CRISC Exam Questions
640 real CRISC exam questions with expert-verified answers and explanations. Page 12 of 13.
- Question #551Governance
Which of the following factors will have the GREATEST impact on the implementation of a risk mitigation strategy for an organization?
Risk toleranceRisk mitigation strategyStrategic risk managementGovernance - Question #552Governance
In the three lines of defense model, a PRIMARY objective of the second line is to:
Three Lines of DefenseSecond Line of DefenseRisk Management RolesRisk Governance - Question #553IT Risk Assessment
Which of the following is the MOST useful input when developing risk scenarios?
Risk ScenariosRisk EventsRisk AssessmentScenario Development - Question #554Risk Response and Reporting
An organization needs to send files to a business partner to perform a quality control audit on the organization's record-keeping processes. The files include personal information...
Privacy risk mitigationData obfuscationThird-party data sharingData minimization - Question #555Governance
A risk action plan has been changed during the risk mitigation effort. Which of the following is MOST important for the risk practitioner to verify?
Risk MitigationRisk Action PlanChange ManagementRisk Owner Responsibilities - Question #556Information Technology and Security
An organization uses a biometric access control system for authentication and access to its server room. Which control type has been implemented?
Preventive controlsAccess control systemsBiometric authenticationControl types - Question #557Governance
Which of the following is the GREATEST concern associated with the use of artificial intelligence (AI) language models?
AI RiskAI BiasEthical AIRisk Prioritization - Question #558Risk Response and Reporting
Which of the following is BEST measured by key control indicators (KCIs)?
Key Control IndicatorsControl effectivenessDefense in depthRisk monitoring - Question #559Risk Response and Reporting
Which of the following would be a risk practitioner's GREATEST concern related to the monitoring of key risk indicators (KRIs)?
Key Risk Indicators (KRIs)Data IntegrityRisk MonitoringLog Management - Question #560Risk Response and Reporting
An organization requires a third party for processing customer personal data. Which of the following is the BEST approach when sharing data over a public network?
Data in TransitVPNThird-Party SecurityRisk Mitigation - Question #561Governance
Which of the following is the GREATEST concern when using artificial intelligence (AI) language models?
Artificial IntelligenceAI RiskAI BiasEthical AI - Question #562Risk Response and Reporting
Which of the following is the MOST effective way to help ensure future risk levels do not exceed the organization's risk appetite?
Key Risk IndicatorsRisk AppetiteRisk MonitoringEarly Warning Systems - Question #563Governance
An organization's decision to remain noncompliant with certain laws or regulations is MOST likely influenced by:
Risk AppetiteCompliance ManagementStrategic Decision MakingSenior Management Responsibility - Question #564Governance
When assessing the maturity level of an organization's risk management framework, which of the following should be of GREATEST concern to a risk practitioner?
Risk management maturitySenior management commitmentRisk governanceFramework effectiveness - Question #565IT Risk Assessment
Which of the following is MOST useful input when developing risk scenarios?
Risk ScenariosRisk IdentificationRisk Assessment Process - Question #566Risk Response and Reporting
Which of the following is the GREATEST impact of implementing a risk mitigation strategy?
Risk mitigationResidual riskRisk responseControl implementation - Question #567Governance
In the three lines of defense model, a PRIMARY objective of the second line is to:
Three Lines of DefenseSecond Line of DefenseRisk Management RolesControl Effectiveness - Question #568Risk Response and Reporting
Which of the following is the MOST important consideration when prioritizing risk response?
Risk response prioritizationRisk treatment effectivenessRisk management principles - Question #569Risk Response and Reporting
Which of the following is the GREATEST concern related to the monitoring of key risk indicators (KRIs)?
Key Risk Indicators (KRIs)Risk MonitoringData IntegrityInformation Reliability - Question #570Governance
Who is accountable for authorizing application access in a cloud Software as a Service (SaaS) solution?
AccountabilityAccess ControlSaaS SecurityRisk Ownership - Question #571Risk Response and Reporting
The BEST use of key risk indicators (KRIs) is to provide:
Key Risk Indicators (KRIs)Risk MonitoringLeading IndicatorsRisk Management - Question #572IT Risk Assessment
During the control evaluation phase of a risk assessment, it is noted that multiple controls are ineffective. Which of the following should be the risk practitioner's FIRST course...
Risk AssessmentControl EvaluationResidual RiskRisk Appetite - Question #573Risk Response and Reporting
A MAJOR advantage of using key risk indicators (KRIs) is that they:
Key Risk IndicatorsRisk MonitoringRisk ThresholdsRisk Management - Question #574Risk Response and Reporting
Which of the following is the PRIMARY benefit of using a risk profile?
Risk ProfileRisk ReportingInternal CommunicationRisk Management Benefits - Question #575Information Technology and Security
A failure in an organization's IT system build process has resulted in several computers on the network missing the corporate endpoint detection and response (EDR) software. Which...
Security Control FailureThreat DetectionRisk ImpactEndpoint Security - Question #576Risk Response and Reporting
Which of the following is the PRIMARY reason for logging in a production database environment?
LoggingDatabase SecurityAudit TrailsAccountability - Question #577Governance
Who is ULTIMATELY accountable for risk treatment?
Risk ownershipAccountabilityRisk treatmentRoles and responsibilities - Question #578Risk Response and Reporting
An organization has implemented a policy requiring staff members to take a minimum of five consecutive days' leave per year to mitigate the risk of malicious insider activities. Wh...
KPIsRisk MitigationInsider ThreatPolicy Effectiveness - Question #579Risk Response and Reporting
Which of the following BEST enables an organization to address new risk associated with an Internet of Things (IoT) solution?
IoT Risk ManagementControl ImplementationSecurity by DesignProactive Risk Management - Question #580Risk Response and Reporting
An organization is subject to a new regulation that requires nearly real-time recovery of its services following a disruption. Which of the following is the BEST way to manage the...
Business Continuity PlanningRegulatory ComplianceRisk ResponseDisaster Recovery - Question #581Risk Response and Reporting
A user has contacted the risk practitioner regarding malware spreading laterally across the organization's corporate network. Which of the following is the risk practitioner's BEST...
Incident ResponseRisk ResponseMalwareCommunication - Question #582Risk Response and Reporting
Because of a potential data breach, an organization has decided to temporarily shut down its online sales order system until sufficient controls can be implemented. Which risk trea...
Risk avoidanceRisk treatment strategiesInformation security riskData breach - Question #583IT Risk Assessment
A global organization is considering the transfer of its customer information systems to an overseas cloud service provider in the event of a disaster. Which of the following shoul...
Regulatory complianceCross-border data transferData privacyVendor risk management - Question #584IT Risk Assessment
Recent penetration testing of an organization's software has identified many different types of security risks. Which of the following is the MOST likely root cause for the identif...
Threat ModelingSoftware Security DesignVulnerability Root CausePenetration Testing - Question #585Governance
Which of the following would BEST facilitate the implementation of data classification requirements?
Data ClassificationData OwnershipInformation GovernanceRoles and Responsibilities - Question #586IT Risk Assessment
An organization has adopted an emerging technology without following proper processes. Which of the following is the risk practitioner's BEST course of action to address this risk?
Risk assessmentRisk management processEmerging technologyRisk identification - Question #587Risk Response and Reporting
Which of the following BEST reduces the likelihood of fraudulent activity that occurs through use of a digital wallet?
Fraud preventionMulti-factor authentication (MFA)Digital wallet securityRisk mitigation - Question #588Risk Response and Reporting
A risk practitioner has been notified of a social engineering attack using artificial intelligence (AI) technology to impersonate senior management personnel. Which of the followin...
Social EngineeringSecurity Awareness TrainingRisk MitigationAI Threats - Question #589Risk Response and Reporting
Which of the following outcomes of disaster recovery planning is MOST important to enable the initiation of necessary actions during a disaster?
Disaster Recovery PlanningRecovery Time Objective (RTO)Recovery Point Objective (RPO)Business Continuity - Question #590Risk Response and Reporting
When assigning control ownership, it is MOST important to verify that the owner has accountability for:
Control OwnershipAccountabilityControl EffectivenessRisk Response - Question #591IT Risk Assessment
A risk practitioner's BEST guidance to help an organization develop relevant risk scenarios is to ensure the scenarios are:
Risk scenario developmentRisk assessmentRisk relevanceProbable events - Question #592IT Risk Assessment
Which of the following presents the GREATEST security risk associated with Internet of Things (IoT) technology?
IoT SecurityFirmware VulnerabilitiesPatch ManagementRisk Identification - Question #593Governance
An organization has established a single enterprise-wide risk register that records high-level risk scenarios. The IT risk department has created its own register to record more gr...
Risk RegisterEnterprise Risk ManagementIT Risk ManagementRisk Alignment - Question #594Governance
Where is the FIRST place a risk practitioner should look to identify accountability for a specific risk?
AccountabilityRACI matrixRisk ownershipRisk management tools - Question #595IT Risk Assessment
A service organization is preparing to adopt an IT control framework to comply with the contractual requirements of a new client. Which of the following would be MOST helpful to th...
IT control framework adoptionGap analysisCompliance requirementsRisk assessment techniques - Question #596Risk Response and Reporting
Which of the following is the BEST way to mitigate the risk associated with fraudulent use of an enterprise's brand on Internet sites?
Risk MitigationBrand ProtectionExternal Threat DetectionFraud Prevention - Question #597Governance
Which of the following is PRIMARILY responsible for providing assurance to the board of directors and senior management during the evaluation of a risk management program implement...
Internal auditAssuranceRisk management programGovernance oversight - Question #598Risk Response and Reporting
During the creation of an organization's IT risk management program, the BEST time to identify key risk indicators (KRIs) is while:
Key Risk Indicators (KRIs)Risk MonitoringIT Risk Program Development - Question #599IT Risk Assessment
A bank recently incorporated blockchain technology with the potential to impact known risk within the organization. Which of the following is the risk practitioner's BEST course of...
Risk assessmentEmerging technology riskRisk practitioner responsibilities - Question #600Risk Response and Reporting
During a risk assessment of a financial institution, a risk practitioner discovers that tellers can initiate and approve transactions of significant value. This team is also respon...
Separation of DutiesInternal ControlsRisk MitigationOperational Risk