CRISC Exam Questions
640 real CRISC exam questions with expert-verified answers and explanations. Page 10 of 13.
- Question #451Risk Response and Reporting
Which of the following is the BEST key performance indicator (KPI) for a server patch management process?
Key Performance Indicators (KPIs)Patch ManagementControl MonitoringRisk Mitigation - Question #452Risk Response and Reporting
What is a risk practitioner's BEST approach to monitor and measure how quickly an exposure to a specific risk can affect the organization?
Risk monitoringRisk measurementKey Risk Indicators (KRIs)Risk reporting - Question #453Governance
Which of the following is MOST important to update following a change in organizational risk appetite and tolerance?
Risk appetiteRisk toleranceRisk profileRisk management - Question #454Risk Response and Reporting
Which of the following provides the BEST evidence that risk responses are effective?
Risk responsesResidual riskRisk toleranceRisk effectiveness - Question #455Risk Response and Reporting
An organization has an internal control that requires all access for employees be removed within 15 days of their termination date. Which of the following should the risk practitio...
internal controlsmonitoringkey performance indicators (KPIs)access management - Question #456Risk Response and Reporting
Which of the following is the BEST indication that key risk indicators (KRIs) should be revised?
Key Risk Indicators (KRIs)Risk MonitoringRisk ThresholdsRisk Management Effectiveness - Question #457IT Risk Assessment
Which of the following is the MOST useful information an organization can obtain from external sources about emerging threats?
Threat intelligenceEmerging threatsRisk identificationThreat detection - Question #458Risk Response and Reporting
After conducting a risk assessment for regulatory compliance, an organization has identified only one possible mitigating control. The cost of the control has been determined to be...
Risk acceptanceRisk response strategiesCost-benefit analysisRegulatory risk - Question #459Risk Response and Reporting
Which of the following is the BEST approach when a risk treatment plan cannot be completed on time?
Risk treatmentCompensating controlsRisk responseAction plan management - Question #460Governance
Which of the following should be done FIRST when a new risk scenario has been identified
Risk IdentificationRisk OwnershipRisk Management ProcessAccountability - Question #461Governance
Which of the following activities is a responsibility of the second line of defense?
Three Lines of DefenseRisk GovernanceSecond Line of DefenseRisk Oversight - Question #462Governance
Which of the following is MOST important requirement to include in a Software as a Service (SaaS) vendor contract to ensure data is protected?
SaaS contractsData protectionData residencyRegulatory compliance - Question #463IT Risk Assessment
Which of the following is MOST important when identifying an organization's risk exposure associated with Internet of Things (loT) devices?
IoT SecurityAsset ManagementRisk IdentificationNetwork Visibility - Question #464Governance
An organization has contracted with a cloud service provider to support the deployment of a new product. Of the following, who should own the associated risk?
Risk ownershipProduct riskCloud riskAccountability - Question #465Risk Response and Reporting
A business impact analysis (BIA) has documented the duration of maximum allowable outage for each of an organization's applications. Which of the following MUST be aligned with the...
Business Impact AnalysisRecovery Time ObjectiveMaximum Allowable OutageBusiness Continuity - Question #466Risk Response and Reporting
Which of the following offers the SIMPLEST overview of changes in an organization's risk profile?
Risk reportingRisk visualizationHeat mapRisk communication - Question #467Risk Response and Reporting
A risk practitioner is defining metrics for security threats that were not identified by antivirus software. Which type of metric is being developed?
Key Risk IndicatorsRisk MetricsThreat MonitoringRisk Management - Question #468Governance
Which of the following BEST mitigates ethical risk?
EthicsRisk mitigationCorporate governanceEthics committee - Question #469IT Risk Assessment
Which process is MOST effective to determine relevance of threats for risk scenarios?
Vulnerability assessmentThreat identificationRisk scenariosRisk assessment techniques - Question #470Risk Response and Reporting
Which of the following is the BEST approach for obtaining management buy-in to implement additional IT controls?
Risk communicationManagement engagementMonetary risk quantificationIT control justification - Question #471Governance
Which of the following is the MOST important consideration for the board and senior leadership regarding the organization's approach to risk management for emerging technologies?
GovernanceRisk FrameworkEmerging Technologies RiskStrategic Risk Management - Question #472Risk Response and Reporting
An organization recently implemented an automated interface for uploading payment files to its banking system to replace manual processing. Which of the following elements of the r...
Risk registerControl effectivenessRisk likelihoodRisk mitigation - Question #473IT Risk Assessment
A data center has recently been migrated to a jurisdiction where heavy fines will be imposed should leakage of customer personal data occur. Assuming no other changes to the operat...
Risk ImpactRisk AssessmentRisk Scenario DevelopmentRisk Parameters - Question #474Risk Response and Reporting
Which of the following is MOST important to review when an organization needs to transition the majority of its employees to remote work during a crisis?
Crisis ManagementBusiness ContinuityIT Capacity PlanningRemote Work - Question #475Risk Response and Reporting
Which of the following BEST mitigates the risk associated with inadvertent data leakage by users who work remotely?
Remote access securityData protectionEncryptionRisk mitigation - Question #476IT Risk Assessment
A failure in an organization s IT system build process has resulted in several computers on the network missing the corporate endpoint detection and response (EDR) software. Which...
Risk ManagementEndpoint SecurityThreat DetectionSecurity Controls - Question #477Governance
In a public company, which group is PRIMARILY accountable for ensuring sufficient attention and resources are applied to the risk management process?
Corporate GovernanceRisk Management OversightBoard Accountability - Question #478Risk Response and Reporting
The PRIMARY reason for communicating risk assessment results to data owners is to enable the:
Risk communicationRisk responsePrioritizationData owner responsibility - Question #479Risk Response and Reporting
Which of the following BEST enables the timely detection of changes in the security control environment?
Control self-assessment (CSA)Security control monitoringControl effectivenessRisk response - Question #480Risk Response and Reporting
Reviewing which of the following would provide the MOST useful information when preparing to evaluate the effectiveness of existing controls?
Control effectivenessRisk profileControl evaluationRisk monitoring - Question #481Governance
Which of the following BEST enables the integration of IT risk management across an organization?
Enterprise Risk ManagementIT Risk IntegrationRisk GovernanceFrameworks - Question #482Risk Response and Reporting
The percentage of unpatched systems is a:
Key Risk Indicators (KRI)Risk MetricsRisk MonitoringVulnerability Management - Question #483Governance
Which of the following is MOST important to the effectiveness of a senior oversight committee for risk monitoring?
Risk GovernanceOversight CommitteesCommittee EffectivenessEnterprise Risk Management - Question #484Information Technology and Security
Which of the following is BEST used to aggregate data from multiple systems to identify abnormal behavior?
SIEMSecurity MonitoringIncident DetectionLog Aggregation - Question #485IT Risk Assessment
A risk practitioner's BEST guidance to help an organization develop relevant risk scenarios is to ensure the scenarios are:
Risk ScenariosRisk AssessmentRisk IdentificationProbability - Question #486Governance
Which of the following is the MOST important update for keeping the risk register current?
Risk Register ManagementOrganizational Change ImpactRisk ContextStrategic Risk Management - Question #487Governance
Which of the following BEST enables detection of ethical violations committed by employees?
Ethical violationsDetection controlsWhistleblower programsCorporate ethics - Question #488IT Risk Assessment
During a recent security framework review, it was discovered that the marketing department implemented a non-fungible token asset program. This was done without following establish...
Risk assessmentUnauthorized implementationRisk management processEmerging technologies - Question #489IT Risk Assessment
An organization is increasingly concerned about loss of sensitive data and asks the risk practitioner to assess the current risk level. Which of the following should the risk pract...
Data OwnershipRisk Assessment ProcessSensitive DataData Governance - Question #490Risk Response and Reporting
A robotic process automation (RPA) project has implemented new robots to enhance the efficiency of a sales business process. Which of the following provides the BEST evidence that...
RPAControl EffectivenessIndependent AssuranceRisk Response Validation - Question #491Risk Response and Reporting
Which of the following should be the PRIMARY focus of a disaster recovery management (DRM) framework and related processes?
Disaster Recovery ManagementBusiness ContinuityCritical Business OperationsRisk Response - Question #492Risk Response and Reporting
A risk practitioner has been notified of a social engineering attack using artificial intelligence (Al) technology to impersonate senior management personnel. Which of the followin...
Social EngineeringSecurity Awareness TrainingRisk MitigationHuman Factors in Security - Question #493IT Risk Assessment
Which of the following presents the GREATEST privacy risk related to personal data processing for a global organization?
Privacy RiskCross-border Data TransferJurisdictional RiskData Processing - Question #494Governance
Which of the following describes the relationship between risk appetite and risk tolerance?
Risk AppetiteRisk ToleranceRisk ConceptsRisk Management Framework - Question #495Risk Response and Reporting
Which of the following should be the MOST important consideration when determining controls necessary for a highly critical information system?
Acceptable RiskRisk ResponseControl SelectionRisk Management Principles - Question #496Governance
Which of the following is MOST important to ensure risk management practices are effective at all levels within the organization?
Risk Management IntegrationEnterprise Risk Management (ERM)Organizational EffectivenessRisk Culture - Question #497IT Risk Assessment
Which of the following scenarios presents the GREATEST risk of noncompliance with data privacy best practices?
Data PrivacyCompliance RiskConsent ManagementPurpose Limitation - Question #498IT Risk Assessment
A business impact analysis (BIA) enables an organization to determine appropriate IT risk mitigation actions by:
Business Impact Analysis (BIA)IT Risk MitigationCritical IT AssetsBusiness Processes - Question #499Risk Response and Reporting
Which of the following should be reported periodically to the risk committee?
Risk reportingRisk committee responsibilitiesEmerging IT risks - Question #500Governance
A risk practitioner is advising management on how to update the IT policy framework to account for the organization s cloud usage. Which of the following should be the FIRST step i...
Policy framework updateCloud governanceGap analysisRisk management process