Certified in Risk and Information Systems Control Questions and Answers
Which of the following is the PRIMARY reason for monitoring activities performed in a production database environment?
A risk practitioner is preparing a report to communicate changes in the risk and control environment. The BEST way to engage stakeholder attention is to:
Which of the following should be considered when selecting a risk response?
Which of the following should be done FIRST when information is no longer required to support business objectives?
A business unit is implementing a data analytics platform to enhance its customer relationship management (CRM) system primarily to process data that has been provided by its customers. Which of the following presents the GREATEST risk to the organization's reputation?
While reviewing a contract of a cloud services vendor, it was discovered that the vendor refuses to accept liability for a sensitive data breach. Which of the following controls will BES reduce the risk associated with such a data breach?
An organizations chief technology officer (CTO) has decided to accept the risk associated with the potential loss from a denial-of-service (DoS) attack. In this situation, the risk practitioner's BEST course of action is to:
Which of the following is the MOST common concern associated with outsourcing to a service provider?
Which of the following is the BEST evidence that risk management is driving business decisions in an organization?
When of the following is the MOST significant exposure when an application uses individual user accounts to access the underlying database?
The BEST metric to monitor the risk associated with changes deployed to production is the percentage of:
Which type of indicators should be developed to measure the effectiveness of an organization's firewall rule set?
Which of the following is the BEST way to determine whether new controls mitigate security gaps in a business system?
Which of the following is MOST important for an organization to update following a change in legislation requiring notification to individuals impacted by data breaches?
Which of the following is the MOST important responsibility of a risk owner?
The PRIMARY reason for prioritizing risk scenarios is to:
Vulnerabilities have been detected on an organization's systems. Applications installed on these systems will not operate if the underlying servers are updated. Which of the following is the risk practitioner's BEST course of action?
Which of the following scenarios represents a threat?
An organization has implemented a preventive control to lock user accounts after three unsuccessful login attempts. This practice has been proven to be unproductive, and a change in the control threshold value has been recommended. Who should authorize changing this threshold?
An employee lost a personal mobile device that may contain sensitive corporate information. What should be the risk practitioner's recommendation?
An application runs a scheduled job that compiles financial data from multiple business systems and updates the financial reporting system. If this job runs too long, it can delay financial reporting. Which of the following is the risk practitioner's BEST recommendation?
Which of the following is the GREATEST benefit to an organization when updates to the risk register are made promptly after the completion of a risk assessment?
Which of the following is the MOST effective control to maintain the integrity of system configuration files?
Which of the following should be the FIRST consideration when a business unit wants to use personal information for a purpose other than for which it was originally collected?
Which of the following is a risk practitioner's BEST recommendation to address an organization's need to secure multiple systems with limited IT resources?
Which of the following is the GREATEST benefit of analyzing logs collected from different systems?
Which of the following presents the GREATEST risk to change control in business application development over the complete life cycle?
During implementation of an intrusion detection system (IDS) to monitor network traffic, a high number of alerts is reported. The risk practitioner should recommend to:
A vulnerability assessment of a vendor-supplied solution has revealed that the software is susceptible to cross-site scripting and SQL injection attacks. Which of the following will BEST mitigate this issue?
The PRIMARY purpose of IT control status reporting is to:
An organization automatically approves exceptions to security policies on a recurring basis. This practice is MOST likely the result of:
A risk practitioner has been asked to advise management on developing a log collection and correlation strategy. Which of the following should be the MOST important consideration when developing this strategy?
Which of the following is MOST important when developing risk scenarios?
Which of the following roles is BEST suited to help a risk practitioner understand the impact of IT-related events on business objectives?
Upon learning that the number of failed back-up attempts continually exceeds the current risk threshold, the risk practitioner should:
Which of the following is the MOST effective way to incorporate stakeholder concerns when developing risk scenarios?
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery test of critical business processes?
The PRIMARY objective of a risk identification process is to:
Which of the following is the BEST recommendation to senior management when the results of a risk and control assessment indicate a risk scenario can only be partially mitigated?
Determining if organizational risk is tolerable requires:
Which of the following approaches will BEST help to ensure the effectiveness of risk awareness training?
Which of the following is the BEST control to detect an advanced persistent threat (APT)?
Which of the following BEST enables a risk practitioner to enhance understanding of risk among stakeholders?
Which of the following should be the PRIMARY focus of a risk owner once a decision is made to mitigate a risk?
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an antivirus program?
Which of the following is MOST important when developing key performance indicators (KPIs)?
When reviewing management's IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?
Which of the following is the MOST important requirement for monitoring key risk indicators (KRls) using log analysis?
The MOST effective way to increase the likelihood that risk responses will be implemented is to:
Which of the following is the MAIN reason for documenting the performance of controls?
Which of the following will BEST mitigate the risk associated with IT and business misalignment?
A risk practitioner discovers several key documents detailing the design of a product currently in development have been posted on the Internet. What should be the risk practitioner's FIRST course of action?
Which of the following BEST provides an early warning that network access of terminated employees is not being revoked in accordance with the service level agreement (SLA)?
Which of the following would BEST help minimize the risk associated with social engineering threats?
A risk practitioner is organizing risk awareness training for senior management. Which of the following is the MOST important topic to cover in the training session?
What is the BEST information to present to business control owners when justifying costs related to controls?
A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable?
A review of an organization s controls has determined its data loss prevention {DLP) system is currently failing to detect outgoing emails containing credit card data. Which of the following would be MOST impacted?
An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:
Which of the following should be the PRIMARY consideration when assessing the automation of control monitoring?
The PRIMARY reason a risk practitioner would be interested in an internal audit report is to:
Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?
Which of the following risk register updates is MOST important for senior management to review?
Which of the following would be considered a vulnerability?
During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall. Which of the following controls has MOST likely been compromised?
In an organization with a mature risk management program, which of the following would provide the BEST evidence that the IT risk profile is up to date?
The PRIMARY benefit of maintaining an up-to-date risk register is that it helps to:
Which of the following is the MOST useful indicator to measure the efficiency of an identity and access management process?
Which of the following would BEST help to ensure that identified risk is efficiently managed?
After a risk has been identified, who is in the BEST position to select the appropriate risk treatment option?
Which of the following should be the HIGHEST priority when developing a risk response?
Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?
Which of the following is the BEST method to identify unnecessary controls?
A risk practitioner has observed that there is an increasing trend of users sending sensitive information by email without using encryption. Which of the following would be the MOST effective approach to mitigate the risk associated with data loss?
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery plan (DRP)?
The PRIMARY objective of testing the effectiveness of a new control before implementation is to:
Which of the following elements of a risk register is MOST likely to change as a result of change in management's risk appetite?
Which of the following should be the PRIMARY objective of promoting a risk-aware culture within an organization?
IT management has asked for a consolidated view into the organization's risk profile to enable project prioritization and resource allocation. Which of the following materials would
be MOST helpful?
During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:
Which of the following is the MOST important outcome of reviewing the risk management process?
Which of the following is the MOST important benefit of key risk indicators (KRIs)'
Which of the following helps ensure compliance with a nonrepudiation policy requirement for electronic transactions?
In addition to the risk register, what should a risk practitioner review to develop an understanding of the organization's risk profile?
Which of the following will BEST quantify the risk associated with malicious users in an organization?
Which of the following is the PRIMARY reason for a risk practitioner to use global standards related to risk management?
Which of the following would be- MOST helpful to understand the impact of a new technology system on an organization's current risk profile?
Who should be accountable for ensuring effective cybersecurity controls are established?
Which of the following would be MOST useful when measuring the progress of a risk response action plan?
Which of the following should be the risk practitioner s PRIMARY focus when determining whether controls are adequate to mitigate risk?
Which of the following is the GREATEST concern when an organization uses a managed security service provider as a firewall administrator?
Performing a background check on a new employee candidate before hiring is an example of what type of control?
Which of the following should be initiated when a high number of noncompliant conditions are observed during review of a control procedure?
An organization's risk practitioner learns a new third-party system on the corporate network has introduced vulnerabilities that could compromise corporate IT systems. What should the risk practitioner do
FIRST?
Which of the following is the BEST way to identify changes in the risk profile of an organization?
Which of the following would be MOST beneficial as a key risk indicator (KRI)?
An organization has introduced risk ownership to establish clear accountability for each process. To ensure effective risk ownership, it is MOST important that:
Which of The following is the PRIMARY consideration when establishing an organization's risk management methodology?
The implementation of a risk treatment plan will exceed the resources originally allocated for the risk response. Which of the following should be the risk owner's NEXT action?
Which of the following can be interpreted from a single data point on a risk heat map?
A bank has outsourced its statement printing function to an external service provider. Which of the following is the MOST critical requirement to include in the contract?
A control owner identifies that the organization's shared drive contains personally identifiable information (Pll) that can be accessed by all personnel. Which of the following is the MOST effective risk response?
A risk practitioner has been notified that an employee sent an email in error containing customers' personally identifiable information (Pll). Which of the following is the risk practitioner's BEST course of action?
An organization's risk tolerance should be defined and approved by which of the following?
A bank wants to send a critical payment order via email to one of its offshore branches. Which of the following is the BEST way to ensure the message reaches the intended recipient without alteration?
Which of the following would MOST likely cause a risk practitioner to reassess risk scenarios?
Which of the following is MOST important to ensure when continuously monitoring the performance of a client-facing application?
Objectives are confirmed with the business owner.
Control owners approve control changes.
End-user acceptance testing has been conducted.
Performance information in the log is encrypted.
Which of the following could BEST detect an in-house developer inserting malicious functions into a web-based application?
Which of the following provides the BEST evidence that risk responses have been executed according to their risk action plans?
Which of the following is the BEST approach for performing a business impact analysis (BIA) of a supply-chain management application?
Which of the following will BEST help an organization evaluate the control environment of several third-party vendors?
The BEST way to demonstrate alignment of the risk profile with business objectives is through:
Which of the following would BEST help secure online financial transactions from improper users?
Which of the following is the BEST course of action when risk is found to be above the acceptable risk appetite?
Which of the following is a KEY outcome of risk ownership?
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an anti-virus program?
Which of the following is the GREATEST concern when using a generic set of IT risk scenarios for risk analysis?
Which of the following is performed after a risk assessment is completed?
After migrating a key financial system to a new provider, it was discovered that a developer could gain access to the production environment. Which of the following is the BEST way to mitigate the risk in this situation?
Which of the following is MOST important when discussing risk within an organization?
What are the MOST important criteria to consider when developing a data classification scheme to facilitate risk assessment and the prioritization of risk mitigation activities?
Which of the following risk scenarios would be the GREATEST concern as a result of a single sign-on implementation?
The PRIMARY reason for periodic penetration testing of Internet-facing applications is to:
Which of the following is the BEST way to support communication of emerging risk?
The risk associated with a high-risk vulnerability in an application is owned by the:
Which of the following should be included in a risk assessment report to BEST facilitate senior management's understanding of the results?
A risk practitioner is reviewing a vendor contract and finds there is no clause to control privileged access to the organization's systems by vendor employees. Which of the following is the risk practitioner's BEST course of action?
A key risk indicator (KRI) indicates a reduction in the percentage of appropriately patched servers. Which of the following is the risk practitioner's BEST course of action?
The MAIN purpose of having a documented risk profile is to:
The GREATEST concern when maintaining a risk register is that:
A new regulator/ requirement imposes severe fines for data leakage involving customers' personally identifiable information (Pll). The risk practitioner has recommended avoiding the risk. Which of the following actions would BEST align with this recommendation?
A risk practitioner has just learned about new done FIRST?
A recent internal risk review reveals the majority of core IT application recovery time objectives (RTOs) have exceeded the maximum time defined by the business application owners. Which of the following is MOST likely to change as a result?
Within the three lines of defense model, the accountability for the system of internal control resides with:
Which of the following risk register elements is MOST likely to be updated if the attack surface or exposure of an asset is reduced?
Which of the following is the MOST important information to cover a business continuity awareness Ira nine, program for all employees of the organization?
Which of the following is the MOST important objective from a cost perspective for considering aggregated risk responses in an organization?
A zero-day vulnerability has been discovered in a globally used brand of hardware server that allows hackers to gain
access to affected IT systems. Which of the following is MOST likely to change as a result of this situation?
The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for.
Which of the following stakeholders are typically included as part of a line of defense within the three lines of defense model?
Which of the following is the BEST indication that key risk indicators (KRls) should be revised?
When implementing an IT risk management program, which of the following is the BEST time to evaluate current control effectiveness?
A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner's NEXT step?
Which of the following would BEST enable a risk-based decision when considering the use of an emerging technology for data processing?
An organization is implementing robotic process automation (RPA) to streamline business processes. Given that implementation of this technology is expected to impact existing controls, which of the following is the risk practitioner's BEST course of action?
Which of the following is the MOST important characteristic of a key risk indicator (KRI) to enable decision-making?
Which of the following would provide the MOST reliable evidence of the effectiveness of security controls implemented for a web application?
Which of the following would MOST likely require a risk practitioner to update the risk register?
Which of the following is the BEST method of creating risk awareness in an organization?
Which of the following is the MOST effective way for a large and diversified organization to minimize risk associated with unauthorized software on company devices?
Which of the following would be the BEST way for a risk practitioner to validate the effectiveness of a patching program?
Senior management is deciding whether to share confidential data with the organization's business partners. The BEST course of action for a risk practitioner would be to submit a report to senior management containing the:
Which of the following is the result of a realized risk scenario?
Which of the following is the BEST way to validate whether controls to reduce user device vulnerabilities have been implemented according to management's action plan?
An organization is adopting blockchain for a new financial system. Which of the following should be the GREATEST concern for a risk practitioner evaluating the system's production readiness?
A root because analysis indicates a major service disruption due to a lack of competency of newly hired IT system administrators Who should be accountable for resolving the situation?
A MAJOR advantage of using key risk indicators (KRis) is that (hey
Which of the following proposed benefits is MOST likely to influence senior management approval to reallocate budget for a new security initiative?
When preparing a risk status report for periodic review by senior management, it is MOST important to ensure the report includes
Which of the following BEST enables risk-based decision making in support of a business continuity plan (BCP)?
Which of the following resources is MOST helpful to a risk practitioner when updating the likelihood rating in the risk register?
When reviewing the business continuity plan (BCP) of an online sales order system, a risk practitioner notices that the recovery time objective (RTO) has a shorter lime than what is defined in the disaster recovery plan (DRP). Which of the following is the BEST way for the risk practitioner to address this concern?
An organization has made a decision to purchase a new IT system. During when phase of the system development life cycle (SDLC) will identified risk MOST likely lead to architecture and design trade-offs?
During a risk assessment, a key external technology supplier refuses to provide control design and effectiveness information, citing confidentiality concerns. What should the risk practitioner do NEXT?
Which of the following is MOST important for senior management to review during an acquisition?
What is the MAIN benefit of using a top-down approach to develop risk scenarios?
Which of the following would BEST facilitate the implementation of data classification requirements?
Which of the following is the GREATEST benefit of centralizing IT systems?
Which of the following is the PRIMARY objective of risk management?
An organization has experienced several incidents of extended network outages that have exceeded tolerance. Which of the following should be the risk practitioner's FIRST step to address this situation?
The BEST metric to demonstrate that servers are configured securely is the total number of servers:
The MOST important measure of the effectiveness of risk management in project implementation is the percentage of projects:
Which of the following is MOST important to update when an organization's risk appetite changes?
Who is the BEST person to the employee personal data?
A company has recently acquired a customer relationship management (CRM) application from a certified software vendor. Which of the following will BE ST help lo prevent technical vulnerabilities from being exploded?
An organization's chief information officer (CIO) has proposed investing in a new. untested technology to take advantage of being first to market Senior management has concerns about the success of the project and has set a limit for expenditures before final approval. This conditional approval indicates the organization's risk:
A risk practitioner implemented a process to notify management of emergency changes that may not be approved. Which of the following is the BEST way to provide this information to management?
Which of the following activities BEST facilitates effective risk management throughout the organization?
Which of the following would be the result of a significant increase in the motivation of a malicious threat actor?