Certified in Risk and Information Systems Control
https://killexams.com/pass4sure/exam-detail/CRISC
Which of the following criteria associated with key risk indicators (KRIs) BEST enables effective risk monitoring?
Use of industry risk data sources
Sensitivity to changes in risk levels
Low cost of development and maintenance
Approval by senior management
Which of the following is the BEST indication of a mature organizational risk culture?
Corporate risk appetite is communicated to staff members.
Risk policy has been published and acknowledged by employees.
Management encourages the reporting of policy breaches.
Risk owners understand and accept accountability for risk.
The BEST key performance indicator (KPI) for monitoring adherence to an organization's user accounts provisioning practices is the percentage of:
active accounts belonging to former personnel.
accounts with dormant activity.
accounts without documented approval.
user accounts with default passwords.
Which of the following facilitates a completely independent review of test results for evaluating control effectiveness?
Segregation of duties
Compliance review
Three lines of defense
Quality assurance review
Which of the following is a KEY consideration for a risk practitioner to communicate to senior management evaluating the introduction of artificial intelligence (AI) solutions into the organization?
Third-party AI solutions increase regulatory obligations.
AI requires entirely new risk management processes.
AI will result in changes to business processes.
AI potentially introduces new types of risk.
An organization must make a choice among multiple options to respond to a risk. The stakeholders cannot agree and decide to postpone the decision. Which of the following risk responses has the organization adopted?
Mitigation
Acceptance
Avoidance
Transfer
To communicate the risk associated with IT in business terms, which of the following MUST be defined?
Risk appetite of the organization
Compliance objectives
Organizational objectives
Inherent and residual risk
An organization learns of a new ransomware attack affecting organizations worldwide. Which of the following should be done FIRST to reduce the likelihood of infection from the attack?
Verify the data backup process and confirm which backups are the most recent ones available.
Identify systems that are vulnerable to being exploited by the attack.
Confirm with the antivirus solution vendor whether the next update will detect the attack.
Obtain approval for funding to purchase a cyber insurance plan.
Which of the following is MOST important to the successful development of IT risk scenarios?
Control effectiveness assessment
Threat and vulnerability analysis
Internal and external audit reports
Cost-benefit analysis
While reviewing an organization's monthly change management metrics, a risk practitioner notes that the number of emergency changes has increased substantially. Which of the following would be the BEST approach for the risk practitioner to take?
Temporarily suspend emergency changes.
Continue monitoring change management metrics.
Conduct a root cause analysis.
Document the control deficiency in the risk register.
Which of the following MUST be updated to maintain an IT risk register?
Risk appetite
Risk tolerance
Expected frequency and potential impact
Enterprise-wide IT risk assessment
Which of the following is the BEST method for assessing control effectiveness against technical vulnerabilities that could be exploited to compromise an information system?
Vulnerability scanning
Penetration testing
Systems log correlation analysis
Monitoring of intrusion detection system (IDS) alerts
Which of the following is the MOST effective control to ensure user access is maintained on a least-privilege basis?
Change log review
User recertification
Access log monitoring
User authorization
Which of the following is MOST important when considering risk in an enterprise risk management (ERM) process?
Risk identified by industry benchmarking is included.
Financial risk is given a higher priority.
Risk with strategic impact is included.
Security strategy is given a higher priority.
Which of the following is MOST important when developing risk scenarios?
Conducting vulnerability assessments
Reviewing business impact analysis (BIA)
Collaborating with IT audit
Obtaining input from key stakeholders
Which of the following BEST protects an organization against breaches when using a software as a service (SaaS) application?
Security information and event management (SIEM) solutions
Control self-assessment (CSA)
Data privacy impact assessment (DPIA)
Data loss prevention (DLP) tools
Which of the following is the GREATEST risk associated with the misclassification of data?
Data disruption
Inadequate resource allocation
Unauthorized access
Inadequate retention schedules
Which of the following would BEST mitigate the risk associated with reputational damage from inappropriate use of social media sites by employees?
Disabling social media access from the organization's technology
Validating employee social media accounts and passwords
Implementing training and awareness programs
Monitoring Internet usage on employee workstations
Which of the following should be the FIRST step when a company is made aware of new regulatory requirements impacting IT?
Perform a risk assessment.
Prioritize impact to the business units.
Perform a gap analysis.
Review the risk tolerance and appetite.
The design of procedures to prevent fraudulent transactions within an enterprise resource planning (ERP) system should be based on:
benchmarking criteria.
stakeholder risk tolerance.
the control environment.
suppliers used by the organization.
A vulnerability assessment of a vendor-supplied solution has revealed that the software is susceptible to cross-site scripting and SQL injection attacks. Which of the following will BEST mitigate this issue?
Require the software vendor to remediate the vulnerabilities.
Approve exception to allow the software to continue operating.
Monitor the databases for abnormal activity.
Accept the risk and let the vendor run the software as is.
Which of the following represents a vulnerability?
An employee recently fired for insubordination
An identity thief seeking to acquire personal financial data from an organization
Media recognition of an organization's market leadership in its industry
A standard procedure for applying software patches two weeks after release
An organization has detected unauthorized logins to its client database servers. Which of the following should be of GREATEST concern?
Potential increase in regulatory scrutiny
Potential theft of personal information
Potential legal risk
Potential system downtime
Which of the following is the PRIMARY role of a data custodian in the risk management process?
Ensuring data is protected according to the classification
Being accountable for control design
Reporting and escalating data breaches to senior management
Performing periodic data reviews according to policy