Free Certification Practice Questions

ISACA-CRISC

Controls should be defined during the design phase of system development because:
#601
Which of the following will BEST support management reporting on risk?
#602
Which of the following provides the BEST evidence that a selected risk treatment plan is effective?
#603
Which of the following conditions presents the GREATEST risk to an application?
#604
To reduce costs, an organization is combining the second and third lines of defense in a new department that reports to a recently appointed C-level executive. Which of the following is the GREATEST concern with this situation?
#605
Which of the following is the BEST way for a risk practitioner to verify that management has addressed control issues identified during a previous external audit?
#606
Which of the following is MOST important to have in place to ensure the effectiveness of risk and security metrics reporting?
#607
Which of the following is the MOST appropriate key risk indicator (KRI) for backup media that is recycled monthly?
#608
Which of the following BEST indicates the efficiency of a process for granting access privileges?
#609
Which of the following BEST indicates the effectiveness of anti-malware software?
#610
When establishing an enterprise IT risk management program, it is MOST important to:
#611
Which of the following is the BEST way to determine software license compliance?
#612
Which of the following is the GREATEST benefit of updating the risk register to include outcomes from a risk assessment?
#613
A company has located its computer center on a moderate earthquake fault. Which of the following is the MOST important consideration when establishing a contingency plan and an alternate processing site?
#614
Which of the following provides the MOST important information to facilitate a risk response decision?
#615
Which of the following BEST contributes to the implementation of an effective risk response action plan?
#616
Implementing which of the following controls would BEST reduce the impact of a vulnerability that has been exploited?
#617
Which of the following is the MOST important reason to test new controls?
#618
A new international data privacy regulation requires personal data to be disposed of after the specified retention period, which is different from the local regulatory requirement. Which of the following is the risk practitioner's BEST recommendation to resolve the disparity?
#619
Which of the following should be the MAIN consideration when validating an organization's risk appetite?
#620
Which of the following would MOST likely result in updates to an IT risk profile?
#621
A risk practitioner notices a risk scenario associated with data loss at the organization's cloud provider is assigned to the provider. Who should the risk scenario be reassigned to?
#622
Who is MOST likely to be responsible for the coordination between the IT risk strategy and the business risk strategy?
#623
Which of the following is MOST important for an organization that wants to reduce IT operational risk?
#624
The MAIN goal of the risk analysis process is to determine the:
#625
An IT organization is replacing the customer relationship management (CRM) system. Who should own the risk associated with customer data leakage caused by insufficient IT security controls for the new system?
#626
An organization has identified that terminated employee accounts are not disabled or deleted within the time required by corporate policy. Unsure of the reason, the organization has decided to monitor the situation for three months to obtain more information. As a result of this decision, the risk has been:
#627
Which of the following is the BEST key performance indicator (KPI) for determining how well an IT policy is aligned to business requirements?
#628
The PRIMARY purpose of a maturity model is to compare the:
#629
Which of the following is the MAIN reason for analyzing risk scenarios?
#630