Free Certification Practice Questions

ISACA-CRISC

Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?
#481
After a risk has been identified, who is in the BEST position to select the appropriate risk treatment option?
#482
Which of the following is the MOST important requirement for monitoring key risk indicators (KRIs) using log analysis?
#483
Who is the MOST appropriate owner for newly identified IT risk?
#484
A risk practitioner is organizing risk awareness training for senior management. Which of the following is the MOST important topic to cover in the training session?
#485
An IT license audit has revealed that there are several unlicensed copies of commercial applications installed on company laptops. The risk practitioner's BEST course of action would be to:
#486
Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?
#487
Which of the following BEST indicates effective information security incident management?
#488
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery plan (DRP)?
#489
An organization is considering allowing users to access company data from their personal devices. Which of the following is the MOST important factor when assessing the risk?
#490
Whose risk tolerance matters MOST when making a risk decision?
#491
Which of the following is the MOST effective way to mitigate identified risk scenarios?
#492
Management has required information security awareness training to reduce the risk associated with credential compromise. What is the BEST way to assess the effectiveness of the training?
#493
Which of the following is the MOST important outcome of reviewing the risk management process?
#494
Which of the following is the MOST important characteristic of an effective risk management program?
#495
The BEST key performance indicator (KPI) to measure the effectiveness of a backup process would be the number of:
#496
When prioritizing risk response, management should FIRST:
#497
Which of the following is the PRIMARY reason to perform ongoing risk assessments?
#498
Which of the following is the PRIMARY objective of providing an aggregated view of IT risk to business management?
#499
An organization has implemented a preventive control to lock user accounts after three unsuccessful login attempts. This practice has been proven to be unproductive, and a change in the control threshold value has been recommended. Who should authorize changing this threshold?
#500
A rule-based data loss prevention (DLP) tool has recently been implemented to reduce the risk of sensitive data leakage. Which of the following is MOST likely to change as a result of this implementation?
#501
An organization has completed a project to implement encryption on all databases that host customer data. Which of the following elements of the risk register should be updated to reflect this change?
#502
A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?
#503
Which of the following is the MOST critical element to maximize the potential for a successful security implementation?
#504
Senior management has asked a risk practitioner to develop technical risk scenarios related to a recently developed enterprise resource planning (ERP) system. These scenarios will be owned by the system manager. Which of the following would be the BEST method to use when developing the scenarios?
#505
Which of the following is the MAIN reason for documenting the performance of controls?
#506
Which of the following is the MOST important element of a successful risk awareness training program?
#507
Whether the results of risk analysis should be presented in quantitative or qualitative terms should be based PRIMARILY on the:
#508
Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?
#509
Which of the following will BEST quantify the risk associated with malicious users in an organization?
#510