CRISC TOPIC 3 EXAM LONG
Question #:219 - (Exam Topic 3) An organization recently received an independent security audit report of its cloud service provider that indicates significant control weaknesses. What should be done NEXT in response to this report? A. Migrate all data to another compliant service provider. B. Analyze the impact of the provider's control weaknesses to the business. C. Conduct a follow-up audit to verify the provider's control weaknesses. D. Review the contract to determine if penalties should be levied against the provider.
B. Analyze the impact of the provider's control weaknesses to the business.
Question #:76 - (Exam Topic 3) Which of the following should be a risk practitioner's PRIMARY focus when tasked with ensuring organization records are being retained for a sufficient period of time to meet legal obligations? A. Data duplication processes B. Data archival processes C. Data anonymization processes D. Data protection processes
B. Data archival processes.
Question #:229 - (Exam Topic 3) A business unit is implementing a data analytics platform to enhance its customer relationship management (CRM) system primarily to process data that has been provided by its customers. Which of the following presents the GREATEST risk to the organization's reputation? A. Third-party software is used for data analytics. B. Data usage exceeds individual consent. C. Revenue generated is not disclosed to customers. D. Use of a data analytics system is not disclosed to customers.
B. Data usage exceeds individual consent.
Question #:128 - (Exam Topic 3) Which of the following would be a risk practitioner's BEST recommendation to help ensure cyber risk is assessed and reflected in the enterprise-level risk profile? A. Manage cyber risk according to the organization's risk management framework. B. Define cyber roles and responsibilities across the organization. C. Conduct cyber risk awareness training tailored specifically for senior management. D. Implement a cyber risk program based on industry best practices.
B. Define cyber roles and responsibilities across the organization.
Question #:32 - (Exam Topic 3) An organization has provided legal text explaining the rights and expected behavior of users accessing a system from geographic locations that have strong privacy regulations. Which of the following control types has been applied? A. Detective B. Directive C. Preventive D. Compensating
B. Directive.
Question #:189 - (Exam Topic 3) To minimize the risk of a potential acquisition being exposed externally, an organization has selected a few key employees to be engaged in the due diligence process. A member of the due diligence team realizes a close acquaintance is a high-ranking IT professional at a subsidiary of the company about to be acquired. What is the BEST course of action for this team member? A. Enforce segregation of duties. B. Disclose potential conflicts of interest. C. Delegate responsibilities involving the acquaintance. D. Notify the subsidiary's legal team.
B. Disclose potential conflicts of interest.
Question #:243 - (Exam Topic 3) An organization operates in an environment where reduced time-to-market for new software products is a top business priority. Which of the following should be the risk practitioner's GREATEST concern? A. Sufficient resources are not assigned to IT development projects. B. Customer support help desk staff does not have adequate training. C. Email infrastructure does not have proper rollback plans. D. The corporate email system does not identify and store phishing emails.
A. Sufficient resources are not assigned to IT development projects.
Question #:66 - (Exam Topic 3) Which of the following is the BEST recommendation to senior management when the results of a risk and control assessment indicate a risk scenario can only be partially mitigated? A. Implement controls to bring the risk to a level within appetite and accept the residual risk. B. Implement a key performance indicator (KPI) to monitor the existing control performance. C. Accept the residual risk in its entirety and obtain executive management approval. D. Separate the risk into multiple components and avoid the risk components that cannot be mitigated.
A. Implement controls to bring the risk to a level within appetite and accept the residual risk.
Question #:126 - (Exam Topic 3) Which of the following should be the FIRST consideration when a business unit wants to use personal information for a purpose other than for which it was originally collected? A. Informed consent B. Cross-border controls C. Business impact analysis (BIA) D. Data breach protection
A. Informed consent.
Question #:116 - (Exam Topic 3) A control for mitigating risk in a key business area cannot be implemented immediately. Which of the following is the risk practitioner's BEST course of action when a compensating control needs to be applied? A. Obtain the risk owner's approval. B. Record the risk as accepted in the risk register. C. Inform senior management. D. Update the risk response plan.
A. Obtain the risk owner's approval.
Question #:50 - (Exam Topic 3) In an organization where each division manages risk independently, which of the following would BEST enable management of risk at the enterprise level? A. A standardized risk taxonomy B. A list of control deficiencies C. An enterprise risk ownership policy D. An updated risk tolerance metric
A. A standardized risk taxonomy.
Question #:193 - (Exam Topic 3) An organization has been notified that a disgruntled, terminated IT administrator has tried to break into the corporate network. Which of the following discoveries should be of GREATEST concern to the organization? A. Authentication logs have been disabled. B. An external vulnerability scan has been detected. C. A brute force attack has been detected. D. An increase in support requests has been observed.
A. Authentication logs have been disabled.
Question #:168 - (Exam Topic 3) During an internal IT audit, an active network account belonging to a former employee was identified. Which of the following is the BEST way to prevent future occurrences? A. Conduct a comprehensive review of access management processes. B. Declare a security incident and engage the incident response team. C. Conduct a comprehensive awareness session for system administrators. D. Evaluate system administrators' technical skills to identify if training is required.
A. Conduct a comprehensive review of access management processes.
Question #:18 - (Exam Topic 3) A core data center went offline abruptly for several hours, affecting many transactions across multiple locations. Which of the following would provide the MOST useful information to determine mitigating controls? A. Forensic analysis B. Risk assessment C. Root cause analysis D. Business impact analysis (BIA)
A. Forensic analysis
Question #:257 - (Exam Topic 3) An organization is considering the adoption of an aggressive business strategy to achieve desired growth. From a risk management perspective, what should the risk practitioner do NEXT? A. Identify new threats resulting from the new business strategy. B. Update risk awareness training to reflect current levels of risk appetite and tolerance. C. Inform the board of potential risk scenarios associated with aggressive business strategies. D. Increase the scale for measuring impact due to threat materialization.
A. Identify new threats resulting from the new business strategy.
Question #:20 - (Exam Topic 3) An organization learns of a new ransomware attack affecting organizations worldwide. Which of the following should be done FIRST to reduce the likelihood of infection from the attack? A. Identify systems that are vulnerable to being exploited by the attack. B. Confirm with the antivirus solution vendor whether the next update will detect the attack. C. Verify the data backup process and confirm which backups are the most recent ones available. D. Obtain approval for funding to purchase a cyber insurance plan.
A. Identify systems that are vulnerable to being exploited by the attack.
Question #:82 - (Exam Topic 3) Which of the following should be of MOST concern to a risk practitioner reviewing an organization's risk register after the completion of a series of risk assessments? A. Several risk action plans have missed target completion dates. B. Senior management has accepted more risk than usual. C. Risk associated with many assets is only expressed in qualitative terms. D. Many risk scenarios are owned by the same senior manager.
A. Several risk action plans have missed target completion dates.
Question #:26 - (Exam Topic 3) An organization is considering outsourcing user administration controls for a critical system. The potential vendor has offered to perform quarterly self-audits of its controls instead of having annual independent audits. Which of the following should be of GREATEST concern to the risk practitioner? A. The controls may not be properly tested. B. The vendor will not ensure against control failure. C. The vendor will not achieve best practices. D. Lack of a risk-based approach to access control.
A. The controls may not be properly tested.
Question #:70 - (Exam Topic 3) A risk practitioner identifies a database application that has been developed and implemented by the business independently of IT. Which of the following is the BEST course of action? A. Escalate the concern to senior management. B. Document the reasons for the exception. C. Include the application in IT risk assessments. D. Propose that the application be transferred to IT.
B. Document the reasons for the exception.
Question #:21 - (Exam Topic 3) While reviewing a contract of a cloud services vendor, it was discovered that the vendor refuses to accept liability for a sensitive data breach. Which of the following controls will BEST reduce the risk associated with such a data breach? A. Ensuring the vendor does not know the encryption key B. Engaging a third party to validate operational controls C. Using the same cloud vendor as a competitor D. Using field-level encryption with a vendor-supplied key
B. Engaging a third party to validate operational controls
Question #:110 - (Exam Topic 3) A chief information officer (CIO) has identified risk associated with shadow systems being maintained by business units to address specific functionality gaps in the organization's enterprise resource planning (ERP) system. What is the BEST way to reduce this risk going forward? A. Align applications to business processes. B. Implement an enterprise architecture (EA). C. Define the software development life cycle (SDLC). D. Define enterprise-wide system procurement requirements.
B. Implement an enterprise architecture (EA).
Question #:191 - (Exam Topic 3) Days before the realization of an acquisition, a data breach is discovered at the company to be acquired. For the acquiring organization, this situation represents which of the following? A. Threat event B. Inherent risk C. Risk event D. Security incident
B. Inherent risk.
Question #:8 - (Exam Topic 3) A recent vulnerability assessment of a web-facing application revealed several weaknesses. Which of the following should be done NEXT to determine the risk exposure? A. Code review B. Penetration test C. Gap assessment D. Business impact analysis (BIA)
B. Penetration test
Question #:22 - (Exam Topic 3) An IT department has organized training sessions to improve user awareness of organizational information security policies. Which of the following is the BEST key performance indicator (KPI) to reflect effectiveness of the training? A. Number of training sessions completed B. Percentage of staff members who complete the training with a passing score C. Percentage of attendees versus total staff D. Percentage of staff members who attend the training with positive feedback
B. Percentage of staff members who complete the training with a passing score.
Question #:212 - (Exam Topic 3) An organization maintains independent departmental risk registers that are not automatically aggregated. Which of the following is the GREATEST concern? A. Management may be unable to accurately evaluate the risk profile. B. Resources may be inefficiently allocated. C. The same risk factor may be identified in multiple areas. D. Multiple risk treatment efforts may be initiated to treat a given risk.
B. Resources may be inefficiently allocated.
Question #:112 - (Exam Topic 3) While reviewing the risk register, a risk practitioner notices that different business units have significant variances in inherent risk for the same risk scenario. Which of the following is the BEST course of action? A. Update the risk register with the average of residual risk for both business units. B. Review the assumptions of both risk scenarios to determine whether the variance is reasonable. C. Update the risk register to ensure both risk scenarios have the highest residual risk. D. Request that both business units conduct another review of the risk.
B. Review the assumptions of both risk scenarios to determine whether the variance is reasonable.
Question #:150 - (Exam Topic 3) An organization has recently hired a large number of part-time employees. During the annual audit, it was discovered that many user IDs and passwords were documented in procedure manuals for use by the part-time employees. Which of the following BEST describes this situation? A. Threat B. Risk C. Vulnerability D. Policy violation
B. Risk
Question #:44 - (Exam Topic 3) The following is a snapshot of a recently approved IT risk register maintained by an organization's information security department. After implementing the countermeasures listed in "Risk Response Descriptions" for each of the Risk IDs, which of the following components of the register MUST change? A. Risk Impact Rating B. Risk Owner C. Risk Likelihood Rating D. Risk Exposure
B. Risk Owner.
Question #:164 - (Exam Topic 3) Which of the following will BEST help to ensure the continued effectiveness of the IT risk management function within an organization experiencing high employee turnover? A. Well documented policies and procedures B. Risk and issue tracking C. An IT strategy committee D. Change and release management
B. Risk and issue tracking.
Question #:15 - (Exam Topic 3) To reduce costs, an organization is combining the second and third lines of defense in a new department that reports to a recently appointed C-level executive. Which of the following is the GREATEST concern with this situation? A. The risk governance approach of the second and third lines of defense may differ. B. The independence of the internal third line of defense may be compromised. C. Cost reductions may negatively impact the productivity of other departments. D. The new structure is not aligned to the organization's internal control framework.
B. The independence of the internal third line of defense may be compromised.
Question #:211 - (Exam Topic 3) An organization outsources the processing of its payroll data. A risk practitioner identifies a control weakness at the third party that exposes the payroll data. Who should own this risk? A. The third party's IT operations manager B. The organization's process owner C. The third party's chief risk officer (CRO) D. The organization's risk practitioner
B. The organization's process owner.
Question #:187 - (Exam Topic 3) An organization moved its payroll system to a Software as a Service (SaaS) application. A new data privacy regulation stipulates that data can only be processed within the country where it is collected. Which of the following should be done FIRST when addressing this situation? A. Analyze data protection methods. B. Understand data flows. C. Include a right-to-audit clause. D. Implement strong access controls.
B. Understand data flows.
Question #:222 - (Exam Topic 3) Employees are repeatedly seen holding the door open for others, so that trailing employees do not have to stop and swipe their own ID badges. This behavior BEST represents: A. a threat. B. a vulnerability. C. an impact. D. a control.
B. a vulnerability.
Question #:71 - (Exam Topic 3) An organization practices the principle of least privilege. To ensure access remains appropriate, application owners should be required to review user access rights on a regular basis by obtaining: A. business purpose documentation and software license counts B. an access control matrix and approval from the user's manager C. documentation indicating the intended users of the application D. security logs to determine the cause of invalid login attempts
B. an access control matrix and approval from the user's manager.
Question #:79 - (Exam Topic 3) In response to the threat of ransomware, an organization has implemented cybersecurity awareness activities. The risk practitioner's BEST recommendation to further reduce the impact of ransomware attacks would be to implement: A. two-factor authentication. B. continuous data backup controls. C. encryption for data at rest. D. encryption for data in motion.
B. continuous data backup controls.
Question #:92 - (Exam Topic 3) A risk practitioner is preparing a report to communicate changes in the risk and control environment. The BEST way to engage stakeholder attention is to: A. include detailed deviations from industry benchmarks. B. include a summary linking information to stakeholder needs. C. include a roadmap to achieve operational excellence. D. publish the report on-demand for stakeholders.
B. include a summary linking information to stakeholder needs.
Question #:107 - (Exam Topic 3) An organization's chief technology officer (CTO) has decided to accept the risk associated with the potential loss from a denial-of-service (DoS) attack. In this situation, the risk practitioner's BEST course of action is to: A. identify key risk indicators (KRIs) for ongoing monitoring. B. validate the CTO's decision with the business process owner. C. update the risk register with the selected risk response. D. recommend that the CTO revisit the risk acceptance decision.
B. validate the CTO's decision with the business process owner.
Question #:139 - (Exam Topic 3) When reporting on the performance of an organization's control environment, including which of the following would BEST inform stakeholders' risk decision-making? A. The audit plan for the upcoming period B. Spend to date on mitigating control implementation C. A report of deficiencies noted during controls testing D. A status report of control deployment
C. A report of deficiencies noted during controls testing.
Question #:253 - (Exam Topic 3) Senior management has asked a risk practitioner to develop technical risk scenarios related to a recently developed enterprise resource planning (ERP) system. These scenarios will be owned by the system manager. Which of the following would be the BEST method to use when developing the scenarios? A. Cause-and-effect diagram B. Delphi technique C. Bottom-up approach D. Top-down approach
C. Bottom-up approach.
Question #:158 - (Exam Topic 3) Which of the following is a risk practitioner's BEST recommendation to address an organization's need to secure multiple systems with limited IT resources? A. Apply available security patches. B. Schedule a penetration test. C. Conduct a business impact analysis (BIA) D. Perform a vulnerability analysis.
C. Conduct a business impact analysis (BIA).
Question #:60 - (Exam Topic 3) While reviewing an organization's monthly change management metrics, a risk practitioner notes that the number of emergency changes has increased substantially. Which of the following would be the BEST approach for the risk practitioner to take? A. Temporarily suspend emergency changes. B. Document the control deficiency in the risk register. C. Conduct a root cause analysis. D. Continue monitoring change management metrics.
C. Conduct a root cause analysis.
Question #:24 - (Exam Topic 3) What is the PRIMARY reason an organization should include background checks on roles with elevated access to production as part of its hiring process? A. Reduce internal threats B. Reduce exposure to vulnerabilities C. Eliminate risk associated with personnel D. Ensure new hires have the required skills
C. Eliminate risk associated with personnel.
Question #:180 - (Exam Topic 3) An application runs a scheduled job that compiles financial data from multiple business systems and updates the financial reporting system. If this job runs too long, it can delay financial reporting. Which of the following is the risk practitioner's BEST recommendation? A. Implement database activity and capacity monitoring. B. Ensure the business is aware of the risk. C. Ensure the enterprise has a process to detect such situations. D. Consider providing additional system resources to this job.
C. Ensure the enterprise has a process to detect such situations.
Question #:106 - (Exam Topic 3) An organization has an approved bring your own device (BYOD) policy. Which of the following would BEST mitigate the security risk associated with the inappropriate use of enterprise applications on the devices? A. Periodically review applications on BYOD devices. B. Include BYOD in organizational awareness programs. C. Implement BYOD mobile device management (MDM) controls. D. Enable a remote wipe capability for BYOD devices.
C. Implement BYOD mobile device management (MDM) controls.
Question #:88 - (Exam Topic 3) An organization has made a decision to purchase a new IT system. During which phase of the system development life cycle (SDLC) will identified risk MOST likely lead to architecture and design trade-offs? A. Acquisition B. Implementation C. Initiation D. Operation and maintenance
C. Initiation.
Question #:10 - (Exam Topic 3) An organization wants to grant remote access to a system containing sensitive data to an overseas third party. Which of the following should be of GREATEST concern to management? A. Transborder data transfer restrictions B. Differences in regional standards C. Lack of monitoring over vendor activities D. Lack of after-hours incident management support
C. Lack of monitoring over vendor activities
Question #:100 - (Exam Topic 3) A department allows multiple users to perform maintenance on a system using a single set of credentials. A risk practitioner determined this practice to be high-risk. Which of the following is the MOST effective way to mitigate this risk? A. Single sign-on B. Audit trail review C. Multi-factor authentication D. Data encryption at rest
C. Multi-factor authentication.
Question #:37 - (Exam Topic 3) Which of the following is the BEST method for assessing control effectiveness against technical vulnerabilities that could be exploited to compromise an information system? A. Vulnerability scanning B. Systems log correlation analysis C. Penetration testing D. Monitoring of intrusion detection system (IDS) alerts
C. Penetration testing.
Question #:246 - (Exam Topic 3) A vulnerability assessment of a vendor-supplied solution has revealed that the software is susceptible to cross-site scripting and SQL injection attacks. Which of the following will BEST mitigate this issue? A. Monitor the databases for abnormal activity B. Approve exception to allow the software to continue operating C. Require the software vendor to remediate the vulnerabilities D. Accept the risk and let the vendor run the software as is
C. Require the software vendor to remediate the vulnerabilities.
Question #:87 - (Exam Topic 3) Following an acquisition, the acquiring company's risk practitioner has been asked to update the organization's IT risk profile. What is the MOST important information to review from the acquired company to facilitate this task? A. Internal and external audit reports B. Risk disclosures in financial statements C. Risk assessment and risk register D. Business objectives and strategies
C. Risk assessment and risk register.
Question #:51 - (Exam Topic 3) During a risk treatment plan review, a risk practitioner finds the approved risk action plan has not been completed. However, other risk mitigation actions were implemented. Which of the following is the BEST course of action? A. Review the cost-benefit of mitigating controls. B. Mark the risk status as unresolved within the risk register. C. Verify the sufficiency of mitigating controls with the risk owner. D. Update the risk register with implemented mitigating actions.
C. Verify the sufficiency of mitigating controls with the risk owner.
Question #:192 - (Exam Topic 3) An organization has decided to postpone the assessment and treatment of several risk scenarios because stakeholders are unavailable. As a result of this decision, the risk associated with these new entries has been: A. mitigated. B. deferred. C. accepted. D. transferred.
C. accepted.
Question #:208 - (Exam Topic 3) During implementation of an intrusion detection system (IDS) to monitor network traffic, a high number of alerts is reported. The risk practitioner should recommend to: A. reset the alert threshold based on peak traffic. B. analyze the traffic to minimize the false negatives. C. analyze the alerts to minimize the false positives. D. sniff the traffic using a network analyzer.
C. analyze the alerts to minimize the false positives.
Question #:93 - (Exam Topic 3) A management team is on an aggressive mission to launch a new product to penetrate new markets and overlooks IT risk factors, threats, and vulnerabilities. This scenario BEST demonstrates an organization's risk: A. management. B. tolerance. C. culture. D. analysis.
C. culture.
Question #:97 - (Exam Topic 3) The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for: A. data logging and monitoring. B. data mining and analytics. C. data classification and labeling. D. data retention and destruction.
C. data classification and labeling.
Question #:145 - (Exam Topic 3) A risk practitioner observed that a high number of policy exceptions were approved by senior management. Which of the following is the risk practitioner's BEST course of action to determine root cause? A. Review the risk profile. B. Review policy change history. C. Interview the control owner. D. Perform control testing.
C. Interview the control owner.
Question #:225 - (Exam Topic 3) An organization is preparing to transfer a large number of customer service representatives to the sales department. Of the following, who is responsible for mitigating the risk associated with residual system access? A. IT service desk manager B. Sales manager C. Customer service manager D. Access control manager
D. Access control manager.
Question #:215 - (Exam Topic 3) An organization must make a choice among multiple options to respond to a risk. The stakeholders cannot agree and decide to postpone the decision. Which of the following risk responses has the organization adopted? A. Transfer B. Mitigation C. Avoidance D. Acceptance
D. Acceptance.
Question #:262 - (Exam Topic 3) A risk practitioner has been asked by executives to explain how existing risk treatment plans would affect risk posture at the end of the year. Which of the following is MOST helpful in responding to this request? A. Assessing risk with no controls in place B. Showing projected residual risk C. Providing peer benchmarking results D. Assessing risk with current controls in place
D. Assessing risk with current controls in place.
Question #:186 - (Exam Topic 3) An organization has outsourced its billing function to an external service provider. Who should own the risk of customer data leakage caused by the service provider? A. The service provider B. Vendor risk manager C. Legal counsel D. Business process owner
D. Business process owner.
Question #:118 - (Exam Topic 3) An organization's risk register contains a large volume of risk scenarios that senior management considers overwhelming. Which of the following would BEST help to improve the risk register? A. Analyzing the residual risk components B. Performing risk prioritization C. Validating the risk appetite level D. Conducting a risk assessment
D. Conducting a risk assessment.
Question #:72 - (Exam Topic 3) A peer review of a risk assessment finds that a relevant threat community was not included. Mitigation of the risk will require substantial changes to a software application. Which of the following is the BEST course of action? A. Ask the business to make a budget request to remediate the problem. B. Build a business case to remediate the fix. C. Research the types of attacks the threat can present. D. Determine the impact of the missing threat.
D. Determine the impact of the missing threat.
Question #:137 - (Exam Topic 3) An organization is implementing encryption for data at rest to reduce the risk associated with unauthorized access. Which of the following MUST be considered to assess the residual risk? A. Data retention requirements B. Data destruction requirements C. Cloud storage architecture D. Key management
D. Key management.
Question #:84 - (Exam Topic 3) Which of the following is the MOST important key performance indicator (KPI) to monitor the effectiveness of disaster recovery processes? A. Percentage of IT systems recovered within the mean time to restore (MTTR) during the disaster recovery test B. Percentage of issues arising from the disaster recovery test resolved on time C. Percentage of IT systems included in the disaster recovery test scope D. Percentage of IT systems meeting the recovery time objective (RTO) during the disaster recovery test
D. Percentage of IT systems meeting the recovery time objective (RTO) during the disaster recovery test.
Question #:200 - (Exam Topic 3) An organization wants to launch a campaign to advertise a new product. Using data analytics, the campaign can be targeted to reach potential customers. Which of the following should be of GREATEST concern to the risk practitioner? A. Data minimization B. Accountability C. Accuracy D. Purpose limitation
D. Purpose limitation.
Question #:151 - (Exam Topic 3) An organization has experienced several incidents of extended network outages that have exceeded tolerance. Which of the following should be the risk practitioner's FIRST step to address this situation? A. Recommend additional controls to address the risk. B. Update the risk tolerance level to acceptable thresholds. C. Update the incident-related risk trend in the risk register. D. Recommend a root cause analysis of the incidents.
D. Recommend a root cause analysis of the incidents.
Question #:231 - (Exam Topic 3) Which of the following BEST indicates the risk appetite and tolerance level for the risk associated with business interruption caused by IT system failures? A. Mean time to recover (MTTR) B. IT system criticality classification C. Incident management service level agreement (SLA) D. Recovery time objective (RTO)
D. Recovery time objective (RTO).
Question #:152 - (Exam Topic 3) A risk practitioner has discovered a deficiency in a critical system that cannot be patched. Which of the following should be the risk practitioner's FIRST course of action? A. Report the issue to internal audit. B. Submit a request to change management. C. Conduct a risk assessment. D. Review the business impact assessment.
D. Review the business impact assessment.
Question #:102 - (Exam Topic 3) Senior management wants to increase investment in the organization's cybersecurity program in response to changes in the external threat landscape. Which of the following would BEST help to prioritize investment efforts? A. Analyzing cyber intelligence reports B. Engaging independent cybersecurity consultants C. Increasing the frequency of updates to the risk register D. Reviewing the outcome of the latest security risk assessment
D. Reviewing the outcome of the latest security risk assessment.
Question #:41 - (Exam Topic 3) An organization has decided to use an external auditor to review the control environment of an outsourced service provider. The BEST control criteria to evaluate the provider would be based on: A. a recognized industry control framework. B. guidance provided by the external auditor. C. the service provider's existing controls. D. the organization's specific control requirements.
D. The organization's specific control requirements.
Question #:236 - (Exam Topic 3) After the implementation of Internet of Things (IoT) devices, new risk scenarios were identified. What is the PRIMARY reason to report this information to risk owners? A. To reevaluate continued use of IoT devices B. To add new controls to mitigate the risk C. To recommend changes to the IoT policy D. To confirm the impact to the risk profile
D. To confirm the impact to the risk profile.
Question #:242 - (Exam Topic 3) A deficient control has been identified which could result in great harm to an organization should a low-frequency threat event occur. When communicating the associated risk to senior management, the risk practitioner should explain: A. mitigation plans for threat events should be prepared in the current planning period. B. this risk scenario is equivalent to more frequent but lower impact risk scenarios. C. the current level of risk is within tolerance. D. an increase in threat events could cause a loss sooner than anticipated.
D. an increase in threat events could cause a loss sooner than anticipated.
Question #:249 - (Exam Topic 3) A service provider is managing a client's servers. During an audit of the service, a noncompliant control is discovered that will not be resolved before the next audit because the client cannot afford the downtime required to correct the issue. The service provider's MOST appropriate action would be to: A. develop a risk remediation plan overriding the client's decision. B. make a note for this item in the next audit explaining the situation. C. insist that the remediation occur for the benefit of other customers. D. ask the client to document the formal risk acceptance for the provider.
D. ask the client to document the formal risk acceptance for the provider.
Question #:81 - (Exam Topic 3) While conducting an organization-wide risk assessment, it is noted that many of the information security policies have not changed in the past three years. The BEST course of action is to: A. review and update the policies to align with industry standards. B. determine that the policies should be updated annually. C. report that the policies are adequate and do not need to be updated frequently. D. review the policies against current needs to determine adequacy.
D. review the policies against current needs to determine adequacy.