Free Certification Practice Questions

ISACA-CRISC

Isaca's CRISC A risk practitioner has discovered a deficiency in a critical system that cannot be patched. Which of the following should be the risk practitioner's FIRST course of action?
#721
Isaca's CRISC Which of the following will BEST help to ensure implementation of corrective action plans?
#722
Isaca's CRISC What is the PRIMARY reason an organization should include background checks on roles with elevated access to production as part of its hiring process?
#723
Isaca's CRISC An organization has implemented a system capable of comprehensive employee monitoring. Which of the following should direct how the system is used?
#724
Isaca's CRISC Legal and regulatory risk associated with business conducted over the Internet is driven by:
#725
Isaca's CRISC An organization is developing a security risk awareness training program for the IT help desk and has asked the risk practitioner for suggestions. In addition to technical topics, which of the following is MOST important to recommend be included in the training?
#726
Isaca's CRISC Which of the following should be the PRIMARY goal of developing information security metrics?
#727
Isaca's CRISC Which of the following is a drawback in the use of quantitative risk analysis?
#728
Isaca's CRISC A large organization needs to report risk at all levels for a new centralized virtualization project to reduce cost and improve performance. Which of the following would MOST effectively represent the overall risk of the project to senior management?
#729
Isaca's CRISC Which of the following would be the GREATEST challenge when implementing a corporate risk framework for a global organization?
#730
Isaca's CRISC Which of the following is the PRIMARY reason to adopt key control indicators (KCIs) in the risk monitoring and reporting process?
#731
Isaca's CRISC Which of the following management actions will MOST likely change the likelihood rating of a risk scenario related to remote network access?
#732
Isaca's CRISC An organization has completed a risk assessment of one of its service providers. Who should be accountable for ensuring that risk responses are implemented?
#733
Isaca's CRISC A risk practitioner identifies a database application that has been developed and implemented by the business independently of IT. Which of the following is the BEST course of action?
#734
Isaca's CRISC Which of the following would be a risk practitioner's BEST course of action when a project team has accepted a risk outside the established risk appetite?
#735
Isaca's CRISC Who should be responsible for evaluating the residual risk after a compensating control has been applied?
#736
Isaca's CRISC Which of the following should a risk practitioner validate FIRST when a mitigating control cannot be implemented fully to support business objectives?
#737
Isaca's CRISC Which of the following is the BEST way to determine whether system settings are in alignment with control baselines?
#738
Isaca's CRISC A maturity model is MOST useful to an organization when it:
#739
Isaca's CRISC It was determined that replication of a critical database used by two business units failed. Which of the following should be of GREATEST concern?
#740
Isaca's CRISC Which of the following is the BEST control to mitigate the risk when a critical customer-facing application has been susceptible to recent credential stuffing attacks?
#741
Isaca's CRISC Which of the following is MOST important to the effective monitoring of key risk indicators (KRIs)?
#742
Isaca's CRISC A multinational organization is considering implementing standard background checks for all new employees. A KEY concern regarding this approach is that it may:
#743
Isaca's CRISC A core data center went offline abruptly for several hours, affecting many transactions across multiple locations. Which of the following would provide the MOST useful information to determine mitigating controls?
#744
Isaca's CRISC A recent internal risk review reveals the majority of core IT application recovery time objectives (RTOs) have exceeded the maximum time defined by the business application owners. Which of the following is MOST likely to change as a result?
#745
Isaca's CRISC A project team recommends accepting the residual risk associated with known regulatory control deficiencies. Which of the following is the risk practitioner's MOST important recommendation to the project manager?
#746
Isaca's CRISC The BEST key performance indicator (KPI) to measure the effectiveness of the security patching process is the percentage of patches installed:
#747
Isaca's CRISC Which of the following is the BEST recommendation of a risk practitioner for an organization that recently changed its organizational structure?
#748
Isaca's CRISC The PRIMARY goal of conducting a business impact analysis (BIA) as part of an overall continuity planning process is to:
#749
Isaca's CRISC A financial institution has identified high risk of fraud in several business applications. Which of the following controls will BEST help reduce the risk of fraudulent internal transactions?
#750