CRISC Practice Exam Questions and Answers

A.  

define recovery time objectives (RTOs).

B.  

define the information classification policy

C.  

conduct a sensitivity analyse

D.  

Identify information custodians

A.  

risk scenarios

B.  

risk maps

C.  

risk appetite

D.  

risk ownership.

A.  

Penetration testing

B.  

IT general controls audit

C.  

Vulnerability assessment

D.  

Fault tree analysis

A.  

Peer benchmarks

B.  

Internal audit reports

C.  

Business impact analysis (BIA) results

D.  

Threat analysis results

A.  

The quantity of data logged by the attack control tools

B.  

Blocking the attack route immediately

C.  

The ability to trace the source of the attack

D.  

The timeliness of attack recognition

A.  

involve IT leadership in the policy development process

B.  

Require business users to sign acknowledgment of the poises

C.  

involve business owners in the pokey development process

D.  

Provide policy owners with greater enforcement authority

A.  

Risk assessment results

B.  

Adherence to governing policies

C.  

Regular stakeholder briefings

D.  

Independent audit results

A.  

Perform a business case analysis

B.  

Implement compensating controls.

C.  

Conduct a control sell-assessment (CSA)

D.  

Build a provision for risk

A.  

Board of directors

B.  

Vendors

C.  

Regulators

D.  

Legal team

A.  

Deleting the data from the file system

B.  

Cryptographically scrambling the data

C.  

Formatting the cloud storage at the block level

D.  

Degaussing the cloud storage media

A.  

IT goals and objectives

B.  

Organizational goals and objectives

C.  

The organization's risk appetite statement

D.  

Legal and regulatory requirements

A.  

ensure compliance with local regulatory requirements

B.  

demonstrate the effectiveness of risk management practices.

C.  

ensure organizational awareness of the risk level

D.  

mitigate the residual risk to be within tolerance

A.  

Risk control assessment

B.  

Audit reports with risk ratings

C.  

Penetration test results

D.  

Business impact analysis (BIA)

A.  

Establishing employee awareness training

B.  

Assigning accountability to risk owners

C.  

Selling target dates to complete actions

D.  

Contracting to third parties

A.  

Organization's industry sector

B.  

Long-term organizational goals

C.  

Concerns of the business process owners

D.  

History of risk events

A.  

Several risk action plans have missed target completion dates.

B.  

Senior management has accepted more risk than usual.

C.  

Risk associated with many assets is only expressed in qualitative terms.

D.  

Many risk scenarios are owned by the same senior manager.

A.  

Gap analysis

B.  

Threat assessment

C.  

Resource skills matrix

D.  

Data quality assurance plan

A.  

Conducting awareness training

B.  

Executing a risk response plan

C.  

Establishing an organization's risk tolerance

D.  

Performing periodic audits

A.  

Obtain necessary resources to address regulatory requirements

B.  

Develop a policy framework that addresses regulatory requirements

C.  

Perform a gap analysis against regulatory requirements.

D.  

Employ IT solutions that meet regulatory requirements.

A.  

minimum tolerable downtime

B.  

minimum tolerable loss of data.

C.  

maximum tolerable downtime.

D.  

maximum tolerable loss of data

A.  

controls perform as intended.

B.  

controls operate efficiently.

C.  

controls are implemented consistent

D.  

control designs are reviewed periodically

A.  

review alignment with the organizations strategy.

B.  

understand the organization's information security policy.

C.  

validate the organization's data classification scheme.

D.  

report identified IT risk scenarios to senior management.

A.  

Information security officer

B.  

IT risk manager

C.  

Business owner

D.  

Chief risk officer (CRO)

A.  

Risk Impact Rating

B.  

Risk Owner

C.  

Risk Likelihood Rating

D.  

Risk Exposure

A.  

Implement role-based access control

B.  

Implement a data masking process

C.  

Include sanctions in nondisclosure agreements (NDAs)

D.  

Install a data loss prevention (DLP) tool

A.  

determine the risk appetite.

B.  

determine the budget.

C.  

define key performance indicators (KPIs).

D.  

optimize resource utilization.

A.  

Communication

B.  

Risk analysis

C.  

Decision support

D.  

Benchmarking

A.  

Review the risk profile

B.  

Review pokey change history

C.  

interview the control owner

D.  

Perform control testing

A.  

Internal and external audit reports

B.  

Risk disclosures in financial statements

C.  

Risk assessment and risk register

D.  

Business objectives and strategies

A.  

Ongoing training

B.  

Timely notification

C.  

Return on investment (ROI)

D.  

Cost minimization

A.  

Time zone difference of the outsourcing location

B.  

Ongoing financial viability of the outsourcing company

C.  

Cross-border information transfer restrictions in the outsourcing country

D.  

Historical network latency between the organization and outsourcing location

A.  

Change logs

B.  

Change management meeting minutes

C.  

Key control indicators (KCIs)

D.  

Key risk indicators (KRIs)

A.  

Key risk indicators (KRIs)

B.  

Documented procedures

C.  

Information security policies

D.  

Information security standards

A.  

The third-party risk manager

B.  

The application vendor

C.  

The business process owner

D.  

The information security manager

A.  

Reject the risk acceptance and require mitigating controls.

B.  

Monitor the residual risk level of the accepted risk.

C.  

Escalate the risk decision to the project sponsor for review.

D.  

Document the risk decision in the project risk register.

A.  

The organization may not have a sufficient number of skilled resources.

B.  

Application and data migration cost for backups may exceed budget.

C.  

Data may not be recoverable due to system failures.

D.  

The database system may not be scalable in the future.

A.  

Data classification policy

B.  

Emerging technology trends

C.  

The IT strategic plan

D.  

The risk register

A.  

Request a regulatory risk reporting methodology

B.  

Require critical success factors (CSFs) for IT risks.

C.  

Establish IT-specific compliance objectives

D.  

Communicate IT key risk indicators (KRIs) and triggers

A.  

The organization's structure has not been updated

B.  

Unnecessary access permissions have not been removed.

C.  

Company equipment has not been retained by IT

D.  

Job knowledge was not transferred to employees m the former department

A.  

communicate risk trends to stakeholders.

B.  

assign ownership of emerging risk scenarios.

C.  

highlight noncompliance with the risk policy

D.  

identify threats to emerging technologies.

A.  

Software version

B.  

Assigned software manager

C.  

Software support contract expiration

D.  

Software licensing information

A.  

Frequency of business continuity plan (BCP) lasting

B.  

Frequency and number of new software releases

C.  

Frequency and duration of unplanned downtime

D.  

Number of IT support staff available after business hours

A.  

Failure to test the disaster recovery plan (DRP)

B.  

Lack of well-documented business impact analysis (BIA)

C.  

Lack of annual updates to the disaster recovery plan (DRP)

D.  

Significant changes in management personnel

A.  

Threat

B.  

Risk

C.  

Vulnerability

D.  

Policy violation

A.  

Acquisition

B.  

Implementation

C.  

Initiation

D.  

Operation and maintenance

A.  

The program has not decreased threat counts.

B.  

The program has not considered business impact.

C.  

The program has been significantly revised

D.  

The program uses non-customized training modules.

A.  

risk appetite and control efficiency.

B.  

inherent risk and control effectiveness.

C.  

residual risk and cost of control.

D.  

risk tolerance and control complexity.

A.  

Implement user access controls

B.  

Perform regular internal audits

C.  

Develop and communicate fraud prevention policies

D.  

Conduct fraud prevention awareness training.

A.  

The number of stakeholders involved in IT risk identification workshops

B.  

The percentage of corporate budget allocated to IT risk activities

C.  

The percentage of incidents presented to the board

D.  

The number of executives attending IT security awareness training

A.  

exceeding availability thresholds

B.  

experiencing hardware failures

C.  

exceeding current patching standards.

D.  

meeting the baseline for hardening.

A.  

Existing IT environment

B.  

IT strategic plan

C.  

Risk register

D.  

Organizational strategic plan

A.  

Compliance manager

B.  

Risk owner

C.  

Control owner

D.  

Risk practitioner

A.  

A decrease in the number of critical assets covered by risk thresholds

B.  

An Increase In the number of risk threshold exceptions

C.  

An increase in the number of change events pending management review

D.  

A decrease In the number of key performance indicators (KPls)

A.  

Recommend risk remediation

B.  

Change the level of risk appetite

C.  

Document formal acceptance of the risk

D.  

Reject the business initiative

A.  

a recognized industry control framework

B.  

guidance provided by the external auditor

C.  

the service provider's existing controls

D.  

The organization's specific control requirements

A.  

Data quality

B.  

Maintenance costs

C.  

Data redundancy

D.  

System integration

A.  

To provide input to the organization's risk appetite

B.  

To monitor the vendor's control effectiveness

C.  

To verify the vendor's ongoing financial viability

D.  

To assess the vendor's risk mitigation plans

A.  

Reviewing the results of independent audits

B.  

Performing a site visit to the cloud provider's data center

C.  

Performing a due diligence review

D.  

Conducting a risk workshop with key stakeholders

A.  

Accountability may not be clearly defined.

B.  

Risk ratings may be inconsistently applied.

C.  

Different risk taxonomies may be used.

D.  

Mitigation efforts may be duplicated.

A.  

Business impact analysis (BIA) results

B.  

Risk scenario ownership

C.  

Risk thresholds

D.  

Possible causes of materialized risk

A.  

To support decision-making for risk response

B.  

To hold risk owners accountable for risk action plans

C.  

To secure resourcing for risk treatment efforts

D.  

To enable senior management to compile a risk profile

A.  

Reduce internal threats

B.  

Reduce exposure to vulnerabilities

C.  

Eliminate risk associated with personnel

D.  

Ensure new hires have the required skills

A.  

Well documented policies and procedures

B.  

Risk and issue tracking

C.  

An IT strategy committee

D.  

Change and release management

A.  

IT risk practitioner

B.  

Third -partf3ecurity team

C.  

The relationship owner

D.  

Legal representation of the business

A.  

exposures are reduced to the fullest extent

B.  

exposures are reduced only for critical business systems

C.  

insurance costs are minimized

D.  

the cost of controls does not exceed the expected loss.

A.  

Remove risk that has been mitigated by third-party transfer

B.  

Remove risk that management has decided to accept

C.  

Remove risk only following a significant change in the risk environment

D.  

Remove risk when mitigation results in residual risk within tolerance levels

A.  

Control owner

B.  

Risk owner

C.  

Internal auditor

D.  

Compliance manager

A.  

Define metrics for restoring availability.

B.  

Identify conditions that may cause disruptions.

C.  

Review incident response procedures.

D.  

Evaluate the probability of risk events.

A.  

Increase in mitigating control costs

B.  

Increase in risk event impact

C.  

Increase in risk event likelihood

D.  

Increase in cybersecurity premium

A.  

Operational strategies

B.  

Risk governance

C.  

Annualized loss expectancy (ALE)

D.  

Risk appetite

A.  

Apply data classification policy

B.  

Utilize encryption with logical access controls

C.  

Require logical separation of company data

D.  

Obtain the right to audit

A.  

Escalate the non-cooperation to management

B.  

Exclude applicable controls from the assessment.

C.  

Review the supplier's contractual obligations.

D.  

Request risk acceptance from the business process owner.

A.  

Security control owners based on control failures

B.  

Cyber risk remediation plan owners

C.  

Risk owners based on risk impact

D.  

Enterprise risk management (ERM) team

A.  

IT security manager

B.  

IT personnel

C.  

Data custodian

D.  

Data owner

A.  

Scan end points for applications not included in the asset inventory.

B.  

Prohibit the use of cloud-based virtual desktop software.

C.  

Conduct frequent reviews of software licenses.

D.  

Perform frequent internal audits of enterprise IT infrastructure.

A.  

Some critical business applications are not included in the plan

B.  

Several recovery activities will be outsourced

C.  

The plan is not based on an internationally recognized framework

D.  

The chief information security officer (CISO) has not approved the plan

A.  

Recovery time objectives (RTOs)

B.  

Segregation of duties

C.  

Communication plan

D.  

Critical asset inventory

A.  

Human resources (HR) manager

B.  

System administrator

C.  

Data privacy manager

D.  

Compliance manager

A.  

Cable lock

B.  

Data encryption

C.  

Periodic backup

D.  

Biometrics access control

A.  

Incomplete end-user device inventory

B.  

Unsupported end-user applications

C.  

Incompatible end-user devices

D.  

Multiple end-user device models

A.  

Removing entries from the register after the risk has been treated

B.  

Recording and tracking the status of risk response plans within the register

C.  

Communicating the register to key stakeholders

D.  

Performing regular reviews and updates to the register

A.  

Cost and benefit

B.  

Security and availability

C.  

Maintainability and reliability

D.  

Performance and productivity

A.  

Industry best practice review

B.  

Risk assessment

C.  

Cost-benefit analysis

D.  

Control-effectiveness evaluation

A.  

The individual responsible for control operation

B.  

The individual informed of the control effectiveness

C.  

The individual responsible for resting the control

D.  

The individual accountable for monitoring control effectiveness

A.  

Data minimization

B.  

Accountability

C.  

Accuracy

D.  

Purpose limitation

A.  

Business benefits of shadow IT

B.  

Application-related expresses

C.  

Classification of the data

D.  

Volume of data

A.  

Encryption policy

B.  

Organization risk profile

C.  

Digital rights management policy

D.  

Information classification policy

A.  

Data encryption

B.  

Continuous log monitoring

C.  

Right to audit

D.  

Data obfuscation

A.  

Adherence to legal and compliance requirements

B.  

Reduction in the number of test cases in the acceptance phase

C.  

Establishment of digital forensic architectures

D.  

Consistent management of information assets

A.  

Regularly updated risk management procedures

B.  

A management-approved risk dashboard

C.  

A current control framework

D.  

A regularly updated risk register

A.  

Risk practitioner

B.  

Business manager

C.  

Risk owner

D.  

Control owner

A.  

Identify the regulatory bodies that may highlight this gap

B.  

Highlight news articles about data breaches

C.  

Evaluate the risk as a measure of probable loss

D.  

Verify if competitors comply with a similar policy

A.  

Multiple corporate build images exist.

B.  

The process documentation was not updated.

C.  

The IT build process was not followed.

D.  

Threats are not being detected.

A.  

They support compliance with regulations.

B.  

They provide evidence of risk assessment.

C.  

They facilitate communication of risk.

D.  

They enable the use of key risk indicators (KRls)

A.  

Board of directors

B.  

Human resources (HR)

C.  

Risk management committee

D.  

Audit committee

A.  

Providing risk awareness training for business units

B.  

Obtaining input from business management

C.  

Understanding the business controls currently in place

D.  

Conducting a business impact analysis (BIA)

A.  

SWOT analysis

B.  

Business impact analysis (BIA)

C.  

Cost-benefit analysis

D.  

Root cause analysis

A.  

Changes in the organization's risk appetite and risk tolerance levels

B.  

Impact due to changes in external and internal risk factors

C.  

Changes in residual risk levels against acceptable levels

D.  

Gaps in best practices and implemented controls across the industry

A.  

the risk register change log.

B.  

evidence of risk acceptance.

C.  

control effectiveness test results.

D.  

control design documentation.

A.  

Accepted risk scenarios with detailed plans for monitoring

B.  

Risk scenarios that have been shared with vendors and third parties

C.  

Accepted risk scenarios with impact exceeding the risk tolerance

D.  

Risk scenarios that have been identified, assessed, and responded to by the risk owners

A.  

Preventive

B.  

Detective

C.  

Compensating

D.  

Deterrent

A.  

Risk appetite is decreased.

B.  

Inherent risk is increased.

C.  

Risk tolerance is decreased.

D.  

Residual risk is increased.

A.  

The criticality of the asset

B.  

The monetary value of the asset

C.  

The vulnerability profile of the asset

D.  

The size of the asset's user base

A.  

Assessment of organizational risk appetite

B.  

Compliance with best practice

C.  

Accountability for loss events

D.  

Accuracy of risk profiles

A.  

validating whether critical IT risk has been addressed.

B.  

assigning accountability for IT risk to business functions.

C.  

identifying IT assets that support key business processes.

D.  

defining the requirements for an IT risk-aware culture

A.  

Data encryption

B.  

Intrusion prevention system (IPS)

C.  

Two-factor authentication

D.  

Contractual requirements

A.  

Scope of the control coverage

B.  

The number of exceptions granted

C.  

Number of steps necessary to operate process

D.  

Number of control deviations detected

A.  

To provide insight into the effectiveness of the internal control environment

B.  

To provide a basis for determining the criticality of risk mitigation controls

C.  

To provide benchmarks for assessing control design effectiveness against industry peers

D.  

To provide early warning signs of a potential change in risk level

A.  

Comparative analysis of peer companies

B.  

Reviews of brokerage firm assessments

C.  

Interviews with senior management

D.  

Trend analysis using prior annual reports

A.  

Comparing risk rating against appetite

B.  

Obtaining input from business units

C.  

Determining cost of controls to mitigate risk

D.  

Ranking the risk based on likelihood of occurrence

A.  

Initiate a retest of the full control

B.  

Retest the control using the new application as the only sample.

C.  

Review the corresponding change control documentation

D.  

Re-evaluate the control during (he next assessment

A.  

The probability of application defects will increase

B.  

Data confidentiality could be compromised

C.  

Increase in the use of redundant processes

D.  

The application could fail to meet defined business requirements

A.  

Service level agreements (SLAs) have not been met over the last quarter.

B.  

The service contract is up for renewal in less than thirty days.

C.  

Key third-party personnel have recently been replaced.

D.  

Monthly service charges are significantly higher than industry norms.

A.  

Conduct a risk assessment with stakeholders.

B.  

Conduct third-party resilience tests.

C.  

Update the risk register with the process changes.

D.  

Review risk related to standards and regulations.

A.  

Identify and analyze risk.

B.  

Achieve business objectives

C.  

Minimi2e business disruptions.

D.  

Identify threats and vulnerabilities.

A.  

Include the application in the business continuity plan (BCP).

B.  

Determine the business purpose of the application.

C.  

Segregate the application from the network.

D.  

Report the finding to management.

A.  

low cost effectiveness ratios and high risk levels

B.  

high cost effectiveness ratios and low risk levels.

C.  

high cost effectiveness ratios and high risk levels

D.  

low cost effectiveness ratios and low risk levels.

A.  

Redesign key risk indicators (KRIs).

B.  

Update risk responses.

C.  

Conduct a SWOT analysis.

D.  

Perform a threat assessment.

A.  

The head of enterprise architecture (EA)

B.  

The IT risk manager

C.  

The information security manager

D.  

The product owner

A.  

The percentage of servers with allowed patching exceptions

B.  

The number of servers with local credentials to install patches

C.  

The percentage of servers patched within required service level agreements

D.  

The number of servers running the software patching service

A.  

The organization has incorporated blockchain technology in its operations.

B.  

The organization has not reviewed its encryption standards.

C.  

The organization has implemented heuristics on its network firewall.

D.  

The organization has not adopted Infrastructure as a Service (laaS) for its operations.

A.  

It facilitates the use of a framework for risk management.

B.  

It establishes a means for senior management to formally approve risk practices.

C.  

It encourages risk-based decision making for stakeholders.

D.  

It provides a basis for benchmarking against industry standards.

A.  

Performing credit verification of third-party vendors prior to payment

B.  

Conducting system access reviews to ensure least privilege and appropriate access

C.  

Performing regular reconciliation of payments to the check registers

D.  

Enforcing segregation of duties between the vendor master file and invoicing

A.  

Request a policy exception from senior management.

B.  

Comply with the organizational policy.

C.  

Report the noncompliance to the local regulatory agency.

D.  

Request an exception from the local regulatory agency.

A.  

To reduce the likelihood of insider threat

B.  

To eliminate the possibility of insider threat

C.  

To enable rapid discovery of insider threat

D.  

To reduce the impact of insider threat

A.  

Vulnerability assessment

B.  

Business impact analysis (BIA)

C.  

Penetration testing

D.  

Root cause analysis

A.  

Key risk indicators (KRIs)

B.  

Risk governance charter

C.  

Organizational risk appetite

D.  

Cross-business representation

A.  

The costs associated with mitigation options

B.  

The status of identified risk scenarios

C.  

The cost-benefit analysis of each risk response

D.  

The timeframes for risk response actions

A.  

Network-based access controls

B.  

Compensating controls

C.  

Segregation of duties

D.  

Change management

A.  

insurance could be acquired for the risk associated with the outsourced process.

B.  

service accountability remains with the cloud service provider.

C.  

a risk owner must be designated within the cloud service provider.

D.  

accountability for the risk will remain with the organization.

A.  

Conduct risk classification for associated IT controls.

B.  

Determine whether risk responses still effectively address risk.

C.  

Perform vulnerability and threat assessments.

D.  

Analyze and update IT control assessments.

A.  

Risk management budget

B.  

Risk management industry trends

C.  

Risk tolerance

D.  

Risk capacity

A.  

prepare an IT risk mitigation strategy.

B.  

escalate to senior management.

C.  

perform a cost-benefit analysis.

D.  

review the impact to the IT environment.

A.  

Balanced scorecard

B.  

Risk appetite

C.  

Risk map

D.  

Risk events

A.  

Percentage of standard supplier uptime

B.  

Average time to respond to incidents

C.  

Number of assets included in recovery processes

D.  

Number of key applications hosted

A.  

Internet of Things (IoT)

B.  

Quantum computing

C.  

Virtual reality (VR)

D.  

Machine learning

A.  

Making data available to a larger audience of customers

B.  

Data not being disposed according to the retention policy

C.  

Personal data not being de-identified properly

D.  

Data being used for purposes the data subjects have not opted into

A.  

Prepare a business case for the response options.

B.  

Identify resources for implementing responses.

C.  

Develop a mechanism for monitoring residual risk.

D.  

Update the risk register with the results.

A.  

Previous audit reports

B.  

Control objectives

C.  

Risk responses in the risk register

D.  

Changes in risk profiles

A.  

Defined remediation plans

B.  

Management sign-off on the scope

C.  

Manual testing of device vulnerabilities

D.  

Visibility into all networked devices

A.  

network operations.

B.  

the cybersecurity function.

C.  

application development.

D.  

the business function.

A.  

Enforce sanctions for noncompliance with security procedures.

B.  

Conduct organization-w>de phishing simulations.

C.  

Require training on the data handling policy.

D.  

Require regular testing of the data breach response plan.

A.  

Technology subject matter experts

B.  

Business process owners

C.  

Business users of IT systems

D.  

Risk management consultants

A.  

Re-evaluate the organization's risk appetite.

B.  

Outsource the cybersecurity function.

C.  

Purchase cybersecurity insurance.

D.  

Review cybersecurity incident response procedures.

A.  

Risk avoidance

B.  

Risk transfer

C.  

Risk mitigation

D.  

Risk acceptance

A.  

Stakeholder preferences

B.  

Contractual requirements

C.  

Regulatory requirements

D.  

Management assertions

A.  

Survey device owners.

B.  

Rescan the user environment.

C.  

Require annual end user policy acceptance.

D.  

Review awareness training assessment results

A.  

Escalate to senior management.

B.  

Identify a risk transfer option.

C.  

Reassess risk scenarios.

D.  

Benchmark with similar industries.

A.  

Ongoing sharing of information among industry peers

B.  

Obtaining support from senior leadership

C.  

Adhering to industry-recognized risk management standards

D.  

Implementing detection and response measures

A.  

Assess the loss impact if the information is inadvertently disclosed.

B.  

Calculate the overhead required to keep the information secure throughout its life cycle.

C.  

Calculate the replacement cost of obtaining the information from alternate sources.

D.  

Assess the market value offered by consumers of the information.

A.  

Information security officer

B.  

Information security manager

C.  

Information custodian

D.  

Information owner

A.  

Availability of test data

B.  

Integrity of data

C.  

Cost overruns

D.  

System performance

A.  

Assess the threat and associated impact.

B.  

Evaluate risk appetite and tolerance levels

C.  

Recommend device management controls

D.  

Enable role-based access control.

A.  

An increase in the number of high-risk audit findings

B.  

An increase in the number of security incidents

C.  

An increase in the percentage of turnover in IT personnel

D.  

An increase in the number of infrastructure changes

A.  

Report the incident.

B.  

Plan a security awareness session.

C.  

Assess the new risk.

D.  

Update the risk register.

A.  

Residual risk in excess of the risk appetite cannot be mitigated.

B.  

Inherent risk is too high, resulting in the cancellation of an initiative.

C.  

Risk appetite has changed to align with organizational objectives.

D.  

Residual risk remains at the same level over time without further mitigation.

A.  

Before defining a framework

B.  

During the risk assessment

C.  

When evaluating risk response

D.  

When updating the risk register

A.  

Operational risk

B.  

Residual risk

C.  

Inherent risk

D.  

Regulatory risk

A.  

Develop new key risk indicators (KRIs).

B.  

Perform a root cause analysis.

C.  

Recommend the purchase of cyber insurance.

D.  

Review the incident response plan.

A.  

Challenging risk decision making

B.  

Developing controls to manage risk scenarios

C.  

Implementing risk response plans

D.  

Establishing organizational risk appetite

A.  

Use an encrypted tunnel lo connect to the cloud.

B.  

Encrypt the data in the cloud database.

C.  

Encrypt physical hard drives within the cloud.

D.  

Encrypt data before it leaves the organization.

A.  

Historical data availability

B.  

Implementation and reporting effort

C.  

Ability to display trends

D.  

Sensitivity and reliability

A.  

recommend a program that minimizes the concerns of that production system.

B.  

inform the process owner of the concerns and propose measures to reduce them.

C.  

inform the IT manager of the concerns and propose measures to reduce them.

D.  

inform the development team of the concerns and together formulate risk reduction measures.

A.  

Collecting risk event data

B.  

Maintaining a risk register

C.  

Using key risk indicators (KRIs)

D.  

Defining risk parameters

A.  

An incident resulting in data loss

B.  

Introduction of a new product line

C.  

Changes in executive management

D.  

Updates to the information security policy

A.  

Risk management budget

B.  

Risk mitigation policies

C.  

Risk appetite

D.  

Risk analysis techniques

A.  

Solutions for eradicating emerging threats

B.  

Cost to mitigate the risk resulting from threats

C.  

Indicators for detecting the presence of threatsl)

D.  

Source and identity of attackers

A.  

Reevaluate the design of the KRIs.

B.  

Develop a corresponding key performance indicator (KPI).

C.  

Monitor KRIs within a specific timeframe.

D.  

Activate the incident response plan.

A.  

Remediate and report the deficiency to the enterprise risk committee.

B.  

Verify the deficiency and then notify the business process owner.

C.  

Verify the deficiency and then notify internal audit.

D.  

Remediate and report the deficiency to senior executive management.

A.  

Mean time between failures (MTBF)

B.  

Mean time to recover (MTTR)

C.  

Planned downtime

D.  

Unplanned downtime

A.  

Mapping threats to organizational objectives

B.  

Reviewing past audits

C.  

Analyzing key risk indicators (KRIs)

D.  

Identifying potential sources of risk

A.  

Recommend the business change the application.

B.  

Recommend a risk treatment plan.

C.  

Include the risk in the next quarterly update to management.

D.  

Implement compensating controls.

A.  

Including trend analysis of risk metrics

B.  

Using an aggregated view of organizational risk

C.  

Relying on key risk indicator (KRI) data

D.  

Ensuring relevance to organizational goals

A.  

Conduct root cause analyses for risk events.

B.  

Educate personnel on risk mitigation strategies.

C.  

Integrate the risk event and incident management processes.

D.  

Implement controls to prevent future risk events.

A.  

Conduct a risk analysis.

B.  

Initiate a remote data wipe.

C.  

Invoke the incident response plan

D.  

Disable the user account.

A.  

Building an organizational risk profile after updating the risk register

B.  

Ensuring risk owners participate in a periodic control testing process

C.  

Designing a process for risk owners to periodically review identified risk

D.  

Implementing a process for ongoing monitoring of control effectiveness

A.  

Reducing the involvement by senior management

B.  

Using more risk specialists

C.  

Reducing the need for risk policies and guidelines

D.  

Discussing and managing risk as a team

A.  

Perform a return on investment analysis.

B.  

Review the risk register and risk scenarios.

C.  

Calculate annualized loss expectancy of risk scenarios.

D.  

Raise the maturity of organizational risk management.

A.  

Financial risk is given a higher priority.

B.  

Risk with strategic impact is included.

C.  

Security strategy is given a higher priority.

D.  

Risk identified by industry benchmarking is included.

A.  

Escalate the concern to senior management.

B.  

Document the reasons for the exception.

C.  

Include the application in IT risk assessments.

D.  

Propose that the application be transferred to IT.

A.  

develop a comprehensive risk mitigation strategy

B.  

develop understandable and realistic risk scenarios

C.  

identify root causes for relevant events

D.  

perform an aggregated cost-benefit analysis

A.  

Analyzing the residual risk components

B.  

Performing risk prioritization

C.  

Validating the risk appetite level

D.  

Conducting a risk assessment

A.  

Cost-benefit analysis of running the current business

B.  

Cost of regulatory compliance

C.  

Projected impact of current business on future business

D.  

Expected costs for recovering the business

A.  

Risk management

B.  

Change management

C.  

Problem management

D.  

Quality management

A.  

mapping residual risk with cost of controls

B.  

comparing against regulatory requirements

C.  

comparing industry risk appetite with the organizations.

D.  

understanding the organization's risk appetite.

A.  

To enable consistent data on risk to be obtained

B.  

To allow for proper review of risk tolerance

C.  

To identify dependencies for reporting risk

D.  

To provide consistent and clear terminology

A.  

It provides a cost-benefit analysis on control options available for implementation.

B.  

It provides a view on where controls should be applied to maximize the uptime of servers.

C.  

It provides historical information about the impact of individual servers malfunctioning.

D.  

It provides a comprehensive view of the impact should the servers simultaneously fail.

A.  

Archive the information to a backup database.

B.  

Protect the information according to the classification policy.

C.  

Assess the information against the retention policy.

D.  

Securely and permanently erase the information

A.  

Single sign-on

B.  

Audit trail review

C.  

Multi-factor authentication

D.  

Data encryption at rest

A.  

The inherent risk is below the asset residual risk.

B.  

Remediation cost is below the asset business value

C.  

The risk tolerance threshold s above the asset residual

D.  

Remediation is completed within the asset recovery time objective (RTO)

A.  

A comparison of the costs of notice and consent control options

B.  

Examples of regulatory fines incurred by industry peers for noncompliance

C.  

A report of critical controls showing the importance of notice and consent

D.  

A cost-benefit analysis of the control versus probable legal action

A.  

To have a unified approach to risk management across the organization

B.  

To have a standard risk management process for complying with regulations

C.  

To optimize risk management resources across the organization

D.  

To ensure risk profiles are presented in a consistent format within the organization

A.  

More time has been allotted for testing.

B.  

The project is likely to deliver the product late.

C.  

A new project manager is handling the project.

D.  

The cost of the project will exceed the allotted budget.

A.  

Privacy risk controls

B.  

Business continuity

C.  

Risk taxonomy

D.  

Management support

A.  

Automated access revocation

B.  

Daily transaction reconciliation

C.  

Rule-based data analytics

D.  

Role-based user access model

A.  

Percentage of high-risk vulnerabilities missed

B.  

Number of high-risk vulnerabilities outstanding

C.  

Defined thresholds for high-risk vulnerabilities

D.  

Percentage of high-risk vulnerabilities addressed

A.  

Risk taxonomy

B.  

Risk response

C.  

Risk appetite

D.  

Risk ranking

A.  

availability of fault tolerant software.

B.  

strategic plan for business growth.

C.  

vulnerability scan results of critical systems.

D.  

redundancy of technical infrastructure.

A.  

Introducing an approved IT governance framework

B.  

Integrating the results of top-down risk scenario analyses

C.  

Performing a business impact analysis (BlA)

D.  

Implementing a risk classification system

A.  

automation cannot be applied to the control

B.  

business benefits exceed the loss exposure.

C.  

the end-user license agreement has expired.

D.  

the control is difficult to enforce in practice.

A.  

Adopting qualitative enterprise risk assessment methods

B.  

Linking IT risk scenarios to technology objectives

C.  

linking IT risk scenarios to enterprise strategy

D.  

Adopting quantitative enterprise risk assessment methods

A.  

Relevance

B.  

Annual review

C.  

Automation

D.  

Management approval

A.  

Employees do not report IT risk issues for fear of consequences.

B.  

Internal IT auditors report to the chief information security officer (CISO).

C.  

Employees face sanctions for not signing the organization's acceptable use policy.

D.  

The organization has only two lines of defense.

A.  

operates as intended.

B.  

is being monitored.

C.  

meets regulatory requirements.

D.  

operates efficiently.

A.  

Number of staff hours lost due to malware attacks

B.  

Number of downtime hours in business critical servers

C.  

Number of patches made to anti-malware software

D.  

Number of successful attacks by malicious software

A.  

BCP testing is net in conjunction with the disaster recovery plan (DRP)

B.  

Recovery time objectives (RTOs) do not meet business requirements.

C.  

BCP is often tested using the walk-through method.

D.  

Each business location has separate, inconsistent BCPs.

A.  

business purpose documentation and software license counts

B.  

an access control matrix and approval from the user's manager

C.  

documentation indicating the intended users of the application

D.  

security logs to determine the cause of invalid login attempts

A.  

risk levels.

B.  

risk budgets.

C.  

risk appetite.

D.  

risk capacity.

A.  

Cost of controls

B.  

Risk tolerance

C.  

Risk appetite

D.  

Probability definition

A.  

Alignment with regulatory requirements

B.  

Availability of qualitative data

C.  

Properly set thresholds

D.  

Alignment with industry benchmarks

A.  

To monitor changes in the risk environment

B.  

To provide input to management for the adjustment of risk appetite

C.  

To monitor the accuracy of threshold levels in metrics

D.  

To obtain business buy-in for investment in risk mitigation measures

A.  

Establish baseline security configurations with the cloud service provider.

B.  

Require the cloud prowler 10 disclose past data privacy breaches.

C.  

Ensure the cloud service provider performs an annual risk assessment.

D.  

Specify cloud service provider liability for data privacy breaches in the contract

A.  

An analysis of the security logs that illustrate the sequence of events

B.  

An analysis of the impact of similar attacks in other organizations

C.  

A business case for implementing stronger logical access controls

D.  

A justification of corrective action taken

A.  

Control self-assessment (CSA)

B.  

Risk policy requirements

C.  

A risk register

D.  

Key performance indicators (KPIs)

A.  

risk is treated appropriately

B.  

mitigating actions are prioritized

C.  

risk entries are regularly updated

D.  

risk exposure is minimized.

A.  

Requiring a printer access code for each user

B.  

Using physical controls to access the printer room

C.  

Using video surveillance in the printer room

D.  

Ensuring printer parameters are properly configured

A.  

Vulnerability scanning

B.  

Systems log correlation analysis

C.  

Penetration testing

D.  

Monitoring of intrusion detection system (IDS) alerts

A.  

Application controls are aligned with data classification lutes

B.  

Application users are periodically trained on proper data handling practices

C.  

Encrypted communication is established between applications and data servers

D.  

Offsite encrypted backups are automatically created by the application

A.  

Risk policy

B.  

Audit report

C.  

Risk map

D.  

Maturity model

A.  

Educating employees on what needs to be kept confidential

B.  

Implementing a data loss prevention (DLP) solution

C.  

Taking punitive action against employees who expose confidential data

D.  

Requiring employees to sign nondisclosure agreements

A.  

To create a complete repository of risk to the organization

B.  

To create a comprehensive view of critical risk to the organization

C.  

To provide a bottom-up view of the most significant risk scenarios

D.  

To optimize costs of managing risk scenarios in the organization

A.  

Key control owner

B.  

Operational risk manager

C.  

Business process owner

D.  

Chief information security officer (CISO)

A.  

business process objectives have been met.

B.  

control adheres to regulatory standards.

C.  

residual risk objectives have been achieved.

D.  

control process is designed effectively.

A.  

Flexibility and adaptability

B.  

Measurability and consistency

C.  

Robustness and resilience

D.  

Optimal cost and benefit

A.  

Number of times the recovery plan is reviewed

B.  

Number of successful recovery plan tests

C.  

Percentage of systems with outdated virus protection

D.  

Percentage of employees who can work remotely

A.  

updating the risk register

B.  

documenting the risk scenarios.

C.  

validating the risk scenarios

D.  

identifying risk mitigation controls.

A.  

The risk profile was not updated after a recent incident

B.  

The risk profile was developed without using industry standards.

C.  

The risk profile was last reviewed two years ago.

D.  

The risk profile does not contain historical loss data.

A.  

A comparison of current risk levels with established tolerance

B.  

A comparison of cost variance with defined response strategies

C.  

A comparison of current risk levels with estimated inherent risk levels

D.  

A comparison of accepted risk scenarios associated with regulatory compliance

A.  

Report the observation to the chief risk officer (CRO).

B.  

Validate the adequacy of the implemented risk mitigation measures.

C.  

Update the risk register with the implemented risk mitigation actions.

D.  

Revert the implemented mitigation measures until approval is obtained

A.  

Monitoring is only conducted between official hours of business

B.  

Employees are informed of how they are bong monitored

C.  

Reporting on nonproductive employees is sent to management on a scheduled basis

D.  

Multiple data monitoring sources are integrated into security incident response procedures

A.  

Potential loss to tie business due to non-performance of the asset

B.  

Known emerging environmental threats

C.  

Known vulnerabilities published by the asset developer

D.  

Cost of replacing the asset with a new asset providing similar services

A.  

Organizational reporting process

B.  

Incident reporting procedures

C.  

Regularly scheduled audits

D.  

Incident management policy

A.  

Monitoring risk responses

B.  

Applying risk treatments

C.  

Providing assurance of control effectiveness

D.  

Implementing internal controls

A.  

KCIs are independent from KRIs KRIs.

B.  

KCIs and KRIs help in determining risk appetite.

C.  

KCIs are defined using data from KRIs.

D.  

KCIs provide input for KRIs

A.  

select a provider to standardize the disaster recovery plans.

B.  

outsource disaster recovery to an external provider.

C.  

centralize the risk response function at the enterprise level.

D.  

evaluate opportunities to combine disaster recovery plans.

A.  

Not providing capability for employees to work remotely

B.  

Outsourcing the IT activities and infrastructure

C.  

Enforcing change and configuration management processes

D.  

Taking out insurance coverage for IT-related incidents

A.  

reduce the likelihood of future events

B.  

restore availability

C.  

reduce the impact of future events

D.  

address the root cause

A.  

assess gaps in IT risk management operations and strategic focus.

B.  

confirm that IT risk assessment results are expressed as business impact.

C.  

verify implemented controls to reduce the likelihood of threat materialization.

D.  

ensure IT risk management is focused on mitigating potential risk.

A.  

To provide data for establishing the risk profile

B.  

To provide assurance of adherence to risk management policies

C.  

To provide measurements on the potential for risk to occur

D.  

To provide assessments of mitigation effectiveness

A.  

Evaluating the impact to control objectives

B.  

Conducting a root cause analysis

C.  

Validating the adequacy of current processes

D.  

Reconfiguring the IT infrastructure

A.  

The risk governance approach of the second and third lines of defense may differ.

B.  

The independence of the internal third line of defense may be compromised.

C.  

Cost reductions may negatively impact the productivity of other departments.

D.  

The new structure is not aligned to the organization's internal control framework.

A.  

Approval by senior management

B.  

Low cost of development and maintenance

C.  

Sensitivity to changes in risk levels

D.  

Use of industry risk data sources

A.  

Digital signature

B.  

Edit checks

C.  

Encryption

D.  

Multifactor authentication

A.  

Ability of the action plans to address multiple risk scenarios

B.  

Ease of implementing the risk treatment solution

C.  

Changes in residual risk after implementing the plans

D.  

Prioritization for implementing the action plans

A.  

improve accountability

B.  

improve consistency

C.  

help define risk tolerance

D.  

help develop risk scenarios.

A.  

Users may share accounts with business system analyst

B.  

Application may not capture a complete audit trail.

C.  

Users may be able to circumvent application controls.

D.  

Multiple connects to the database are used and slow the process

A.  

Enable data wipe capabilities

B.  

Penetration testing and session timeouts

C.  

Implement remote monitoring

D.  

Enforce strong passwords and data encryption

A.  

Require the vendor to degauss the hard drives

B.  

Implement an encryption policy for the hard drives.

C.  

Require confirmation of destruction from the IT manager.

D.  

Use an accredited vendor to dispose of the hard drives.

A.  

evaluate how risk conditions are managed.

B.  

determine threats and vulnerabilities.

C.  

estimate anticipated financial impact of risk conditions.

D.  

establish risk response options.

A.  

Lack of robust awareness programs

B.  

infrequent risk assessments of key controls

C.  

Rapid changes in IT procedures

D.  

Unavailability of critical IT systems

A.  

Risk appetite

B.  

Threat type

C.  

Risk tolerance

D.  

Residual risk

A.  

Percentage of job failures identified and resolved during the recovery process

B.  

Percentage of processes recovered within the recovery time and point objectives

C.  

Number of current test plans and procedures

D.  

Number of issues and action items resolved during the recovery test

A.  

Conduct a comprehensive review of access management processes.

B.  

Declare a security incident and engage the incident response team.

C.  

Conduct a comprehensive awareness session for system administrators.

D.  

Evaluate system administrators' technical skills to identify if training is required.

A.  

Customer database manager

B.  

Customer data custodian

C.  

Data privacy officer

D.  

Audit committee

A.  

Informed consent

B.  

Cross border controls

C.  

Business impact analysis (BIA)

D.  

Data breach protection

A.  

Insurance coverage

B.  

Security awareness training

C.  

Policies and standards

D.  

Risk appetite and tolerance

A.  

transferred

B.  

mitigated.

C.  

accepted

D.  

avoided

A.  

Standard operating procedures

B.  

SWOT analysis

C.  

Industry benchmarking

D.  

Control gap analysis

A.  

Describe IT risk scenarios in terms of business risk.

B.  

Recommend the formation of an executive risk council to oversee IT risk.

C.  

Provide an estimate of IT system downtime if IT risk materializes.

D.  

Educate business executives on IT risk concepts.

A.  

Percentage of mitigated risk scenarios

B.  

Annual loss expectancy (ALE) changes

C.  

Resource expenditure against budget

D.  

An up-to-date risk register

A.  

The percentage of systems meeting recovery target times has increased.

B.  

The number of systems tested in the last year has increased.

C.  

The number of systems requiring a recovery plan has increased.

D.  

The percentage of systems with long recovery target times has decreased.

A.  

Optimize the control environment.

B.  

Realign risk appetite to the current risk level.

C.  

Decrease the number of related risk scenarios.

D.  

Reduce the risk management budget.

A.  

Business continuity manager (BCM)

B.  

Human resources manager (HRM)

C.  

Chief risk officer (CRO)

D.  

Chief information officer (CIO)

A.  

Internal audit reports

B.  

Access reviews

C.  

Threat modeling

D.  

Root cause analysis

A.  

Implementing record retention tools and techniques

B.  

Establishing e-discovery and data loss prevention (DLP)

C.  

Sending notifications when near storage quota

D.  

Implementing a bring your own device 1BVOD) policy

A.  

Industry best practices

B.  

Placement on the risk map

C.  

Degree of variances in the risk

D.  

Cost of risk mitigation

A.  

Identify the potential risk.

B.  

Monitor employee usage.

C.  

Assess the potential risk.

D.  

Develop risk awareness training.

A.  

Key risk indicator (KRI) thresholds

B.  

Inherent risk

C.  

Risk likelihood and impact

D.  

Risk velocity

A.  

implement uniform controls for common risk scenarios.

B.  

ensure business unit risk is uniformly distributed.

C.  

build a risk profile for management review.

D.  

quantify the organization's risk appetite.

A.  

Customizing content for the audience

B.  

Providing incentives to participants

C.  

Mapping to a recognized standard

D.  

Providing metrics for measurement

A.  

Threshold definition

B.  

Escalation procedures

C.  

Automated data feed

D.  

Controls monitoring

A.  

requirements of management.

B.  

specific risk analysis framework being used.

C.  

organizational risk tolerance

D.  

results of the risk assessment.

A.  

The organization's strategic risk management projects

B.  

Senior management roles and responsibilities

C.  

The organizations risk appetite and tolerance

D.  

Senior management allocation of risk management resources

A.  

Involvement of internal audit

B.  

Involvement of process owner

C.  

Quantitative impact of the risk

D.  

Identification of key risk indicators

A.  

plan awareness programs for business managers.

B.  

evaluate maturity of the risk management process.

C.  

assist in the development of a risk profile.

D.  

maintain a risk register based on noncompliance.

A.  

Better understanding of the risk appetite

B.  

Improving audit results

C.  

Enabling risk-based decision making

D.  

Increasing process control efficiencies

A.  

Risk self-assessment

B.  

Risk register

C.  

Risk dashboard

D.  

Risk map

A.  

Assuring the risk profile supports the IT objectives

B.  

Improving the competencies of employees who performed the review

C.  

Determining what changes should be made to IS policies to reduce risk

D.  

Determining that procedures used in risk assessment are appropriate

A.  

Cost of offsite backup premises

B.  

Cost of downtime due to a disaster

C.  

Cost of testing the business continuity plan

D.  

Response time of the emergency action plan

A.  

Assisting in continually optimizing risk governance

B.  

Enabling the documentation and analysis of trends

C.  

Ensuring compliance with regulatory requirements

D.  

Providing an early warning to take proactive actions

A.  

for compliance with laws and regulations

B.  

as a basis for cost-benefit analysis.

C.  

as input for decision-making

D.  

to measure organizational success.

A.  

Applying risk appetite

B.  

Applying risk factors

C.  

Referencing risk event data

D.  

Understanding risk culture

A.  

A robust risk aggregation tool set

B.  

Clearly defined roles and responsibilities

C.  

A well-established risk management committee

D.  

Well-documented and communicated escalation procedures

A.  

Information security managers

B.  

Internal auditors

C.  

Business process owners

D.  

Operational risk managers

A.  

Reviewing the implementation of the risk response

B.  

Creating a separate risk register for key business units

C.  

Performing real-time monitoring of threats

D.  

Performing regular risk control self-assessments

A.  

User provisioning

B.  

Role-based access controls

C.  

Security log monitoring

D.  

Entitlement reviews

A.  

impact due to failure of control

B.  

Frequency of failure of control

C.  

Contingency plan for residual risk

D.  

Cost-benefit analysis of automation

A.  

Conduct interviews with key stakeholders.

B.  

Conduct a tabletop exercise.

C.  

Conduct a disaster recovery exercise.

D.  

Conduct a full functional exercise.

A.  

Implement a tool to create and distribute violation reports

B.  

Raise awareness of encryption requirements for sensitive data.

C.  

Block unencrypted outgoing emails which contain sensitive data.

D.  

Implement a progressive disciplinary process for email violations.

A.  

a gap analysis

B.  

a root cause analysis.

C.  

an impact assessment.

D.  

a vulnerability assessment.

A.  

Business impact analysis

B.  

Risk analysis

C.  

Threat risk assessment

D.  

Vulnerability assessment

A.  

IT risk register

B.  

List of key risk indicators

C.  

Internal audit reports

D.  

List of approved projects

A.  

Document the finding in the risk register.

B.  

Invoke the incident response plan.

C.  

Re-evaluate key risk indicators.

D.  

Modify the design of the control.

A.  

ensure that risk is mitigated by the control.

B.  

measure efficiency of the control process.

C.  

confirm control alignment with business objectives.

D.  

comply with the organization's policy.

A.  

Evaluating the impact of removing existing controls

B.  

Evaluating existing controls against audit requirements

C.  

Reviewing system functionalities associated with business processes

D.  

Monitoring existing key risk indicators (KRIs)

A.  

reduces risk to an acceptable level

B.  

quantifies risk impact

C.  

aligns with business strategy

D.  

advances business objectives.

A.  

time required to restore files.

B.  

point of synchronization

C.  

priority of restoration.

D.  

annual loss expectancy (ALE).

A.  

Business continuity director

B.  

Disaster recovery manager

C.  

Business application owner

D.  

Data center manager

A.  

Percentage of changes with a fallback plan

B.  

Number of changes implemented

C.  

Percentage of successful changes

D.  

Average time required to implement a change

A.  

Enforcing employees’ sanctions

B.  

Conducting phishing exercises

C.  

Enforcing segregation of dunes

D.  

Reviewing the organization's risk appetite

A.  

Hire consultants specializing m the new technology.

B.  

Review existing risk mitigation controls.

C.  

Conduct a gap analysis.

D.  

Perform a risk assessment.