The PRIMARY benefit associated with key risk indicators (KRls) is that they:

enable ongoing monitoring of emerging risk.

help an organization identify emerging threats.

benchmark the organization's risk profile.

identify trends in the organization's vulnerabilities.

enable ongoing monitoring of emerging risk.

Which of the following BEST informs decision-makers about the value of a notice and consent control for the collection of personal information?

A cost-benefit analysis of the control versus probable legal action

A comparison of the costs of notice and consent control options

Examples of regulatory fines incurred by industry peers for noncompliance

A report of critical controls showing the importance of notice and consent

A cost-benefit analysis of the control versus probable legal action

Which of the following is MOST important for a risk practitioner to verify when evaluating the effectiveness of an organization's existing controls?

Residual risk remains within acceptable levels.

Senior management has approved the control design.

Inherent risk has been reduced from original levels.

Residual risk remains within acceptable levels.

Costs for control maintenance are reasonable.

Which of the following would be the BEST key performance indicator (KPI) for monitoring the effectiveness of the IT asset management process?

Percentage of IT assets without ownership

Percentage of unpatched IT assets

Percentage of IT assets without ownership

The number of IT assets securely disposed during the past year

The number of IT assets procured during the previous month

An organization's IT infrastructure is running end-of-life software that is not allowed without exception approval. Which of the following would provide the MOST helpful information to justify investing in updated software?

The risk management framework D, A roadmap of IT strategic planning

The BEST reason to classify IT assets during a risk assessment is to determine the:

appropriate level of protection.

Which of the following would be MOST useful to senior management when determining an appropriate risk response?

A comparison of current risk levels with established tolerance

A comparison of cost variance with defined response strategies

A comparison of current risk levels with estimated inherent risk levels

A comparison of accepted risk scenarios associated with regulatory compliance

When a high-risk security breach occurs, which of the following would be MOST important to the person responsible for managing the incident?

An analysis of the impact of similar attacks in other organizations

An analysis of the security logs that illustrate the sequence of events

An analysis of the impact of similar attacks in other organizations

A business case for implementing stronger logical access controls

A justification of corrective action taken

Which of the following BEST indicates how well a web infrastructure protects critical information from an attacker?

Simulating a denial of service attack

Which of the following is the GREATEST concern associated with redundant data in an organization's inventory system?

Unnecessary costs of program changes

What is the PRIMARY benefit of risk monitoring?

It facilitates risk-aware decision making.

It reduces the number of audit findings.

It provides statistical evidence of control efficiency.

It facilitates risk-aware decision making.

It facilitates communication of threat levels.

Which of the following statements describes the relationship between key risk indicators (KRIs) and key control indicators (KCIs)?

KRI design must precede definition of KCIs.

KCIs and KRIs are independent indicators and do not impact each other.

A decreasing trend of KRI readings will lead to changes to KCIs.

Both KRIs and KCIs provide insight to potential changes in the level of risk.

Which of the following trends would cause the GREATEST concern regarding the effectiveness of an organization's user access control processes? An increase in the:

average time between user transfers and access updates.

ratio of disabled to active user accounts.

percentage of users with multiple user accounts.

average number of access entitlements per user account.

average time between user transfers and access updates.

Which of the following is the MOST important objective of an enterprise risk management (ERM) program?

To create a comprehensive view of critical risk to the organization

To create a complete repository of risk to the organization

To create a comprehensive view of critical risk to the organization

To provide a bottom-up view of the most significant risk scenarios

To optimize costs of managing risk scenarios in the organization

To help identify high-risk situations, an organization should:

continuously monitor the environment.

develop key performance indicators (KPIs).

Which of the following is the BEST evidence that risk management is driving business decisions in an organization?

Risk ownership is identified and assigned.

Compliance breaches are addressed in a timely manner.

Risk ownership is identified and assigned.

Risk treatment options receive adequate funding.

Residual risk is within risk tolerance.

An IT control gap has been identified in a key process. Who would be the MOST appropriate owner of the risk associated with this gap?

Chief information security officer (CISO)

A risk practitioner has been asked to advise management on developing a log collection and correlation strategy. Which of the following should be the MOST important consideration when developing this strategy?

Ensuring time synchronization of log sources.

Ensuring the inclusion of external threat intelligence log sources.

Ensuring the inclusion of all computing resources as log sources.

Ensuring read-write access to all log sources

Which of the following is the BEST way for an organization to enable risk treatment decisions?

Establish clear accountability for risk.

Allocate sufficient funds for risk remediation.

Promote risk and security awareness.

Establish clear accountability for risk.

Develop comprehensive policies and standards.

The PRIMARY reason for tracking the status of risk mitigation plans is to ensure:

the proposed controls are implemented as scheduled.

security controls are tested prior to implementation.

compliance with corporate policies.

the risk response strategy has been decided.

Which of the following is the GREATEST benefit for an organization with a strong risk awareness culture?

Discussing and managing risk as a team

Reducing the involvement by senior management

Reducing the need for risk policies and guidelines

Discussing and managing risk as a team

A PRIMARY advantage of involving business management in evaluating and managing risk is that management:

can make better-informed business decisions.

better understands the system architecture.

is more objective than risk management.

can balance technical and business risk.

can make better-informed business decisions.

The acceptance of control costs that exceed risk exposure MOST likely demonstrates:

corporate culture misalignment.

When of the following is the BEST key control indicator (KCI) to determine the effectiveness of en intrusion prevention system (IPS)?

Percentage of relevant threats mitigated

Total number of threats identified

Reaction time of the system to threats

Which of the following describes the relationship between Key risk indicators (KRIs) and key control indicators (KCIS)?

KCIs are independent from KRIs KRIs.

KCIs and KRIs help in determining risk appetite.

KCIs are defined using data from KRIs.

What information is MOST helpful to asset owners when classifying organizational assets for risk assessment?

Potential loss to tie business due to non-performance of the asset

Known emerging environmental threats

Known vulnerabilities published by the asset developer

Cost of replacing the asset with a new asset providing similar services

The MOST important consideration when selecting a control to mitigate an identified risk is whether:

the cost of control exceeds the mitigation value

there are sufficient internal resources to implement the control

the mitigation measures create compounding effects

the control eliminates the risk

Isaca CRISC Practice Test 20 - Free Online Exam Prep & Questions

A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:

Become a Premium Member for full access

Unlock Premium Member

Isaca CRISC Practice Test 20

Question

Isaca CRISC Practice Tests

Practice Tests