ISACA Certified in Risk and Information Systems Control

QUESTION NO: 1
Which of the following BEST indicates that additional or improved controls ate needed m the environment?

A. merging risk scenarios have been identified B. Management, has decreased organisational risk appetite C. Risk events and losses exceed risk tolerance D. The risk register and portfolio do not include all risk scenarios

Correct Answer: C

Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).

QUESTION NO: 2
The MOST important consideration when selecting a control to mitigate an identified risk is whether:

A. the cost of control exceeds the mitigation value B. the mitigation measures create compounding effects C. there are sufficient internal resources to implement the control D. the control eliminates the risk

Correct Answer: A

Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).

QUESTION NO: 3
Which of the following controls would BEST mitigate the risk of user passwords being compromised by a man in the middle technique?

A. Require users to change password as frequently as possible. B. Block user sessions after short periods of inactivity. C. Require users to select long passwords. D. Implement a passwordless access mechanism.

Correct Answer: A

QUESTION NO: 4
An organization practices the principle of least privilege. To ensure access remains appropriate, application owners should be required to review user access rights on a regular basis by obtaining:

A. business purpose documentation and software license counts B. documentation indicating the intended users of the application C. security logs to determine the cause of invalid login attempts D. an access control matrix and approval from the user ' s manager

Correct Answer: D

Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).

QUESTION NO: 5
Which of the following is the GREATEST benefit of centralizing IT systems?

A. Risk identification B. Risk classification C. Risk monitoring D. Risk reporting

Correct Answer: D

Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).

QUESTION NO: 6
A risk practitioner is concerned with potential data loss in the event of a breach at a hosted third-party provider. Which of the following is the BEST way to mitigate this risk?

A. Ensure appropriate security controls are in place through independent audits. B. Include an indemnification clause in the provider ' s contract. C. Monitor provider performance against service level agreements (SLAs). D. Purchase cyber insurance to protect against data breaches.

Correct Answer: A

Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).

QUESTION NO: 7
Which of the following should be the PRIMARY consideration when implementing controls for monitoring user activity logs?

A. Ensuring the control is proportional to the risk B. Ensuring availability of resources for log analysis C. Building correlations between logs collected from different sources D. Implementing log analysis tools to automate controls

Correct Answer: A

Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).

QUESTION NO: 8
Which of the following is MOST helpful in aligning IT risk with business objectives?

A. Integrating the results of top-down risk scenario analyses B. Introducing an approved IT governance framework C. Implementing a risk classification system D. Performing a business impact analysis (BlA)

Correct Answer: A

Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).

QUESTION NO: 9
Which of the following should be the risk practitioner ' s FIRST course of action when an organization plans to adopt a cloud computing strategy?

A. Request a budget for implementation B. Perform a controls assessment. C. Conduct a threat analysis. D. Create a cloud computing policy.

Correct Answer: D

QUESTION NO: 10
A segregation of duties control was found to be ineffective because it did not account for all applicable functions when evaluating access. Who is responsible for ensuring the control is designed to effectively address risk?

A. Control owner B. Risk manager C. Control tester D. Risk owner

Correct Answer: A

Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).

QUESTION NO: 11
Which of the following is the BEST metric to measure employee adherence to organizational security policies?

A. Total number of opened phishing emails B. Total number of regulatory violations C. Total number of security policy exceptions D. Total number of security policy audit findings

Correct Answer: A

Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).

ISACA Certified in Risk and Information Systems Control - CRISC Exam Questions