CRISC Exam Questions
640 real CRISC exam questions with expert-verified answers and explanations. Page 13 of 13.
- Question #601 (Governance)
  In addition to the risk exposure, which of the following is MOST important for senior management to understand prior to approving the use of artificial intelligence (AI) solutions?
  Tags: AI Solutions, Senior Management, Strategic Decision Making, Business Value

- Question #602 (IT Risk Assessment)
  Which of the following is MOST useful when performing a quantitative risk assessment?
  Tags: Quantitative Risk Assessment, Risk Assessment Techniques, Financial Models, Risk Quantification

- Question #603 (Governance)
  When determining risk ownership, the MAIN consideration should be:
  Tags: Risk Ownership, Accountability, Business Process, Risk Governance

- Question #604 (Governance)
  The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for:
  Tags: E-discovery, Data Retention Policy, Cost Optimization, Information Governance

- Question #605 (Governance)
  To help ensure the success of a major IT project, it is MOST important to:
  Tags: Project success, Stakeholder commitment, IT governance, Critical success factors

- Question #606 (IT Risk Assessment)
  Which of the following is the PRIMARY reason to conduct risk assessments at periodic intervals?
  Tags: Risk Assessment, Periodic Review, Emerging Risks, Risk Identification

- Question #607 (Risk Response and Reporting)
  Which of the following provides the MOST mitigation value for an organization implementing new Internet of Things (IoT) devices?
  Tags: IoT Security, Security by Design, Risk Mitigation, Security Architecture

- Question #608 (Governance)
  Which of the following is the MOST critical consideration when awarding a project to a third-party service provider whose servers are located offshore?
  Tags: Third-party risk management, Data governance, Offshore outsourcing, Compliance risk

- Question #609 (Governance)
  A new risk practitioner finds that decisions for implementing risk response plans are not being made. Which of the following would MOST likely explain this situation?
  Tags: Risk ownership, Risk response implementation, Accountability, Risk management decision-making

- Question #610 (Governance)
  A recently purchased IT application does not meet project requirements. Of the following, who is accountable for the potential impact?
  Tags: Project Accountability, Project Sponsor Role, IT Project Governance, Role Responsibility Matrix

- Question #611 (IT Risk Assessment)
  A risk practitioner finds that data has been misclassified. Which of the following is the GREATEST concern?
  Tags: Data classification, Risk identification, Unauthorized access, Confidentiality

- Question #612 (Governance)
  An organization has outsourced its customer management database to an external service provider. Of the following, who should be accountable for ensuring customer data privacy?
  Tags: Accountability, Outsourcing risk, Data privacy, Business process owner

- Question #613 (Risk Response and Reporting)
  Following the implementation of an Internet of Things (IoT) solution, a risk practitioner identifies new risk factors with impact to existing controls. Which of the following is MO...
  Tags: Risk reporting, Residual risk, Stakeholder communication, IoT risk management

- Question #614 (IT Risk Assessment)
  Which of the following should a risk practitioner review FIRST when evaluating risk events associated with the organization's data flow model?
  Tags: Data Classification, Risk Evaluation, Data Flow Models, Risk Assessment Process

- Question #615 (Risk Response and Reporting)
  Which of the following controls will BEST mitigate risk associated with excessive access privileges?
  Tags: Access Control, Entitlement Management, Risk Mitigation, Least Privilege

- Question #616 (Governance)
  A technology company is developing a strategic artificial intelligence (AI)-driven application that has high potential business value. At what point should the enterprise risk prof...
  Tags: Enterprise Risk Management (ERM), Strategic Planning, Project Initiation, Risk Profile Update

- Question #617 (Risk Response and Reporting)
  Which of the following is a risk practitioner's BEST course of action if a risk assessment identifies a risk that is extremely unlikely but would have a severe impact should it occ...
  Tags: Risk assessment outcomes, Risk response planning, Risk treatment options, Risk prioritization

- Question #618 (IT Risk Assessment)
  Which of the following should be done FIRST when developing an initial set of risk scenarios for an organization?
  Tags: Risk Identification, Risk Scenarios, Business Activities, Initial Risk Assessment

- Question #619 (Risk Response and Reporting)
  Which of the following is MOST important for a risk practitioner to understand about an organization in order to create an effective risk awareness program?
  Tags: Risk awareness program, Threats, Vulnerabilities, Risk communication

- Question #620 (Governance)
  Which of the following is the PRIMARY advantage of having a single integrated business continuity plan (BCP) rather than each business unit developing its own BCP?
  Tags: Business Continuity Planning (BCP), BCP Integration, BCP Maintenance, Organizational Resilience

- Question #621 (IT Risk Assessment)
  An organization is implementing Zero Trust architecture to improve its security posture. Which of the following is the MOST important input to develop the architecture?
  Tags: Zero Trust Architecture, Threat Modeling, Security Architecture Design, Risk Assessment Inputs

- Question #622 (Governance)
  Who is PRIMARILY accountable for identifying risk on a daily basis and ensuring adherence to the organization's policies?
  Tags: Three Lines of Defense, Risk ownership, Accountability, Operational risk management

- Question #623 (Governance)
  Which of the following is the PRIMARY risk management responsibility of the third line of defense?
  Tags: Three Lines Model, Risk Management Roles, Assurance, Internal Audit

- Question #624 (Governance)
  Which of the following is a PRIMARY objective of privacy impact assessments (PIAs)?
  Tags: Privacy Impact Assessment, Data Privacy, Compliance, Risk Management

- Question #625 (Risk Response and Reporting)
  Within the risk management space, which of the following activities could be delegated to a cloud service provider?
  Tags: Cloud computing, Shared responsibility model, Control implementation, Delegation

- Question #626 (Governance)
  External penetration tests MUST include:
  Tags: Penetration Testing, Security Testing, Authorization, Risk Governance

- Question #627 (Governance)
  A business unit has implemented robotic process automation (RPA) for its repetitive back-office tasks. Which of the following should be the risk practitioner's GREATEST concern?
  Tags: RPA risks, IT governance, Security team involvement, Shadow IT

- Question #628 (Risk Response and Reporting)
  Senior management has requested a risk practitioner's guidance on whether a new technical control requested by a business unit is worth the investment. Which of the following shoul...
  Tags: Control effectiveness, Risk mitigation, Residual risk, Control investment

- Question #629 (IT Risk Assessment)
  A new international data privacy regulation requires personal data to be disposed of after the specified retention period, which is different from the local regulatory requirement. Wh...
  Tags: Regulatory Compliance, Data Privacy, IT Controls, Risk Identification

- Question #630 (IT Risk Assessment)
  Which of the following presents the GREATEST concern associated with the use of artificial intelligence (AI) systems?
  Tags: AI risk, Bias in AI, Ethical AI, Emerging technologies risk

- Question #631 (Risk Response and Reporting)
  An organization has determined that risk is not being adequately tracked and managed due to a distributed operating model. Which of the following is the BEST way to address this is...
  Tags: Risk Management, Centralized Risk, Distributed Operating Model, Risk Tracking

- Question #632 (Risk Response and Reporting)
  Upon learning that the number of failed backup attempts continually exceeds the current risk threshold, the risk practitioner should:
  Tags: Risk Response, Corrective Action, Risk Thresholds, Risk Monitoring

- Question #633 (Risk Response and Reporting)
  Which of the following BEST indicates that an organization's disaster recovery plan (DRP) will mitigate the risk of the organization failing to recover from a major service disrupt...
  Tags: Disaster Recovery Plan (DRP), Recovery Point Objective (RPO), Business Continuity Planning (BCP), Risk Mitigation

- Question #634 (Risk Response and Reporting)
  Which of the following BEST helps to ensure disaster recovery staff members are able to complete their assigned tasks effectively during a disaster?
  Tags: Disaster Recovery Training, Tabletop Exercises, Staff Preparedness, Business Continuity Management

- Question #635 (Risk Response and Reporting)
  An organization becomes aware that IT security failed to detect a coordinated cyber attack on its data center. Which of the following is the BEST course of action?
  Tags: Root Cause Analysis, Incident Response, Control Failure, Cyber Attack

- Question #636 (IT Risk Assessment)
  Which of the following is the PRIMARY purpose of a risk register?
  Tags: risk register, risk inventory, risk identification

- Question #637 (Risk Response and Reporting)
  Who is accountable for the process when an IT stakeholder operates a key control to address a risk scenario?
  Tags: Risk owner responsibilities, Accountability in risk management, Risk response, Control ownership

- Question #638 (IT Risk Assessment)
  Which of the following BEST facilitates the identification of emerging risk?
  Tags: Emerging Risk Identification, Scenario Analysis, Risk Assessment Techniques, Proactive Risk Management

- Question #639 (Risk Response and Reporting)
  Which of the following BEST enables effective risk reporting to the board of directors?
  Tags: Risk Reporting, Board Communication, Strategic Alignment, Risk Governance

- Question #640 (Risk Response and Reporting)
  The patch management process is MOST effectively monitored through which of the following key control indicators (KCIs)?
  Tags: Patch Management, Key Control Indicators (KCI), Process Monitoring, IT Controls