CRISC Exam Questions
640 real CRISC exam questions with expert-verified answers and explanations. Page 7 of 13.
- Question #301 (IT Risk Assessment)
  Which of the following analyses is MOST useful for prioritizing risk scenarios associated with loss of IT assets?
  Tags: Risk Prioritization, Business Impact Analysis (BIA), IT Asset Risk, Risk Assessment Tools
- Question #302 (Risk Response and Reporting)
  Optimized risk management is achieved when risk is reduced:
  Tags: Risk appetite, Risk optimization, Risk reduction
- Question #303 (Risk Response and Reporting)
  Which of the following is the GREATEST benefit of updating the risk register to include outcomes from a risk assessment?
  Tags: Risk Register, Risk Assessment Outcomes, Decision Support, Risk Management Process
- Question #304 (Risk Response and Reporting)
  Which strategy employed by risk management would BEST help to prevent internal fraud?
  Tags: Internal Fraud, Segregation of Duties, Risk Mitigation, Preventative Controls
- Question #305 (IT Risk Assessment)
  An enterprise has taken delivery of software patches that address vulnerabilities in its core business software. Prior to implementation, which of the following is the MOST importa...
  Tags: Risk Assessment, Impact Analysis, Patch Management Risks, Vulnerability Remediation
- Question #306 (Governance)
  An organization is developing a risk universe to create a holistic view of its overall risk profile. Which of the following is the GREATEST barrier to achieving the initiative's ob...
  Tags: Risk Culture, Enterprise Risk Management, Risk Governance, Holistic Risk View
- Question #307 (Risk Response and Reporting)
  Which of the following would BEST prevent an unscheduled application of a patch?
  Tags: Change management, Patch management, IT controls, Risk mitigation
- Question #308 (IT Risk Assessment)
  After the announcement of a new IT regulatory requirement, it is MOST important for a risk practitioner to:
  Tags: Regulatory compliance, Risk assessment, Impact analysis, IT risk management
- Question #309 (Information Technology and Security)
  Who is the BEST person to an application system used to process employee personal data?
  Tags: Data Privacy, Data Ownership, Roles and Responsibilities, Personal Data
- Question #310 (Governance)
  An organization's Internet-facing server was successfully attacked because the server did not have the latest security patches. The risk associated with poor patch management had b...
  Tags: Risk ownership, Accountability, Risk acceptance, Risk management roles
- Question #311 (IT Risk Assessment)
  An organization has just started accepting credit card payments from customers via the corporate website. Which of the following is MOST likely to increase as a result of this new...
  Tags: Inherent Risk, Risk Identification, Payment Processing Risk, New Initiative Risk
- Question #312 (Risk Response and Reporting)
  Which of the following scenarios is MOST likely to cause a risk practitioner to request a formal risk acceptance sign-off?
  Tags: Risk Acceptance, Residual Risk, Risk Appetite, Risk Response
- Question #313 (Governance)
  An organization's IT team has proposed the adoption of cloud computing as a cost-saving measure for the business. Which of the following should be of GREATEST concern to the risk p...
  Tags: Cloud Risk, Third-Party Risk Management, Vendor Due Diligence, Risk Governance
- Question #314 (IT Risk Assessment)
  A risk practitioner has been asked to evaluate the adoption of a third-party blockchain integration platform based on the value added by the platform and the organization's risk ap...
  Tags: Risk Assessment, Third-Party Risk, Risk Appetite, New Technology Adoption
- Question #315 (Risk Response and Reporting)
  Which of the following is the MOST significant indicator of the need to perform a penetration test?
  Tags: Penetration Testing, Security Incidents, Risk Response, Security Testing
- Question #316 (IT Risk Assessment)
  An organization's IT department wants to complete a proof of concept (POC) for a security tool. The project lead has asked for approval to use the production data for testing purpo...
  Tags: Risk assessment, Data usage risk, POC testing, Risk management process
- Question #317 (IT Risk Assessment)
  A risk practitioner has been asked to evaluate a new cloud-based service to enhance an organization's access management capabilities. When is the BEST time for the risk practitione...
  Tags: Risk assessment timing, Control strength evaluation, Project lifecycle risk, Proactive risk management
- Question #318 (Risk Response and Reporting)
  Which of the following is the BEST recommendation of a risk practitioner for an organization that recently changed its organizational structure?
  Tags: Risk communication, Organizational change impact, Risk profile management, Stakeholder awareness
- Question #319 (Governance)
  Which of the following is the MOST important document regarding the treatment of sensitive data?
  Tags: Information classification, Data handling policies, Sensitive data protection, Security governance
- Question #320 (Risk Response and Reporting)
  The results of a risk assessment reveal risk scenarios with high impact and low likelihood of occurrence. Which of the following would be the BEST action to address these scenarios...
  Tags: Risk Response Planning, Risk Assessment Output, High Impact Risks, Risk Management Process
- Question #321 (IT Risk Assessment)
  Which of the following should be a risk practitioner's GREATEST concern upon learning of failures in a data migration activity?
  Tags: Data Integrity, Data Migration Risk, Risk Impact Assessment, Criticality Analysis
- Question #322 (IT Risk Assessment)
  The PRIMARY benefit of conducting a risk workshop using a top-down approach instead of a bottom-up approach is the ability to:
  Tags: Risk workshop, Top-down approach, Strategic risk, Holistic risk view
- Question #323 (Risk Response and Reporting)
  A risk assessment has been completed on an application and reported to the application owner. The report includes validated vulnerability findings that require mitigation. Which of...
  Tags: Risk response, Risk mitigation, Risk tolerance, Risk management process
- Question #324 (Governance)
  Which of the following BEST enables the development of a successful IT strategy focused on business risk mitigation?
  Tags: IT Strategy, Business Alignment, Risk Mitigation, Stakeholder Engagement
- Question #325 (Governance)
  Which of the following activities should only be performed by the third line of defense?
  Tags: Three Lines of Defense, Internal Audit, Risk Assurance, Governance Frameworks
- Question #326 (Risk Response and Reporting)
  Reviewing which of the following BEST helps an organization gain insight into its overall risk profile?
  Tags: Risk Register, Overall Risk Profile, Risk Reporting, Risk Management Tools
- Question #327 (Governance)
  Which of the following is MOST important for managing ethical risk?
  Tags: Ethical Risk Management, Code of Conduct, Organizational Ethics, Risk Controls
- Question #328 (IT Risk Assessment)
  What should a risk practitioner do FIRST when a shadow IT application is identified in a business owner's business impact analysis (BIA)?
  Tags: Shadow IT, Risk identification, Business Impact Analysis (BIA), Risk assessment process
- Question #329 (IT Risk Assessment)
  Which of the following is a risk practitioner's BEST course of action upon learning that regulatory authorities have concerns with an emerging technology the organization is consid...
  Tags: Regulatory Risk, Emerging Technology Risk, Threat Assessment, Risk Assessment Process
- Question #330 (IT Risk Assessment)
  An organization has established workflows in its service desk to support employee reports of security-related concerns. Which of the following is the MOST efficient approach to ana...
  Tags: Incident triage, Risk prioritization, Security concern analysis, Operational efficiency
- Question #331 (Risk Response and Reporting)
  Which of the following should be the PRIMARY basis for deciding whether to disclose information related to risk events that impact external stakeholders?
  Tags: Risk reporting, Regulatory compliance, External communication, Disclosure requirements
- Question #332 (IT Risk Assessment)
  Which of the following provides the MOST useful information to trace the impact of aggregated risk across an organization's technical environment?
  Tags: Enterprise Architecture, Risk Aggregation, Risk Impact Analysis, Technical Environment Mapping
- Question #333 (Governance)
  Which of the following would BEST facilitate the maintenance of data classification requirements?
  Tags: Data Classification, Auditing, Compliance, Data Governance
- Question #334 (Risk Response and Reporting)
  Which of the following is the PRIMARY reason for a risk practitioner to report changes and trends in the IT risk profile to senior management?
  Tags: Risk Reporting, Senior Management Communication, IT Risk Profile, Risk Monitoring
- Question #335 (Risk Response and Reporting)
  Continuous monitoring of key risk indicators (KRIs) will:
  Tags: Key Risk Indicators (KRIs), Risk monitoring, Early warning systems, Proactive risk management
- Question #336 (Risk Response and Reporting)
  An organization allows programmers to change production systems in emergency situations. Which of the following is the BEST control?
  Tags: Emergency Change Management, Change Control, Authorization Process, Preventive Controls
- Question #337 (Risk Response and Reporting)
  Which of the following is the BEST recommendation when a key risk indicator (KRI) is generating an excessive volume of events?
  Tags: Key Risk Indicators (KRIs), Risk Monitoring, KRI Design, Risk Management Process Improvement
- Question #338 (IT Risk Assessment)
  Which of the following is MOST important to consider when determining the value of an asset during the risk identification process?
  Tags: Asset Valuation, Risk Identification, Asset Criticality, IT Risk Assessment
- Question #339 (IT Risk Assessment)
  Which of the following is the MOST effective way to validate organizational awareness of cybersecurity risk?
  Tags: Cybersecurity awareness, Risk validation, Phishing simulation, Security testing
- Question #340 (IT Risk Assessment)
  A risk practitioner wants to identify potential risk events that affect the continuity of a critical business process. Which of the following should the risk practitioner do FIRST?
  Tags: Business Impact Analysis (BIA), Risk Identification, Business Continuity Management, Risk Assessment Methodology
- Question #341 (IT Risk Assessment)
  Which of the following is the BEST risk management approach for the strategic IT planning process?
  Tags: Risk Assessment, Strategic IT Planning, Risk Identification, Risk Analysis
- Question #342 (IT Risk Assessment)
  Which of the following should be the PRIMARY consideration when assessing the risk of using Internet of Things (IoT) devices to collect and process personally identifiable informat...
  Tags: IoT Risk, PII Protection, Regulatory Compliance, Risk Assessment
- Question #343 (Risk Response and Reporting)
  Which of the following is the BEST way to reduce the likelihood of an individual performing a potentially harmful action as the result of unnecessary entitlement?
  Tags: Least Privilege, Access Control, Risk Mitigation, Security Controls
- Question #344 (Governance)
  The operational risk associated with attacks on a web application should be owned by the individual in charge of:
  Tags: Risk ownership, Operational risk, Business accountability, CRISC principles
- Question #345 (Information Technology and Security)
  The BEST way for an organization to ensure that servers are compliant to security policy is to review:
  Tags: Server Security, Configuration Management, Compliance Monitoring, Security Policies
- Question #346 (IT Risk Assessment)
  Which of the following would be MOST helpful in assessing the risk associated with data loss due to human vulnerabilities?
  Tags: Risk Assessment, Human Vulnerabilities, Social Engineering, Security Testing
- Question #347 (Governance)
  Which of the following will BEST help to improve an organization's risk culture?
  Tags: Risk Culture, Risk Awareness, Organizational Behavior, Risk Management Programs
- Question #348 (Risk Response and Reporting)
  Which of the following should be the FIRST course of action if the risk associated with a new technology is found to be increasing?
  Tags: Risk Monitoring, Risk Response, Risk Action Plan, Risk Management Process
- Question #349 (IT Risk Assessment)
  Which of the following is the PRIMARY benefit of consistently recording risk assessment results in the risk register?
  Tags: Risk Register, Risk Assessment, Risk Profile, Data Consistency
- Question #350 (Risk Response and Reporting)
  Which of the following is a risk practitioner's BEST recommendation to help reduce IT risk associated with scheduling overruns when starting a new application development project?
  Tags: Risk Mitigation, Project Planning, Scheduling Risk, Application Development