Which of the following is the BEST control to mitigate the risk when a critical customer-facing application has been susceptible to recent credential stuffing attacks?
Implement multi-factor authentication
- Credential stuffing replays username/password pairs leaked from other breaches, so password controls alone do not stop it. With MFA, even valid stolen credentials do not grant access without the additional authentication factor.
Which of the following is the PRIMARY objective of risk management?
Achieve business objectives
-The PRIMARY objective of risk management is to ensure that the organization can achieve its business objectives
Employees of an organization are using an unapproved cloud-based service to share their company calendars. The employees have been attaching files to calendar invitations. Which of the following would MOST effectively mitigate the risk of data loss?
Implement a technical solution that prevents syncing
- Preventing the sync ensures that sensitive files never leave the organization's control.
Which of the following BEST helps to identify significant events that could impact an organization?
Scenario analysis
- proactive risk assessment method that helps organizations identify, analyze, and plan for significant events that could disrupt operations. By using scenario-based risk identification, organizations can anticipate potential crises and plan accordingly, ensuring resilience and business continuity.
Which of the following presents the GREATEST risk to an organization with a large number of Internet of Things (IoT) devices within its network?
Insufficient IoT policies and procedures
- The GREATEST risk is the lack of sufficient policies and procedures to govern the management, security, and lifecycle of these devices. Without them, IoT devices are left with default credentials, unpatched firmware, and no ownership, which leads to unauthorized access, data breaches, and compromise of critical systems.
Which of the following will MOST effectively align IT controls with corporate risk tolerance?
Internal policies approved by stakeholders
- Policies serve as the foundation for IT governance and risk management, ensuring that IT controls are aligned with best practices and tailored to the organization's specific risk posture
Which of the following BEST enables effective IT control implementation?
Information security standards
- Effective control implementation requires clear standards that define the minimum requirements for controls. This ensures that all teams work toward the same objectives with consistent expectations and measurable outcomes.
An organization has made a decision to purchase a new IT system. During which phase of the system development life cycle (SDLC) will identified risk MOST likely lead to architecture and design trade-offs?
Acquisition phase
- risks identified during earlier planning and feasibility assessments are taken into account when evaluating vendors, system architectures, and design alternatives. This is when trade-offs in architecture and design occur—balancing factors such as security, performance, integration capabilities, and cost.
The PRIMARY purpose of IT control status reporting is to:
facilitate the comparison of the current and desired states
- IT control status reporting tracks and evaluates the effectiveness of implemented controls by comparing the current state (actual performance) with the desired state (expected performance or compliance goals).
Which of the following would be the GREATEST risk associated with conducting a parallel run during the replacement of a legacy system?
Undetected data inconsistency
- The GREATEST risk associated with conducting a parallel run during the replacement of a legacy system is undetected data inconsistency between the legacy system and the new system. Detecting and reconciling these inconsistencies is critical to ensuring data integrity and system accuracy before fully switching to the new system.
As part of business continuity planning, which of the following is MOST important to include in a business impact analysis (BIA)?
An assessment of recovery scenarios
- A BIA identifies critical business functions, quantifies the potential losses or impacts if those functions are disrupted, and determines the recovery requirements (such as recovery time and recovery point objectives) that recovery scenarios must satisfy.
Which of the following is MOST important for the organization to consider before implementing a new in-house developed artificial intelligence (AI) solution?
Expected algorithm outputs
- Before deployment, the organization must understand what outputs the AI algorithms are expected to produce so that it can exercise proper oversight, detect incorrect or biased results, and judge whether the solution meets business and compliance requirements.
Which of the following is the PRIMARY risk management responsibility of the second line of defense?
Monitoring risk responses
- The second line of defense (risk management, compliance, and similar functions) plays an oversight role: its PRIMARY responsibility is to monitor whether the risk responses chosen by the first line (operational management) are implemented and remain effective.
An IT risk profile should be reviewed and updated when a new
risk scenario has been developed
- When a new risk scenario is developed, it introduces new potential events, threats, and vulnerabilities that could impact the organization
From a risk management perspective, which of the following is the PRIMARY benefit of using automated system configuration validation tools?
Residual risk is reduced
- Automated configuration validation tools help detect and remediate misconfigurations before they can be exploited, which reduces the residual risk that remains after controls are in place.
Before assigning sensitivity levels to information, it is MOST important to
define the information classification policy
- Before assigning sensitivity levels, an information classification policy must be established to ensure consistency, clarity, and alignment with business and regulatory requirements.
An organization recently completed a major restructuring project to reduce overhead costs by streamlining the approval hierarchy. Which of the following should be done FIRST by the control owner?
Evaluate effectiveness of risk responses
- After a major restructuring that changes the approval hierarchy, the FIRST action for the control owner should be to evaluate whether the existing risk responses (including approval-based controls) are still effective under the new structure.
An organization must implement changes as the result of new regulations. Which of the following should the risk practitioner do FIRST to prepare for these changes?
Conduct a gap analysis
- A gap analysis is the first step in understanding the difference between current processes and the new regulatory requirements.
Management has implemented two new preventative controls to address a risk found in an audit. Following closure of the issue, which of the following is MOST important to update in the risk register?
Likelihood
- When preventative controls are implemented, they reduce the likelihood that a risk event will occur.
Which of the following will MOST likely change as a result of the decrease in risk appetite due to a new privacy regulation?
Key risk indicator (KRI) thresholds
- When the organization's risk appetite decreases due to a new privacy regulation, it is less willing to accept certain levels of risk. KRI thresholds (the points at which an indicator triggers escalation) will therefore need to be tightened to align with the stricter requirements.
Which of the following is the GREATEST concern if the recovery time objective (RTO) is not achieved during a disaster recovery test?
Inadequate system availability
- System availability is the core purpose of disaster recovery, and failure to meet the defined RTO signals that availability expectations have not been met, which directly impacts business continuity
Which element of an organization's risk register is MOST important to update following the commissioning of a new financial reporting system?
The risk rating of affected financial processes
- When a new financial reporting system is introduced, the risk profile of financial processes changes, requiring an update in the risk rating of affected processes. By updating the risk rating, the organization ensures that its risk management efforts remain aligned with actual risk exposure and can implement appropriate mitigation strategies.
Which of the following are the MOST important inputs when determining the desired state of IT risk during gap analysis?
IT risk strategy and organizational requirements
- The IT risk strategy defines how the organization intends to manage IT risk in alignment with business goals. Organizational requirements encompass business objectives, regulatory requirements, stakeholder expectations, and operational needs. Together these elements describe where the organization wants to be in terms of IT risk management, which is the desired state.
Which of the following is the MOST valuable data source to support the optimization of an existing key risk indicator (KRI)?
Historical losses and incidents
- Optimizing a key risk indicator (KRI) requires accurate, real-world data that reflects how risks have materialized in the past.
Which of the following is MOST helpful in providing a high-level overview of current IT risk severity?
Heat map
- A heat map visually represents risks based on their likelihood and impact, making it particularly effective for providing a high-level overview of the current severity of IT risks
Which of the following groups would provide the MOST relevant perspective when reporting loss exposure based on a risk analysis exercise?
Senior management
- When reporting loss exposure based on a risk analysis exercise, senior management provides the MOST relevant perspective, because they own the organization-wide view of risk appetite and can weigh the exposure against business objectives.
- While process owners understand operational risks, they typically focus on specific process-level risks rather than an organization-wide perspective on loss exposure.
Which of the following is MOST likely to introduce risk for financial institutions that use blockchain?
Increase in attack surface area
- The risk MOST likely introduced by using blockchain technology is an increase in attack surface area: new nodes, keys and wallets, smart contracts, and integration points with existing systems, each of which can be targeted.
An organization has updated its acceptable use policy to mitigate the risk of employees disclosing confidential information. Which of the following is the BEST way to reinforce the effectiveness of this policy?
Train all staff on relevant information security best practices
- Security awareness training is a fundamental component of any information security program
The objective of aligning mitigating controls to risk appetite is to ensure that:
the cost of controls does not exceed the expected loss
- The primary objective of aligning mitigating controls to risk appetite is to ensure that:
1. The organization does not over-control or under-control risks.
2. The cost of the control is justified by the level of risk reduction it provides (also known as cost-effectiveness or cost-benefit analysis in risk management).
3. Residual risk is kept within the defined risk appetite — but without unnecessary overspending on controls.
Which of the following is BEST to use as a basis for developing a comprehensive list of IT risk scenarios?
IT asset inventory
- A comprehensive IT risk scenario list should be based on IT assets because risks originate from vulnerabilities, threats, and exposures related to these assets
Which of the following is the PRIMARY reason to ensure policies and standards are properly documented within the risk management process?
It establishes a means for senior management to formally approve risk practices.
- Properly documenting policies and standards within the risk management process is critical for ensuring that senior management has a formal record of risk management practices, which can be reviewed and formally approved.
Controls should be defined during the design phase of system development because:
it is more cost-effective to determine controls in the early design phase
- Defining controls at design time is a proactive approach that reduces the cost and effort required to implement, test, and fix security gaps later in the development lifecycle, when changes are far more expensive.
What is the PRIMARY benefit of risk monitoring?
It facilitates risk-aware decision making
- Ongoing monitoring provides management with up-to-date information on the organization's risk posture, enabling them to make informed and timely decisions.
Which of the following should be the PRIMARY consideration when quantifying the risk associated with regulatory noncompliance?
Value of punitive penalties and fines
- When assessing regulatory noncompliance risk, organizations must quantify the financial impact of potential violations.
Which of the following enterprise architecture (EA) practices BEST reduces the impact of a successful attack?
Segmentation
- Network and system segmentation is the best enterprise architecture (EA) practice to reduce the impact of a successful attack because it limits lateral movement within the network and restricts an attacker's ability to escalate privileges or access critical systems
External auditors have found that management has not effectively monitored key security technologies that support regulatory objectives. Which type of indicator would BEST enable the organization to identify and correct this situation?
Key control indicator (KCI)
- Since the finding relates to the effectiveness of monitoring (a control activity), the best type of indicator is a KCI that tracks whether key controls (such as monitoring processes) are operating as intended.
Which of the following would MOST likely result in updates to an IT risk profile?
External audit findings
- Since audits provide independent verification of risk controls and their effectiveness, their findings often directly lead to updates in the IT risk profile.
Which of the following is MOST important to the integrity of a security log?
Inability to edit
- Security logs must be tamper-resistant to preserve their integrity, reliability, and usefulness for forensic analysis, auditing, and compliance. If entries can be edited after the fact, an attacker or insider can rewrite or remove the evidence of their own activity, so append-only storage with integrity checking matters more than any other log property.
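As an added illustration (not part of the original study set), the following Python example shows the property the answer describes: an append-only log whose records are chained with HMAC-SHA256, so that editing, reordering, or deleting an entry is detectable by verification. The sample events, the key, and the external "anchor" handling are assumptions made for the example.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample events; not taken from any real system.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00Z", "user": "alice", "action": "login", "result": "success"},
    {"ts": "2024-01-01T10:05:12Z", "user": "bob", "action": "login", "result": "failure"},
    {"ts": "2024-01-01T10:06:40Z", "user": "bob", "action": "sudo", "result": "denied"},
]

GENESIS = "0" * 64  # previous-MAC value used for the first entry


def canonical(event: dict) -> bytes:
    """Deterministic encoding so the same event always MACs the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def entry_mac(prev_mac: str, event: dict, key: bytes) -> str:
    """HMAC-SHA256 over (previous entry's MAC || canonical event)."""
    return hmac.new(key, prev_mac.encode() + canonical(event), hashlib.sha256).hexdigest()


def append_entry(chain: list, event: dict, key: bytes) -> dict:
    """Append one event; its MAC binds it to everything logged before it."""
    prev_mac = chain[-1]["mac"] if chain else GENESIS
    entry = {"event": event, "prev": prev_mac, "mac": entry_mac(prev_mac, event, key)}
    chain.append(entry)
    return entry


def build_chain(events, key: bytes) -> list:
    chain = []
    for event in events:
        append_entry(chain, event, key)
    return chain


def verify_chain(chain: list, key: bytes) -> int:
    """Return -1 if every link verifies, else the index of the first bad entry.

    Catches edited events, reordered entries and deleted middle entries.
    """
    prev_mac = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev_mac:
            return i
        expected = entry_mac(prev_mac, entry["event"], key)
        if not hmac.compare_digest(expected, entry["mac"]):
            return i
        prev_mac = entry["mac"]
    return -1


def verify_with_anchor(chain: list, key: bytes, anchored_mac: str) -> bool:
    """Chain check plus comparison against a head MAC stored elsewhere.

    The anchor (for example the latest MAC shipped to a separate log server)
    is what catches truncation: dropping the newest entries leaves a chain
    that still verifies on its own.
    """
    if verify_chain(chain, key) != -1:
        return False
    head = chain[-1]["mac"] if chain else GENESIS
    return hmac.compare_digest(head, anchored_mac)


def demo() -> dict:
    key = b"example-log-mac-key"  # assumption: held off the logging host (log server or HSM)
    chain = build_chain(SAMPLE_EVENTS, key)
    anchor = chain[-1]["mac"]  # would be sent to the remote log server after each append

    edited = copy.deepcopy(chain)
    edited[1]["event"]["result"] = "success"  # rewrite bob's failed login

    deleted = copy.deepcopy(chain)
    del deleted[1]  # remove the middle entry

    truncated = copy.deepcopy(chain)[:-1]  # drop the newest entry

    return {
        "intact": verify_chain(chain, key),
        "edited": verify_chain(edited, key),
        "deleted": verify_chain(deleted, key),
        "truncated_chain_only": verify_chain(truncated, key),
        "truncated_with_anchor": verify_with_anchor(truncated, key, anchor),
    }


if __name__ == "__main__":
    print(demo())
```

The chain alone reports the edited and deleted cases at index 1 but passes the truncated log, which is why the head MAC has to be anchored outside the system being logged; the same reasoning is why the exam answer favours logs that cannot be edited in place over logs that are merely hashed locally.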
A risk practitioner has been hired to establish risk management practices to be embedded across an organization. Which of the following should be the FIRST course of action?
Establish an organization-wide risk taxonomy
- CRISC emphasizes that risk management processes must be built on a clear, agreed-upon foundation — and that starts with defining terms, categories, and classifications in the form of a risk taxonomy.
Which of the following is MOST useful when performing a quantitative risk assessment?
Financial models
- A quantitative risk assessment relies on numerical data to measure risk, typically in financial terms. Financial models (for example, expected loss calculated from frequency and magnitude) are the most useful tool for producing those figures.
Which of the following is the MOST appropriate action when a tolerance threshold is exceeded?
Communicate potential impact to decision makers
- The immediate priority is to ensure that decision makers are made aware of the breach of the threshold so that they can review and adjust risk responses as needed.
Which of the following should a risk practitioner validate FIRST when a mitigating control cannot be implemented fully to support business objectives?
If the risk owner has accepted the risk
- Implementing compensating controls is an important step, but before considering alternative controls, the practitioner must confirm that the risk owner has formally accepted the residual risk that arises from the incomplete mitigation.
A highly regulated organization acquired a medical technology startup company that processes sensitive personal information with weak data protection controls. Which of the following is the BEST way for the acquiring company to reduce its risk while still enabling the flexibility needed by the startup company?
Classify and protect the data according to the parent company's internal standards
- This approach prioritizes data security while allowing the startup to continue operations with controlled risk exposure
Which of the following is the MOST important document regarding the treatment of sensitive data?
Information classification policy
- The information classification policy is the most critical document because it defines how data should be categorized based on sensitivity, risk, and business impact.
A risk practitioner implemented a process to notify management of emergency changes that may not be approved. Which of the following is the BEST way to provide this information to management?
Key risk indicators (KRIs)
- By using KRIs, management can be alerted to these risks in a timely manner, allowing them to take corrective action before the risk materializes into an actual incident
Which of the following MUST be updated to maintain an IT risk register?
Expected frequency and potential impact
- An IT risk register is a living document that must reflect the current state of risk exposure. To do so effectively, it is critical to update the risk's expected frequency and potential impact
Which of the following would be the BEST way for a risk practitioner to validate the effectiveness of a patching program?
Conduct vulnerability scans.
- Vulnerability scans directly identify unpatched systems and show whether known vulnerabilities still exist after patches are supposed to have been applied, which validates the outcome of the patching program rather than just its paperwork.