. Ensure the enterprise has a process to detect such situations
D. Ensure the business is aware of the risk
View answer
Correct Answer: C
Question #128
Which of the following role carriers is accountable for analyzing risks, maintaining the risk profile, and making risk-aware decisions?
A. Probabilities
B. Threats
C. Vulnerabilities
D. Impacts
View answer
Correct Answer: D
Question #129
Which of the following processes addresses the risks by their priorities, schedules the project management plan as required, and inserts resources and activities into the budget?
A. Monitor and Control Risk
B. Plan risk response
C. Identify Risks
D. Qualitative Risk Analysis
View answer
Correct Answer: B
Question #130
Which of the following is MOST important when discussing risk within an organization?
A. Adopting a common risk taxonomy
B. Creating a risk communication policy
C. Using key performance indicators (KPIs)
D. Using key risk indicators (KRIs)
View answer
Correct Answer: A (KRIs and KPIs are only meaningful once everyone uses the same terms for the same risk concepts)
Question #131
Which of the following will BEST mitigate the risk associated with IT and business misalignment?
A. Introducing an established framework for IT architecture
B. Establishing business key performance indicators (KPIs)
C. Involving the business process owner in IT strategy
D. Establishing key risk indicators (KRIs)
View answer
Correct Answer: C (misalignment is addressed at its source, when IT strategy is set with the business; an architecture framework or indicators do not by themselves bring the business into that decision)
Question #132
Which of the following is the MAIN benefit of involving stakeholders in the selection of key risk indicators (KRIs)?
A. Leveraging existing metrics
B. Optimizing risk treatment decisions
C. Obtaining buy-in from risk owners
D. Improving risk awareness
View answer
Correct Answer: C
Question #133
The PRIMARY advantage of implementing an IT risk management framework is the:
A. Alignment of business goals with IT objectives
B. Improvement of controls within the organization and minimized losses
C. Compliance with relevant legal and regulatory requirements
D. Establishment of a reliable basis for risk-aware decision making
View answer
Correct Answer: D (better controls, fewer losses and compliance are outcomes that may follow; the framework's primary value is a consistent basis for risk-aware decisions)
Question #134
Henry is the project sponsor of the JQ Project and Nancy is the project manager. Henry has asked Nancy to start the risk identification process for the project, but Nancy insists that the project team be involved in the process. Why should the project team be involved in the risk identification?
A. Framework
B. Legal requirements
C. Standard
D. Practices
View answer
Correct Answer: A
Question #135
An organization is considering allowing users to access company data from their personal devices. Which of the following is the MOST important factor when assessing the risk?
A. Classification of the data
B. Type of device
C. Remote management capabilities
D. Volume of data
View answer
Correct Answer: A (the sensitivity of the data that may leave the organization drives the risk; device type and remote management are control considerations that follow from it)
Question #136
Which of the following is the BEST course of action to reduce risk impact?
A. Create an IT security policy
B. Implement detective controls
C. Implement corrective measures
D. Leverage existing technology
View answer
Correct Answer: C
Question #137
You are the project manager of a large construction project. This project will last for 18 months and will cost $750,000 to complete. You are working with your project team, experts, and stakeholders to identify risks within the project before the project work begins. Management wants to know why you have scheduled so many risk identification meetings throughout the project rather than just initially during the project planning. What is the best reason for the duplicate risk identification sessions?
A. The iterative meetings allow all stakeholders to participate in the risk identification processes throughout the project phases
B. The iterative meetings allow the project manager to discuss the risk events which have passed the project and which did not happen
C. The iterative meetings allow the project manager and the risk identification participants to identify newly discovered risk events throughout the project
D. The iterative meetings allow the project manager to communicate pending risk events during project execution
View answer
Correct Answer: C
Question #138
You work as the project manager for Bluewell Inc. There has been a delay in your project work that is adversely affecting the project schedule. You decide, with your stakeholders' approval, to fast track the project work to get the project done faster. When you fast track the project, what is likely to increase?
A. Human resource needs
B. Quality control concerns
C. Costs
D. Risks
View answer
Correct Answer: D
Question #139
Which of the following is the BEST key performance indicator (KPI) to measure the ability to deliver uninterrupted IT services?
A. Mean time between failures
B. Unplanned downtime
C. Mean time to recover
D. Planned downtime
View answer
Correct Answer: B (unplanned downtime measures the interruption actually experienced by the business; MTBF and MTTR each capture only one component of it, and planned downtime is not an interruption of agreed service)
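Question #101 (average gap between actual and agreed response times) and Question #139 (unplanned downtime) are both derived from the same incident records. The following is an added example, not code from the page, that computes both metrics, plus MTTR and MTBF for comparison, from constructed incident data; the record layout, the per-severity agreed response times and the reporting period are assumptions of the example.

```python
from datetime import datetime

# Constructed incident and change records (not from the page), times in UTC.
INCIDENTS = [
    {"id": "INC-1", "severity": "P1", "planned": False,
     "opened": "2024-03-01T02:00:00", "responded": "2024-03-01T02:20:00", "restored": "2024-03-01T03:30:00"},
    {"id": "INC-2", "severity": "P2", "planned": False,
     "opened": "2024-03-05T10:00:00", "responded": "2024-03-05T10:45:00", "restored": "2024-03-05T12:00:00"},
    {"id": "CHG-7", "severity": "P3", "planned": True,
     "opened": "2024-03-10T22:00:00", "responded": "2024-03-10T22:00:00", "restored": "2024-03-11T00:00:00"},
    {"id": "INC-3", "severity": "P1", "planned": False,
     "opened": "2024-03-20T14:00:00", "responded": "2024-03-20T14:05:00", "restored": "2024-03-20T14:35:00"},
]

# Agreed (SLA) response time per severity, in minutes: an assumption for the example.
AGREED_RESPONSE_MIN = {"P1": 15, "P2": 30, "P3": 240}

PERIOD_START = "2024-03-01T00:00:00"
PERIOD_END = "2024-04-01T00:00:00"


def _minutes(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def response_gap_minutes(incidents, agreed):
    """Question #101 metric: mean (actual - agreed) response time over unplanned incidents.

    Early responses count as a gap of 0, so one very fast response cannot
    cancel out an SLA breach elsewhere.
    """
    gaps = []
    for inc in incidents:
        if inc["planned"]:
            continue
        actual = _minutes(inc["opened"], inc["responded"])
        gaps.append(max(0.0, actual - agreed[inc["severity"]]))
    return sum(gaps) / len(gaps) if gaps else 0.0


def availability_kpis(incidents, period_start, period_end):
    """Question #139 metrics: unplanned downtime first, with MTTR/MTBF for comparison.

    MTBF is computed over scheduled time (period minus planned downtime),
    so it rises with the length of the period even when downtime does not.
    """
    unplanned = [_minutes(i["opened"], i["restored"]) for i in incidents if not i["planned"]]
    planned = [_minutes(i["opened"], i["restored"]) for i in incidents if i["planned"]]
    period = _minutes(period_start, period_end)
    scheduled = period - sum(planned)
    failures = len(unplanned)
    return {
        "unplanned_downtime_min": sum(unplanned),
        "planned_downtime_min": sum(planned),
        "failures": failures,
        "mttr_min": sum(unplanned) / failures if failures else 0.0,
        "mtbf_min": (scheduled - sum(unplanned)) / failures if failures else scheduled,
        "availability_pct": 100.0 * (scheduled - sum(unplanned)) / scheduled,
    }


if __name__ == "__main__":
    print("mean response gap (min):", round(response_gap_minutes(INCIDENTS, AGREED_RESPONSE_MIN), 2))
    for name, value in availability_kpis(INCIDENTS, PERIOD_START, PERIOD_END).items():
        print(f"{name}: {value:.2f}" if isinstance(value, float) else f"{name}: {value}")
```

With the sample records the three unplanned incidents cost 245 minutes of unplanned downtime, and the mean response gap is about 6.7 minutes (INC-1 and INC-2 breached their agreed times by 5 and 15 minutes, INC-3 responded early). Note how MTBF alone would say nothing about the 245 minutes the business was without service.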
Question #140
Which of the following is the STRONGEST indication that controls implemented as part of a risk action plan are not effective?
A. A security breach occurs
B. Internal audit identifies recurring exceptions
C. Changes are put into production without management approval
D. A sample is used to validate the action plan
View answer
Correct Answer: B
Question #141
You are working as the project manager of the ABS project. The project is for establishing a computer network on a school's premises. During project execution, the school management asks to make the campus Wi-Fi enabled. You know that this may impact the project adversely. You have discussed the change request with other stakeholders. What will be your NEXT step?
A. Update project management plan
B. Issue a change request
C. Analyze the impact
D. Update risk management plan
View answer
Correct Answer: C
Question #142
You are the project manager of the AFD project for your company. You are working with the project team to reassess existing risk events and to identify risk events that have not happened and whose relevancy to the project has passed. What should you do with these events that have not happened and would not happen now in the project?
A. Add the risk to the issues log
B. Close the outdated risks
C. Add the risks to the risk register
D. Add the risks to a low-priority watch-list
View answer
Correct Answer: B
Question #143
You are the risk official of your enterprise. Your enterprise takes important decisions without considering risk-related information and is also unaware of external requirements for risk management and of integration with enterprise risk management. In which of the following risk management capability maturity levels does your enterprise exist?
A. Level 1
B. Level 0
C. Level 5
D. Level 4
View answer
Correct Answer: B
Question #144
You are the risk professional of your enterprise. You need to calculate the potential revenue loss if a certain risk occurs. Your enterprise has an e-commerce web site that produces US $1 million of revenue each day. If a denial of service (DoS) attack occurs that lasts half a day, how much loss does it create?
A. Data analysis
B. Data validation
C. Data gathering
D. Data access
View answer
Correct Answer: B
Question #145
Where are all risks and risk responses documented as the project progresses?
A. Risk management plan
B. Project management plan
C. Risk response plan
D. Risk register
View answer
Correct Answer: D
Question #146
A management team is on an aggressive mission to launch a new product to penetrate new markets and overlooks IT risk factors, threats, and vulnerabilities. This scenario BEST demonstrates an organization’s risk:
A. Management
B. Analysis
C. Culture
D. Tolerance
View answer
Correct Answer: C
Question #147
An organization has allowed its cyber risk insurance to lapse while seeking a new insurance provider. The risk practitioner should report to management that the risk has been:
A. Accepted
B. Mitigated
C. Transferred
D. Avoided
View answer
Correct Answer: A
Question #148
Which of the following is MOST important to communicate to senior management during the initial implementation of a risk management program?
A. Risk ownership
B. Best practices
C. Desired risk level
D. Regulatory compliance
View answer
Correct Answer: A
Question #149
You are working on a project in an enterprise. Part of your project requires e-commerce, but your enterprise chooses not to engage in e-commerce. Which of the following forms of risk response does this scenario demonstrate?
A. Risk avoidance
B. Risk treatment
C. Risk acceptance
D. Risk transfer
View answer
Correct Answer: A
Question #150
Which of the following actions assures management that the organization's objectives are protected from the occurrence of risk events?
A. Internal control
B. Risk management
C. Hedging
D. Risk assessment
View answer
Correct Answer: A
Question #151
The PRIMARY objective for requiring an independent review of an organization's IT risk management process should be to:
A. Ensure IT risk management is focused on mitigating potential risk
B. Confirm that IT risk assessment results are expressed as business impact
C. Assess gaps in IT risk management operations and strategic focus
D. Verify implemented controls to reduce the likelihood of threat materialization
View answer
Correct Answer: C
Question #152
An organization has been notified that a disgruntled, terminated IT administrator has tried to break into the corporate network. Which of the following discoveries should be of GREATEST concern to the organization?
A. A brute force attack has been detected
B. An external vulnerability scan has been detected
C. An increase in support requests has been observed
D. Authentication logs have been disabled
View answer
Correct Answer: D
Question #153
Harry is the project manager of HDW project. He has identified a risk that could injure project team members. He does not want to accept any risk where someone could become injured on this project so he hires a professional vendor to complete this portion of the project work. What type of risk response is Harry implementing?
A. They are the individuals that will most likely cause and respond to the risk events
B. They are the individuals that will have the best responses for identified risk events within the project
C. They are the individuals that are most affected by the risk events
D. They are the individuals that will need a sense of ownership and responsibility for the risk events
View answer
Correct Answer: A
Question #154
You are the risk professional of your enterprise. You have performed a cost and benefit analysis of a control that you have adopted. What are the benefits of performing a cost and benefit analysis of a control? Each correct answer represents a complete solution. Choose three.
A. Project is completed and the system has been in production for a sufficient time period
B. During the project
C. Immediately after the completion of the project
D. Project is about to complete
View answer
Correct Answer: ACD
Question #155
Qualitative risk assessment uses which of the following terms for evaluating risk level? Each correct answer represents a part of the solution. Choose two.
A. Hedging
B. Aversion
C. Appetite
D. Tolerance
View answer
Correct Answer: AC
Question #156
Which of the following is the PRIMARY objective of providing an aggregated view of IT risk to business management?
A. To provide consistent and clear terminology
B. To allow for proper review of risk tolerance
C. To identify dependencies for reporting risk
D. To enable consistent data on risk to be obtained
View answer
Correct Answer: B
Question #157
Out of several risk responses, which of the following risk responses is used for negative risk events?
A. Share
B. Enhance
C. Exploit
D. Accept
View answer
Correct Answer: D
Question #158
A global organization is considering the acquisition of a competitor. Senior management has requested a review of the overall risk profile from the targeted organization. Which of the following components of this review would provide the MOST useful information?
A. Risk appetite statement
B. Risk management policies
C. Risk register
D. Enterprise risk management framework
View answer
Correct Answer: D
Question #160
What is the value of exposure factor if the asset is lost completely?
A. Enhancing
B. Positive
C. Opportunistic
D. Exploiting
View answer
Correct Answer: A
Question #161
Adrian is a project manager for a new project using a technology that has recently been released and there's relatively little information about the technology. Initial testing of the technology makes the use of it look promising, but there's still uncertainty as to the longevity and reliability of the technology. Adrian wants to consider the technology factors a risk for her project. Where should she document the risks associated with this technology so she can track the risk status and responses?
A. Project scope statement
B. Project charter
C. Risk low-level watch list
D. Risk register
View answer
Correct Answer: D
Question #162
The PRIMARY purpose of IT control status reporting is to:
A. Assist internal audit in evaluating and initiating remediation efforts
B. Ensure compliance with IT governance strategy
C. Facilitate the comparison of the current and desired states
D. Benchmark IT controls with industry standards
View answer
Correct Answer: C
Question #163
Which of the following statements is NOT true regarding the risk management plan?
A. The risk management plan is an output of the Plan Risk Management process
B. The risk management plan is an input to all the remaining risk-planning processes
C. The risk management plan includes a description of the risk responses and triggers
D. The risk management plan includes thresholds, scoring and interpretation methods, responsible parties, and budgets
View answer
Correct Answer: C
Question #164
Which of the following is the GREATEST risk associated with using unmasked data for testing purposes?
A. Confidentiality
B. Integrity
C. Availability
D. Accountability
View answer
Correct Answer: A
Question #165
Which of the following is the BEST approach to use when creating a comprehensive set of IT risk scenarios?
A. Gather scenarios from senior management
B. Derive scenarios from IT risk policies and standards
C. Benchmark scenarios against industry peers
D. Map scenarios to a recognized risk management framework
View answer
Correct Answer: D
Question #166
Which of the following is the MOST important characteristic of an effective risk management program?
A. Risk response plans are documented
B. Key risk indicators are defined
C. Risk ownership is assigned
D. Controls are mapped to key risk scenarios
View answer
Correct Answer: D
Question #167
An organization has determined a risk scenario is outside the defined risk tolerance level. What should be the NEXT course of action?
A. Develop a compensating control
B. Identify risk responses
C. Allocate remediation resources
D. Perform a cost-benefit analysis
View answer
Correct Answer: B (once a risk is known to exceed tolerance, the response options are identified first; a compensating control, cost-benefit analysis and resource allocation all belong to evaluating and implementing a chosen response)
Question #168
Which of the following is the GREATEST concern when using a generic set of IT risk scenarios for risk analysis?
A. Inherent risk might not be considered
B. Implementation costs might increase
C. Risk factors might not be relevant to the organization
D. Quantitative analysis might not be possible
View answer
Correct Answer: C
Question #169
You have been assigned as the Project Manager for a new project that involves development of a new interface for your existing time management system. You have completed identifying all possible risks along with the stakeholders and team and have calculated the probability and impact of these risks. Which of the following would you need next to help you prioritize the risks?
A. Affinity Diagram
B. Risk rating rules
C. Project Network Diagram
D. Risk categories
View answer
Correct Answer: B
Question #170
You are the project manager of the PFO project. You are working with your project team members and two subject matter experts to assess the identified risk events in the project. Which of the following approaches is the best to assess the risk events in the project?
A. Interviews or meetings
B. Determination of the true cost of the risk event
C. Probability and Impact Matrix
D. Root cause analysis
View answer
Correct Answer: A
Question #171
Which of the following is the PRIMARY factor in determining a recovery time objective (RTO)?
A. Response time of the emergency action plan
B. Cost of downtime due to a disaster
C. Cost of offsite backup premises
D. Cost of testing the business continuity plan
View answer
Correct Answer: B
Question #172
Shelly is the project manager of the BUF project for her company. In this project Shelly needs to establish some rules to reduce the influence of risk bias during the qualitative risk analysis process. What method can Shelly take to best reduce the influence of risk bias?
A. Establish risk boundaries
B. Group stakeholders according to positive and negative stakeholders and then complete the risk analysis
C. Determine the risk root cause rather than the person identifying the risk events
D. Establish definitions of the level of probability and impact of risk events
View answer
Correct Answer: D
Question #173
A risk manager has determined there is excessive risk with a particular technology. Who is the BEST person to own the unmitigated risk of the technology?
A. Business process owner
B. Chief financial officer
C. Chief risk officer
D. IT system owner
View answer
Correct Answer: A (the unmitigated risk is borne by the business process that depends on the technology; the IT system owner operates the system but does not own the business consequence)
Question #174
You work as the project manager for Bluewell Inc. Your project has several risks that will affect several stakeholder requirements. Which project management plan will define who will be available to share information on the project risks?
A. Resource Management Plan
B. Risk Management Plan
C. Stakeholder management strategy
D. Communications Management Plan
View answer
Correct Answer: D
Question #175
The compensating control that MOST effectively addresses the risk associated with piggybacking into a restricted area without a dead-man door is:
A. Using two-factor authentication
B. Using biometric door locks
C. Requiring employees to wear ID badges
D. Security awareness training
View answer
Correct Answer: D
Question #176
A key risk indicator (KRI) is reported to senior management on a periodic basis as exceeding thresholds, but each time senior management has decided to take no action to reduce the risk. Which of the following is the MOST likely reason for senior management’s response?
A. The underlying data source for the KRI is using inaccurate data and needs to be corrected
B. The KRI threshold needs to be revised to better align with the organization's risk appetite
C. Senior management does not understand the KRI and should undergo risk training
D. The KRI is not providing useful information and should be removed from the KRI inventory
View answer
Correct Answer: B
Question #177
Marie has identified a risk event in her project that needs a mitigation response. Her response actually creates a new risk event that must now be analyzed and planned for. What term is given to this newly created risk event?
A. Residual risk
B. Secondary risk
C. Infinitive risk
D. Populated risk
View answer
Correct Answer: B
Question #178
An organization has outsourced its IT security operations to a third party. Who is ULTIMATELY accountable for the risk associated with the outsourced operations?
A. The organization's vendor management office
B. The organization's management
C. The control operators at the third party
D. The third party's management
View answer
Correct Answer: B
Question #179
To effectively support business decisions, an IT risk register MUST:
A. Reflect the results of risk assessments
B. Effectively support a business maturity model
C. Be available to operational groups
D. Be reviewed by the IT steering committee
View answer
Correct Answer: A (a register that does not reflect current assessment results cannot inform any decision, whoever reviews it)
Question #180
Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data?
A. Reviewing logs for unauthorized data transfers
B. Configuring the DLP control to block credit card numbers
C. Testing the transmission of credit card numbers
D. Testing the DLP rule change control process
View answer
Correct Answer: A
Question #181
A risk practitioner recently discovered that sensitive data from the production environment is required for testing purposes in non-production environments. Which of the following is the BEST recommendation to address this situation?
A. Mask data before being transferred to the test environment
B. Implement equivalent security in the test environment
C. Enable data encryption in the test environment
D. Prevent the use of production data for test purposes
View answer
Correct Answer: B
Question #182
Which of the following is the MAIN reason for documenting the performance of controls?
A. Justifying return on investment
B. Demonstrating effective risk mitigation
C. Providing accurate risk reporting
D. Obtaining management sign-off
View answer
Correct Answer: B
Question #183
Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?
A. Assess risk against business objectives
B. Implement an organization-specific risk taxonomy
C. Align business objectives to the risk profile
D. Explain risk details to management
View answer
Correct Answer: C
Question #184
You are the project manager of your enterprise. You have identified new threats, and then evaluated the ability of existing controls to mitigate risk associated with new threats. You noticed that the existing control is not efficient in mitigating these new risks. What are the various steps you could take in this case? Each correct answer represents a complete solution. (Choose three.)
A. Relevance risk
B. Integrity risk
C. Availability risk
D. Access risk
View answer
Correct Answer: ABC
Question #185
Which of the following is the BEST course of action when risk is found to be above the acceptable risk appetite?
A. Execute the risk response plan
B. Analyze the effectiveness of controls
C. Maintain the current controls
D. Review risk tolerance levels
View answer
Correct Answer: B
Question #186
Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?
A. Conduct an awareness program for data owners and users
B. Maintain and review the classified data inventory
C. Implement mandatory encryption on data
D. Define and implement a data classification policy
View answer
Correct Answer: A
Question #187
Della works as a project manager for Tech Perfect Inc. She is studying the planning documentation of a project. The documentation states that there are twenty-eight stakeholders in the project. What will be the number of communication channels for the project?
A. 50
B. 28
C. 378
D. 00
View answer
Correct Answer: C
Question #188
You are elected as the project manager of the GHT project. You have to initiate the project. Your project request document has been approved, and now you have to start working on the project. What is the FIRST step you should take to initiate the project?
A. Conduct a feasibility study
B. Acquire software
C. Define requirements of project
D. Plan project management
View answer
Correct Answer: A
Question #189
You are the project manager of a project for a client. The client has promised your company a bonus if the project is completed early. After studying the project work, you elect to crash the project in order to realize the early end date. This is an example of what type of risk response?
A. Negative risk response, because crashing will add risks
B. Positive risk response, as crashing is an example of enhancing
C. Positive risk response, as crashing is an example of exploiting
D. Negative risk response, because crashing will add costs
View answer
Correct Answer: B
Question #190
You are the risk professional of your enterprise. Your enterprise has introduced new systems in many departments. The business requirements that were to be addressed by the new system are still unfulfilled, and the process has been a waste of resources. Even if the system is implemented, it will most likely be underutilized and not maintained, making it obsolete in a short period of time. What kind of risk is it?
A. Inherent risk
B. Business risk
C. Project risk
D. Residual risk
View answer
Correct Answer: B
Question #191
You are the project manager of the KJH Project and are working with your project team to plan the risk responses. Consider that your project has a budget of $500,000 and is expected to last six months. Within the KJH Project you have identified a risk event that has a probability of .70 and has a cost impact of $350,000. When it comes to creating a risk response for this event, what is the risk exposure of the event that must be considered for the cost of the risk response?
A. The risk exposure of the event is $350,000
B. The risk exposure of the event is $500,000
C. The risk exposure of the event is $850,000
D. The risk exposure of the event is $245,000
View answer
Correct Answer: D
Question #192
Which of the following is the BEST method for discovering high-impact risk types?
A. Qualitative risk analysis
B. Delphi technique
C. Failure modes and effects analysis
D. Quantitative risk analysis
View answer
Correct Answer: C
Question #193
An organization has identified a risk exposure due to weak technical controls in a newly implemented HR system. The risk practitioner is documenting the risk in the risk register. The risk should be owned by the:
A. Business process owner
B. Chief information officer
C. Project manager
D. Chief risk officer
View answer
Correct Answer: A
Question #194
After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:
A. Inform the IT manager of the concerns and propose measures to reduce them
B. Inform the process owner of the concerns and propose measures to reduce them
C. Inform the development team of the concerns, and together formulate risk reduction measures
D. Recommend a program that minimizes the concerns of that production system
View answer
Correct Answer: A
Question #195
Which of the following BEST indicates effective information security incident management?
A. Frequency of information security incident response plan testing
B. Percentage of high risk security incidents
C. Monthly trend of information security-related incidents
D. Average time to identify critical information security incidents
View answer
Correct Answer: D
Question #196
Which of the following is the MOST important objective of the information system control?
A. Business objectives are achieved and undesired risk events are detected and corrected
B. Ensuring effective and efficient operations
C. Developing business continuity and disaster recovery plans
D. Safeguarding assets
View answer
Correct Answer: A
Question #197
A risk practitioner is summarizing the results of a high-profile risk assessment sponsored by senior management. The BEST way to support risk-based decisions by senior management would be to:
A. Quantify key risk indicators (KRIs)
B. Recommend risk tolerance thresholds
C. Provide a quantified detailed analysis
D. Map findings to objectives
View answer
Correct Answer: D
Question #198
Which of the following risks refers to the probability that the actual return on an investment will be lower than the investor's expectations?
A. Integrity risk
B. Project ownership risk
C. Relevance risk
D. Expense risk
View answer
Correct Answer: D
Question #199
Which of the following elements of a risk register is MOST likely to change as a result of change in management’s risk appetite?
A. Risk likelihood and impact
B. Risk velocity
C. Inherent risk
D. Key risk indicator (KRI) thresholds
View answer
Correct Answer: D
Question #200
A review of an organization’s controls has determined its data loss prevention (DLP) system is currently failing to detect outgoing emails containing credit card data. Which of the following would be MOST impacted?
A. Risk appetite
B. Residual risk
C. Key risk indicators (KRIs)
D. Inherent risk
View answer
Correct Answer: B
Question #201
After mapping generic risk scenarios to organizational security policies, the NEXT course of action should be to:
A. Record risk scenarios in the risk register for analysis
B. Validate the risk scenarios for business applicability
C. Reduce the number of risk scenarios to a manageable set
D. Perform a risk analysis on the risk scenarios
View answer
Correct Answer: B
Question #202
An organization operates in an environment where reduced time-to-market for new software products is a top business priority. Which of the following should be the risk practitioner’s GREATEST concern?
A. Email infrastructure does not have proper rollback plans
B. Sufficient resources are not assigned to IT development projects
C. The corporate email system does not identify and store phishing emails
D. Customer support help desk staff does not have adequate training
View answer
Correct Answer: B
Question #203
Which of the following would be a risk practitioner's GREATEST concern related to the monitoring of key risk indicators (KRIs)?
A. Logs are retained for a longer duration than the data retention policy requires
B. Logs are encrypted during transmission from the system to analysis tools
C. Logs are modified before analysis is conducted
D. Logs are collected from a small number of systems
View answer
Correct Answer: D
Question #204
Which of the following is MOST important to ensure when continuously monitoring the performance of a client-facing application?
A. Performance information in the log is encrypted
B. Control owners approve control changes
C. Objectives are confirmed with the business owner
D. End-user acceptance testing has been conducted
View answer
Correct Answer: D
Question #205
Which of the following provides an organization with the MOST insight with regard to operational readiness associated with risk?
A. Capability maturity assessment results
B. Minutes of the enterprise risk committee meetings
C. Benchmarking against industry standards
D. Self-assessment of capabilities
View answer
Correct Answer: D
Question #206
Management has required information security awareness training to reduce the risk associated with credential compromise. What is the BEST way to assess the effectiveness of the training?
A. Conduct social engineering testing
B. Perform a vulnerability assessment
C. Audit security awareness training materials
D. Administer an end-of-training quiz
View answer
Correct Answer: A
Question #207
Which of the following would BEST help to ensure that suspicious network activity is identified?
A. Analyzing server logs
B. Coordinating events with appropriate agencies
C. Analyzing intrusion detection system (IDS) logs
D. Using a third-party monitoring provider
View answer
Correct Answer: C
Question #208
You are the project manager of the NHH Project. You are working with the project team to create a plan to document the procedures to manage risks throughout the project. This document will define how risks will be identified and quantified. It will also define how contingency plans will be implemented by the project team. What document are you and your team creating in this scenario?
A. Project plan
B. Resource management plan
C. Project management plan
D. Risk management plan
View answer
Correct Answer: D
Question #209
Which of the following is MOST important for evaluating the operational effectiveness of a newly implemented control?
A. Continuous auditing techniques are used to ensure ongoing control monitoring
B. Control owners are conducting timely monitoring and reporting of the control results
C. The source data used for control performance is accurate and complete
D. Self-assessment testing results are regularly verified by independent control testers
View answer
Correct Answer: A
Question #210
You are working in an enterprise. Your enterprise is willing to accept a certain amount of risk. What is this risk called?
A. Configuration management
B. Communications management
C. Perform integrated change control process
D. Project change control process
View answer
Correct Answer: C
Question #211
Which of the following key risk indicators (KRIs) is MOST effective for monitoring risk related to a bring your own device (BYOD) program?
A. Number of incidents originating from BYOD devices
B. Budget allocated to the BYOD program security controls
C. Number of devices enrolled in the BYOD program
D. Number of users who have signed a BYOD acceptable use policy
View answer
Correct Answer: A
Question #212
Participants in a risk workshop have become focused on the financial cost to mitigate risk rather than choosing the most appropriate response. Which of the following is the BEST way to address this type of issue in the long term?
A. Review the risk register and risk scenarios
B. Calculate annualized loss expectancy of risk scenarios
C. Raise the maturity of organizational risk management
D. Perform a return on investment analysis
View answer
Correct Answer: B
Question #213
Which of the following is NOT true for risk governance?
A. Risk governance is based on the principles of cooperation, participation, mitigation and sustainability, and is adopted to achieve more effective risk management
B. Risk governance requires reporting once a year
C. Risk governance seeks to reduce risk exposure and vulnerability by filling gaps in risk policy
D. Risk governance is a systemic approach to decision-making processes associated with natural and technological risks
View answer
Correct Answer: B
Question #214
To which level should risk be reduced to accomplish the objective of risk management?
A. To a level where ALE is lower than SLE
B. To a level where ARO equals SLE
C. To a level that an organization can accept
D. To a level that an organization can mitigate
View answer
Correct Answer: C
Question #215
Under which of the following conditions do business units tend to point the finger at IT when projects are not delivered on time?
A. Threat identification in project
B. System failure
C. Misalignment between real risk appetite and translation into policies
D. Existence of a blame culture
View answer
Correct Answer: D
Question #216
Which of the following should be considered to ensure that risk responses that are adopted are cost-effective and are aligned with business objectives? Each correct answer represents a part of the solution. Choose three.
A. Project management plan
B. Project communications plan
C. Project contractual relationship with the vendor
D. Project scope statement
View answer
Correct Answer: ABD
Question #217
Which of the following individuals is responsible for identifying process requirements, approving process design and managing process performance?
A. Business process owner
B. Risk owner
C. Chief financial officer
D. Chief information officer
View answer
Correct Answer: A
Question #218
Several network user accounts were recently created without the required management approvals. Which of the following would be the risk practitioner's BEST recommendation to address this situation?
A. Investigate the root cause of noncompliance
B. Declare a security breach and inform management
C. Develop incident response procedure for noncompliance
D. Conduct a comprehensive compliance review
View answer
Correct Answer: A
Question #219
You are the project manager of an HGT project that has recently finished the final compilation process. The project customer has signed off on the project completion and you have to do a few administrative closure activities. In the project, there were several large risks that could have wrecked the project, but you and your project team found some new methods to resolve the risks without affecting the project costs or project completion date. What should you do with the risk responses that you have identified?
A. Include the responses in the project management plan
B. Include the risk responses in the risk management plan
C. Include the risk responses in the organization's lessons learned database
D. Nothing
View answer
Correct Answer: C
Question #220
Which of the following will BEST help an organization evaluate the control environment of several third-party vendors?
A. Review vendors’ performance metrics on quality and delivery of processes
B. Review vendors’ internal risk assessments covering key risk and controls
C. Obtain independent control reports from high-risk vendors
D. Obtain vendor references from third parties
View answer
Correct Answer: A
Question #221
IT risk assessments can BEST be used by management:
A. To measure organizational success
B. As input for decision-making
C. As a basis for cost-benefit analysis
D. For compliance with laws and regulations
View answer
Correct Answer: B
Question #222
It is MOST important for a risk practitioner to have an awareness of an organization’s processes in order to:
A. Perform a business impact analysis
B. Establish risk guidelines
C. Understand control design
D. Identify potential sources of risk
View answer
Correct Answer: D
Question #223
You are the project manager of the HWD project. It requires the installation of some electrical machines. You and the project team decided to hire an electrician, as electrical work can be too dangerous to perform. What type of risk response are you following?
A. Avoidance
B. Transference
C. Mitigation
D. Acceptance
View answer
Correct Answer: B
Question #224
You are the project manager of a large networking project. During the execution phase the customer requests a change to the existing project plan. What will be your immediate action?
A. Update the risk register
B. Ask for a formal change request
C. Ignore the request as the project is in the execution phase
D. Refuse the change request
View answer
Correct Answer: B
Question #225
Sensitive data has been lost after an employee inadvertently removed a file from the premises, in violation of organizational policy. Which of the following controls MOST likely failed?
A. Background checks
B. Awareness training
C. User access
D. Policy management
View answer
Correct Answer: B
Question #226
In response to the threat of ransomware, an organization has implemented cybersecurity awareness activities. The risk practitioner’s BEST recommendation to further reduce the impact of ransomware attacks would be to implement:
A. Encryption for data at rest
B. Encryption for data in motion
C. Two-factor authentication
D. Continuous data backup controls
View answer
Correct Answer: D
Question #227
During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT. Which of the following is the BEST way for the risk practitioner to address these concerns?
A. Recommend the formation of an executive risk council to oversee IT risk
B. Provide an estimate of IT system downtime if IT risk materializes
C. Describe IT risk scenarios in terms of business risk
D. Educate business executives on IT risk concepts
View answer
Correct Answer: C
Question #228
Which of the following is the MOST important factor when deciding on a control to mitigate risk exposure?
A. Comparison against best practice
B. Relevance to the business process
C. Regulatory compliance requirements
D. Cost-benefit analysis
View answer
Correct Answer: B
Question #229
Management has noticed storage costs have increased exponentially over the last 10 years because most users do not delete their emails. Which of the following can BEST alleviate this issue while not sacrificing security?
A. Establishing e-discovery and data loss prevention (DLP)
B. Sending notifications when near storage quota
C. Implementing record retention tools and techniques
D. Implementing a bring your own device (BYOD) policy
View answer
Correct Answer: B
Question #230
You are the project manager of the NGQQ Project for your company. To help you communicate project status to your stakeholders, you are going to create a stakeholder register. All of the following information should be included in the stakeholder register except for which one?
A. Stakeholder management strategy
B. Assessment information of the stakeholders' major requirements, expectations, and potential influence
C. Identification information for each stakeholder
D. Stakeholder classification of their role in the project
View answer
Correct Answer: A
Question #231
You are preparing to complete the quantitative risk analysis process with your project team and several subject matter experts. You gather the necessary inputs including the project's cost management plan. Why is it necessary to include the project's cost management plan in the preparation for the quantitative risk analysis process?
A. The project's cost management plan provides control that may help determine the structure for quantitative analysis of the budget
B. The project's cost management plan can help you to determine what the total cost of the project is allowed to be
C. The project's cost management plan provides direction on how costs may be changed due to identified risks
D. The project's cost management plan is not an input to the quantitative risk analysis process
View answer
Correct Answer: A
Question #232
You work as a project manager for TechSoft Inc. You are working with the project stakeholders on the qualitative risk analysis process in your project. You have used all the tools of the qualitative risk analysis process in your project. Which of the following techniques is NOT used as a tool in the qualitative risk analysis process?
A. Risk Urgency Assessment
B. Risk Reassessment
C. Risk Data Quality Assessment
D. Risk Categorization
View answer
Correct Answer: B
Question #233
A risk practitioner has observed that there is an increasing trend of users sending sensitive information by email without using encryption. Which of the following would be the MOST effective approach to mitigate the risk associated with data loss?
A. Implement a tool to create and distribute violation reports
B. Block unencrypted outgoing emails which contain sensitive data
C. Implement a progressive disciplinary process for email violations
D. Raise awareness of encryption requirements for sensitive data
View answer
Correct Answer: B
Question #234
Which of the following should be the PRIMARY focus of a risk owner once a decision is made to mitigate a risk?
A. Determining processes for monitoring the effectiveness of the controls
B. Confirming to management the controls reduce the likelihood of the risk
C. Updating the risk register to include the risk mitigation plan
D. Ensuring that control design reduces risk to an acceptable level
View answer
Correct Answer: D
Question #235
Which of the following IT key risk indicators (KRIs) provides management with the BEST feedback on IT capacity?
A. Trends in IT resource usage
B. Increased resource availability
C. Trends in IT maintenance costs
D. Increased number of incidents
View answer
Correct Answer: D
Question #236
You are working as a project manager in Bluewell Inc. You are nearing the final stages of project execution and looking towards the final risk monitoring and controlling activities. For your project archives, which one of the following is an output of risk monitoring and control?
A. Qualitative risk analysis
B. Risk audits
C. Quantitative risk analysis
D. Requested changes
View answer
Correct Answer: D
Question #237
Which of the following guidelines should be followed for effective risk management? Each correct answer represents a complete solution. Choose three.
A. Configuration management system
B. Integrated change control
C. Change log
D. Scope change control system
View answer
Correct Answer: BCD
Question #238
What are the functions of audit and accountability control? Each correct answer represents a complete solution. (Choose three.)
A. Risk level increases above risk appetite
B. Risk level increases above risk tolerance
C. Risk level equates risk appetite
D. Risk level equates the risk tolerance
View answer
Correct Answer: ACD
Question #239
Whose risk tolerance matters MOST when making a risk decision?
A. Customers who would be affected by a breach
B. The information security manager
C. The business process owner of the exposed assets
D. Auditors, regulators, and standards organizations
View answer
Correct Answer: D
Question #240
Which of the following nodes of the decision tree analysis represents the start point of decision tree?
A. Decision node
B. End node
C. Event node
D. Root node
View answer
Correct Answer: D
Question #241
Which of the following BEST describes the utility of a risk?
A. The finance incentive behind the risk
B. The potential opportunity of the risk
C. The mechanics of how a risk works
D. The usefulness of the risk to individuals or groups
View answer
Correct Answer: D
Question #242
In the project initiation phase of the System Development Life Cycle, the project is initiated by which of the following role carriers?
A. CRO
B. Sponsor
C. Business management
D. CIO
View answer
Correct Answer: B
Question #243
Which of the following is a KEY outcome of risk ownership?
A. Risk-related information is communicated
B. Risk responsibilities are addressed
C. Risk-oriented tasks are defined
D. Business process risk is analyzed
View answer
Correct Answer: B
Question #244
Which of the following would BEST ensure that identified risk scenarios are addressed?
A. Performing real-time monitoring of threats
B. Creating a separate risk register for key business units
C. Performing regular risk control self-assessments
D. Reviewing the implementation of the risk response
View answer
Correct Answer: D
Question #245
Which of the following are risk components of the COSO ERM framework? Each correct answer represents a complete solution. Choose three.
A. Listing of risk responses
B. Risk ranking matrix
C. Listing of prioritized risks
D. Qualitative analysis outcomes
View answer
Correct Answer: ABD
Question #246
A peer review of a risk assessment finds that a relevant threat community was not included. Mitigation of the risk will require substantial changes to a software application. Which of the following is the BEST course of action?
A. Ask the business to make a budget request to remediate the problem
B. Research the types of attacks the threat can present
C. Determine the impact of the missing threat
D. Build a business case to remediate the fix
View answer
Correct Answer: C
Question #247
Which of the following approaches to bring your own device (BYOD) service delivery provides the BEST protection from data loss?
A. Penetration testing and session timeouts
B. Implement remote monitoring
C. Enforce strong passwords and data encryption
D. Enable data wipe capabilities
View answer
Correct Answer: B
Question #248
Which of the following statements are true for enterprise's risk management capability maturity level 3?
A. Probabilities
B. Threats
C. Vulnerabilities
D. Impacts
View answer
Correct Answer: ABD
Question #249
Which of the following operational risks ensures that the provision of a quality product is not overshadowed by the production costs of that product?
A. Information security risks
B. Contract and product liability risks
C. Project activity risks
D. Profitability operational risks
View answer
Correct Answer: D
Question #250
Stephen is the project manager of the GBB project. He has worked with two subject matter experts and his project team to complete the risk assessment technique. There are approximately 47 risks that have a low probability and a low impact on the project. Which of the following answers best describes what Stephen should do with these risk events?
A. Because they are low probability and low impact, Stephen should accept the risks
B. The low probability and low impact risks should be added to a watchlist for future monitoring
C. Because they are low probability and low impact, the risks can be dismissed
D. The low probability and low impact risks should be added to the risk register
View answer
Correct Answer: B
Question #251
Which of the following is the MOST important benefit of key risk indicators (KRIs)?
A. Assisting in continually optimizing risk governance
B. Providing an early warning to take proactive actions
C. Enabling the documentation and analysis of trends
D. Ensuring compliance with regulatory requirements
View answer
Correct Answer: A
Question #252
Which of the following is the BEST key performance indicator (KPI) to measure the maturity of an organization’s security incident handling process?
A. The number of resolved security incidents
B. The number of security incidents escalated to senior management
C. The number of newly identified security incidents
D. The number of recurring security incidents
View answer
Correct Answer: D
Question #253
Which of the following is NOT used for measurement of the Critical Success Factors of the project?
A. Productivity
B. Quality
C. Quantity
D. Customer service
View answer
Correct Answer: C
Question #254
Who is the MOST appropriate owner for newly identified IT risk?
A. The manager responsible for IT operations that will support the risk mitigation efforts
B. The individual with the most IT risk-related subject matter knowledge
C. The individual with authority to commit organizational resources to mitigate the risk
D. A project manager capable of prioritizing the risk remediation efforts
View answer
Correct Answer: B
Question #255
You are an experienced Project Manager who has been entrusted with a project to develop a machine which produces auto components. You have scheduled meetings with the project team and the key stakeholders to identify the risks for your project. Which of the following is a key output of this process?
A. Risk Register
B. Risk Management Plan
C. Risk Breakdown Structure
D. Risk Categories
View answer
Correct Answer: A
Question #256
An enterprise has identified risk events in a project. While responding to these identified risk events, which of the following stakeholders is MOST important for reviewing risk response options to an IT risk?
A. Information security managers
B. Internal auditors
C. Incident response team members
D. Business managers
View answer
Correct Answer: D
Question #257
Which of the following would be MOST helpful to a risk practitioner when ensuring that mitigated risk remains within acceptable limits?
A. Implementing a process for ongoing monitoring of control effectiveness
B. Designing a process for risk owners to periodically review identified risk
C. Ensuring risk owners participate in a periodic control testing process
D. Building an organizational risk profile after updating the risk register
View answer
Correct Answer: A
Question #258
Which of the following is BEST described by the definition below? "They are heavy influencers of the likelihood and impact of risk scenarios and should be taken into account during every risk analysis, when likelihood and impact are assessed."
A. Obscure risk
B. Risk factors
C. Risk analysis
D. Risk event
View answer
Correct Answer: B
Question #259
Which of the following come under the management class of controls? Each correct answer represents a complete solution. (Choose two.)
A. Acceptance
B. Avoidance
C. Exploit
D. Enhance
View answer
Correct Answer: AC
Question #260
Which of the following is the GREATEST benefit to an organization when updates to the risk register are made promptly after the completion of a risk assessment?
A. Improved senior management communication
B. Enhanced awareness of risk management
C. Optimized risk treatment decisions
D. Improved collaboration among risk professionals
View answer
Correct Answer: B
Question #261
An organization has implemented a preventive control to lock user accounts after three unsuccessful login attempts. This practice has been proven to be unproductive, and a change in the control threshold value has been recommended. Who should authorize changing this threshold?
A. Control owner
B. IT security manager
C. Risk owner
D. IT system owner
View answer
Correct Answer: A
Question #262
Which of the following techniques examines the degree to which organizational strengths offset threats and opportunities that may serve to overcome weaknesses?
A. SWOT Analysis
B. Delphi
C. Brainstorming
D. Expert Judgment
View answer
Correct Answer: A
Question #263
Which of the following IS processes provide indirect information? Each correct answer represents a complete solution. Choose three.
A. US $250,000 loss
B. US $500,000 loss
C. US $1 million loss
D. US $100,000 loss
View answer
Correct Answer: ABC
Question #264
The BEST control to mitigate the risk associated with project scope creep is to:
A. Consult with senior management on a regular basis
B. Apply change management procedures
C. Ensure extensive user involvement
D. Deploy CASE tools in software development
View answer
Correct Answer: A
Question #265
Which of the following would BEST help minimize the risk associated with social engineering threats?
A. Reviewing the organization’s risk appetite
B. Enforcing employee sanctions
C. Enforcing segregation of duties
D. Conducting phishing exercises
View answer
Correct Answer: D
Question #266
A trusted third party service provider has determined that the risk of a client’s systems being hacked is low. Which of the following would be the client’s BEST course of action?
A. Perform an independent audit of the third party
B. Accept the risk based on the third party’s risk assessment
C. Perform their own risk assessment
D. Implement additional controls to address the risk
View answer
Correct Answer: A
Question #267
A global organization is planning to collect customer behavior data through social media advertising. Which of the following is the MOST important business risk to be considered?
A. Regulatory requirements may differ in each country
B. Business advertising will need to be tailored by country
C. The data analysis may be ineffective in achieving objectives
D. Data sampling may be impacted by various industry restrictions
View answer
Correct Answer: A
Question #268
In which of the following risk management capability maturity levels are risk appetite and tolerance applied only during episodic risk assessments?
A. Level 3
B. Level 2
C. Level 4
D. Level 1
View answer
Correct Answer: D
Question #269
Performing a background check on a new employee candidate before hiring is an example of what type of control?
A. Compensating
B. Preventive
C. Detective
D. Corrective
View answer
Correct Answer: B
Question #270
Who should be accountable for monitoring the control environment to ensure controls are effective?
A. Risk owner
B. Security monitoring operations
C. Impacted data owner
D. System owner
View answer
Correct Answer: B
Question #271
Which of the following is true for Cost Performance Index (CPI)?
A. If the CPI > 1, it indicates better than expected performance of the project
B. CPI = Earned Value (EV) * Actual Cost (AC)
C. It is used to measure performance of the schedule
D. If the CPI = 1, it indicates poor performance of the project
View answer
Correct Answer: A
Question #272
Which of the following is the MOST useful indicator to measure the efficiency of an identity and access management process?
A. Average time to provision user accounts
B. Password reset volume per month
C. Number of tickets for provisioning new accounts
D. Average account lockout time
View answer
Correct Answer: A
Question #273
Which of the following is an administrative control?
A. Water detection
B. Reasonableness check
C. Data loss prevention program
D. Session timeout
View answer
Correct Answer: C
Question #274
A risk practitioner has become aware of production data being used in a test environment. Which of the following should be the practitioner’s PRIMARY concern?
A. Security of the test environment
B. Readability of test data
C. Sensitivity of the data
D. Availability of data to authorized staff
View answer
Correct Answer: C
Question #275
Which of the following IT controls is MOST useful in mitigating the risk associated with inaccurate data?
A. Audit trails for updates and deletions
B. Encrypted storage of data
C. Links to source data
D. Check totals on data records and data fields
View answer
Correct Answer: A
Question #276
An IT control gap has been identified in a key process. Who would be the MOST appropriate owner of the risk associated with this gap?
A. Business process owner
B. Chief information security officer
C. Operational risk manager
D. Key control owner
View answer
Correct Answer: A
Question #277
Which of the following is the MOST important aspect to ensure that an accurate risk register is maintained?
A. Publish the risk register in a knowledge management platform with workflow features that periodically contacts and polls risk assessors to ensure accuracy of content
B. Perform regular audits by audit personnel and maintain the risk register
C. Submit the risk register to business process owners for review and updating
D. Monitor key risk indicators, and record the findings in the risk register
View answer
Correct Answer: A
Question #278
An organization has engaged a third party to provide an Internet gateway encryption service that protects sensitive data uploaded to a cloud service. This is an example of risk:
A. Transfer
B. Acceptance
C. Mitigation
D. Avoidance
View answer
Correct Answer: A
Question #279
Which of the following is the MOST important use of KRIs?
A. Providing a backward-looking view on risk events that have occurred
B. Providing an early warning signal
C. Providing an indication of the enterprise's risk appetite and tolerance
D. Enabling the documentation and analysis of trends
View answer
Correct Answer: B
Question #280
Which of the following is MOST important to understand when determining an appropriate risk assessment approach?
A. Threats and vulnerabilities
B. Value of information assets
C. Complexity of the IT infrastructure
D. Management culture
View answer
Correct Answer: B
Question #281
Which of the following can be used to assign a monetary value to risk?
A. Annual loss expectancy (ALE)
B. Business impact analysis
C. Cost-benefit analysis
D. Inherent vulnerabilities
View answer
Correct Answer: A
Question #282
You are the project manager of the GHT project. Your project team is in the process of identifying project risks on your current project. The team has the option to use all of the following tools and techniques to diagram some of these potential risks EXCEPT for which one?
A. Process flowchart
B. Ishikawa diagram
C. Influence diagram
D. Decision tree diagram
View answer
Correct Answer: D
Question #283
Which of the following is the BEST way to ensure that outsourced service providers comply with the enterprise's information security policy?
A. Penetration testing
B. Service level monitoring
C. Security awareness training
D. Periodic audits
View answer
Correct Answer: D
Question #284
You are the project manager of the GHT project. You have implemented an automated tool to analyze and report on access control logs based on severity. This tool generates excessively large amounts of results. You perform a risk assessment and decide to configure the monitoring tool to report only when the alerts are marked "critical". What should you do in order to fulfill that?
A. Apply risk response
B. Optimize Key Risk Indicator
C. Update risk register
D. Perform quantitative risk analysis
View answer
Correct Answer: B
Question #285
Which of the following is the BEST metric to demonstrate the effectiveness of an organization’s change management process?
A. Average time to complete changes
B. Increase in the number of emergency changes
C. Percent of unauthorized changes
D. Increase in the frequency of changes
View answer
Correct Answer: A
Question #286
Which of the following components of risk scenarios has the potential to generate an internal or external threat to an enterprise?
A. Timing dimension
B. Events
C. Assets
D. Actors
View answer
Correct Answer: D
Question #287
In which of the following risk management capability maturity levels does the enterprise take major business decisions considering the probability of loss and the probability of reward? Each correct answer represents a complete solution. Choose two.
A. So that the project team can develop a sense of ownership for the risks and associated risk responsibilities
B. So that the project manager can identify the risk owners for the risks within the project and the needed risk responses
C. So that the project manager isn't the only person identifying the risk events within the project
D. So that the project team and the project manager can work together to assign risk ownership
View answer
Correct Answer: CD
Question #288
Which of the following is the MOST important foundational element of an effective three lines of defense model for an organization?
A. A well-established risk management committee
B. A robust risk aggregation tool set
C. Well-documented and communicated escalation procedures
D. Clearly defined roles and responsibilities
View answer
Correct Answer: D
Question #289
David is the project manager of the HRC Project. He has identified a risk in the project which could cause a delay in the project. David does not want this risk event to happen, so he takes a few actions to ensure that the risk event will not happen. These extra steps, however, cost the project an additional $10,000. What type of risk response has David adopted?
A. Avoidance
B. Mitigation
C. Acceptance
D. Transfer
View answer
Correct Answer: B
Question #290
Which among the following acts as a trigger for the risk response process?
A.
B. Infinity
C. 0
D.
View answer
Correct Answer: B
Question #291
When does the Identify Risks process take place in a project?
A. At the Planning stage
B. At the Executing stage
C. At the Initiating stage
D. Throughout the project life-cycle
View answer
Correct Answer: D
Question #292
You are completing the qualitative risk analysis process with your project team and are relying on the risk management plan to help you determine the budget, schedule for risk management, and risk categories. You discover that the risk categories have not been created. When should the risk categories have been created?
A. Define scope process
B. Risk identification process
C. Plan risk management process
D. Create work breakdown structure process
View answer
Correct Answer: C
Question #293
Jenny is the project manager for the NBT project. She is working with the project team and several subject matter experts to perform the quantitative risk analysis process. During this process she and the project team uncover several risk events that were not previously identified. What should Jenny do with these risk events?
A. The events should be entered into qualitative risk analysis
B. It should be determined whether the events need to be accepted or responded to
C. The events should be entered into the risk register
D. The events should continue on with quantitative risk analysis
View answer
Correct Answer: C
Question #294
The risk associated with an asset before controls are applied can be expressed as:
A. The likelihood of a given threat
B. The magnitude of an impact
C. A function of the likelihood and impact
D. A function of the cost and effectiveness of controls
View answer
Correct Answer: C
Question #295
You are the project manager of the GHT project. This project will last for 18 months and has a project budget of $567,000. Robert, one of your stakeholders, has introduced a scope change request that will likely have an impact on the project costs and schedule. Robert assures you that he will pay for the extra time and costs associated with the risk event. You have identified that the change request may also affect other areas of the project other than just time and cost. What project management component is re
A. Configuration management
B. Integrated change control
C. Risk analysis
D. Project change control system
View answer
Correct Answer: B
Question #296
The head of a business operations department asks to review the entire IT risk register. Which of the following would be the risk manager’s BEST approach to this request before sharing the register?
A. Determine the purpose of the request
B. Require a nondisclosure agreement
C. Sanitize portions of the register
D. Escalate to senior management
View answer
Correct Answer: A
Question #297
Which of the following should be done FIRST when a new risk scenario has been identified?
A. Assess the risk awareness program
B. Assess the risk training program
C. Identify the risk owner
D. Estimate the residual risk
View answer
Correct Answer: A
Question #298
You are the risk professional in Bluewell Inc. A risk is identified and the enterprise wants to quickly implement a control by applying a technical solution that deviates from the company's policies. What should you do?
A. Recommend against implementation because it violates the company's policies
B. Recommend revision of the current policy
C. Recommend a risk assessment and subsequent implementation only if residual risk is accepted
D. Conduct a risk assessment and allow or disallow based on the outcome
View answer
Correct Answer: C
Question #299
A change management process has recently been updated with new testing procedures. The NEXT course of action is to:
A. Communicate to those who test and promote changes
B. Assess the maturity of the change management process
C. Conduct a cost-benefit analysis to justify the cost of the control
D. Monitor processes to ensure recent updates are being followed
View answer
Correct Answer: A
Question #300
Which of the following is the BEST way to validate whether controls have been implemented according to the risk mitigation action plan?
A. Implement key risk indicators (KRIs)
B. Test the control design
C. Test the control environment
D. Implement key performance indicators (KPIs)
View answer
Correct Answer: A
Question #301
Which of the following activities should be performed FIRST when establishing IT risk management processes?
A. Conduct a high-level risk assessment based on the nature of the business
B. Collect data on past incidents and lessons learned
C. Identify the risk appetite of the organization
D. Assess the goals and culture of the organization
View answer
Correct Answer: D
Question #302
You are the project manager for BlueWell Inc. Your current project is a high priority and high profile project within your organization. You want to identify the project stakeholders that will have the most power in relation to their interest on your project. This will help you plan for project risks, stakeholder management, and ongoing communication with the key stakeholders in your project. In this process of stakeholder analysis, what type of a grid or model should you create based on these conditions?
A. Stakeholder power/interest grid
B. Stakeholder register
C. Influence/impact grid
D. Salience model
View answer
Correct Answer: A
Question #303
A teaming agreement is an example of what type of risk response?
A. Acceptance
B. Mitigation
C. Transfer
D. Share
View answer
Correct Answer: D
Question #304
An organization is implementing encryption for data at rest to reduce the risk associated with unauthorized access. Which of the following MUST be considered to assess the residual risk?
A. Data destruction requirements
B. Cloud storage architecture
C. Data retention requirements
D. Key management
View answer
Correct Answer: D
Question #305
Whether the results of risk analysis should be presented in quantitative or qualitative terms should be based PRIMARILY on the:
A. Specific risk analysis framework being used
B. Results of the risk assessment
C. Requirements of management
D. Organizational risk tolerance
View answer
Correct Answer: A
Question #306
Which of the following is the MOST cost-effective way to test a business continuity plan?
A. Conduct a tabletop exercise
B. Conduct interviews with key stakeholders
C. Conduct a disaster recovery exercise
D. Conduct a full functional exercise
View answer
Correct Answer: A
Question #307
You are the risk official at Bluewell Inc. There are some risks that are posing a threat to your enterprise. You are measuring the exposure of those risk factors that have the highest potential, by examining the extent to which the uncertainty of each element affects the object under consideration when all other uncertain elements are held at their baseline values. Which type of analysis are you performing?
A. Sensitivity analysis
B. Fault tree analysis
C. Cause-and-effect analysis
D. Scenario analysis
View answer
Correct Answer: A
Question #308
When preparing a risk status report for periodic review by senior management, it is MOST important to ensure the report includes:
A. Recommendations by an independent risk assessor
B. A summary of incidents that have impacted the organization
C. A detailed view of individual risk exposures
D. Risk exposure in business terms
View answer
Correct Answer: C
Question #309
An internal audit report reveals that not all IT application databases have encryption in place. Which of the following information would be MOST important for assessing the risk impact?
A. The reason some databases have not been encrypted
B. A list of unencrypted databases which contain sensitive data
C. The cost required to enforce encryption
D. The number of users who can access sensitive data
View answer
Correct Answer: A
Question #310
Which of the following is an acceptable method for handling positive project risk?
A. Risk identification
B. Risk trigger
C. Risk event
D. Risk response
View answer
Correct Answer: A
Question #311
Which of the following is the PRIMARY reason for a risk practitioner to use global standards related to risk management?
A. To continuously improve risk management processes
B. To build an organizational risk-aware culture
C. To comply with legal and regulatory requirements
D. To identify gaps in risk management practices
View answer
Correct Answer: A
Question #312
Which of the following is the BEST method for assessing control effectiveness?
A. Ad hoc reporting
B. Predictive analytics
C. Continuous monitoring
D. Control self-assessment
View answer
Correct Answer: B
Question #313
A newly hired risk practitioner finds that the risk register has not been updated in the past year. What is the risk practitioner’s BEST course of action?
A. Implement a process improvement and replace the old risk register
B. Outsource the process for updating the risk register
C. Identify changes in risk factors and initiate risk reviews
D. Engage an external consultant to redesign the risk management process
View answer
Correct Answer: C
Question #314
An organization has introduced risk ownership to establish clear accountability for each process. To ensure effective risk ownership, it is MOST important that:
A. Risk owners have decision-making authority
B. Senior management has oversight of the process
C. Segregation of duties exists between risk and process owners
D. Process ownership aligns with IT system ownership
View answer
Correct Answer: C
Question #315
Which of the following is the GREATEST benefit of incorporating IT risk scenarios into the corporate risk register?
A. Corporate incident escalation protocols are established
B. The organization-wide control budget is expanded
C. Exposure is integrated into the organization’s risk profile
D. Risk appetite cascades to business unit management
View answer
Correct Answer: A
Question #316
Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:
A. A vulnerability assessment
B. A root cause analysis
C. An impact assessment
D. A gap analysis
View answer
Correct Answer: B
Question #317
When defining thresholds for control key performance indicators (KPIs), it is MOST helpful to align:
A. Key risk indicators (KRIs) with the risk appetite of the business
B. The control key performance indicators (KPIs) with audit findings
C. Control performance with the risk tolerance of business owners
D. Information risk assessments with enterprise risk assessments
View answer
Correct Answer: B
Question #318
Mike is the project manager of the NNP Project for his organization. He is working with his project team to plan the risk responses for the NNP Project. Mike would like the project team to work together on establishing risk thresholds in the project. What is the purpose of establishing a risk threshold?
A. It is a study of the organization's risk tolerance
B. It is a warning sign that a risk event is going to happen
C. It is a limit of the funds that can be assigned to risk events
D. It helps to identify those risks for which specific responses are needed
View answer
Correct Answer: D
Question #319
Which of the following are sub-categories of threat? Each correct answer represents a complete solution. Choose three.
A. Benchmarking
B. Cost-benefit analysis
C. Cost of conformance to quality
D. Team development
View answer
Correct Answer: CDE
Question #320
A contract associated with a cloud service provider MUST include:
A. A business recovery plan
B. Ownership of responsibilities
C. Provision for source code escrow
D. The provider’s financial statements
View answer
Correct Answer: B
Question #321
You are the project manager in your enterprise. You have identified a risk that is a noticeable failure threatening the success of certain goals of your enterprise. In which of the following levels does this identified risk exist?
A. Moderate risk
B. High risk
C. Extremely high risk
D. Low risk
View answer
Correct Answer: A
Question #322
Tom works as a project manager for BlueWell Inc. He is determining which risks can affect the project. Which of the following inputs of the identify risks process is useful in identifying risks, and provides a quantitative assessment of the likely cost to complete the scheduled activities?
A. Activity duration estimates
B. Risk management plan
C. Cost management plan
D. Activity cost estimates
View answer
Correct Answer: D
Question #323
You and your project team are identifying the risks that may exist within your project. Some of the risks are small risks that won't affect your project much if they happen. What should you do with these identified risk events?
A. These risks can be dismissed
B. These risks can be accepted
C. These risks can be added to a low priority risk watch list
D. All risks must have a valid, documented risk response
View answer
Correct Answer: C
Question #324
Which of the following is MOST helpful in developing key risk indicator thresholds?
A. Loss expectancy information
B. IT service level agreements
C. Control performance results
D. Remediation activity progress
View answer
Correct Answer: A
Question #325
Which of the following is the MOST important topic to cover in a risk awareness training program for all staff?
A. The risk department’s roles and responsibilities
B. Policy compliance requirements and exceptions process
C. The organization’s information security risk profile
D. Internal and external information security incidents
View answer
Correct Answer: B
Question #326
Which of the following provides the MOST up-to-date information about the effectiveness of an organization's overall IT control environment?
A. Periodic penetration testing
B. Key performance indicators (KPIs)
C. Internal audit findings
D. Risk heat maps
View answer
Correct Answer: D
Question #327
Before implementing instant messaging within an organization using a public solution, which of the following should be in place to mitigate data leakage risk?
A. An access control list
B. An acceptable usage policy
C. An intrusion detection system (IDS)
D. A data extraction tool
View answer
Correct Answer: B
