CRISC Exam Questions
640 real CRISC exam questions with expert-verified answers and explanations. Page 3 of 13.
- Question #101 (Risk Response and Reporting)
  An organization has decided to postpone the assessment and treatment of several risk scenarios because stakeholders are unavailable. As a result of this decision, the risk associat...
  Tags: Risk response, Risk acceptance, Risk treatment, Decision making
- Question #102 (IT Risk Assessment)
  When a risk practitioner is determining a system's criticality, it is MOST helpful to review the associated:
  Tags: System Criticality, Business Impact Analysis (BIA), Risk Assessment, Impact Analysis
- Question #103 (Risk Response and Reporting)
  When evaluating a number of potential controls for treating risk, it is MOST important to consider:
  Tags: Risk treatment, Control evaluation, Residual risk, Cost of control
- Question #104 (Risk Response and Reporting)
  Which of the following is the MOST effective way to reduce potential losses due to ongoing expense fraud?
  Tags: Fraud prevention, Access controls, Internal controls, Risk mitigation
- Question #105 (Risk Response and Reporting)
  An organization is participating in an industry benchmarking study that involves providing customer transaction records for analysis. Which of the following is the MOST important co...
  Tags: Data Privacy, Data Cleansing, Data Sharing, Risk Response
- Question #106 (Risk Response and Reporting)
  Which of the following is the BEST way for a risk practitioner to present an annual risk management update to the board?
  Tags: Risk reporting, Board communication, Key Risk Indicators (KRIs), Risk communication
- Question #107 (Risk Response and Reporting)
  Which of the following is MOST important to promoting a risk-aware culture?
  Tags: Risk-aware culture, Risk communication, Risk reporting, Organizational awareness
- Question #108 (Information Technology and Security)
  The BEST metric to demonstrate that servers are configured securely is the total number of servers:
  Tags: Server hardening, Security metrics, Secure configuration, Baseline security
- Question #109 (IT Risk Assessment)
  Which of the following resources is MOST helpful to a risk practitioner when updating the likelihood rating in the risk register?
  Tags: Risk assessment, Likelihood determination, Risk register, Penetration testing
- Question #110 (Risk Response and Reporting)
  A segregation of duties control was found to be ineffective because it did not account for all applicable functions when evaluating access. Who is responsible for ensuring the cont...
  Tags: Control owner, Control design, Control effectiveness, Segregation of duties
- Question #111 (Risk Response and Reporting)
  Which of the following would be the BEST way for a risk practitioner to validate the effectiveness of a patching program?
  Tags: Patch Management, Vulnerability Scanning, Control Effectiveness, Risk Monitoring
- Question #112 (Governance)
  The BEST indicator of the risk appetite of an organization is the:
  Tags: Risk appetite, Board of Directors, Risk governance, Organizational risk
- Question #113 (Risk Response and Reporting)
  Which of the following is the BEST method to mitigate the risk of an unauthorized employee viewing confidential data in a database?
  Tags: Data Masking, Confidentiality Protection, Data Security Controls, Risk Mitigation Strategies
- Question #114 (Risk Response and Reporting)
  Which of the following is the BEST approach for an organization in a heavily regulated industry to comprehensively test application functionality?
  Tags: Application Testing, Data Anonymization, Data Privacy, Regulatory Compliance
- Question #115 (Governance)
  An organization has agreed to a 99% availability for its online services and will not accept availability that falls below 98.5%. This is an example of:
  Tags: Risk tolerance, Risk appetite, Service availability, Risk definitions
- Question #116 (Risk Response and Reporting)
  Which of the following is the PRIMARY purpose of creating and documenting control procedures?
  Tags: Control procedures, Risk management, Risk mitigation, Control objectives
- Question #117 (Governance)
  Of the following, who is responsible for approval when a change in an application system is ready for release to production?
  Tags: Change Management, Roles and Responsibilities, Business Ownership, Release Management
- Question #118 (Risk Response and Reporting)
  A risk practitioner recently discovered that personal information from the production environment is required for testing purposes in non-production environments. Which of the foll...
  Tags: Data de-identification, Test data management, Data privacy, Risk mitigation
- Question #119 (IT Risk Assessment)
  Which of the following is the GREATEST concern when establishing key risk indicators (KRIs)?
  Tags: Key Risk Indicators (KRIs), Risk Assessment, KRI Establishment, Risk Management Process
- Question #120 (IT Risk Assessment)
  Which of the following provides the MOST useful information to assess the magnitude of identified deficiencies in the IT control environment?
  Tags: IT control deficiencies, Internal audit, Risk assessment, Control assessment
- Question #121 (IT Risk Assessment)
  Which of the following provides the BEST assurance of the effectiveness of vendor security controls?
  Tags: Vendor Risk Management, Third-Party Assurance, Security Control Effectiveness, Independent Audit
- Question #122 (Risk Response and Reporting)
  The MAIN purpose of selecting a risk response is to:
  Tags: Risk Response, Residual Risk, Risk Tolerance, Risk Management Objective
- Question #123 (IT Risk Assessment)
  Which component of a software inventory BEST enables the identification and mitigation of known vulnerabilities?
  Tags: Software Inventory, Vulnerability Management, Risk Identification, Asset Management
- Question #124 (Information Technology and Security)
  Which of the following is the BEST way to ensure data is properly sanitized while in cloud storage?
  Tags: Data sanitization, Cloud security, Cryptographic erasure, Data destruction
- Question #125 (Risk Response and Reporting)
  Which risk response strategy could management apply to both positive and negative risk that has been identified?
  Tags: Risk Response, Risk Acceptance, Positive Risk, Negative Risk
- Question #126 (Risk Response and Reporting)
  An organization's recovery team is attempting to recover critical data backups following a major flood in its data center. However, key team members do not know exactly what steps...
  Tags: DRP Testing, Disaster Recovery, Crisis Management, Business Continuity
- Question #127 (Governance)
  A control process has been implemented in response to a new regulatory requirement, but has significantly reduced productivity. Which of the following is the BEST way to resolve th...
  Tags: Regulatory compliance, Productivity impact, Risk escalation, Governance decision-making
- Question #128 (Risk Response and Reporting)
  A risk practitioner has identified that the agreed recovery time objective (RTO) with a Software as a Service (SaaS) provider is longer than the business expectation. Which of the...
  Tags: Risk response, Risk owner, RTO, SaaS risk management
- Question #129 (Risk Response and Reporting)
  A risk practitioner has identified that the agreed recovery time objective (RTO) with a Software as a Service (SaaS) provider is longer than the business expectation. Which of the...
  Tags: Risk identification, Risk reporting, Risk register, Third-party risk
- Question #130 (Risk Response and Reporting)
  Which of the following is the MOST useful information for a risk practitioner when planning response activities after risk identification?
  Tags: Risk response planning, Risk prioritization, Risk management process, Risk information utility
- Question #131 (IT Risk Assessment)
  Which of the following situations presents the GREATEST challenge to creating a comprehensive IT risk profile of an organization?
  Tags: IT Risk Profile, Enterprise Architecture, Risk Identification, Data Accuracy
- Question #132 (Governance)
  Which of the following BEST enables a risk practitioner to understand management's approach to organizational risk?
  Tags: Risk appetite, Risk tolerance, Management approach, Risk governance
- Question #133 (Risk Response and Reporting)
  Which of the following is the MOST important reason to validate that risk responses have been executed as outlined in the risk response plan?
  Tags: Risk response validation, Residual risk, Risk response execution, Risk management objectives
- Question #134 (IT Risk Assessment)
  Which of the following BEST helps to identify significant events that could impact an organization?
  Tags: Risk identification, Scenario analysis, Risk assessment techniques, Event identification
- Question #135 (Risk Response and Reporting)
  Which of the following is the MAIN benefit to an organization using key risk indicators (KRIs)?
  Tags: Key Risk Indicators, Risk monitoring, Early warning systems, Risk thresholds
- Question #136 (Risk Response and Reporting)
  Which of the following is the PRIMARY reason for sharing risk assessment reports with senior stakeholders?
  Tags: Risk Reporting, Decision Making, Senior Management, Risk Response
- Question #137 (Governance)
  Which of the following BEST enables effective IT control implementation?
  Tags: Control implementation, Documented procedures, IT controls, Governance frameworks
- Question #138 (Governance)
  Which of the following should be the FIRST consideration when establishing a new risk governance program?
  Tags: Risk Governance Program, Program Establishment, Risk Management Integration, Organizational Embedding
- Question #139 (Governance)
  When establishing an enterprise IT risk management program, it is MOST important to:
  Tags: IT Risk Management Program, Strategic Alignment, Program Establishment, Risk Governance
- Question #140 (Risk Response and Reporting)
  An organization has operations in a location that regularly experiences severe weather events. Which of the following would BEST help to mitigate the risk to operations?
  Tags: Business Continuity Planning (BCP), Operational Resilience, Risk Mitigation, Disaster Recovery
- Question #141 (Risk Response and Reporting)
  Which of the following is the MAIN benefit to an organization using key risk indicators (KRIs)?
  Tags: Key Risk Indicators (KRIs), Risk monitoring, Early warning systems, Risk management tools
- Question #142 (Risk Response and Reporting)
  What is the BEST recommendation to reduce the risk associated with potential system compromise when a vendor stops releasing security patches and updates for a business-critical le...
  Tags: Legacy system risk, Network segmentation, Risk mitigation, Compensating controls
- Question #143 (IT Risk Assessment)
  Which of the following would provide the MOST helpful input to develop risk scenarios associated with hosting an organization's key IT applications in a cloud environment?
  Tags: Risk Scenarios, Cloud Computing Risks, Risk Workshops, Stakeholder Engagement
- Question #144 (Governance)
  A newly incorporated enterprise needs to secure its information assets. From a governance perspective, which of the following should be done FIRST?
  Tags: Information asset identification, Security governance, Asset inventory, Foundational security
- Question #145 (Governance)
  A highly regulated enterprise is developing a new risk management plan to specifically address legal and regulatory risk scenarios. What should be done FIRST by IT governance to sup...
  Tags: IT governance, Compliance objectives, Regulatory risk, Risk management plan
- Question #146 (Risk Response and Reporting)
  Business management is seeking assurance from the CIO that IT has a plan in place for early identification of potential issues that could impact the delivery of a new application. W...
  Tags: Risk reporting, Stakeholder communication, Project risk management, Business assurance
- Question #147 (Governance)
  A root cause analysis indicates a major service disruption due to a lack of competency of newly hired IT system administrators. Who should be accountable for resolving the situat...
  Tags: IT Accountability, Service Disruption, IT Competency, Executive Oversight
- Question #148 (Risk Response and Reporting)
  Which of the following is the BEST way to determine whether system settings are in alignment with control baselines?
  Tags: Configuration management, Control validation, Security baselines, Compliance checking
- Question #149 (IT Risk Assessment)
  A recent big data project has resulted in the creation of an application used to support important investment decisions. Which of the following should be of GREATEST concern to the...
  Tags: Data quality, Risk assessment, Decision making, Big data
- Question #150 (IT Risk Assessment)
  Which of the following presents the GREATEST challenge to managing an organization's end-user devices?
  Tags: Asset Management, IT Inventory, End-user Device Security, Risk Identification