Which of the following is the MOST important consideration when developing risk strategies?
Long-term organizational goals
-The foremost consideration is ensuring that the strategies align with the long-term organizational goals.
Which of the following is a risk practitioner's BEST recommendation upon learning that an employee inadvertently disclosed sensitive data to a vendor?
Invoke the incident response plan
-The incident response plan is designed to coordinate a timely and effective response to security incidents, including data breaches and accidental disclosures.
Which of the following is the MOST effective way for a large and diversified organization to minimize risk associated with unauthorized software on company devices?
Scan end points for applications not included in the asset inventory
-Continuous, automated scanning ensures that any unauthorized or unmanaged software is identified and removed promptly.
Which of the following is the BEST way to help ensure risk will be managed properly after a business process has been re-engineered?
Reassessing control effectiveness of the process
This ensures that new risks are identified and addressed, existing controls are still effective, compliance and security requirements are maintained, and gaps are identified before they can be exploited.
The BEST way for an organization to ensure that servers are compliant to security policy is to review:
configuration settings
Reviewing configuration settings is the best way to ensure that servers are compliant with security policy, because security policies define how systems should be configured to maintain security and compliance.
Which of the following BEST balances the costs and benefits of managing IT risk?
Prioritizing and addressing risk in line with risk appetite
-By aligning with risk appetite, the organization achieves an optimal balance between protection and cost efficiency.
Which of the following is MOST helpful in identifying appropriate business stakeholders to construct and assess IT risk scenarios?
Mapping each risk event to related business processes
-This ensures that stakeholders who are directly involved in the affected business processes are included in the risk assessment.
Which of the following elements of a risk register is MOST useful to share with key stakeholders to influence informed decision-making?
Mitigation plan
-It provides actionable information on how risks are being addressed.
Which of the following roles should be assigned accountability for monitoring risk levels?
Risk owner
- Monitoring the risk levels over time.
- Ensuring that controls are functioning effectively to mitigate the risk.
- Escalating issues if the risk exceeds acceptable thresholds (risk appetite/tolerance).
- Coordinating with control owners and risk practitioners to manage and monitor the risk on an ongoing basis.
An IT risk practitioner has been asked to regularly report on the overall status and effectiveness of the IT risk management program. Which of the following is MOST useful for this purpose?
Balanced scorecard
-The BSC enables senior management to make data-driven risk decisions by aligning IT risk performance with overall business goals.
Which of the following information would BEST promote understanding of IT risk among senior management?
IT incident trends
-Since senior management focuses on business impact and strategic decision-making, they are more likely to engage with historical incident data and trend analysis rather than purely technical reports.
Which of the following will BEST support management reporting on risk?
A risk register
It provides a structured and up-to-date view of organizational risks, making it the most effective tool for management reporting on risk trends, mitigation efforts, and overall risk exposure.
A risk practitioner has observed that risk owners have approved a high number of exceptions to the information security policy. Which of the following should be the risk practitioner's GREATEST concern?
Aggregate risk is approaching the tolerance threshold
-A high number of exceptions granted to information security policies increases aggregate risk, which could exceed the organization's risk tolerance and expose it to potential security threats.
An organization's control environment is MOST effective when:
controls perform as intended
-An organization's control environment is best measured by the extent to which its controls achieve their intended objectives.
Implementing which of the following controls would BEST reduce the impact of a vulnerability that has been exploited?
Corrective control
-Corrective controls minimize damage and restore systems after an attack or exploitation has occurred.
Which of the following will BEST help to ensure key risk indicators (KRIs) provide value to risk owners?
Timely notification
Timely notification ensures that risk owners can take proactive action to mitigate the potential impact before it escalates into an incident or breach.
Which of the following is the MOST effective way to help ensure senior management is informed about the organization's risk environment?
Create a risk program that includes a bottom-up approach
-A bottom-up approach ensures that risks identified at the operational and process levels are escalated to senior management, providing a complete and realistic picture of the organization's actual risk landscape.
An organization wants to transfer risk by purchasing cyber insurance. Which of the following would be MOST important for the risk practitioner to communicate to senior management for contract negotiation purposes?
Current annualized loss expectancy report
The annualized loss expectancy report provides this critical information by quantifying potential losses in monetary terms; senior management needs to understand the financial exposure the organization faces in case of a cyber incident.
An organization is preparing to transfer a large number of customer service representatives to the sales department. Of the following, who is responsible for mitigating the risk associated with residual system access?
Customer service manager
-The customer service manager is ultimately responsible for mitigating risks associated with residual system access because they own the employees who are transferring.
An incentive program is MOST likely implemented to manage the risk associated with loss of which organizational asset?
Employees
-Incentive programs are primarily implemented to manage the risk of losing key employees.
Which of the following should be of MOST concern to a risk practitioner reviewing the system development life cycle (SDLC)?
Segregation of duties controls are overridden during user testing phases
-Segregation of duties (SoD) is a fundamental internal control designed to prevent fraud, unauthorized transactions, and errors.
An organization is participating in an industry benchmarking study that involves providing customer transaction records for analysis. Which of the following is the MOST important control to ensure the privacy of customer information?
Data anonymization
-Anonymization involves removing or obfuscating personally identifiable information (PII) so that individual customers cannot be identified from the data.
Which of the following potential scenarios associated with the implementation of a new database technology presents the GREATEST risk to an organization?
Data may not be recoverable due to system failures
-From ISACA's CRISC risk management perspective, the GREATEST risk is the potential loss of data due to system failures; this is a direct threat to data integrity and availability.
Who is PRIMARILY accountable for risk treatment decisions?
Risk owner
- Evaluating risk response options (mitigation, transfer, acceptance, or avoidance).
- Ensuring risk treatment aligns with business objectives and risk appetite.
- Implementing and monitoring controls to manage the risk effectively.
- Escalating unresolved risks to senior management when necessary.
Which of the following BEST protects an organization against breaches when using a software as a service (SaaS) application?
Data loss prevention (DLP) tools
DLP tools are designed to monitor and control the flow of sensitive data across the environment, including SaaS applications.
The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for:
data retention and destruction
The best way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to have well-defined data retention and destruction policies and procedures.
Which of the following would have the GREATEST impact on reducing the risk associated with the implementation of a big data project?
Data governance
Data governance provides a structured framework for data security, compliance, quality, and management.
Which of the following is the PRIMARY responsibility of a risk owner?
Deciding responses to identified risk
The primary responsibility of the risk owner is to decide the appropriate response to identified risks affecting their area of responsibility.
Which of the following is the MAIN purpose of monitoring risk?
Decision support
The primary purpose of monitoring risk is to provide timely and relevant information that supports management decisions.
An organization has decided to postpone the assessment and treatment of several risk scenarios because stakeholders are unavailable. As a result of this decision, the risk associated with these new entries has been:
accepted
-Acceptance indicates that the organization acknowledges the risks but has chosen not to take any immediate action to mitigate, transfer, or otherwise treat them at this time.
-Deferral is informal and not a valid risk response strategy.
Which of the following is performed after a risk assessment is completed?
-After a risk assessment is completed, the next logical step is to define and decide on risk response options.
The PRIMARY reason to implement a formalized risk taxonomy is to:
reduce subjectivity in risk management
- A risk taxonomy ensures a consistent, standardized, and structured way of defining, categorizing, and assessing risks.
Which of the following would BEST support the integrity of online financial transactions?
Implementing blockchain technology
-Blockchain provides immutable records, decentralization, cryptographic security, and transparency and auditability.
Performing a background check on a new employee candidate before hiring is an example of what type of control?
Preventive
conducting a background check before hiring helps prevent hiring individuals
The MAJOR reason to classify information assets is to:
determine their sensitivity and criticality
Sensitivity and criticality drive the level of protection needed for each asset.
What is the PRIMARY role of the application owner when changes are being introduced into an existing environment?
Approving the proposed changes based on impact analysis
The PRIMARY role of the application owner in the change management process is to review and approve proposed changes that affect their application.
The results of a risk assessment reveal risk scenarios with high impact and low likelihood of occurrence. Which of the following would be the BEST action to address these scenarios?
Develop a risk response plan
-After the risk assessment, create a risk response plan: a structured approach to mitigating or responding to such risks.
An organization expects to continually deal with severe distributed denial of service (DDoS) attacks from hacktivist groups. Which of the following is the BEST recommendation to help address this threat?
Implement Internet service provider (ISP) redundancy
ISP redundancy is the best long-term strategy to maintain service availability.
Which of the following would present the GREATEST challenge for a risk practitioner during a merger of two organizations?
Variances between organizational risk appetites
-This is a strategic-level concern that affects every aspect of risk management, from risk identification to risk response.
Which of the following MOST effectively ensures controls are built into applications during development?
Engagement of security team early in the systems development life cycle (SDLC)
-Early engagement allows security requirements to be addressed from the initial design stage rather than being retrofitted at later stages.
Which of the following BEST assists in justifying an investment in automated controls?
Cost-benefit analysis
Which of the following risk-related information is MOST valuable to senior management when formulating an IT strategic plan?
IT risk appetite statement
- A framework for decision-making
- Clarity on acceptable risk levels
- Alignment with business goals
- Foundation for resource allocation
Which of the following is the BEST indication that an organization has a mature risk awareness program?
Employees consider risk when making decisions
-A mature risk awareness program is one in which employees naturally integrate risk considerations into their decisions.
Which of the following should be the PRIMARY goal of developing information security metrics?
Enabling continuous improvement
Security metrics are primarily developed to provide objective data on the performance and effectiveness of security controls and processes.
Which of the following is the BEST way to protect sensitive data from administrators within a public cloud?
Encrypt data before it leaves the organization.
-The organization should ensure that the data is encrypted before it ever leaves its premises.
Which of the following methods is an example of risk mitigation?
Enforcing change and configuration management processes
Which of the following is the PRIMARY reason for monitoring activities performed in a production database environment?
Deterring illicit actions of database administrators
Without proper monitoring, DBAs could abuse their elevated privileges to manipulate records, steal data, or cover up unauthorized actions.
Senior management wants to increase investment in the organization's cybersecurity program in response to changes in the external threat landscape. Which of the following would BEST help to prioritize investment efforts?
Reviewing the outcome of the latest security risk assessment
The organization can align cybersecurity investments with the most critical risks and ensure the best return on investment (ROI) for security enhancements.
Which of the following is the MOST important consideration for the board and senior leadership regarding the organization's approach to risk management for emerging technologies?
Ensuring the risk framework and policies are suitable for emerging technologies
Ensuring framework adaptability allows for agility in managing evolving threats, compliance requirements, and operational risks.
Which of the following should be the PRIMARY consideration when assessing tools for automated control monitoring?
Cost-benefit analysis
-This ensures that the investment in automation tools provides a tangible return in terms of efficiency, risk mitigation, and overall operational effectiveness.
Which of the following provides the MOST useful information to trace the impact of aggregated risk across an organization's technical environment?
Enterprise architecture (EA) documentation
By using EA documentation, a risk practitioner can assess how a single point of failure or security issue in one system might cascade into other systems, leading to a broader organizational impact.
Which of the following controls will BEST mitigate risk associated with excessive access privileges?
Entitlement reviews
-Entitlement reviews allow management to validate the principle of least privilege and remove unnecessary access.
A risk assessment of an organization's architecture reveals that the middleware systems have a severe vulnerability that could compromise the confidentiality of record processing. Which of the following is the risk practitioner's BEST course of action?
Develop a remediation plan with the business process owner.
Developing a remediation plan with the business process owner ensures a structured and business-aligned approach to mitigating the severe vulnerability, making it the most effective initial response.
Which of the following should be done FIRST to enable consistent understanding of risk across the organization?
Establish a common risk taxonomy for the organization.
A common risk taxonomy is essential for ensuring a consistent and standardized understanding of risk across the organization.
Which of the following is MOST important for managing ethical risk?
Establishing a code of conduct for employee behavior
-A code of conduct is the foundation of ethical risk management within an organization.
Which of the following is the MOST important risk management activity during project initiation?
Identifying key risk stakeholders
Without knowing who the key stakeholders are, the project's risk management efforts lack alignment with business needs, and important risk-related decisions
Which of the following is MOST helpful in preventing risk events from materializing?
Establishing key risk indicators (KRIs)
KRIs allow organizations to monitor critical risk areas continuously, ensuring that preventive measures can be implemented before a risk event escalates.
Which of the following should be done FIRST when developing a business continuity plan (BCP)?
Identifying critical business functions
-While the business impact analysis (BIA) is crucial, it comes after identifying critical business functions.
A risk owner has identified a risk with high impact and very low likelihood. The potential loss is covered by insurance. Which of the following should the risk practitioner do NEXT?
Update the risk register
Once the risk owner has identified the risk and determined that the potential loss is covered by insurance, the organization has transferred the risk, which is a valid risk response option.
The PRIMARY objective of testing the effectiveness of a new control before implementation is to:
evaluate the degree of risk mitigation
The primary objective of testing the effectiveness of a new control before implementation is to determine whether the control sufficiently mitigates the identified risk to an acceptable level.
The BEST metric to demonstrate that servers are configured securely is the total number of servers:
meeting the baseline for hardening
Ensuring that servers meet the baseline for hardening confirms that industry best practices and organizational security policies are followed, making it the best metric to demonstrate secure configuration.