Free Certification Practice Questions

ISACA-CRISC

Which of the following is the PRIMARY consideration when establishing an organization's risk management methodology?
#241
Which of the following is the BEST metric to demonstrate the effectiveness of an organization's change management process?
#242
Which of the following is MOST helpful in developing key risk indicator thresholds?
#243
What is the PRIMARY reason to categorize risk scenarios by business process?
#244
Which of the following BEST indicates the effectiveness of an organization's data loss prevention (DLP) program?
#245
An organization has outsourced its IT security management function to an external service provider. The BEST party to own the IT security controls under this arrangement is the:
#246
Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?
#247
A risk practitioner has populated the risk register with industry-based generic risk scenarios to be further assessed by risk owners. Which of the following is the GREATEST concern with this approach?
#248
An identified high-probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy (ALE). Which of the following is the BEST risk response?
#249
Which of the following should be the PRIMARY focus of an IT risk awareness program?
#250
Which of the following is the BEST indicator of an effective IT security awareness program?
#251
Which of the following is the MOST important benefit of key risk indicators (KRIs)?
#252
Which of the following is the GREATEST concern associated with redundant data in an organization's inventory system?
#253
Employees are repeatedly seen holding the door open for others, so that trailing employees do not have to stop and swipe their own ID badges. This behavior BEST represents:
#254
Which of the following would BEST help minimize the risk associated with social engineering threats?
#255
When reviewing a business continuity plan (BCP), which of the following would be the MOST significant deficiency?
#256
An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:
#257
Which of the following should be the PRIMARY objective of promoting a risk-aware culture within an organization?
#258
An organization has experienced several incidents of extended network outages that have exceeded tolerance. Which of the following should be the risk practitioner's FIRST step to address this situation?
#259
Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited. Which of the following would be the BEST response to this scenario?
#260
The compensating control that MOST effectively addresses the risk associated with piggybacking into a restricted area without a dead-man door is:
#261
During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:
#262
An IT control gap has been identified in a key process. Who would be the MOST appropriate owner of the risk associated with this gap?
#263
Which of the following IT controls is MOST useful in mitigating the risk associated with inaccurate data?
#264
An assessment of information security controls has identified ineffective controls. Which of the following should be the risk practitioner's FIRST course of action?
#265
Which of the following is the GREATEST advantage of implementing a risk management program?
#266
Which of the following should be of MOST concern to a risk practitioner reviewing findings from a recent audit of an organization's data center?
#267
A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable?
#268
When developing risk scenarios, it is MOST important to ensure they are:
#269
An organization is planning to acquire a new financial system. Which of the following stakeholders would provide the MOST relevant information for analyzing the risk associated with the new IT solution?
#270