Business areas within an organization have engaged various cloud service providers directly without assistance from the IT department. What should the risk practitioner do?

Engage with the business area managers to review controls applied.

Recommend the IT department remove access to the cloud services.

Engage with the business area managers to review controls applied.

Escalate to the risk committee.

Recommend a risk assessment be conducted.

A bank is experiencing an increasing incidence of customer identity theft. Which of the following is the BEST way to mitigate this risk?

Implement monitoring techniques.

Outsource to a local processor.

An organization striving to be on the leading edge in regard to risk monitoring would MOST likely implement:

real-time monitoring of risk events and control exceptions.

procedures to monitor the operation of controls.

a tool for monitoring critical activities and controls.

real-time monitoring of risk events and control exceptions.

monitoring activities for all critical assets.

Which of the following would MOST likely cause a risk practitioner to reassess risk scenarios?

A change in the regulatory environment

A change in the risk management policy

A change in the regulatory environment

An increase in intrusion attempts

Which of the following should be the risk practitioner s FIRST course of action when an organization has decided to expand into new product areas?

Review existing risk scenarios with stakeholders.

Identify any new business objectives with stakeholders.

Present a business case for new controls to stakeholders.

Revise the organization's risk and control policy.

Review existing risk scenarios with stakeholders.

An organization's HR department has implemented a policy requiring staff members to take a minimum of five consecutive days leave per year to mitigate the risk of malicious insider activities. Which of the following is the BEST key performance indicator (KPI) of the effectiveness of this policy?

Percentage of staff members seeking exception to the policy

Number of malicious activities occurring during staff members leave

Percentage of staff members seeking exception to the policy

Percentage of staff members taking leave according to the policy

Financial loss incurred due to malicious activities during staff members' leave

An organization operates in a jurisdiction where heavy fines are imposed for leakage of customer data. Which of the following provides the BEST input to assess the inherent risk impact?

Number of databases that host customer data

Number of customer records held

Number of databases that host customer data

Number of encrypted customer databases

Number of staff members having access to customer data

An organization is increasingly concerned about loss of sensitive data and asks the risk practitioner to assess the current risk level. Which of the following should the risk practitioner do FIRST?

Identify existing data loss controls and their levels of effectiveness.

Identify staff members who have access to the organization's sensitive data.

Identify locations where the organization's sensitive data is stored.

Identify risk scenarios and owners associated with possible data loss vectors.

Identify existing data loss controls and their levels of effectiveness.

A risk practitioner has been notified that an employee sent an email in error containing customers' personally identifiable information (Pll). Which of the following is the risk practitioner's BEST course of action?

follow incident reporting procedures.

Report it to the chief risk officer.

Advise the employee to forward the email to the phishing team.

follow incident reporting procedures.

Advise the employee to permanently delete the email.

Which of the following is MOST essential for an effective change control environment?

Business management approval of change requests

Separation of development and production environments

Requirement of an implementation rollback plan

IT management review of implemented changes

The PRIMARY reason for periodically monitoring key risk indicators (KRIs) is to:

detect changes in the risk profile.

rectify errors in results of KRIs.

detect changes in the risk profile.

reduce costs of risk mitigation controls.

continually improve risk assessments.

Which of the following is the GREATEST risk associated with the transition of a sensitive data backup solution from on-premise to a cloud service provider?

Inadequate service level agreement (SLA) with the provider

More complex incident response procedures

For no apparent reason, the time required to complete daily processing for a legacy application is approaching a risk threshold. Which of the following activities should be performed FIRST?

Temporarily increase the risk threshold.

Suspend processing to investigate the problem.

Initiate a feasibility study for a new application.

An organization plans to migrate sensitive information to a public cloud infrastructure. Which of the following is the GREATEST security risk in this scenario?

Data may be commingled with other tenants' data.

System downtime does not meet the organization's thresholds.

The infrastructure will be managed by the public cloud administrator.

The cloud provider is not independently certified.

Which of the following is the MOST important reason to create risk scenarios?

To assist with risk identification

To assist in the development of risk responses

The MAIN purpose of a risk register is to:

enable well-informed risk management decisions.

document the risk universe of the organization.

promote an understanding of risk across the organization.

enable well-informed risk management decisions.

identify stakeholders associated with risk scenarios.

Which of the following will BEST help to ensure that information system controls are effective?

Responding promptly to control exceptions

Implementing compensating controls

Which of the following is the MOST important information to be communicated during security awareness training?

The current risk management capability

Which of the following requirements is MOST important to include in an outsourcing contract to help ensure sensitive data stored with a service provider is secure?

A third-party assessment report of control environment effectiveness must be provided at least annually.

Incidents related to data toss must be reported to the organization immediately after they occur.

Risk assessment results must be provided to the organization at least annually.

A cyber insurance policy must be purchased to cover data loss events.

The MOST essential content to include in an IT risk awareness program is how to:

comply with the organization's IT risk and information security policies.

populate risk register entries and build a risk profile for management reporting.

prioritize IT-related actions by considering risk appetite and risk tolerance.

define the IT risk framework for the organization.

comply with the organization's IT risk and information security policies.

Which of the following would qualify as a key performance indicator (KPI)?

Number of identified system vulnerabilities

Aggregate risk of the organization

Number of identified system vulnerabilities

Number of exception requests processed in the past 90 days

Number of attacks against the organization's website

An organization is planning to outsource its payroll function to an external service provider Which of the following should be the MOST important consideration when selecting the provider?

Internal controls to ensure data privacy

Disaster recovery plan (DRP) of the system

Internal controls to ensure data privacy

Transparency of key performance indicators (KPIs)

Which of the following is a risk practitioner's BEST course of action upon learning that a control under internal review may no longer be necessary?

Update the status of the control as obsolete.

Obtain approval to retire the control.

Update the status of the control as obsolete.

Consult the internal auditor for a second opinion.

Verify the effectiveness of the original mitigation plan.

Which of the following is the BEST way to ensure ongoing control effectiveness?

Measuring trends in control performance

Establishing policies and procedures

Periodically reviewing control design

Measuring trends in control performance

Obtaining management control attestations

Who is responsible for IT security controls that are outsourced to an external service provider?

Organization's information security manager

Service provider's IT management

Service provider's information security manager

The effectiveness of a control has decreased. What is the MOST likely effect on the associated risk?

The risk classification changes.

Which of the following is MOST important to sustainable development of secure IT services?

Security architecture principles

Security training for systems development staff

\Well-documented business cases

Security architecture principles

An organization is making significant changes to an application. At what point should the application risk profile be updated?

When reviewing functional requirements

After user acceptance testing (UAT)

When reviewing functional requirements

Which of the following is the MOST important objective of embedding risk management practices into the initiation phase of the project management life cycle?

To deliver projects on time and on budget

To include project risk in the enterprise-wide IT risk profit.

To assess risk throughout the project

An organization's risk practitioner learns a new third-party system on the corporate network has introduced vulnerabilities that could compromise corporate IT systems. What should the risk practitioner doFIRST?

Identify procedures to mitigate the vulnerabilities.

Confirm the vulnerabilities with the third party

Identify procedures to mitigate the vulnerabilities.

Notify information security management.

Request IT to remove the system from the network.

Which of the following is the MOST important component of effective security incident response?

Network time protocol synchronization

Identification of attack sources

A documented communications plan

A recent audit identified high-risk issues in a business unit though a previous control self-assessment (CSA) had good results. Which of the following is the MOST likely reason for the difference?

The CSA was compliance-based, while the audit was risk-based.

The audit had a broader scope than the CSA.

The CSA did not test control effectiveness.

The CSA was compliance-based, while the audit was risk-based.

Isaca CRISC Practice Test 13 - Free Online Exam Prep & Questions

An organization is unable to implement a multi-factor authentication requirement until the next fiscal year due to budget constraints. Consequently, a policy exception must be submitted. Which of the following is MOST important to include in the analysis of the exception?

Become a Premium Member for full access

Unlock Premium Member

Isaca CRISC Practice Test 13

Question

Isaca CRISC Practice Tests

Practice Tests