ISACA-CRISC

A risk practitioner discovers that a data center's air conditioning system cannot provide sufficient cooling. What else is MOST important to consider when predicting the probability of adverse business impact from this issue?

A risk practitioner observes that the network team responsible for maintaining the network infrastructure is severely understaffed, which could lead to operational losses. Which of the following is MOST directly affected by the risk practitioner's observation?

Which of the following BEST enables the development of a successful IT strategy focused on business risk mitigation?

Which of the following should be the PRIMARY role of the data owner in a risk management program?

Which of the following is the PRIMARY advantage of aligning generic risk scenarios with business objectives?

Which of the following is a risk factor associated with migrating to an Infrastructure as a Service (IaaS) public cloud service provider?

An organizational code of ethics is MOST useful as a:

An organization has modified its disaster recovery plan (DRP) to reflect recent changes in its IT environment. Which of the following is the PRIMARY reason to test the new plan?

Which of the following should be the MOST important consideration for prioritizing the development of risk scenarios?

An organization has sustained significant losses from a series of cyber events. Which of the following control types would MOST likely help reduce further losses?

What is the MOST important information provided by key performance indicators (KPIs) in a risk management program?

A large organization plans to take advantage of cloud computing to reduce costs; however, there are data-use restrictions that require certain data to remain on premise. Which cloud model should the risk practitioner recommend for this deployment?

Which of the following provides the BEST assurance that an organization will be able to defend against cyber attacks?

While participating in a scenario analysis exercise, a risk practitioner was asked to determine the reputational impact of a system outage. Which of the following would be the BEST approach?

Which of the following should be a risk practitioner's PRIMARY consideration when evaluating the possible impact of an adverse event affecting corporate information assets?

Which of the following BEST enables an organization to increase the likelihood of identifying risk associated with unethical employee behavior?

Which of the following is MOST important to include in an IT risk management policy?

An organization recently completed a major restructuring project to reduce overhead costs by streamlining the approval hierarchy. Which of the following should be done FIRST by the control owner?

A risk practitioner wants to identify potential risk events that affect the continuity of a critical business process. Which of the following should the risk practitioner do FIRST?

Which of the following is the MOST important information for determining inherent risk?

Which of the following activities should only be performed by the third line of defense?

Which of the following is MOST helpful in reducing the likelihood of inaccurate risk assessment results?

Which of the following is a risk practitioner's BEST recommendation to management when testing results indicate the organization's recovery time objective (RTO) cannot be met?

Which of the following is the GREATEST benefit of establishing a program to design, report, and monitor key control indicators (KCIs) as part of the risk management process?

Which of the following is the PRIMARY focus of enterprise architecture (EA)?

From an IT risk perspective, which of the following has the GREATEST impact on organizational strategy?

An organization recently experienced multiple breaches that were detected months later. Which of the following would be MOST useful for timely monitoring and analysis going forward?

Which of the following scenarios is MOST likely to cause a risk practitioner to request a formal risk acceptance sign-off?

Which of the following should be done FIRST when developing a business continuity plan (BCP)?

An organization expects to continually deal with severe distributed denial of service (DDoS) attacks from hacktivist groups. Which of the following is the BEST recommendation to help address this threat?