Free Certification Practice Questions

ISACA-CRISC

An organization is considering outsourcing user administration controls for a critical system. The potential vendor has offered to perform quarterly self-audits of its controls instead of having annual independent audits. Which of the following should be of GREATEST concern to the risk practitioner?
#181
The analysis of which of the following will BEST help validate whether suspicious network activity is malicious?
#182
Which of the following activities would BEST facilitate effective risk management throughout the organization?
#183
Which of the following data would be used when performing a business impact analysis (BIA)?
#184
Which of the following aspects of an IT risk and control self-assessment would be MOST important to include in a report to senior management?
#185
Which of the following is the MOST important factor affecting risk management in an organization?
#186
Which of the following provides the BEST measurement of an organization's risk management maturity level?
#187
When reviewing management's IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?
#188
The BEST way to determine the likelihood of a system availability risk scenario is by assessing the:
#189
When an organization's disaster recovery plan has a reciprocal agreement, which of the following risk treatment options is being applied?
#190
The BEST reason to classify IT assets during a risk assessment is to determine the:
#191
Which of the following would BEST help to ensure that suspicious network activity is identified?
#192
Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?
#193
A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:
#194
Which of the following is MOST important to the effectiveness of key performance indicators (KPIs)?
#195
What should be PRIMARILY responsible for establishing an organization's IT risk culture?
#196
Which of the following is the GREATEST benefit to an organization when updates to the risk register are made promptly after the completion of a risk assessment?
#197
After a high-profile systems breach at an organization's key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments: Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment?
#198
A change management process has recently been updated with new testing procedures. The NEXT course of action is to:
#199
For a large software development project, risk assessments are MOST effective when performed:
#200
All business units within an organization have the same risk response plan for creating local disaster recovery plans. In an effort to achieve cost effectiveness, the BEST course of action would be to:
#201
Which of the following approaches would BEST help to identify relevant risk scenarios?
#202
When developing IT risk scenarios, it is CRITICAL to involve:
#203
Before implementing instant messaging within an organization using a public solution, which of the following should be in place to mitigate data leakage risk?
#204
Which of the following would be an IT business owner's BEST course of action following an unexpected increase in emergency changes?
#205
Which of the following would require updates to an organization's IT risk register?
#206
IT stakeholders have asked a risk practitioner for IT risk profile reports associated with specific departments to allocate resources for risk mitigation. The BEST way to address this request would be to use:
#207
To help ensure the success of a major IT project, it is MOST important to:
#208
A risk practitioner is summarizing the results of a high-profile risk assessment sponsored by senior management. The BEST way to support risk-based decisions by senior management would be to:
#209
When determining which control deficiencies are most significant, which of the following would provide the MOST useful information?
#210