Free CIS-RC Sample Questions — Certified Implementation Specialist - Risk and Compliance

Free CIS-RC sample questions for the Certified Implementation Specialist - Risk and Compliance exam. No account required: study at your own pace.

Question 1

What actions can be executed by a user with the GRC Business User role? (Choose two.)

  • A. Take risk assessments
  • B. Group Issues
  • C. Group attestations
  • D. Create policies
  • E. Create risks
Correct Answer:
  • A. Take risk assessments
  • C. Group attestations

Question 2

Which GRC tables serve as primary parent tables for the GRC applications? (Choose three.)

  • A. Content
  • B. Item
  • C. Asset
  • D. Task
  • E. Document
Correct Answer:
  • A. Content
  • B. Item
  • E. Document

Question 3

What can assessors do when a risk is in the state of Assess on a classic risk assessment? (Choose two.)

  • A. Delete the risk
  • B. Answer the assessment
  • C. Deactivate the risk
  • D. Set the risk to Monitor
  • E. Set the risk back to Draft
Correct Answer:
  • B. Answer the assessment
  • E. Set the risk back to Draft

Question 4

The Risk Scoring values are entered on the Risk Statement. Which record inherits the values from the Risk Statement?

  • A. Risk Criteria Matrix
  • B. Risk Framework
  • C. Registered Risk
  • D. Risk Response Issue
Correct Answer:
C. Registered Risk

Question 5

Which ServiceNow roles can manually move a Control record into the Monitor state? (Choose two.)

  • A. Control owner
  • B. System admin
  • C. Process owner
  • D. Compliance manager
Correct Answer:
  • B. System admin
  • D. Compliance manager

Question 6

Which regulations are possible when scoping entities for Healthcare? (Choose two.)

  • A. HITRUST
  • B. FISMA
  • C. HIPAA
  • D. HETRUST
Correct Answer:
  • A. HITRUST
  • C. HIPAA

Question 7

Control indicators may be triggered or scheduled in which state?

  • A. Retired
  • B. Monitor
  • C. Review
  • D. Attest
  • E. Draft
Correct Answer:
B. Monitor

Question 8

On which records is the entity a required field? (Choose two.)

  • A. Risk
  • B. Control
  • C. Policy
  • D. Control objective
  • E. Risk statement
Correct Answer:
  • A. Risk
  • B. Control

Question 9

In which state can reviewers either send the Policy back to draft or forward it by requesting approval?

  • A. Retired
  • B. Published
  • C. Awaiting Approval
  • D. Review
Correct Answer:
D. Review

Question 10

Which of the following statements is true of a Risk Response task?

  • A. Only one Risk Response task can be related to a Risk at a time
  • B. Only users with the risk_manager role or higher can be assigned to a Risk Response task
  • C. The risk admin role is required to assign the Risk Response task
  • D. The Risk Response task is automatically progressed through the states using a workflow
Correct Answer:
D. The Risk Response task is automatically progressed through the states using a workflow

Question 11

Control Objectives are not active until the parent policy is in which of the following states?

  • A. Awaiting Approval
  • B. Draft
  • C. Published
  • D. Review
Correct Answer:
C. Published

Question 12

Which Script include can be modified to change how the compliance scores roll up?

  • A. ScoreRollUp
  • B. ComplianceUtils
  • C. ComplianceScoreCalculator
  • D. AssessmentStrategy
Correct Answer:
C. ComplianceScoreCalculator

Question 13

Which of the following tables are within the GRC: Policy and Compliance Management application scope? (Choose two.)

  • A. Authority Document
  • B. Assessment
  • C. Policy Exception
  • D. Audit Task
Correct Answer:
  • A. Authority Document
  • C. Policy Exception

Question 14

Control Failure Factor represents the impact of Control Failures on what score?

  • A. Inherent
  • B. Residual
  • C. Total
  • D. Calculated
Correct Answer:
D. Calculated

Question 15

The overall goal of Entity Classes is to:

  • A. To enable reporting and to support advanced risk assessment
  • B. Show relationships between Entities and policies and map them directly to Citations
  • C. Associate Control Objectives and Risk Statements with Risks and Controls
  • D. To provide specific information about an Entity, such as who owns the Entity
Correct Answer:
A. To enable reporting and to support advanced risk assessment

Question 16

The Single Loss Expectancy is $1,000,000 and the Annual Rate of Occurrence is 20%. What is the Annualized Loss Expectancy?

  • A. $1,000,000
  • B. $200,000
  • C. $2,000,000
  • D. $10,000
Correct Answer:
B. $200,000

Question 17

Risk criteria typically include definitions of different levels of what? (Choose two.)

  • A. Impact
  • B. Likelihood
  • C. Criticality
  • D. Importance
  • E. Priority
Correct Answer:
  • A. Impact
  • B. Likelihood

Question 18

What are key prerequisites for a control test task to be generated?

  • A. Engagement is Scope
  • B. Risks have associated assessments
  • C. Entity being scoped has associated controls with test plans
  • D. Controls have a set frequency
  • E. Entity being scoped has associated risks
Correct Answer:
C. Entity being scoped has associated controls with test plans

Question 19

How can you get the SOX content pack?

  • A. ServiceNow Store
  • B. Patch Update
  • C. Platform Upgrade
  • D. Professional Services
Correct Answer:
A. ServiceNow Store

Question 20

What would you leverage in order to provide users with an alternate user experience to view policies, create policy exceptions, and search for controls?

  • A. Help Desk Portal
  • B. Catalog Portal
  • C. Access Portal
  • D. Service Portal
Correct Answer:
D. Service Portal
