Special Summer Sale Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

Isaca CRISC Certified in Risk and Information Systems Control Exam Practice Test

Page: 1 / 158
Total 1575 questions

Certified in Risk and Information Systems Control Questions and Answers

Question 1

it was determined that replication of a critical database used by two business units failed. Which of the following should be of GREATEST concern1?

Options:

A.

The underutilization of the replicated Iink

B.

The cost of recovering the data

C.

The lack of integrity of data

D.

The loss of data confidentiality

Question 2

Which of the following BEST enables effective IT control implementation?

Options:

A.

Key risk indicators (KRIs)

B.

Documented procedures

C.

Information security policies

D.

Information security standards

Question 3

Which of the following is the BEST way for a risk practitioner to present an annual risk management update to the board''

Options:

A.

A summary of risk response plans with validation results

B.

A report with control environment assessment results

C.

A dashboard summarizing key risk indicators (KRIs)

D.

A summary of IT risk scenarios with business cases

Question 4

Which of the following will BEST help to ensure the continued effectiveness of the IT risk management function within an organization experiencing high employee turnover?

Options:

A.

Well documented policies and procedures

B.

Risk and issue tracking

C.

An IT strategy committee

D.

Change and release management

Question 5

Which of the following activities BEST facilitates effective risk management throughout the organization?

Options:

A.

Reviewing risk-related process documentation

B.

Conducting periodic risk assessments

C.

Performing a business impact analysis (BIA)

D.

Performing frequent audits

Question 6

Which of the following resources is MOST helpful to a risk practitioner when updating the likelihood rating in the risk register?

Options:

A.

Risk control assessment

B.

Audit reports with risk ratings

C.

Penetration test results

D.

Business impact analysis (BIA)

Question 7

After entering a large number of low-risk scenarios into the risk register, it is MOST important for the risk practitioner to:

Options:

A.

prepare a follow-up risk assessment.

B.

recommend acceptance of the risk scenarios.

C.

reconfirm risk tolerance levels.

D.

analyze changes to aggregate risk.

Question 8

When evaluating a number of potential controls for treating risk, it is MOST important to consider:

Options:

A.

risk appetite and control efficiency.

B.

inherent risk and control effectiveness.

C.

residual risk and cost of control.

D.

risk tolerance and control complexity.

Question 9

When of the following standard operating procedure (SOP) statements BEST illustrates appropriate risk register maintenance?

Options:

A.

Remove risk that has been mitigated by third-party transfer

B.

Remove risk that management has decided to accept

C.

Remove risk only following a significant change in the risk environment

D.

Remove risk when mitigation results in residual risk within tolerance levels

Question 10

When establishing an enterprise IT risk management program, it is MOST important to:

Options:

A.

review alignment with the organizations strategy.

B.

understand the organization's information security policy.

C.

validate the organization's data classification scheme.

D.

report identified IT risk scenarios to senior management.

Question 11

Which of the following is the MAIN benefit to an organization using key risk indicators (KRIs)?

Options:

A.

KRIs assist in the preparation of the organization's risk profile.

B.

KRIs signal that a change in the control environment has occurred.

C.

KRIs provide a basis to set the risk appetite for an organization

D.

KRIs provide an early warning that a risk threshold is about to be reached.

Question 12

The BEST metric to demonstrate that servers are configured securely is the total number of servers:

Options:

A.

exceeding availability thresholds

B.

experiencing hardware failures

C.

exceeding current patching standards.

D.

meeting the baseline for hardening.

Question 13

An organization wants to grant remote access to a system containing sensitive data to an overseas third party. Which of the following should be of GREATEST concern to management?

Options:

A.

Transborder data transfer restrictions

B.

Differences in regional standards

C.

Lack of monitoring over vendor activities

D.

Lack of after-hours incident management support

Question 14

The MAJOR reason to classify information assets is

Options:

A.

maintain a current inventory and catalog of information assets

B.

determine their sensitivity and critical

C.

establish recovery time objectives (RTOs)

D.

categorize data into groups

Question 15

A company has recently acquired a customer relationship management (CRM) application from a certified software vendor. Which of the following will BE ST help lo prevent technical vulnerabilities from being exploded?

Options:

A.

implement code reviews and Quality assurance on a regular basis

B.

Verity me software agreement indemnifies the company from losses

C.

Review the source coda and error reporting of the application

D.

Update the software with the latest patches and updates

Question 16

Which of the following is the PRIMARY reason for sharing risk assessment reports with senior stakeholders?

Options:

A.

To support decision-making for risk response

B.

To hold risk owners accountable for risk action plans

C.

To secure resourcing for risk treatment efforts

D.

To enable senior management to compile a risk profile

Question 17

Which of the following is the BEST way to determine whether system settings are in alignment with control baselines?

Options:

A.

Configuration validation

B.

Control attestation

C.

Penetration testing

D.

Internal audit review

Question 18

During a risk assessment, a key external technology supplier refuses to provide control design and effectiveness information, citing confidentiality concerns. What should the risk practitioner do NEXT?

Options:

A.

Escalate the non-cooperation to management

B.

Exclude applicable controls from the assessment.

C.

Review the supplier's contractual obligations.

D.

Request risk acceptance from the business process owner.

Question 19

An organization has recently hired a large number of part-time employees. During the annual audit, it was discovered that many user IDs and passwords were documented in procedure manuals for use by the part-time employees. Which of the following BEST describes this situation?

Options:

A.

Threat

B.

Risk

C.

Vulnerability

D.

Policy violation

Question 20

Which of the following is the MOST comprehensive resource for prioritizing the implementation of information systems controls?

Options:

A.

Data classification policy

B.

Emerging technology trends

C.

The IT strategic plan

D.

The risk register

Question 21

Which of the following would BEST mitigate an identified risk scenario?

Options:

A.

Conducting awareness training

B.

Executing a risk response plan

C.

Establishing an organization's risk tolerance

D.

Performing periodic audits

Question 22

Which of the following findings of a security awareness program assessment would cause the GREATEST concern to a risk practitioner?

Options:

A.

The program has not decreased threat counts.

B.

The program has not considered business impact.

C.

The program has been significantly revised

D.

The program uses non-customized training modules.

Question 23

When developing risk scenario using a list of generic scenarios based on industry best practices, it is MOST imported to:

Options:

A.

Assess generic risk scenarios with business users.

B.

Validate the generic risk scenarios for relevance.

C.

Select the maximum possible risk scenarios from the list.

D.

Identify common threats causing generic risk scenarios

Question 24

A segregation of duties control was found to be ineffective because it did not account for all applicable functions when evaluating access. Who is responsible for ensuring the control is designed to effectively address risk?

Options:

A.

Risk manager

B.

Control owner

C.

Control tester

D.

Risk owner

Question 25

Which risk response strategy could management apply to both positive and negative risk that has been identified?

Options:

A.

Transfer

B.

Accept

C.

Exploit

D.

Mitigate

Question 26

Which of the following would be the result of a significant increase in the motivation of a malicious threat actor?

Options:

A.

Increase in mitigating control costs

B.

Increase in risk event impact

C.

Increase in risk event likelihood

D.

Increase in cybersecurity premium

Question 27

Which of the following potential scenarios associated with the implementation of a new database technology presents the GREATEST risk to an organization?

Options:

A.

The organization may not have a sufficient number of skilled resources.

B.

Application and data migration cost for backups may exceed budget.

C.

Data may not be recoverable due to system failures.

D.

The database system may not be scalable in the future.

Question 28

When preparing a risk status report for periodic review by senior management, it is MOST important to ensure the report includes

Options:

A.

risk exposure in business terms

B.

a detailed view of individual risk exposures

C.

a summary of incidents that have impacted the organization.

D.

recommendations by an independent risk assessor.

Question 29

Which of the following issues found during the review of a newly created disaster recovery plan (DRP) should be of MOST concern?

Options:

A.

Some critical business applications are not included in the plan

B.

Several recovery activities will be outsourced

C.

The plan is not based on an internationally recognized framework

D.

The chief information security officer (CISO) has not approved the plan

Question 30

Which of the following is the MOST effective way to reduce potential losses due to ongoing expense fraud?

Options:

A.

Implement user access controls

B.

Perform regular internal audits

C.

Develop and communicate fraud prevention policies

D.

Conduct fraud prevention awareness training.

Question 31

Which of the following should be of GREATEST concern when reviewing the results of an independent control assessment to determine the effectiveness of a vendor's control environment?

Options:

A.

The report was provided directly from the vendor.

B.

The risk associated with multiple control gaps was accepted.

C.

The control owners disagreed with the auditor's recommendations.

D.

The controls had recurring noncompliance.

Question 32

Which of the following is the GREATEST benefit of centralizing IT systems?

Options:

A.

Risk reporting

B.

Risk classification

C.

Risk monitoring

D.

Risk identification

Question 33

Who should be responsible (of evaluating the residual risk after a compensating control has been

Options:

A.

Compliance manager

B.

Risk owner

C.

Control owner

D.

Risk practitioner

Question 34

Which of the following is the MOST important information to cover a business continuity awareness Ira nine, program for all employees of the organization?

Options:

A.

Recovery time objectives (RTOs)

B.

Segregation of duties

C.

Communication plan

D.

Critical asset inventory

Question 35

Which of the following is MOST important for successful incident response?

Options:

A.

The quantity of data logged by the attack control tools

B.

Blocking the attack route immediately

C.

The ability to trace the source of the attack

D.

The timeliness of attack recognition

Question 36

Which of the following is the BEST way to ensure adequate resources will be allocated to manage identified risk?

Options:

A.

Prioritizing risk within each business unit

B.

Reviewing risk ranking methodology

C.

Promoting an organizational culture of risk awareness

D.

Assigning risk ownership to appropriate roles

Question 37

Which of the following is the BEST method to mitigate the risk of an unauthorized employee viewing confidential data in a database''

Options:

A.

Implement role-based access control

B.

Implement a data masking process

C.

Include sanctions in nondisclosure agreements (NDAs)

D.

Install a data loss prevention (DLP) tool

Question 38

Which of the following is the PRIMARY objective of maintaining an information asset inventory?

Options:

A.

To provide input to business impact analyses (BIAs)

B.

To protect information assets

C.

To facilitate risk assessments

D.

To manage information asset licensing

Question 39

Which of the following should be used as the PRIMARY basis for evaluating the state of an organization's cloud computing environment against leading practices?

Options:

A.

The cloud environment's capability maturity model

B.

The cloud environment's risk register

C.

The cloud computing architecture

D.

The organization's strategic plans for cloud computing

Question 40

Which of the following BEST facilitates the identification of appropriate key performance indicators (KPIs) for a risk management program?

Options:

A.

Reviewing control objectives

B.

Aligning with industry best practices

C.

Consulting risk owners

D.

Evaluating KPIs in accordance with risk appetite

Question 41

A risk practitioner implemented a process to notify management of emergency changes that may not be approved. Which of the following is the BEST way to provide this information to management?

Options:

A.

Change logs

B.

Change management meeting minutes

C.

Key control indicators (KCIs)

D.

Key risk indicators (KRIs)

Question 42

When documenting a risk response, which of the following provides the STRONGEST evidence to support the decision?

Options:

A.

Verbal majority acceptance of risk by committee

B.

List of compensating controls

C.

IT audit follow-up responses

D.

A memo indicating risk acceptance

Question 43

An organization is considering outsourcing user administration controls tor a critical system. The potential vendor has offered to perform quarterly sett-audits of its controls instead of having annual independent audits. Which of the following should be of GREATEST concern to me risk practitioner?

Options:

A.

The controls may not be properly tested

B.

The vendor will not ensure against control failure

C.

The vendor will not achieve best practices

D.

Lack of a risk-based approach to access control

Question 44

When defining thresholds for control key performance indicators (KPIs). it is MOST helpful to align:

Options:

A.

information risk assessments with enterprise risk assessments.

B.

key risk indicators (KRIs) with risk appetite of the business.

C.

the control key performance indicators (KPIs) with audit findings.

D.

control performance with risk tolerance of business owners.

Question 45

Which of the following provides the MOST comprehensive information when developing a risk profile for a system?

Options:

A.

Results of a business impact analysis (BIA)

B.

Risk assessment results

C.

A mapping of resources to business processes

D.

Key performance indicators (KPIs)

Question 46

What is the BEST recommendation to reduce the risk associated with potential system compromise when a vendor stops releasing security patches and updates for a business-critical legacy system?

Options:

A.

Segment the system on its own network.

B.

Ensure regular backups take place.

C.

Virtualize the system in the cloud.

D.

Install antivirus software on the system.

Question 47

Which of the following situations presents the GREATEST challenge to creating a comprehensive IT risk profile of an organization?

Options:

A.

Manual vulnerability scanning processes

B.

Organizational reliance on third-party service providers

C.

Inaccurate documentation of enterprise architecture (EA)

D.

Risk-averse organizational risk appetite

Question 48

Which of the following would be of GREATEST concern regarding an organization's asset management?

Options:

A.

Lack of a mature records management program

B.

Lack of a dedicated asset management team

C.

Decentralized asset lists

D.

Incomplete asset inventory

Question 49

Which of the following is the BEST approach for selecting controls to minimize risk?

Options:

A.

Industry best practice review

B.

Risk assessment

C.

Cost-benefit analysis

D.

Control-effectiveness evaluation

Question 50

Which of the following is the result of a realized risk scenario?

Options:

A.

Technical event

B.

Threat event

C.

Vulnerability event

D.

Loss event

Question 51

Following an acquisition, the acquiring company's risk practitioner has been asked to update the organization's IT risk profile What is the MOST important information to review from the acquired company to facilitate this task?

Options:

A.

Internal and external audit reports

B.

Risk disclosures in financial statements

C.

Risk assessment and risk register

D.

Business objectives and strategies

Question 52

An organization is considering the adoption of an aggressive business strategy to achieve desired growth From a risk management perspective what should the risk practitioner do NEXT?

Options:

A.

Identify new threats resorting from the new business strategy

B.

Update risk awareness training to reflect current levels of risk appetite and tolerance

C.

Inform the board of potential risk scenarios associated with aggressive business strategies

D.

Increase the scale for measuring impact due to threat materialization

Question 53

Which of the following is MOST important for an organization to consider when developing its IT strategy?

Options:

A.

IT goals and objectives

B.

Organizational goals and objectives

C.

The organization's risk appetite statement

D.

Legal and regulatory requirements

Question 54

Which of the following is the MOST important objective from a cost perspective for considering aggregated risk responses in an organization?

Options:

A.

Prioritize risk response options

B.

Reduce likelihood.

C.

Address more than one risk response

D.

Reduce impact

Question 55

A global company s business continuity plan (BCP) requires the transfer of its customer information….

event of a disaster. Which of the following should be the MOST important risk consideration?

Options:

A.

The difference In the management practices between each company

B.

The cloud computing environment is shared with another company

C.

The lack of a service level agreement (SLA) in the vendor contract

D.

The organizational culture differences between each country

Question 56

An organization recently configured a new business division Which of the following is MOST likely to be affected?

Options:

A.

Risk profile

B.

Risk culture

C.

Risk appetite

D.

Risk tolerance

Question 57

Senior management wants to increase investment in the organization's cybersecurity program in response to changes in the external threat landscape. Which of the following would BEST help to prioritize investment efforts?

Options:

A.

Analyzing cyber intelligence reports

B.

Engaging independent cybersecurity consultants

C.

Increasing the frequency of updates to the risk register

D.

Reviewing the outcome of the latest security risk assessment

Question 58

Which of the following is MOST important information to review when developing plans for using emerging technologies?

Options:

A.

Existing IT environment

B.

IT strategic plan

C.

Risk register

D.

Organizational strategic plan

Question 59

A multinational organization is considering implementing standard background checks to' all new employees A KEY concern regarding this approach

Options:

A.

fail to identity all relevant issues.

B.

be too costly

C.

violate laws in other countries

D.

be too line consuming

Question 60

Which of the following is MOST important for senior management to review during an acquisition?

Options:

A.

Risk appetite and tolerance

B.

Risk framework and methodology

C.

Key risk indicator (KRI) thresholds

D.

Risk communication plan

Question 61

In order to efficiently execute a risk response action plan, it is MOST important for the emergency response team members to understand:

Options:

A.

system architecture in target areas.

B.

IT management policies and procedures.

C.

business objectives of the organization.

D.

defined roles and responsibilities.

Question 62

Which of the following is the BEST course of action when an organization wants to reduce likelihood in order to reduce a risk level?

Options:

A.

Monitor risk controls.

B.

Implement preventive measures.

C.

Implement detective controls.

D.

Transfer the risk.

Question 63

Which of the following is the MOST important outcome of a business impact analysis (BIA)?

Options:

A.

Understanding and prioritization of critical processes

B.

Completion of the business continuity plan (BCP)

C.

Identification of regulatory consequences

D.

Reduction of security and business continuity threats

Question 64

Which of the following will BEST help to ensure new IT policies address the enterprise's requirements?

Options:

A.

involve IT leadership in the policy development process

B.

Require business users to sign acknowledgment of the poises

C.

involve business owners in the pokey development process

D.

Provide policy owners with greater enforcement authority

Question 65

Of the following, who is responsible for approval when a change in an application system is ready for release to production?

Options:

A.

Information security officer

B.

IT risk manager

C.

Business owner

D.

Chief risk officer (CRO)

Question 66

What is the PRIMARY reason an organization should include background checks on roles with elevated access to production as part of its hiring process?

Options:

A.

Reduce internal threats

B.

Reduce exposure to vulnerabilities

C.

Eliminate risk associated with personnel

D.

Ensure new hires have the required skills

Question 67

To define the risk management strategy which of the following MUST be set by the board of directors?

Options:

A.

Operational strategies

B.

Risk governance

C.

Annualized loss expectancy (ALE)

D.

Risk appetite

Question 68

A risk practitioner is utilizing a risk heat map during a risk assessment. Risk events that are coded with the same color will have a similar:

Options:

A.

risk score

B.

risk impact

C.

risk response

D.

risk likelihood.

Question 69

Which of the following is MOST important to consider before determining a response to a vulnerability?

Options:

A.

The likelihood and impact of threat events

B.

The cost to implement the risk response

C.

Lack of data to measure threat events

D.

Monetary value of the asset

Question 70

Which of the following is the BEST approach for an organization in a heavily regulated industry to comprehensively test application functionality?

Options:

A.

Use production data in a non-production environment

B.

Use masked data in a non-production environment

C.

Use test data in a production environment

D.

Use anonymized data in a non-production environment

Question 71

Which of the following is the BEST indicator of executive management's support for IT risk mitigation efforts?

Options:

A.

The number of stakeholders involved in IT risk identification workshops

B.

The percentage of corporate budget allocated to IT risk activities

C.

The percentage of incidents presented to the board

D.

The number of executives attending IT security awareness training

Question 72

Who is BEST suited to provide objective input when updating residual risk to reflect the results of control effectiveness?

Options:

A.

Control owner

B.

Risk owner

C.

Internal auditor

D.

Compliance manager

Question 73

Which of the following, who should be PRIMARILY responsible for performing user entitlement reviews?

Options:

A.

IT security manager

B.

IT personnel

C.

Data custodian

D.

Data owner

Question 74

Which of the following provides the MOST useful information for developing key risk indicators (KRIs)?

Options:

A.

Business impact analysis (BIA) results

B.

Risk scenario ownership

C.

Risk thresholds

D.

Possible causes of materialized risk

Question 75

Which of the following is the PRIMARY reason to perform periodic vendor risk assessments?

Options:

A.

To provide input to the organization's risk appetite

B.

To monitor the vendor's control effectiveness

C.

To verify the vendor's ongoing financial viability

D.

To assess the vendor's risk mitigation plans

Question 76

Recovery the objectives (RTOs) should be based on

Options:

A.

minimum tolerable downtime

B.

minimum tolerable loss of data.

C.

maximum tolerable downtime.

D.

maximum tolerable loss of data

Question 77

Which of the following management action will MOST likely change the likelihood rating of a risk scenario related to remote network access?

Options:

A.

Updating the organizational policy for remote access

B.

Creating metrics to track remote connections

C.

Implementing multi-factor authentication

D.

Updating remote desktop software

Question 78

Which of the following would be the GREATEST concern for an IT risk practitioner when an employees.....

Options:

A.

The organization's structure has not been updated

B.

Unnecessary access permissions have not been removed.

C.

Company equipment has not been retained by IT

D.

Job knowledge was not transferred to employees m the former department

Question 79

The MAIN purpose of selecting a risk response is to.

Options:

A.

ensure compliance with local regulatory requirements

B.

demonstrate the effectiveness of risk management practices.

C.

ensure organizational awareness of the risk level

D.

mitigate the residual risk to be within tolerance

Question 80

Which of the following will BEST help to ensure implementation of corrective action plans?

Options:

A.

Establishing employee awareness training

B.

Assigning accountability to risk owners

C.

Selling target dates to complete actions

D.

Contracting to third parties

Question 81

Which of the following is the MOST important concern when assigning multiple risk owners for an identified risk?

Options:

A.

Accountability may not be clearly defined.

B.

Risk ratings may be inconsistently applied.

C.

Different risk taxonomies may be used.

D.

Mitigation efforts may be duplicated.

Question 82

Which of the following presents the GREATEST challenge to managing an organization's end-user devices?

Options:

A.

Incomplete end-user device inventory

B.

Unsupported end-user applications

C.

Incompatible end-user devices

D.

Multiple end-user device models

Question 83

Which organization is implementing a project to automate the purchasing process, including the modification of approval controls. Which of the following tasks is lie responsibility of the risk practitioner*?

Options:

A.

Verify that existing controls continue to properly mitigate defined risk

B.

Test approval process controls once the project is completed

C.

Update the existing controls for changes in approval processes from this project

D.

Perform a gap analysis of the impacted control processes

Question 84

Which of the following is the MOST important key performance indicator (KPI) to monitor the effectiveness of disaster recovery processes?

Options:

A.

Percentage of IT systems recovered within the mean time to restore (MTTR) during the disaster recovery test

B.

Percentage of issues arising from the disaster recovery test resolved on time

C.

Percentage of IT systems included in the disaster recovery test scope

D.

Percentage of IT systems meeting the recovery time objective (RTO) during the disaster recovery test

Question 85

Which of the following contributes MOST to the effective implementation of risk responses?

Options:

A.

Clear understanding of the risk

B.

Comparable industry risk trends

C.

Appropriate resources

D.

Detailed standards and procedures

Question 86

Which of the following is the MOST important consideration when communicating the risk associated with technology end-of-life to business owners?

Options:

A.

Cost and benefit

B.

Security and availability

C.

Maintainability and reliability

D.

Performance and productivity

Question 87

Which of the following is MOST helpful in defining an early-warning threshold associated with insufficient network bandwidth’’?

Options:

A.

Average bandwidth usage

B.

Peak bandwidth usage

C.

Total bandwidth usage

D.

Bandwidth used during business hours

Question 88

An organization has made a decision to purchase a new IT system. During when phase of the system development life cycle (SDLC) will identified risk MOST likely lead to architecture and design trade-offs?

Options:

A.

Acquisition

B.

Implementation

C.

Initiation

D.

Operation and maintenance

Question 89

Which of The following BEST represents the desired risk posture for an organization?

Options:

A.

Inherent risk is lower than risk tolerance.

B.

Operational risk is higher than risk tolerance.

C.

Accepted risk is higher than risk tolerance.

D.

Residual risk is lower than risk tolerance.

Question 90

An organization has used generic risk scenarios to populate its risk register. Which of the following presents the GREATEST challenge to assigning of the associated risk entries?

Options:

A.

The volume of risk scenarios is too large

B.

Risk aggregation has not been completed

C.

Risk scenarios are not applicable

D.

The risk analysts for each scenario is incomplete

Question 91

An organization control environment is MOST effective when:

Options:

A.

control designs are reviewed periodically

B.

controls perform as intended.

C.

controls are implemented consistently.

D.

controls operate efficiently

Question 92

An internal audit report reveals that a legacy system is no longer supported Which of the following is the risk practitioner's MOST important action before recommending a risk response'

Options:

A.

Review historical application down me and frequency

B.

Assess the potential impact and cost of mitigation

C.

identify other legacy systems within the organization

D.

Explore the feasibility of replacing the legacy system

Question 93

The PRIMARY objective of collecting information and reviewing documentation when performing periodic risk analysis should be to:

Options:

A.

Identify new or emerging risk issues.

B.

Satisfy audit requirements.

C.

Survey and analyze historical risk data.

D.

Understand internal and external threat agents.

Question 94

Which of the following is the BEST way to help ensure risk will be managed properly after a business process has been re-engineered?

Options:

A.

Reassessing control effectiveness of the process

B.

Conducting a post-implementation review to determine lessons learned

C.

Reporting key performance indicators (KPIs) for core processes

D.

Establishing escalation procedures for anomaly events

Question 95

Which of the following is the MOST useful information for a risk practitioner when planning response activities after risk identification?

Options:

A.

Risk register

B.

Risk appetite

C.

Risk priorities

D.

Risk heat maps

Question 96

Within the three lines of defense model, the responsibility for managing risk and controls resides with:

Options:

A.

operational management.

B.

the risk practitioner.

C.

the internal auditor.

D.

executive management.

Question 97

Who should be responsible for approving the cost of controls to be implemented for mitigating risk?

Options:

A.

Risk practitioner

B.

Risk owner

C.

Control owner

D.

Control implementer

Question 98

Which strategy employed by risk management would BEST help to prevent internal fraud?

Options:

A.

Require control owners to conduct an annual control certification.

B.

Conduct regular internal and external audits on the systems supporting financial reporting.

C.

Ensure segregation of duties are implemented within key systems or processes.

D.

Require the information security officer to review unresolved incidents.

Question 99

During the creation of an organization's IT risk management program, the BEST time to identify key risk indicators (KRIs) is while:

Options:

A.

Interviewing data owners

B.

Reviewing risk response plans with internal audit

C.

Developing a risk monitoring process

D.

Reviewing an external risk assessment

Question 100

Which of the following observations from a third-party service provider review would be of GREATEST concern to a risk practitioner?

Options:

A.

Service level agreements (SLAs) have not been met over the last quarter.

B.

The service contract is up for renewal in less than thirty days.

C.

Key third-party personnel have recently been replaced.

D.

Monthly service charges are significantly higher than industry norms.

Question 101

A business impact analysis (BIA) has documented the duration of maximum allowable outage for each of an organization's applications. Which of the following MUST be aligned with the maximum allowable outage?

Options:

A.

Mean time to restore (MTTR)

B.

Recovery time objective (RTO)

C.

Recovery point objective (RPO)

D.

Mean time to detect (MTTD)

Question 102

A risk action plan has been changed during the risk mitigation effort. Which of the following is MOST important for the risk practitioner to verify?

Options:

A.

Impact of the change on inherent risk

B.

Approval for the change by the risk owner

C.

Business rationale for the change

D.

Risk to the mitigation effort due to the change

Question 103

Which of the following BEST helps to mitigate risk associated with excessive access by authorized users?

Options:

A.

Monitoring user activity using security logs

B.

Revoking access for users changing roles

C.

Granting access based on least privilege

D.

Conducting periodic reviews of authorizations granted

Question 104

Risk mitigation is MOST effective when which of the following is optimized?

Options:

A.

Operational risk

B.

Residual risk

C.

Inherent risk

D.

Regulatory risk

Question 105

Which process is MOST effective to determine relevance of threats for risk scenarios?

Options:

A.

Vulnerability assessment

B.

Business impact analysis (BIA)

C.

Penetration testing

D.

Root cause analysis

Question 106

Which of the following BEST enables the integration of IT risk management across an organization?

Options:

A.

Enterprise risk management (ERM) framework

B.

Enterprise-wide risk awareness training

C.

Robust risk reporting practices

D.

Risk management policies

Question 107

Which of the following is the MOST important update for keeping the risk register current?

Options:

A.

Modifying organizational structures when lines of business merge

B.

Adding new risk assessment results annually

C.

Retiring risk scenarios that have been avoided

D.

Changing risk owners due to employee turnover

Question 108

Which of the following should be done FIRST upon learning that the organization will be affected by a new regulation in its industry?

Options:

A.

Transfer the risk.

B.

Perform a gap analysis.

C.

Determine risk appetite for the new regulation.

D.

Implement specific monitoring controls.

Question 109

A risk practitioner has been asked to evaluate a new cloud-based service to enhance an organization's access management capabilities. When is the BEST time for the risk practitioner to provide opinions on control strength?

Options:

A.

After the initial design

B.

Before production rollout

C.

After a few weeks in use

D.

Before end-user testing

Question 110

Which of the following is the PRIMARY risk management responsibility of the third line of defense?

Options:

A.

Providing assurance of the effectiveness of risk management activities

B.

Providing guidance on the design of effective controls

C.

Providing advisory services on enterprise risk management (ERM)

D.

Providing benchmarking on other organizations' risk management programs

Question 111

A recent regulatory requirement has the potential to affect an organization's use of a third party to supply outsourced business services. Which of the following is the BEST course of action?

Options:

A.

Conduct a gap analysis.

B.

Terminate the outsourcing agreement.

C.

Identify compensating controls.

D.

Transfer risk to the third party.

Question 112

Which of the following is the MOST important reason to restrict access to the risk register on a need-to-know basis?

Options:

A.

It contains vulnerabilities and threats.

B.

The risk methodology is intellectual property.

C.

Contents may be used as auditable findings.

D.

Risk scenarios may be misinterpreted.

Question 113

Zero Trust architecture is designed and deployed with adherence to which of the following basic tenets?

Options:

A.

Incoming traffic must be inspected before connection is established.

B.

Security frameworks and libraries should be leveraged.

C.

Digital identities should be implemented.

D.

All communication is secured regardless of network location.

Question 114

A robotic process automation (RPA) project has implemented new robots to enhance the efficiency of a sales business process. Which of the following provides the BEST evidence that the new controls have been implemented successfully?

Options:

A.

A post-implementation review has been conducted by key personnel.

B.

A qualified independent party assessed the new controls as effective.

C.

Senior management has signed off on the design of the controls.

D.

Robots have operated without human interference on a daily basis.

Question 115

A risk practitioner's BEST guidance to help an organization develop relevant risk scenarios is to ensure the scenarios are:

Options:

A.

Aligned with risk management capabilities.

B.

Based on industry trends.

C.

Related to probable events.

D.

Mapped to incident response plans.

Question 116

An organization has built up its cash reserves and has now become financially able to support additional risk while meeting its objectives. What is this change MOST likely to impact?

Options:

A.

Risk profile

B.

Risk capacity

C.

Risk indicators

D.

Risk tolerance

Question 117

Which of the following would BEST prevent an unscheduled application of a patch?

Options:

A.

Network-based access controls

B.

Compensating controls

C.

Segregation of duties

D.

Change management

Question 118

Which of the following is the MOST critical consideration when awarding a project to a third-party service provider whose servers are located offshore?

Options:

A.

Difficulty of monitoring compliance due to geographical distance

B.

Cost implications due to installation of network intrusion detection systems (IDSs)

C.

Delays in incident communication

D.

Potential impact on data governance

Question 119

Which of the following scenarios is MOST important to communicate to senior management?

Options:

A.

Accepted risk scenarios with detailed plans for monitoring

B.

Risk scenarios that have been shared with vendors and third parties

C.

Accepted risk scenarios with impact exceeding the risk tolerance

D.

Risk scenarios that have been identified, assessed, and responded to by the risk owners

Question 120

When classifying and prioritizing risk responses, the areas to address FIRST are those with:

Options:

A.

low cost effectiveness ratios and high risk levels

B.

high cost effectiveness ratios and low risk levels.

C.

high cost effectiveness ratios and high risk levels

D.

low cost effectiveness ratios and low risk levels.

Question 121

Which of the following presents the GREATEST security risk associated with Internet of Things (IoT) technology?

Options:

A.

The inability to monitor via network management solutions

B.

The lack of relevant IoT security frameworks to guide the risk assessment process

C.

The heightened level of IoT threats via the widespread use of smart devices

D.

The lack of updates for vulnerable firmware

Question 122

Which of the following should be the MOST important consideration when determining controls necessary for a highly critical information system?

Options:

A.

The number of threats to the system

B.

The organization's available budget

C.

The number of vulnerabilities to the system

D.

The level of acceptable risk to the organization

Question 123

Which of the following would MOST effectively reduce the potential for inappropriate exposure of vulnerabilities documented in an organization's risk register?

Options:

A.

Limit access to senior management only.

B.

Encrypt the risk register.

C.

Implement role-based access.

D.

Require users to sign a confidentiality agreement.

Question 124

Which of the following is the GREATEST benefit of using IT risk scenarios?

Options:

A.

They support compliance with regulations.

B.

They provide evidence of risk assessment.

C.

They facilitate communication of risk.

D.

They enable the use of key risk indicators (KRls)

Question 125

A risk practitioner has been notified of a social engineering attack using artificial intelligence (Al) technology to impersonate senior management personnel. Which of the following would BEST mitigate the impact of such attacks?

Options:

A.

Training and awareness of employees for increased vigilance

B.

Increased monitoring of executive accounts

C.

Subscription to data breach monitoring sites

D.

Suspension and takedown of malicious domains or accounts

Question 126

An organization has updated its acceptable use policy to mitigate the risk of employees disclosing confidential information. Which of the following is the BEST way to reinforce the effectiveness of this policy?

Options:

A.

Communicate sanctions for policy violations to all staff.

B.

Obtain signed acceptance of the new policy from employees.

C.

Train all staff on relevant information security best practices.

D.

Implement data loss prevention (DLP) within the corporate network.

Question 127

An assessment of information security controls has identified ineffective controls. Which of the following should be the risk practitioner's FIRST course of action?

Options:

A.

Determine whether the impact is outside the risk appetite.

B.

Report the ineffective control for inclusion in the next audit report.

C.

Request a formal acceptance of risk from senior management.

D.

Deploy a compensating control to address the identified deficiencies.

Question 128

Which of the following is the BEST way to determine the value of information assets for risk management purposes?

Options:

A.

Assess the loss impact if the information is inadvertently disclosed.

B.

Calculate the overhead required to keep the information secure throughout its life cycle.

C.

Calculate the replacement cost of obtaining the information from alternate sources.

D.

Assess the market value offered by consumers of the information.

Question 129

A migration from an in-house developed system to an external cloud-based solution is affecting a previously rated key risk scenario related to payroll processing. Which part of the risk register should be updated FIRST?

Options:

A.

Payroll system risk factors

B.

Payroll system risk mitigation plans

C.

Payroll process owner

D.

Payroll administrative controls

Question 130

Which of the following is the PRIMARY benefit of consistently recording risk assessment results in the risk register?

Options:

A.

Assessment of organizational risk appetite

B.

Compliance with best practice

C.

Accountability for loss events

D.

Accuracy of risk profiles

Question 131

Which of the following is the GREATEST concern when using artificial intelligence (AI) language models?

Options:

A.

The model could be hacked or exploited.

B.

The model could be used to generate inaccurate content.

C.

Staff could become overly reliant on the model.

D.

It could lead to biased recommendations.

Question 132

An organization is increasingly concerned about loss of sensitive data and asks the risk practitioner to assess the current risk level. Which of the following should the risk practitioner do FIRST?

Options:

A.

Review assignments of data ownership for key assets.

B.

Identify staff who have access to the organization’s sensitive data.

C.

Identify recent and historical incidents involving data loss.

D.

Review the organization's data inventory.

Question 133

Which of the following should be a risk practitioner's NEXT step after learning of an incident that has affected a competitor?

Options:

A.

Activate the incident response plan.

B.

Implement compensating controls.

C.

Update the risk register.

D.

Develop risk scenarios.

Question 134

An organization has outsourced its customer management database to an external service provider. Of the following, who should be accountable for ensuring customer data privacy?

Options:

A.

The organization's business process owner

B.

The organization's information security manager

C.

The organization's vendor management officer

D.

The vendor's risk manager

Question 135

Who is MOST important lo include in the assessment of existing IT risk scenarios?

Options:

A.

Technology subject matter experts

B.

Business process owners

C.

Business users of IT systems

D.

Risk management consultants

Question 136

Which of the following should be of MOST concern to a risk practitioner reviewing the system development life cycle (SDLC)?

Options:

A.

Testing is completed in phases, with user testing scheduled as the final phase.

B.

Segregation of duties controls are overridden during user testing phases.

C.

Data anonymization is used during all cycles of end-user testing.

D.

Testing is completed by IT support users without input from end users.

Question 137

When creating a separate IT risk register for a large organization, which of the following is MOST important to consider with regard to the existing corporate risk 'register?

Options:

A.

Leveraging business risk professionals

B.

Relying on generic IT risk scenarios

C.

Describing IT risk in business terms

D.

Using a common risk taxonomy

Question 138

The cost of maintaining a control has grown to exceed the potential loss. Which of the following BEST describes this situation?

Options:

A.

Insufficient risk tolerance

B.

Optimized control management

C.

Effective risk management

D.

Over-controlled environment

Question 139

An organization has adopted an emerging technology without following proper processes. Which of the following is the risk practitioner's BEST course of action to address this risk?

Options:

A.

Accept the risk because the technology has already been adopted.

B.

Propose a transfer of risk to a third party with subsequent monitoring.

C.

Conduct a risk assessment to determine risk exposure.

D.

Recommend to senior management to decommission the technology.

Question 140

A risk practitioner discovers that an IT operations team manager bypassed web filtering controls by using a mobile device, in violation of the network security policy. Which of the following should the risk practitioner do FIRST?

Options:

A.

Report the incident.

B.

Plan a security awareness session.

C.

Assess the new risk.

D.

Update the risk register.

Question 141

Which of the following provides the MOST reliable evidence to support conclusions after completing an information systems controls assessment?

Options:

A.

Risk and control self-assessment (CSA) reports

B.

Information generated by the systems

C.

Control environment narratives

D.

Confirmation from industry peers

Question 142

Which of the following should be the PRIMARY basis for deciding whether to disclose information related to risk events that impact external stakeholders?

Options:

A.

Stakeholder preferences

B.

Contractual requirements

C.

Regulatory requirements

D.

Management assertions

Question 143

An organization needs to send files to a business partner to perform a quality control audit on the organization’s record-keeping processes. The files include personal information on the organization's customers. Which of the following is the BEST recommendation to mitigate privacy risk?

Options:

A.

Obfuscate the customers’ personal information.

B.

Require the business partner to delete personal information following the audit.

C.

Use a secure channel to transmit the files.

D.

Ensure the contract includes provisions for sharing personal information.

Question 144

The MOST important measure of the effectiveness of risk management in project implementation is the percentage of projects:

Options:

A.

introduced into production without high-risk issues.

B.

having the risk register updated regularly.

C.

having key risk indicators (KRIs) established to measure risk.

D.

having an action plan to remediate overdue issues.

Question 145

Which of the following is a risk practitioner's BEST recommendation to help reduce IT risk associated with scheduling overruns when starting a new application development project?

Options:

A.

Implement a tool to track the development team's deliverables.

B.

Review the software development life cycle.

C.

Involve the development team in planning.

D.

Assign more developers to the project team.

Question 146

The software version of an enterprise's critical business application has reached end-of-life and is no longer supported by the vendor. IT has decided to develop an in-house replacement application. Which of the following should be the PRIMARY concern?

Options:

A.

The system documentation is not available.

B.

Enterprise risk management (ERM) has not approved the decision.

C.

The board of directors has not approved the decision.

D.

The business process owner is not an active participant.

Question 147

Which of the following will MOST likely change as a result of the decrease in risk appetite due to a new privacy regulation?

Options:

A.

Key risk indicator (KRI) thresholds

B.

Risk trends

C.

Key performance indicators (KPIs)

D.

Risk objectives

Question 148

An organization recently implemented a machine learning-based solution to monitor IT usage and analyze user behavior in an effort to detect internal fraud. Which of the following is MOST likely to be reassessed as a result of this initiative?

Options:

A.

Risk likelihood

B.

Risk culture

C.

Risk appetite

D.

Risk capacity

Question 149

Which of the following is the BEST approach when a risk treatment plan cannot be completed on time?

Options:

A.

Implement compensating controls until the preferred action can be completed.

B.

Develop additional key risk indicators (KRIs) until the preferred action can be completed.

C.

Replace the action owner with a more experienced individual.

D.

Change the risk response strategy of the relevant risk to risk avoidance.

Question 150

Which of the following factors will have the GREATEST impact on the implementation of a risk mitigation strategy for an organization?

Options:

A.

Cost-benefit analysis

B.

Risk tolerance

C.

Known vulnerabilities

D.

Cyber insurance

Question 151

An organization has outsourced its backup and recovery procedures to a third-party cloud provider. Which of the following should be the risk practitioner's NEXT course of action?

Options:

A.

Remove the associated risk from the register.

B.

Validate control effectiveness and update the risk register.

C.

Review the contract and service level agreements (SLAs).

D.

Obtain an assurance report from the third-party provider.

Question 152

Which of the following activities should only be performed by the third line of defense?

Options:

A.

Operating controls for risk mitigation

B.

Testing the effectiveness and efficiency of internal controls

C.

Providing assurance on risk management processes

D.

Recommending risk treatment options

Question 153

What is senior management's role in the RACI model when tasked with reviewing monthly status reports provided by risk owners?

Options:

A.

Accountable

B.

Informed

C.

Responsible

D.

Consulted

Question 154

Which of the following is the MOST significant indicator of the need to perform a penetration test?

Options:

A.

An increase in the number of high-risk audit findings

B.

An increase in the number of security incidents

C.

An increase in the percentage of turnover in IT personnel

D.

An increase in the number of infrastructure changes

Question 155

Which of the following is MOST important to update following a change in organizational risk appetite and tolerance?

Options:

A.

Business impact assessment (BIA)

B.

Key performance indicators (KPIs)

C.

Risk profile

D.

Industry benchmark analysis

Question 156

Which of the following should be the FIRST course of action if the risk associated with a new technology is found to be increasing?

Options:

A.

Re-evaluate current controls.

B.

Revise the current risk action plan.

C.

Escalate the risk to senior management.

D.

Implement additional controls.

Question 157

When confirming whether implemented controls are operating effectively, which of the following is MOST important to review?

Options:

A.

Results of benchmarking studies

B.

Results of risk assessments

C.

Number of emergency change requests

D.

Maturity model

Question 158

Which of the following should be the PRIMARY driver for the prioritization of risk responses?

Options:

A.

Residual risk

B.

Risk appetite

C.

Mitigation cost

D.

Inherent risk

Question 159

An organization operates in an environment where the impact of ransomware attacks is high, with a low likelihood. After quantifying the impact of the risk associated with ransomware attacks exceeds the organization's risk appetite and tolerance, which of the following is the risk practitioner's BEST recommendation?

Options:

A.

Obtain adequate cybersecurity insurance coverage.

B.

Ensure business continuity assessments are up to date.

C.

Adjust the organization's risk appetite and tolerance.

D.

Obtain certification to a global information security standard.

Question 160

An organization has been made aware of a newly discovered critical vulnerability in a regulatory reporting system. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Perform an impact assessment.

B.

Perform a penetration test.

C.

Request an external audit.

D.

Escalate the risk to senior management.

Question 161

In addition to the risk exposure, which of the following is MOST important for senior management to understand prior to approving the use of artificial intelligence (Al) solutions?

Options:

A.

Potential benefits from use of Al solutions

B.

Monitoring techniques required for AI solutions

C.

Changes to existing infrastructure to support Al solutions

D.

Skills required to support Al solutions

Question 162

Which of the following is the GREATEST concern associated with the use of artificial intelligence (AI) language models?

Options:

A.

The model could be hacked or exploited.

B.

The model could be used to generate inaccurate content.

C.

Staff could become overly reliant on the model.

D.

It could lead to biased recommendations.

Question 163

A penetration test reveals several vulnerabilities in a web-facing application. Which of the following should be the FIRST step in selecting a risk response?

Options:

A.

Correct the vulnerabilities to mitigate potential risk exposure.

B.

Develop a risk response action plan with key stakeholders.

C.

Assess the level of risk associated with the vulnerabilities.

D.

Communicate the vulnerabilities to the risk owner.

Question 164

Which group has PRIMARY ownership of reputational risk stemming from unethical behavior within the organization?

Options:

A.

Board of directors

B.

Human resources (HR)

C.

Risk management committee

D.

Audit committee

Question 165

An incentive program is MOST likely implemented to manage the risk associated with loss of which organizational asset?

Options:

A.

Employees

B.

Data

C.

Reputation

D.

Customer lists

Question 166

Which of the following criteria for assigning owners to IT risk scenarios provides the GREATEST benefit to an organization?

Options:

A.

The risk owner understands the effect of loss events on business operations.

B.

The risk owner is a member of senior leadership in the IT organization.

C.

The risk owner has strong technical aptitude across multiple business systems.

D.

The risk owner has extensive risk management experience.

Question 167

Who is accountable for authorizing application access in a cloud Software as a Service (SaaS) solution?

Options:

A.

Cloud service provider

B.

IT department

C.

Senior management

D.

Business unit owner

Question 168

Which of the following is the BEST metric to demonstrate the effectiveness of an organization's patch management process?

Options:

A.

Average time to implement patches after vendor release

B.

Number of patches tested prior to deployment

C.

Increase in the frequency of patches deployed into production

D.

Percent of patches implemented within established timeframe

Question 169

Which of the following BEST helps to mitigate risk associated with excessive access by authorized users?

Options:

A.

Conducting periodic reviews of authorizations granted

B.

Revoking access for users changing roles

C.

Monitoring user activity using security logs

D.

Granting access based on least privilege

Question 170

A risk practitioner has established that a particular control is working as desired, but the annual cost of maintenance has increased and now exceeds the expected annual loss exposure. The result is that the control is:

Options:

A.

mature

B.

ineffective.

C.

optimized.

D.

inefficient.

Question 171

Which of the following is the PRIMARY objective of aggregating the impact of IT risk scenarios and reflecting the results in the enterprise risk register?

Options:

A.

To ensure IT risk appetite is communicated across the organization

B.

To ensure IT risk impact can be compared to the IT risk appetite

C.

To ensure IT risk ownership is assigned at the appropriate organizational level

D.

To ensure IT risk scenarios are consistently assessed within the organization

Question 172

Which of the following is the MOST important for an organization to have in place to ensure IT asset protection?

Options:

A.

Procedures for risk assessments on IT assets

B.

An IT asset management checklist

C.

An IT asset inventory populated by an automated scanning tool

D.

A plan that includes processes for the recovery of IT assets

Question 173

Reviewing which of the following would provide the MOST useful information when preparing to evaluate the effectiveness of existing controls?

Options:

A.

Previous audit reports

B.

Control objectives

C.

Risk responses in the risk register

D.

Changes in risk profiles

Question 174

A risk practitioner's BEST guidance to help an organization develop relevant risk scenarios is to ensure the scenarios are:

Options:

A.

based on industry trends.

B.

mapped to incident response plans.

C.

related to probable events.

D.

aligned with risk management capabilities.

Question 175

Which organizational role should be accountable for ensuring information assets are appropriately classified?

Options:

A.

Data protection officer

B.

Chief information officer (CIO)

C.

Information asset custodian

D.

Information asset owner

Question 176

Which of the following is MOST important requirement to include in a Software as a Service (SaaS) vendor contract to ensure data is protected?

Options:

A.

The vendor must provide periodic independent assurance reports.

B.

The vendor must host data in a specific geographic location.

C.

The vendor must be held liable for regulatory fines for failure to protect data.

D.

The vendor must participate in an annual vendor performance review.

Question 177

Which of the following BEST enables the timely detection of changes in the security control environment?

Options:

A.

Control self-assessment (CSA)

B.

Log analysis

C.

Security control reviews

D.

Random sampling checks

Question 178

Which of the following BEST enables detection of ethical violations committed by employees?

Options:

A.

Transaction log monitoring

B.

Whistleblower program

C.

Access control attestation

D.

Periodic job rotation

Question 179

An organization has committed to a business initiative with the knowledge that the risk exposure is higher than the risk appetite. Which of the following is the risk practitioner's MOST important action related to this decision?

Options:

A.

Recommend rejection of the initiative.

B.

Change the level of risk appetite.

C.

Document formal acceptance of the risk.

D.

Initiate a reassessment of the risk.

Question 180

Which of the following is the MOST effective way to help ensure future risk levels do not exceed the organization's risk appetite?

Options:

A.

Establishing a series of key risk indicators (KRIs).

B.

Adding risk triggers to entries in the risk register.

C.

Implementing key performance indicators (KPIs).

D.

Developing contingency plans for key processes.

Question 181

A risk practitioner has been notified of a social engineering attack using artificial intelligence (AI) technology to impersonate senior management personnel. Which of the following would BEST mitigate the impact of such attacks?

Options:

A.

Subscription to data breach monitoring sites

B.

Suspension and takedown of malicious domains or accounts

C.

Increased monitoring of executive accounts

D.

Training and awareness of employees for increased vigilance

Question 182

An organization's IT team has proposed the adoption of cloud computing as a cost-saving measure for the business. Which of the following should be of GREATEST concern to the risk practitioner?

Options:

A.

Due diligence for the recommended cloud vendor has not been performed.

B.

The business can introduce new Software as a Service (SaaS) solutions without IT approval.

C.

The maintenance of IT infrastructure has been outsourced to an Infrastructure as a Service (laaS) provider.

D.

Architecture responsibilities may not be clearly defined.

Question 183

A risk practitioner finds that data has been misclassified. Which of the following is the GREATEST concern?

Options:

A.

Unauthorized access

B.

Data corruption

C.

Inadequate retention schedules

D.

Data disruption

Question 184

The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for:

Options:

A.

data classification and labeling.

B.

data logging and monitoring.

C.

data retention and destruction.

D.

data mining and analytics.

Question 185

Which of the following provides the MOST useful information to trace the impact of aggregated risk across an organization's technical environment?

Options:

A.

Business case documentation

B.

Organizational risk appetite statement

C.

Enterprise architecture (EA) documentation

D.

Organizational hierarchy

Question 186

Which of the following is the PRIMARY reason to engage business unit managers in risk management processes'?

Options:

A.

Improved alignment will technical risk

B.

Better-informed business decisions

C.

Enhanced understanding of enterprise architecture (EA)

D.

Improved business operations efficiency

Question 187

Which of the following provides the BEST evidence that robust risk management practices are in place within an organization?

Options:

A.

A management-approved risk dashboard

B.

A current control framework

C.

A regularly updated risk register

D.

Regularly updated risk management procedures

Question 188

Which of the following is the BEST recommendation to address recent IT risk trends that indicate social engineering attempts are increasing in the organization?

Options:

A.

Conduct a simulated phishing attack.

B.

Update spam filters

C.

Revise the acceptable use policy

D.

Strengthen disciplinary procedures

Question 189

Which of the following is MOST important to consider when determining the value of an asset during the risk identification process?

Options:

A.

The criticality of the asset

B.

The monetary value of the asset

C.

The vulnerability profile of the asset

D.

The size of the asset's user base

Question 190

Which of the following is the BEST recommendation when a key risk indicator (KRI) is generating an excessive volume of events?

Options:

A.

Reevaluate the design of the KRIs.

B.

Develop a corresponding key performance indicator (KPI).

C.

Monitor KRIs within a specific timeframe.

D.

Activate the incident response plan.

Question 191

A risk assessment has identified that departments have installed their own WiFi access points on the enterprise network. Which of the following would be MOST important to include in a report to senior management?

Options:

A.

The network security policy

B.

Potential business impact

C.

The WiFi access point configuration

D.

Planned remediation actions

Question 192

An organization is planning to engage a cloud-based service provider for some of its data-intensive business processes. Which of the following is MOST important to help define the IT risk associated with this outsourcing activity?

Options:

A.

Service level agreement

B.

Customer service reviews

C.

Scope of services provided

D.

Right to audit the provider

Question 193

The PRIMARY advantage of implementing an IT risk management framework is the:

Options:

A.

establishment of a reliable basis for risk-aware decision making.

B.

compliance with relevant legal and regulatory requirements.

C.

improvement of controls within the organization and minimized losses.

D.

alignment of business goals with IT objectives.

Question 194

Which of the following elements of a risk register is MOST likely to change as a result of change in management's risk appetite?

Options:

A.

Key risk indicator (KRI) thresholds

B.

Inherent risk

C.

Risk likelihood and impact

D.

Risk velocity

Question 195

Risk management strategies are PRIMARILY adopted to:

Options:

A.

take necessary precautions for claims and losses.

B.

achieve acceptable residual risk levels.

C.

avoid risk for business and IT assets.

D.

achieve compliance with legal requirements.

Question 196

Which of the following is the PRIMARY reason for a risk practitioner to use global standards related to risk management?

Options:

A.

To build an organizational risk-aware culture

B.

To continuously improve risk management processes

C.

To comply with legal and regulatory requirements

D.

To identify gaps in risk management practices

Question 197

An organization delegates its data processing to the internal IT team to manage information through its applications. Which of the following is the role of the internal IT team in this situation?

Options:

A.

Data controllers

B.

Data processors

C.

Data custodians

D.

Data owners

Question 198

Which of the following is the BEST method to ensure a terminated employee's access to IT systems is revoked upon departure from the organization?

Options:

A.

Login attempts are reconciled to a list of terminated employees.

B.

A list of terminated employees is generated for reconciliation against current IT access.

C.

A process to remove employee access during the exit interview is implemented.

D.

The human resources (HR) system automatically revokes system access.

Question 199

What is the BEST approach for determining the inherent risk of a scenario when the actual likelihood of the risk is unknown?

Options:

A.

Use the severity rating to calculate risk.

B.

Classify the risk scenario as low-probability.

C.

Use the highest likelihood identified by risk management.

D.

Rely on range-based estimates provided by subject-matter experts.

Question 200

Which of the following is the BEST indication of an effective risk management program?

Options:

A.

Risk action plans are approved by senior management.

B.

Residual risk is within the organizational risk appetite

C.

Mitigating controls are designed and implemented.

D.

Risk is recorded and tracked in the risk register

Question 201

Which of the following is the MOST important outcome of reviewing the risk management process?

Options:

A.

Assuring the risk profile supports the IT objectives

B.

Improving the competencies of employees who performed the review

C.

Determining what changes should be made to IS policies to reduce risk

D.

Determining that procedures used in risk assessment are appropriate

Question 202

The PRIMARY benefit of maintaining an up-to-date risk register is that it helps to:

Options:

A.

implement uniform controls for common risk scenarios.

B.

ensure business unit risk is uniformly distributed.

C.

build a risk profile for management review.

D.

quantify the organization's risk appetite.

Question 203

During testing, a risk practitioner finds the IT department's recovery time objective (RTO) for a key system does not align with the enterprise's business continuity plan (BCP). Which of the following should be done NEXT?

Options:

A.

Report the gap to senior management

B.

Consult with the IT department to update the RTO

C.

Complete a risk exception form.

D.

Consult with the business owner to update the BCP

Question 204

Periodically reviewing and updating a risk register with details on identified risk factors PRIMARILY helps to:

Options:

A.

minimize the number of risk scenarios for risk assessment.

B.

aggregate risk scenarios identified across different business units.

C.

build a threat profile of the organization for management review.

D.

provide a current reference to stakeholders for risk-based decisions.

Question 205

Which of the following is the MOST important key performance indicator (KPI) to establish in the service level agreement (SLA) for an outsourced data center?

Options:

A.

Percentage of systems included in recovery processes

B.

Number of key systems hosted

C.

Average response time to resolve system incidents

D.

Percentage of system availability

Question 206

Which of the following will BEST quantify the risk associated with malicious users in an organization?

Options:

A.

Business impact analysis

B.

Risk analysis

C.

Threat risk assessment

D.

Vulnerability assessment

Question 207

A global organization is considering the acquisition of a competitor. Senior management has requested a review of the overall risk profile from the targeted organization. Which of the following components of this review would provide the MOST useful information?

Options:

A.

Risk appetite statement

B.

Enterprise risk management framework

C.

Risk management policies

D.

Risk register

Question 208

Which of the following is the BEST way to validate the results of a vulnerability assessment?

Options:

A.

Perform a penetration test.

B.

Review security logs.

C.

Conduct a threat analysis.

D.

Perform a root cause analysis.

Question 209

Which of the following controls would BEST reduce the risk of account compromise?

Options:

A.

Enforce password changes.

B.

Enforce multi-factor authentication (MFA).

C.

Enforce role-based authentication.

D.

Enforce password encryption.

Question 210

A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?

Options:

A.

Document the finding in the risk register.

B.

Invoke the incident response plan.

C.

Re-evaluate key risk indicators.

D.

Modify the design of the control.

Question 211

When reviewing management's IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?

Options:

A.

Assess management's risk tolerance.

B.

Recommend management accept the low-risk scenarios.

C.

Propose mitigating controls

D.

Re-evaluate the risk scenarios associated with the control

Question 212

After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:

Options:

A.

recommend a program that minimizes the concerns of that production system.

B.

inform the development team of the concerns, and together formulate risk reduction measures.

C.

inform the process owner of the concerns and propose measures to reduce them

D.

inform the IT manager of the concerns and propose measures to reduce them.

Question 213

Which of the following would BEST provide early warning of a high-risk condition?

Options:

A.

Risk register

B.

Risk assessment

C.

Key risk indicator (KRI)

D.

Key performance indicator (KPI)

Question 214

To implement the MOST effective monitoring of key risk indicators (KRIs), which of the following needs to be in place?

Options:

A.

Threshold definition

B.

Escalation procedures

C.

Automated data feed

D.

Controls monitoring

Question 215

A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:

Options:

A.

communication

B.

identification.

C.

treatment.

D.

assessment.

Question 216

Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:

Options:

A.

a gap analysis

B.

a root cause analysis.

C.

an impact assessment.

D.

a vulnerability assessment.

Question 217

Improvements in the design and implementation of a control will MOST likely result in an update to:

Options:

A.

inherent risk.

B.

residual risk.

C.

risk appetite

D.

risk tolerance

Question 218

During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:

Options:

A.

compensating controls are in place.

B.

a control mitigation plan is in place.

C.

risk management is effective.

D.

residual risk is accepted.

Question 219

Which of the following is the MOST important foundational element of an effective three lines of defense model for an organization?

Options:

A.

A robust risk aggregation tool set

B.

Clearly defined roles and responsibilities

C.

A well-established risk management committee

D.

Well-documented and communicated escalation procedures

Question 220

An organization's senior management is considering whether to acquire cyber insurance. Which of the following is the BEST way for the risk practitioner to enable management’s decision?

Options:

A.

Perform a cost-benefit analysis.

B.

Conduct a SWOT analysis.

C.

Provide data on the number of risk events from the last year.

D.

Report on recent losses experienced by industry peers.

Question 221

An effective control environment is BEST indicated by controls that:

Options:

A.

minimize senior management's risk tolerance.

B.

manage risk within the organization's risk appetite.

C.

reduce the thresholds of key risk indicators (KRIs).

D.

are cost-effective to implement

Question 222

Which of the following should be the PRIMARY objective of promoting a risk-aware culture within an organization?

Options:

A.

Better understanding of the risk appetite

B.

Improving audit results

C.

Enabling risk-based decision making

D.

Increasing process control efficiencies

Question 223

The MAIN purpose of conducting a control self-assessment (CSA) is to:

Options:

A.

gain a better understanding of the control effectiveness in the organization

B.

gain a better understanding of the risk in the organization

C.

adjust the controls prior to an external audit

D.

reduce the dependency on external audits

Question 224

Real-time monitoring of security cameras implemented within a retail store is an example of which type of control?

Options:

A.

Preventive

B.

Deterrent

C.

Compensating

D.

Detective

Question 225

Risk mitigation procedures should include:

Options:

A.

buying an insurance policy.

B.

acceptance of exposures

C.

deployment of counter measures.

D.

enterprise architecture implementation.

Question 226

Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data?

Options:

A.

Testing the transmission of credit card numbers

B.

Reviewing logs for unauthorized data transfers

C.

Configuring the DLP control to block credit card numbers

D.

Testing the DLP rule change control process

Question 227

Which of the following risk register updates is MOST important for senior management to review?

Options:

A.

Extending the date of a future action plan by two months

B.

Retiring a risk scenario no longer used

C.

Avoiding a risk that was previously accepted

D.

Changing a risk owner

Question 228

Which of the following is the MOST important data source for monitoring key risk indicators (KRIs)?

Options:

A.

Directives from legal and regulatory authorities

B.

Audit reports from internal information systems audits

C.

Automated logs collected from different systems

D.

Trend analysis of external risk factors

Question 229

Which of the following will BEST mitigate the risk associated with IT and business misalignment?

Options:

A.

Establishing business key performance indicators (KPIs)

B.

Introducing an established framework for IT architecture

C.

Establishing key risk indicators (KRIs)

D.

Involving the business process owner in IT strategy

Question 230

The acceptance of control costs that exceed risk exposure is MOST likely an example of:

Options:

A.

low risk tolerance.

B.

corporate culture misalignment.

C.

corporate culture alignment.

D.

high risk tolerance

Question 231

Which of the following would MOST effectively enable a business operations manager to identify events exceeding risk thresholds?

Options:

A.

Continuous monitoring

B.

A control self-assessment

C.

Transaction logging

D.

Benchmarking against peers

Question 232

A data processing center operates in a jurisdiction where new regulations have significantly increased penalties for data breaches. Which of the following elements of the risk register is MOST important to update to reflect this change?

Options:

A.

Risk impact

B.

Risk trend

C.

Risk appetite

D.

Risk likelihood

Question 233

Which of the following is MOST critical when designing controls?

Options:

A.

Involvement of internal audit

B.

Involvement of process owner

C.

Quantitative impact of the risk

D.

Identification of key risk indicators

Question 234

The PRIMARY objective of testing the effectiveness of a new control before implementation is to:

Options:

A.

ensure that risk is mitigated by the control.

B.

measure efficiency of the control process.

C.

confirm control alignment with business objectives.

D.

comply with the organization's policy.

Question 235

Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?

Options:

A.

Maintain and review the classified data inventor.

B.

Implement mandatory encryption on data

C.

Conduct an awareness program for data owners and users.

D.

Define and implement a data classification policy

Question 236

An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?

Options:

A.

Invoke the disaster recovery plan during an incident.

B.

Prepare a cost-benefit analysis of alternatives available

C.

Implement redundant infrastructure for the application.

D.

Reduce the recovery time by strengthening the response team.

Question 237

Which of the following is the MOST effective key performance indicator (KPI) for change management?

Options:

A.

Percentage of changes with a fallback plan

B.

Number of changes implemented

C.

Percentage of successful changes

D.

Average time required to implement a change

Question 238

Which of the following IT controls is MOST useful in mitigating the risk associated with inaccurate data?

Options:

A.

Encrypted storage of data

B.

Links to source data

C.

Audit trails for updates and deletions

D.

Check totals on data records and data fields

Question 239

Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?

Options:

A.

Align business objectives to the risk profile.

B.

Assess risk against business objectives

C.

Implement an organization-specific risk taxonomy.

D.

Explain risk details to management.

Question 240

Which of the following is the MOST important benefit of key risk indicators (KRIs)'

Options:

A.

Assisting in continually optimizing risk governance

B.

Enabling the documentation and analysis of trends

C.

Ensuring compliance with regulatory requirements

D.

Providing an early warning to take proactive actions

Question 241

Which of the following is MOST important for effective communication of a risk profile to relevant stakeholders?

Options:

A.

Emphasizing risk in the risk profile that is related to critical business activities

B.

Customizing the presentation of the risk profile to the intended audience

C.

Including details of risk with high deviation from the risk appetite

D.

Providing information on the efficiency of controls for risk mitigation

Question 242

Which of the following is MOST important when developing key performance indicators (KPIs)?

Options:

A.

Alignment to risk responses

B.

Alignment to management reports

C.

Alerts when risk thresholds are reached

D.

Identification of trends

Question 243

When determining which control deficiencies are most significant, which of the following would provide the MOST useful information?

Options:

A.

Risk analysis results

B.

Exception handling policy

C.

Vulnerability assessment results

D.

Benchmarking assessments

Question 244

Which of the following is the MOST effective way to help ensure future risk levels do not exceed the organization's risk appetite?

Options:

A.

Developing contingency plans for key processes

B.

Implementing key performance indicators (KPIs)

C.

Adding risk triggers to entries in the risk register

D.

Establishing a series of key risk indicators (KRIs)

Question 245

Which of the following would be considered a vulnerability?

Options:

A.

Delayed removal of employee access

B.

Authorized administrative access to HR files

C.

Corruption of files due to malware

D.

Server downtime due to a denial of service (DoS) attack

Question 246

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery plan (DRP)?

Options:

A.

Number of users that participated in the DRP testing

B.

Number of issues identified during DRP testing

C.

Percentage of applications that met the RTO during DRP testing

D.

Percentage of issues resolved as a result of DRP testing

Question 247

A risk practitioner is assisting with the preparation of a report on the organization s disaster recovery (DR) capabilities. Which information would have the MOST impact on the overall recovery profile?

Options:

A.

The percentage of systems meeting recovery target times has increased.

B.

The number of systems tested in the last year has increased.

C.

The number of systems requiring a recovery plan has increased.

D.

The percentage of systems with long recovery target times has decreased.

Question 248

Which of the following is the MOST important requirement for monitoring key risk indicators (KRls) using log analysis?

Options:

A.

Obtaining logs m an easily readable format

B.

Providing accurate logs m a timely manner

C.

Collecting logs from the entire set of IT systems

D.

implementing an automated log analysis tool

Question 249

Which of the following tools is MOST effective in identifying trends in the IT risk profile?

Options:

A.

Risk self-assessment

B.

Risk register

C.

Risk dashboard

D.

Risk map

Question 250

During which phase of the system development life cycle (SDLC) should information security requirements for the implementation of a new IT system be defined?

Options:

A.

Monitoring

B.

Development

C.

Implementation

D.

Initiation

Question 251

A risk practitioner has identified that the organization's secondary data center does not provide redundancy for a critical application. Who should have the authority to accept the associated risk?

Options:

A.

Business continuity director

B.

Disaster recovery manager

C.

Business application owner

D.

Data center manager

Question 252

Which of the following is a PRIMARY benefit of engaging the risk owner during the risk assessment process?

Options:

A.

Identification of controls gaps that may lead to noncompliance

B.

Prioritization of risk action plans across departments

C.

Early detection of emerging threats

D.

Accurate measurement of loss impact

Question 253

A risk practitioner is MOST likely to use a SWOT analysis to assist with which risk process?

Options:

A.

Risk assessment

B.

Risk reporting

C.

Risk mitigation

D.

Risk identification

Question 254

Which of the following activities would BEST contribute to promoting an organization-wide risk-aware culture?

Options:

A.

Performing a benchmark analysis and evaluating gaps

B.

Conducting risk assessments and implementing controls

C.

Communicating components of risk and their acceptable levels

D.

Participating in peer reviews and implementing best practices

Question 255

Which of the following techniques would be used during a risk assessment to demonstrate to stakeholders that all known alternatives were evaluated?

Options:

A.

Control chart

B.

Sensitivity analysis

C.

Trend analysis

D.

Decision tree

Question 256

The risk associated with an asset before controls are applied can be expressed as:

Options:

A.

a function of the likelihood and impact

B.

the magnitude of an impact

C.

a function of the cost and effectiveness of control.

D.

the likelihood of a given threat

Question 257

Which of the following is the MOST important element of a successful risk awareness training program?

Options:

A.

Customizing content for the audience

B.

Providing incentives to participants

C.

Mapping to a recognized standard

D.

Providing metrics for measurement

Question 258

Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?

Options:

A.

Risk mitigation budget

B.

Business Impact analysis

C.

Cost-benefit analysis

D.

Return on investment

Question 259

Which of the following is MOST helpful in identifying new risk exposures due to changes in the business environment?

Options:

A.

Standard operating procedures

B.

SWOT analysis

C.

Industry benchmarking

D.

Control gap analysis

Question 260

Which of the following is the MOST cost-effective way to test a business continuity plan?

Options:

A.

Conduct interviews with key stakeholders.

B.

Conduct a tabletop exercise.

C.

Conduct a disaster recovery exercise.

D.

Conduct a full functional exercise.

Question 261

Which of the following BEST describes the role of the IT risk profile in strategic IT-related decisions?

Options:

A.

It compares performance levels of IT assets to value delivered.

B.

It facilitates the alignment of strategic IT objectives to business objectives.

C.

It provides input to business managers when preparing a business case for new IT projects.

D.

It helps assess the effects of IT decisions on risk exposure

Question 262

Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?

Options:

A.

Identify the potential risk.

B.

Monitor employee usage.

C.

Assess the potential risk.

D.

Develop risk awareness training.

Question 263

IT management has asked for a consolidated view into the organization's risk profile to enable project prioritization and resource allocation. Which of the following materials would

be MOST helpful?

Options:

A.

IT risk register

B.

List of key risk indicators

C.

Internal audit reports

D.

List of approved projects

Question 264

Establishing and organizational code of conduct is an example of which type of control?

Options:

A.

Preventive

B.

Directive

C.

Detective

D.

Compensating

Question 265

Which of the following is the MOST important consideration when developing an organization's risk taxonomy?

Options:

A.

Leading industry frameworks

B.

Business context

C.

Regulatory requirements

D.

IT strategy

Question 266

Which of the following should be the PRIMARY consideration when implementing controls for monitoring user activity logs?

Options:

A.

Ensuring availability of resources for log analysis

B.

Implementing log analysis tools to automate controls

C.

Ensuring the control is proportional to the risk

D.

Building correlations between logs collected from different sources

Question 267

The MOST important characteristic of an organization s policies is to reflect the organization's:

Options:

A.

risk assessment methodology.

B.

risk appetite.

C.

capabilities

D.

asset value.

Question 268

Which of the following is the MAIN reason to continuously monitor IT-related risk?

Options:

A.

To redefine the risk appetite and risk tolerance levels based on changes in risk factors

B.

To update the risk register to reflect changes in levels of identified and new IT-related risk

C.

To ensure risk levels are within acceptable limits of the organization's risk appetite and risk tolerance

D.

To help identify root causes of incidents and recommend suitable long-term solutions

Question 269

Which of the following is the MOST important consideration when multiple risk practitioners capture risk scenarios in a single risk register?

Options:

A.

Aligning risk ownership and control ownership

B.

Developing risk escalation and reporting procedures

C.

Maintaining up-to-date risk treatment plans

D.

Using a consistent method for risk assessment

Question 270

An organization has procured a managed hosting service and just discovered the location is likely to be flooded every 20 years. Of the following, who should be notified of this new information FIRST.

Options:

A.

The risk owner who also owns the business service enabled by this infrastructure

B.

The data center manager who is also employed under the managed hosting services contract

C.

The site manager who is required to provide annual risk assessments under the contract

D.

The chief information officer (CIO) who is responsible for the hosted services

Question 271

Which of the following would be MOST helpful when estimating the likelihood of negative events?

Options:

A.

Business impact analysis

B.

Threat analysis

C.

Risk response analysis

D.

Cost-benefit analysis

Question 272

Which of the following is the MOST important consideration when sharing risk management updates with executive management?

Options:

A.

Using an aggregated view of organizational risk

B.

Ensuring relevance to organizational goals

C.

Relying on key risk indicator (KRI) data Including

D.

Trend analysis of risk metrics

Question 273

The MOST effective way to increase the likelihood that risk responses will be implemented is to:

Options:

A.

create an action plan

B.

assign ownership

C.

review progress reports

D.

perform regular audits.

Question 274

A rule-based data loss prevention {DLP) tool has recently been implemented to reduce the risk of sensitive data leakage. Which of the following is MOST likely to change as a result of this implementation?

Options:

A.

Risk likelihood

B.

Risk velocity

C.

Risk appetite

D.

Risk impact

Question 275

Which of the following should be a risk practitioner's NEXT step upon learning the impact of an organization's noncompliance with a specific legal regulation?

Options:

A.

Identify risk response options.

B.

Implement compensating controls.

C.

Invoke the incident response plan.

D.

Document the penalties for noncompliance.

Question 276

Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited. Which of the following would be the BEST response to this scenario?

Options:

A.

Assess the vulnerability management process.

B.

Conduct a control serf-assessment.

C.

Conduct a vulnerability assessment.

D.

Reassess the inherent risk of the target.

Question 277

Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?

Options:

A.

Risk tolerance is decreased.

B.

Residual risk is increased.

C.

Inherent risk is increased.

D.

Risk appetite is decreased

Question 278

Which of the following is the BEST indication of an improved risk-aware culture following the implementation of a security awareness training program for all employees?

Options:

A.

A reduction in the number of help desk calls

B.

An increase in the number of identified system flaws

C.

A reduction in the number of user access resets

D.

An increase in the number of incidents reported

Question 279

Which of the following is the MOST important characteristic of an effective risk management program?

Options:

A.

Risk response plans are documented

B.

Controls are mapped to key risk scenarios.

C.

Key risk indicators are defined.

D.

Risk ownership is assigned

Question 280

A trusted third-party service provider has determined that the risk of a client's systems being hacked is low. Which of the following would be the client's BEST course of action?

Options:

A.

Perform their own risk assessment

B.

Implement additional controls to address the risk.

C.

Accept the risk based on the third party's risk assessment

D.

Perform an independent audit of the third party.

Question 281

Which of the following is the BEST way to determine the ongoing efficiency of control processes?

Options:

A.

Perform annual risk assessments.

B.

Interview process owners.

C.

Review the risk register.

D.

Analyze key performance indicators (KPIs).

Question 282

After a risk has been identified, who is in the BEST position to select the appropriate risk treatment option?

Options:

A.

The risk practitioner

B.

The business process owner

C.

The risk owner

D.

The control owner

Question 283

It is MOST appropriate for changes to be promoted to production after they are:

Options:

A.

communicated to business management

B.

tested by business owners.

C.

approved by the business owner.

D.

initiated by business users.

Question 284

Whether the results of risk analyses should be presented in quantitative or qualitative terms should be based PRIMARILY on the:

Options:

A.

requirements of management.

B.

specific risk analysis framework being used.

C.

organizational risk tolerance

D.

results of the risk assessment.

Question 285

The number of tickets to rework application code has significantly exceeded the established threshold. Which of the following would be the risk practitioner s BEST recommendation?

Options:

A.

Perform a root cause analysis

B.

Perform a code review

C.

Implement version control software.

D.

Implement training on coding best practices

Question 286

Which of the following is MOST important when developing key risk indicators (KRIs)?

Options:

A.

Alignment with regulatory requirements

B.

Availability of qualitative data

C.

Properly set thresholds

D.

Alignment with industry benchmarks

Question 287

Which of the following provides the BEST measurement of an organization's risk management maturity level?

Options:

A.

Level of residual risk

B.

The results of a gap analysis

C.

IT alignment to business objectives

D.

Key risk indicators (KRIs)

Question 288

Which of the following should be the PRIMARY focus of an IT risk awareness program?

Options:

A.

Ensure compliance with the organization's internal policies

B.

Cultivate long-term behavioral change.

C.

Communicate IT risk policy to the participants.

D.

Demonstrate regulatory compliance.

Question 289

Which of the following is the GREATEST benefit of analyzing logs collected from different systems?

Options:

A.

A record of incidents is maintained.

B.

Forensic investigations are facilitated.

C.

Security violations can be identified.

D.

Developing threats are detected earlier.

Question 290

Which of the following is the MOST effective control to maintain the integrity of system configuration files?

Options:

A.

Recording changes to configuration files

B.

Implementing automated vulnerability scanning

C.

Restricting access to configuration documentation

D.

Monitoring against the configuration standard

Question 291

Which of the following BEST indicates the efficiency of a process for granting access privileges?

Options:

A.

Average time to grant access privileges

B.

Number of changes in access granted to users

C.

Average number of access privilege exceptions

D.

Number and type of locked obsolete accounts

Question 292

Which of the following BEST indicates how well a web infrastructure protects critical information from an attacker?

Options:

A.

Failed login attempts

B.

Simulating a denial of service attack

C.

Absence of IT audit findings

D.

Penetration test

Question 293

Which of the following should be implemented to BEST mitigate the risk associated with infrastructure updates?

Options:

A.

Role-specific technical training

B.

Change management audit

C.

Change control process

D.

Risk assessment

Question 294

Which of the following describes the relationship between Key risk indicators (KRIs) and key control indicators (KCIS)?

Options:

A.

KCIs are independent from KRIs KRIs.

B.

KCIs and KRIs help in determining risk appetite.

C.

KCIs are defined using data from KRIs.

D.

KCIs provide input for KRIs

Question 295

Which of the following is the BEST evidence that risk management is driving business decisions in an organization?

Options:

A.

Compliance breaches are addressed in a timely manner.

B.

Risk ownership is identified and assigned.

C.

Risk treatment options receive adequate funding.

D.

Residual risk is within risk tolerance.

Question 296

Days before the realization of an acquisition, a data breach is discovered at the company to be acquired. For the accruing organization, this situation represents which of the following?

Options:

A.

Threat event

B.

Inherent risk

C.

Risk event

D.

Security incident

Question 297

Which of the following is the MOST important consideration for protecting data assets m a Business application system?

Options:

A.

Application controls are aligned with data classification lutes

B.

Application users are periodically trained on proper data handling practices

C.

Encrypted communication is established between applications and data servers

D.

Offsite encrypted backups are automatically created by the application

Question 298

Which of the following BEST indicates whether security awareness training is effective?

Options:

A.

User self-assessment

B.

User behavior after training

C.

Course evaluation

D.

Quality of training materials

Question 299

Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds?

Options:

A.

Occurrences of specific events

B.

A performance measurement

C.

The risk tolerance level

D.

Risk scenarios

Question 300

The BEST key performance indicator (KPI) for monitoring adherence to an organization's user accounts provisioning practices is the percentage of:

Options:

A.

accounts without documented approval

B.

user accounts with default passwords

C.

active accounts belonging to former personnel

D.

accounts with dormant activity.

Question 301

While reviewing the risk register, a risk practitioner notices that different business units have significant variances in inherent risk for the same risk scenario. Which of the following is the BEST course of action?

Options:

A.

Update the risk register with the average of residual risk for both business units.

B.

Review the assumptions of both risk scenarios to determine whether the variance is reasonable.

C.

Update the risk register to ensure both risk scenarios have the highest residual risk.

D.

Request that both business units conduct another review of the risk.

Question 302

During an internal IT audit, an active network account belonging to a former employee was identified. Which of the following is the BEST way to prevent future occurrences?

Options:

A.

Conduct a comprehensive review of access management processes.

B.

Declare a security incident and engage the incident response team.

C.

Conduct a comprehensive awareness session for system administrators.

D.

Evaluate system administrators' technical skills to identify if training is required.

Question 303

An organization's IT infrastructure is running end-of-life software that is not allowed without exception approval. Which of the following would provide the MOST helpful information to justify investing in updated software?

Options:

A.

The balanced scorecard

B.

A cost-benefit analysis

C.

The risk management frameworkD, A roadmap of IT strategic planning

Question 304

Which of the following roles is BEST suited to help a risk practitioner understand the impact of IT-related events on business objectives?

Options:

A.

IT management

B.

Internal audit

C.

Process owners

D.

Senior management

Question 305

When of the following is the MOST significant exposure when an application uses individual user accounts to access the underlying database?

Options:

A.

Users may share accounts with business system analyst

B.

Application may not capture a complete audit trail.

C.

Users may be able to circumvent application controls.

D.

Multiple connects to the database are used and slow the process

Question 306

Which of the following is the FIRST step when conducting a business impact analysis (BIA)?

Options:

A.

Identifying critical information assets

B.

Identifying events impacting continuity of operations.

C.

Creating a data classification scheme

D.

Analyzing previous risk assessment results

Question 307

Which of the following should be determined FIRST when a new security vulnerability is made public?

Options:

A.

Whether the affected technology is used within the organization

B.

Whether the affected technology is Internet-facing

C.

What mitigating controls are currently in place

D.

How pervasive the vulnerability is within the organization

Question 308

An organization automatically approves exceptions to security policies on a recurring basis. This practice is MOST likely the result of:

Options:

A.

a lack of mitigating actions for identified risk

B.

decreased threat levels

C.

ineffective service delivery

D.

ineffective IT governance

Question 309

Senior management has asked the risk practitioner for the overall residual risk level for a process that contains numerous risk scenarios. Which of the following should be provided?

Options:

A.

The sum of residual risk levels for each scenario

B.

The loss expectancy for aggregated risk scenarios

C.

The highest loss expectancy among the risk scenarios

D.

The average of anticipated residual risk levels

Question 310

A peer review of a risk assessment finds that a relevant threat community was not included. Mitigation of the risk will require substantial changes to a software application. Which of the following is the BEST course of action?

Options:

A.

Ask the business to make a budget request to remediate the problem.

B.

Build a business case to remediate the fix.

C.

Research the types of attacks the threat can present.

D.

Determine the impact of the missing threat.

Question 311

A highly regulated organization acquired a medical technology startup company that processes sensitive personal information with weak data protection controls. Which of the following is the BEST way for the acquiring company to reduce its risk while still enabling the flexibility needed by the startup company?

Options:

A.

Identify previous data breaches using the startup company’s audit reports.

B.

Have the data privacy officer review the startup company’s data protection policies.

C.

Classify and protect the data according to the parent company's internal standards.

D.

Implement a firewall and isolate the environment from the parent company's network.

Question 312

Which of the following should be the FIRST step when a company is made aware of new regulatory requirements impacting IT?

Options:

A.

Perform a gap analysis.

B.

Prioritize impact to the business units.

C.

Perform a risk assessment.

D.

Review the risk tolerance and appetite.

Question 313

Which of the following is the MOST important consideration when sharing risk management updates with executive management?

Options:

A.

Including trend analysis of risk metrics

B.

Using an aggregated view of organizational risk

C.

Relying on key risk indicator (KRI) data

D.

Ensuring relevance to organizational goals

Question 314

Which of the following presents the GREATEST risk to change control in business application development over the complete life cycle?

Options:

A.

Emphasis on multiple application testing cycles

B.

Lack of an integrated development environment (IDE) tool

C.

Introduction of requirements that have not been approved

D.

Bypassing quality requirements before go-live

Question 315

Which of the following is the BEST way to quantify the likelihood of risk materialization?

Options:

A.

Balanced scorecard

B.

Threat and vulnerability assessment

C.

Compliance assessments

D.

Business impact analysis (BIA)

Question 316

An organization is conducting a review of emerging risk. Which of the following is the BEST input for this exercise?

Options:

A.

Audit reports

B.

Industry benchmarks

C.

Financial forecasts

D.

Annual threat reports

Question 317

The PRIMARY goal of conducting a business impact analysis (BIA) as part of an overall continuity planning process is to:

Options:

A.

obtain the support of executive management.

B.

map the business processes to supporting IT and other corporate resources.

C.

identify critical business processes and the degree of reliance on support services.

D.

document the disaster recovery process.

Question 318

An organization has detected unauthorized logins to its client database servers. Which of the following should be of GREATEST concern?

Options:

A.

Potential increase in regulatory scrutiny

B.

Potential system downtime

C.

Potential theft of personal information

D.

Potential legal risk

Question 319

Which of The following should be of GREATEST concern for an organization considering the adoption of a bring your own device (BYOD) initiative?

Options:

A.

Device corruption

B.

Data loss

C.

Malicious users

D.

User support

Question 320

Who should be accountable for monitoring the control environment to ensure controls are effective?

Options:

A.

Risk owner

B.

Security monitoring operations

C.

Impacted data owner

D.

System owner

Question 321

When an organization’s disaster recovery plan (DRP) has a reciprocal agreement, which of the following risk treatment options is being applied?

Options:

A.

Acceptance

B.

Mitigation

C.

Transfer

D.

Avoidance

Question 322

While conducting an organization-wide risk assessment, it is noted that many of the information security policies have not changed in the past three years. The BEST course of action is to:

Options:

A.

review and update the policies to align with industry standards.

B.

determine that the policies should be updated annually.

C.

report that the policies are adequate and do not need to be updated frequently.

D.

review the policies against current needs to determine adequacy.

Question 323

Which of the following is MOST important for a risk practitioner to verify when evaluating the effectiveness of an organization's existing controls?

Options:

A.

Senior management has approved the control design.

B.

Inherent risk has been reduced from original levels.

C.

Residual risk remains within acceptable levels.

D.

Costs for control maintenance are reasonable.

Question 324

The BEST way to obtain senior management support for investment in a control implementation would be to articulate the reduction in:

Options:

A.

detected incidents.

B.

residual risk.

C.

vulnerabilities.

D.

inherent risk.

Question 325

Which of the following is the BEST method for assessing control effectiveness against technical vulnerabilities that could be exploited to compromise an information system?

Options:

A.

Vulnerability scanning

B.

Systems log correlation analysis

C.

Penetration testing

D.

Monitoring of intrusion detection system (IDS) alerts

Question 326

Senior management has asked a risk practitioner to develop technical risk scenarios related to a recently developed enterprise resource planning (ERP) system. These scenarios will be owned by the system manager. Which of the following would be the BEST method to use when developing the scenarios?

Options:

A.

Cause-and-effect diagram

B.

Delphi technique

C.

Bottom-up approach

D.

Top-down approach

Question 327

Which of the following is the BEST way for an organization to enable risk treatment decisions?

Options:

A.

Allocate sufficient funds for risk remediation.

B.

Promote risk and security awareness.

C.

Establish clear accountability for risk.

D.

Develop comprehensive policies and standards.

Question 328

An organization has recently been experiencing frequent data corruption incidents. Implementing a file corruption detection tool as a risk response strategy will help to:

Options:

A.

reduce the likelihood of future events

B.

restore availability

C.

reduce the impact of future events

D.

address the root cause

Question 329

Accountability for a particular risk is BEST represented in a:

Options:

A.

risk register

B.

risk catalog

C.

risk scenario

D.

RACI matrix

Question 330

Which of the following is MOST important to have in place to ensure the effectiveness of risk and security metrics reporting?

Options:

A.

Organizational reporting process

B.

Incident reporting procedures

C.

Regularly scheduled audits

D.

Incident management policy

Question 331

Which of the following should be the FIRST consideration when a business unit wants to use personal information for a purpose other than for which it was originally collected?

Options:

A.

Informed consent

B.

Cross border controls

C.

Business impact analysis (BIA)

D.

Data breach protection

Question 332

The MAIN reason for creating and maintaining a risk register is to:

Options:

A.

assess effectiveness of different projects.

B.

define the risk assessment methodology.

C.

ensure assets have low residual risk.

D.

account for identified key risk factors.

Question 333

The BEST metric to monitor the risk associated with changes deployed to production is the percentage of:

Options:

A.

changes due to emergencies.

B.

changes that cause incidents.

C.

changes not requiring user acceptance testing.

D.

personnel that have rights to make changes in production.

Question 334

An information system for a key business operation is being moved from an in-house application to a Software as a Service (SaaS) vendor. Which of the following will have the GREATEST impact on the ability to monitor risk?

Options:

A.

Reduced ability to evaluate key risk indicators (KRIs)

B.

Reduced access to internal audit reports

C.

Dependency on the vendor's key performance indicators (KPIs)

D.

Dependency on service level agreements (SLAs)

Question 335

Winch of the following key control indicators (KCIs) BEST indicates whether security requirements are identified and managed throughout a project He cycle?

Options:

A.

Number of projects going live without a security review

B.

Number of employees completing project-specific security training

C.

Number of security projects started in core departments

D.

Number of security-related status reports submitted by project managers

Question 336

A risk practitioner has been asked by executives to explain how existing risk treatment plans would affect risk posture at the end of the year. Which of the following is MOST helpful in responding to this request?

Options:

A.

Assessing risk with no controls in place

B.

Showing projected residual risk

C.

Providing peer benchmarking results

D.

Assessing risk with current controls in place

Question 337

The design of procedures to prevent fraudulent transactions within an enterprise resource planning (ERP) system should be based on:

Options:

A.

stakeholder risk tolerance.

B.

benchmarking criteria.

C.

suppliers used by the organization.

D.

the control environment.

Question 338

Which of the following is MOST important to the successful development of IT risk scenarios?

Options:

A.

Cost-benefit analysis

B.

Internal and external audit reports

C.

Threat and vulnerability analysis

D.

Control effectiveness assessment

Question 339

What are the MOST essential attributes of an effective Key control indicator (KCI)?

Options:

A.

Flexibility and adaptability

B.

Measurability and consistency

C.

Robustness and resilience

D.

Optimal cost and benefit

Question 340

Which of the following poses the GREATEST risk to an organization's operations during a major it transformation?

Options:

A.

Lack of robust awareness programs

B.

infrequent risk assessments of key controls

C.

Rapid changes in IT procedures

D.

Unavailability of critical IT systems

Question 341

A risk practitioner has discovered a deficiency in a critical system that cannot be patched. Which of the following should be the risk practitioner's FIRST course of action?

Options:

A.

Report the issue to internal audit.

B.

Submit a request to change management.

C.

Conduct a risk assessment.

D.

Review the business impact assessment.

Question 342

Which of the following represents a vulnerability?

Options:

A.

An identity thief seeking to acquire personal financial data from an organization

B.

Media recognition of an organization's market leadership in its industry

C.

A standard procedure for applying software patches two weeks after release

D.

An employee recently fired for insubordination

Question 343

Which of the following BEST represents a critical threshold value for a key control indicator (KCI)?

Options:

A.

The value at which control effectiveness would fail

B.

Thresholds benchmarked to peer organizations

C.

A typical operational value

D.

A value that represents the intended control state

Question 344

What information is MOST helpful to asset owners when classifying organizational assets for risk assessment?

Options:

A.

Potential loss to tie business due to non-performance of the asset

B.

Known emerging environmental threats

C.

Known vulnerabilities published by the asset developer

D.

Cost of replacing the asset with a new asset providing similar services

Question 345

The MOST important reason for implementing change control procedures is to ensure:

Options:

A.

only approved changes are implemented

B.

timely evaluation of change events

C.

an audit trail exists.

D.

that emergency changes are logged.

Question 346

Which of the following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system?

Options:

A.

Perform a post-implementation review.

B.

Conduct user acceptance testing.

C.

Review the key performance indicators (KPIs).

D.

Interview process owners.

Question 347

Which of the following is the GREATEST risk associated with the misclassification of data?

Options:

A.

inadequate resource allocation

B.

Data disruption

C.

Unauthorized access

D.

Inadequate retention schedules

Question 348

A financial institution has identified high risk of fraud in several business applications. Which of the following controls will BEST help reduce the risk of fraudulent internal transactions?

Options:

A.

Periodic user privileges review

B.

Log monitoring

C.

Periodic internal audits

D.

Segregation of duties

Question 349

The BEST indication that risk management is effective is when risk has been reduced to meet:

Options:

A.

risk levels.

B.

risk budgets.

C.

risk appetite.

D.

risk capacity.

Question 350

A chief information officer (CIO) has identified risk associated with shadow systems being maintained by business units to address specific functionality gaps in the organization'senterprise resource planning (ERP) system. What is the BEST way to reduce this risk going forward?

Options:

A.

Align applications to business processes.

B.

Implement an enterprise architecture (EA).

C.

Define the software development life cycle (SDLC).

D.

Define enterprise-wide system procurement requirements.

Question 351

Upon learning that the number of failed back-up attempts continually exceeds the current risk threshold, the risk practitioner should:

Options:

A.

inquire about the status of any planned corrective actions

B.

keep monitoring the situation as there is evidence that this is normal

C.

adjust the risk threshold to better reflect actual performance

D.

initiate corrective action to address the known deficiency

Question 352

Which of the following methods is an example of risk mitigation?

Options:

A.

Not providing capability for employees to work remotely

B.

Outsourcing the IT activities and infrastructure

C.

Enforcing change and configuration management processes

D.

Taking out insurance coverage for IT-related incidents

Question 353

Which of the following is the BEST indicator of the effectiveness of IT risk management processes?

Options:

A.

Percentage of business users completing risk training

B.

Percentage of high-risk scenarios for which risk action plans have been developed

C.

Number of key risk indicators (KRIs) defined

D.

Time between when IT risk scenarios are identified and the enterprise's response

Question 354

Which of the following should be done FIRST when developing a data protection management plan?

Options:

A.

Perform a cost-benefit analysis.

B.

Identify critical data.

C.

Establish a data inventory.

D.

Conduct a risk analysis.

Question 355

A service provider is managing a client’s servers. During an audit of the service, a noncompliant control is discovered that will not be resolved before the next audit because the client cannot afford the downtime required to correct the issue. The service provider’s MOST appropriate action would be to:

Options:

A.

develop a risk remediation plan overriding the client's decision

B.

make a note for this item in the next audit explaining the situation

C.

insist that the remediation occur for the benefit of other customers

D.

ask the client to document the formal risk acceptance for the provider

Question 356

An organization has been notified that a disgruntled, terminated IT administrator has tried to break into the corporate network. Which of the following discoveries should be of GREATEST concern to the organization?

Options:

A.

Authentication logs have been disabled.

B.

An external vulnerability scan has been detected.

C.

A brute force attack has been detected.

D.

An increase in support requests has been observed.

Question 357

Which of the following should be included in a risk scenario to be used for risk analysis?

Options:

A.

Risk appetite

B.

Threat type

C.

Risk tolerance

D.

Residual risk

Question 358

Which of the following would provide the MOST useful information to a risk owner when reviewing the progress of risk mitigation?

Options:

A.

Key audit findings

B.

Treatment plan status

C.

Performance indicators

D.

Risk scenario results

Question 359

Which of the following is the MOST important factor when deciding on a control to mitigate risk exposure?

Options:

A.

Relevance to the business process

B.

Regulatory compliance requirements

C.

Cost-benefit analysis

D.

Comparison against best practice

Question 360

Which of the following statements describes the relationship between key risk indicators (KRIs) and key control indicators (KCIs)?

Options:

A.

KRI design must precede definition of KCIs.

B.

KCIs and KRIs are independent indicators and do not impact each other.

C.

A decreasing trend of KRI readings will lead to changes to KCIs.

D.

Both KRIs and KCIs provide insight to potential changes in the level of risk.

Question 361

During implementation of an intrusion detection system (IDS) to monitor network traffic, a high number of alerts is reported. The risk practitioner should recommend to:

Options:

A.

reset the alert threshold based on peak traffic

B.

analyze the traffic to minimize the false negatives

C.

analyze the alerts to minimize the false positives

D.

sniff the traffic using a network analyzer

Question 362

Which type of indicators should be developed to measure the effectiveness of an organization's firewall rule set?

Options:

A.

Key risk indicators (KRIs)

B.

Key management indicators (KMIs)

C.

Key performance indicators (KPIs)

D.

Key control indicators (KCIs)

Question 363

Which of the following is the PRIMARY purpose of periodically reviewing an organization's risk profile?

Options:

A.

Align business objectives with risk appetite.

B.

Enable risk-based decision making.

C.

Design and implement risk response action plans.

D.

Update risk responses in the risk register

Question 364

Which of the following is the PRIMARY reason to adopt key control indicators (KCIs) in the risk monitoring and reporting process?

Options:

A.

To provide data for establishing the risk profile

B.

To provide assurance of adherence to risk management policies

C.

To provide measurements on the potential for risk to occur

D.

To provide assessments of mitigation effectiveness

Question 365

Winch of the following can be concluded by analyzing the latest vulnerability report for the it infrastructure?

Options:

A.

Likelihood of a threat

B.

Impact of technology risk

C.

Impact of operational risk

D.

Control weakness

Question 366

Which of the following is the PRIMARY reason to use key control indicators (KCIs) to evaluate control operating effectiveness?

Options:

A.

To measure business exposure to risk

B.

To identify control vulnerabilities

C.

To monitor the achievement of set objectives

D.

To raise awareness of operational issues

Question 367

Which of the following BEST informs decision-makers about the value of a notice and consent control for the collection of personal information?

Options:

A.

A comparison of the costs of notice and consent control options

B.

Examples of regulatory fines incurred by industry peers for noncompliance

C.

A report of critical controls showing the importance of notice and consent

D.

A cost-benefit analysis of the control versus probable legal action

Question 368

Which of the following is the PRIMARY reason to have the risk management process reviewed by a third party?

Options:

A.

Obtain objective assessment of the control environment.

B.

Ensure the risk profile is defined and communicated.

C.

Validate the threat management process.

D.

Obtain an objective view of process gaps and systemic errors.

Question 369

An organization has initiated a project to launch an IT-based service to customers and take advantage of being the first to market. Which of the following should be of GREATEST concern to senior management?

Options:

A.

More time has been allotted for testing.

B.

The project is likely to deliver the product late.

C.

A new project manager is handling the project.

D.

The cost of the project will exceed the allotted budget.

Question 370

An organization outsources the processing of us payroll data A risk practitioner identifies a control weakness at the third party trial exposes the payroll data. Who should own this risk?

Options:

A.

The third party's IT operations manager

B.

The organization's process owner

C.

The third party's chief risk officer (CRO)

D.

The organization's risk practitioner

Question 371

Which of the following is MOST important when considering risk in an enterprise risk management (ERM) process?

Options:

A.

Financial risk is given a higher priority.

B.

Risk with strategic impact is included.

C.

Security strategy is given a higher priority.

D.

Risk identified by industry benchmarking is included.

Question 372

Print jobs containing confidential information are sent to a shared network printer located in a secure room. Which of the following is the BEST control to prevent the inappropriate disclosure of confidential information?

Options:

A.

Requiring a printer access code for each user

B.

Using physical controls to access the printer room

C.

Using video surveillance in the printer room

D.

Ensuring printer parameters are properly configured

Question 373

When an organization is having new software implemented under contract, which of the following is key to controlling escalating costs?

Options:

A.

Risk management

B.

Change management

C.

Problem management

D.

Quality management

Question 374

Which of the following is the PRIMARY objective of providing an aggregated view of IT risk to business management?

Options:

A.

To enable consistent data on risk to be obtained

B.

To allow for proper review of risk tolerance

C.

To identify dependencies for reporting risk

D.

To provide consistent and clear terminology

Question 375

A risk practitioner has become aware of production data being used in a test environment. Which of the following should be the practitioner's PRIMARY concern?

Options:

A.

Sensitivity of the data

B.

Readability of test data

C.

Security of the test environment

D.

Availability of data to authorized staff

Question 376

An IT control gap has been identified in a key process. Who would be the MOST appropriate owner of the risk associated with this gap?

Options:

A.

Key control owner

B.

Operational risk manager

C.

Business process owner

D.

Chief information security officer (CISO)

Question 377

Which of the following should be management's PRIMARY consideration when approving risk response action plans?

Options:

A.

Ability of the action plans to address multiple risk scenarios

B.

Ease of implementing the risk treatment solution

C.

Changes in residual risk after implementing the plans

D.

Prioritization for implementing the action plans

Question 378

Which of the following would BEST help an enterprise define and communicate its risk appetite?

Options:

A.

Gap analysis

B.

Risk assessment

C.

Heat map

D.

Risk register

Question 379

The PRIMARY advantage of involving end users in continuity planning is that they:

Options:

A.

have a better understanding of specific business needs

B.

can balance the overall technical and business concerns

C.

can see the overall impact to the business

D.

are more objective than information security management.

Question 380

An organization learns of a new ransomware attack affecting organizations worldwide. Which of the following should be done FIRST to reduce the likelihood of infection from the attack?

Options:

A.

Identify systems that are vulnerable to being exploited by the attack.

B.

Confirm with the antivirus solution vendor whether the next update will detect the attack.

C.

Verify the data backup process and confirm which backups are the most recent ones available.

D.

Obtain approval for funding to purchase a cyber insurance plan.

Question 381

Which of the following is the BEST method for identifying vulnerabilities?

Options:

A.

Batch job failure monitoring

B.

Periodic network scanning

C.

Annual penetration testing

D.

Risk assessments

Question 382

To help ensure all applicable risk scenarios are incorporated into the risk register, it is MOST important to review the:

Options:

A.

risk mitigation approach

B.

cost-benefit analysis.

C.

risk assessment results.

D.

vulnerability assessment results

Question 383

Which of the following is the MOST important reason to create risk scenarios?

Options:

A.

To assist with risk identification

B.

To determine risk tolerance

C.

To determine risk appetite

D.

To assist in the development of risk responses

Question 384

Which of the following BEST indicates effective information security incident management?

Options:

A.

Monthly trend of information security-related incidents

B.

Average time to identify critical information security incidents

C.

Frequency of information security incident response plan testing

D.

Percentage of high-risk security incidents

Question 385

Which of the following risk register elements is MOST likely to be updated if the attack surface or exposure of an asset is reduced?

Options:

A.

Likelihood rating

B.

Control effectiveness

C.

Assessment approach

D.

Impact rating

Question 386

The risk associated with inadvertent disclosure of database records from a public cloud service provider (CSP) would MOST effectively be reduced by:

Options:

A.

encrypting the data

B.

including a nondisclosure clause in the CSP contract

C.

assessing the data classification scheme

D.

reviewing CSP access privileges

Question 387

A large organization needs to report risk at all levels for a new centralized visualization project to reduce cost and improve performance. Which of the following would MOST effectively represent the overall risk of the project to senior management?

Options:

A.

Aggregated key performance indicators (KPls)

B.

Key risk indicators (KRIs)

C.

Centralized risk register

D.

Risk heat map

Question 388

Which of the following IT key risk indicators (KRIs) provides management with the BEST feedback on IT capacity?

Options:

A.

Trends in IT resource usage

B.

Trends in IT maintenance costs

C.

Increased resource availability

D.

Increased number of incidents

Question 389

Which of the following would BEST enable a risk practitioner to embed risk management within the organization?

Options:

A.

Provide risk management feedback to key stakeholders.

B.

Collect and analyze risk data for report generation.

C.

Monitor and prioritize risk data according to the heat map.

D.

Engage key stakeholders in risk management practices.

Question 390

Which of the following can be interpreted from a single data point on a risk heat map?

Options:

A.

Risk tolerance

B.

Risk magnitude

C.

Risk response

D.

Risk appetite

Question 391

Who should be responsible for strategic decisions on risk management?

Options:

A.

Chief information officer (CIO)

B.

Executive management team

C.

Audit committee

D.

Business process owner

Question 392

Which of the following provides The MOST useful information when determining a risk management program's maturity level?

Options:

A.

Risk assessment results

B.

A recently reviewed risk register

C.

Key performance indicators (KPIs)

D.

The organization's risk framework

Question 393

Which of the following will BEST support management repotting on risk?

Options:

A.

Risk policy requirements

B.

A risk register

C.

Control self-assessment

D.

Key performance Indicators

Question 394

Mapping open risk issues to an enterprise risk heat map BEST facilitates:

Options:

A.

risk response.

B.

control monitoring.

C.

risk identification.

D.

risk ownership.

Question 395

The effectiveness of a control has decreased. What is the MOST likely effect on the associated risk?

Options:

A.

The risk impact changes.

B.

The risk classification changes.

C.

The inherent risk changes.

D.

The residual risk changes.

Question 396

Which of the following MUST be assessed before considering risk treatment options for a scenario with significant impact?

Options:

A.

Risk magnitude

B.

Incident probability

C.

Risk appetite

D.

Cost-benefit analysis

Question 397

The risk associated with data loss from a website which contains sensitive customer information is BEST owned by:

Options:

A.

the third-party website manager

B.

the business process owner

C.

IT security

D.

the compliance manager

Question 398

Which of the following is the BEST indication that an organization's risk management program has not reached the desired maturity level?

Options:

A.

Significant increases in risk mitigation budgets

B.

Large fluctuations in risk ratings between assessments

C.

A steady increase in the time to recover from incidents

D.

A large number of control exceptions

Question 399

The PRIMARY reason for periodic penetration testing of Internet-facing applications is to:

Options:

A.

ensure policy and regulatory compliance.

B.

assess the proliferation of new threats.

C.

verify Internet firewall control settings.

D.

identify vulnerabilities in the system.

Question 400

Which of the following is the BEST measure of the effectiveness of an employee deprovisioning process?

Options:

A.

Number of days taken to remove access after staff separation dates

B.

Number of days taken for IT to remove access after receipt of HR instructions

C.

Number of termination requests processed per reporting period

D.

Number of days taken for HR to provide instructions to IT after staff separation dates

Question 401

Implementing which of the following controls would BEST reduce the impact of a vulnerability that has been exploited?

Options:

A.

Detective control

B.

Deterrent control

C.

Preventive control

D.

Corrective control

Question 402

Which of the following should be initiated when a high number of noncompliant conditions are observed during review of a control procedure?

Options:

A.

Disciplinary action

B.

A control self-assessment

C.

A review of the awareness program

D.

Root cause analysis

Question 403

The BEST key performance indicator (KPI) to measure the effectiveness of a vendor risk management program is the percentage of:

Options:

A.

vendors providing risk assessments on time.

B.

vendor contracts reviewed in the past year.

C.

vendor risk mitigation action items completed on time.

D.

vendors that have reported control-related incidents.

Question 404

Which of the following is the MOST important objective of embedding risk management practices into the initiation phase of the project management life cycle?

Options:

A.

To deliver projects on time and on budget

B.

To assess inherent risk

C.

To include project risk in the enterprise-wide IT risk profit.

D.

To assess risk throughout the project

Question 405

A risk owner has identified a risk with high impact and very low likelihood. The potential loss is covered by insurance. Which of the following should the risk practitioner do NEXT?

Options:

A.

Recommend avoiding the risk.

B.

Validate the risk response with internal audit.

C.

Update the risk register.

D.

Evaluate outsourcing the process.

Question 406

The MAIN purpose of having a documented risk profile is to:

Options:

A.

comply with external and internal requirements.

B.

enable well-informed decision making.

C.

prioritize investment projects.

D.

keep the risk register up-to-date.

Question 407

Which of the following is MOST important for a risk practitioner to consider when determining the control requirements for data privacy arising from emerging technologies?

Options:

A.

internal audit recommendations

B.

Laws and regulations

C.

Policies and procedures

D.

Standards and frameworks

Question 408

Which of the following is the BEST way for a risk practitioner to verify that management has addressed control issues identified during a previous external audit?

Options:

A.

Interview control owners.

B.

Observe the control enhancements in operation.

C.

Inspect external audit documentation.

D.

Review management's detailed action plans.

Question 409

Which of the following is the PRIMARY reason to establish the root cause of an IT security incident?

Options:

A.

Prepare a report for senior management.

B.

Assign responsibility and accountability for the incident.

C.

Update the risk register.

D.

Avoid recurrence of the incident.

Question 410

Which of these documents is MOST important to request from a cloud service

provider during a vendor risk assessment?

Options:

A.

Nondisclosure agreement (NDA)

B.

Independent audit report

C.

Business impact analysis (BIA)

D.

Service level agreement (SLA)

Question 411

Which of the following MOST effectively limits the impact of a ransomware attack?

Options:

A.

Cyber insurance

B.

Cryptocurrency reserve

C.

Data backups

D.

End user training

Question 412

Which of the following is the BEST key performance indicator (KPI) for determining how well an IT policy is aligned to business requirements?

Options:

A.

Total cost to support the policy

B.

Number of exceptions to the policy

C.

Total cost of policy breaches

D.

Number of inquiries regarding the policy

Question 413

Which of the following is the MOST effective way to mitigate identified risk scenarios?

Options:

A.

Assign ownership of the risk response plan

B.

Provide awareness in early detection of risk.

C.

Perform periodic audits on identified risk.

D.

areas Document the risk tolerance of the organization.

Question 414

A bank wants to send a critical payment order via email to one of its offshore branches. Which of the following is the BEST way to ensure the message reaches the intended recipient without alteration?

Options:

A.

Add a digital certificate

B.

Apply multi-factor authentication

C.

Add a hash to the message

D.

Add a secret key

Question 415

The maturity of an IT risk management program is MOST influenced by:

Options:

A.

the organization's risk culture

B.

benchmarking results against similar organizations

C.

industry-specific regulatory requirements

D.

expertise available within the IT department

Question 416

Which of the following should be of GREATEST concern to a risk practitioner when determining the effectiveness of IT controls?

Options:

A.

Configuration updates do not follow formal change control.

B.

Operational staff perform control self-assessments.

C.

Controls are selected without a formal cost-benefit

D.

analysis-Management reviews security policies once every two years.

Question 417

Which of the following requirements is MOST important to include in an outsourcing contract to help ensure sensitive data stored with a service provider is secure?

Options:

A.

A third-party assessment report of control environment effectiveness must be provided at least annually.

B.

Incidents related to data toss must be reported to the organization immediately after they occur.

C.

Risk assessment results must be provided to the organization at least annually.

D.

A cyber insurance policy must be purchased to cover data loss events.

Question 418

Which of the following BEST enables the risk profile to serve as an effective resource to support business objectives?

Options:

A.

Engaging external risk professionals to periodically review the risk

B.

Prioritizing global standards over local requirements in the risk profile

C.

Updating the risk profile with risk assessment results

D.

Assigning quantitative values to qualitative metrics in the risk register

Question 419

The MOST essential content to include in an IT risk awareness program is how to:

Options:

A.

populate risk register entries and build a risk profile for management reporting.

B.

prioritize IT-related actions by considering risk appetite and risk tolerance.

C.

define the IT risk framework for the organization.

D.

comply with the organization's IT risk and information security policies.

Question 420

Which of the following BEST enables a proactive approach to minimizing the potential impact of unauthorized data disclosure?

Options:

A.

Cyber insurance

B.

Data backups

C.

Incident response plan

D.

Key risk indicators (KRIs)

Question 421

Which of the following BEST measures the efficiency of an incident response process?

Options:

A.

Number of incidents escalated to management

B.

Average time between changes and updating of escalation matrix

C.

Average gap between actual and agreed response times

D.

Number of incidents lacking responses

Question 422

Which of the following is the MOST important consideration when performing a risk assessment of a fire suppression system within a data center?

Options:

A.

Insurance coverage

B.

Onsite replacement availability

C.

Maintenance procedures

D.

Installation manuals

Question 423

Which of the following is MOST important for a risk practitioner to update when a software upgrade renders an existing key control ineffective?

Options:

A.

Audit engagement letter

B.

Risk profile

C.

IT risk register

D.

Change control documentation

Question 424

A risk practitioner notices a trend of noncompliance with an IT-related control. Which of the following would BEST assist in making a recommendation to management?

Options:

A.

Assessing the degree to which the control hinders business objectives

B.

Reviewing the IT policy with the risk owner

C.

Reviewing the roles and responsibilities of control process owners

D.

Assessing noncompliance with control best practices

Question 425

Which of the following should an organization perform to forecast the effects of a disaster?

Options:

A.

Develop a business impact analysis (BIA).

B.

Define recovery time objectives (RTO).

C.

Analyze capability maturity model gaps.

D.

Simulate a disaster recovery.

Question 426

Which of the following is MOST important when developing risk scenarios?

Options:

A.

The scenarios are based on industry best practice.

B.

The scenarios focus on current vulnerabilities.

C.

The scenarios are relevant to the organization.

D.

The scenarios include technical consequences.

Question 427

Which of the following is MOST important for an organization that wants to reduce IT operational risk?

Options:

A.

Increasing senior management's understanding of IT operations

B.

Increasing the frequency of data backups

C.

Minimizing complexity of IT infrastructure

D.

Decentralizing IT infrastructure

Question 428

Which of the following conditions presents the GREATEST risk to an application?

Options:

A.

Application controls are manual.

B.

Application development is outsourced.

C.

Source code is escrowed.

D.

Developers have access to production environment.

Question 429

As part of an overall IT risk management plan, an IT risk register BEST helps management:

Options:

A.

align IT processes with business objectives.

B.

communicate the enterprise risk management policy.

C.

stay current with existing control status.

D.

understand the organizational risk profile.

Question 430

Which of the following is a crucial component of a key risk indicator (KRI) to ensure appropriate action is taken to mitigate risk?

Options:

A.

Management intervention

B.

Risk appetite

C.

Board commentary

D.

Escalation triggers

Question 431

Which of the following is the GREATEST concern when an organization uses a managed security service provider as a firewall administrator?

Options:

A.

Exposure of log data

B.

Lack of governance

C.

Increased number of firewall rules

D.

Lack of agreed-upon standards

Question 432

A control owner has completed a year-long project To strengthen existing controls. It is MOST important for the risk practitioner to:

Options:

A.

update the risk register to reflect the correct level of residual risk.

B.

ensure risk monitoring for the project is initiated.

C.

conduct and document a business impact analysis (BIA).

D.

verify cost-benefit of the new controls being implemented.

Question 433

The implementation of a risk treatment plan will exceed the resources originally allocated for the risk response. Which of the following should be the risk owner's NEXT action?

Options:

A.

Perform a risk assessment.

B.

Accept the risk of not implementing.

C.

Escalate to senior management.

D.

Update the implementation plan.

Question 434

Which of the following BEST promotes commitment to controls?

Options:

A.

Assigning control ownership

B.

Assigning appropriate resources

C.

Assigning a quality control review

D.

Performing regular independent control reviews

Question 435

Which of the following BEST supports the communication of risk assessment results to stakeholders?

Options:

A.

Monitoring of high-risk areas

B.

Classification of risk profiles

C.

Periodic review of the risk register

D.

Assignment of risk ownership

Question 436

Which of the following should be the PRIMARY recipient of reports showing the

progress of a current IT risk mitigation project?

Options:

A.

Senior management

B.

Project manager

C.

Project sponsor

D.

IT risk manager

Question 437

Which of the following BEST confirms the existence and operating effectiveness of information systems controls?

Options:

A.

Self-assessment questionnaires completed by management

B.

Review of internal audit and third-party reports

C.

Management review and sign-off on system documentation

D.

First-hand direct observation of the controls in operation

Question 438

A recent internal risk review reveals the majority of core IT application recovery time objectives (RTOs) have exceeded the maximum time defined by the business application owners. Which of the following is MOST likely to change as a result?

Options:

A.

Risk forecasting

B.

Risk tolerance

C.

Risk likelihood

D.

Risk appetite

Question 439

A new policy has been published to forbid copying of data onto removable media. Which type of control has been implemented?

Options:

A.

Preventive

B.

Detective

C.

Directive

D.

Deterrent

Question 440

A control owner identifies that the organization's shared drive contains personally identifiable information (Pll) that can be accessed by all personnel. Which of the following is the MOST effective risk response?

Options:

A.

Protect sensitive information with access controls.

B.

Implement a data loss prevention (DLP) solution.

C.

Re-communicate the data protection policy.

D.

Implement a data encryption solution.

Question 441

An organization has completed a project to implement encryption on all databases that host customer data. Which of the following elements of the risk register should be updated the reflect this change?

Options:

A.

Risk likelihood

B.

Inherent risk

C.

Risk appetite

D.

Risk tolerance

Question 442

The PRIMARY basis for selecting a security control is:

Options:

A.

to achieve the desired level of maturity.

B.

the materiality of the risk.

C.

the ability to mitigate risk.

D.

the cost of the control.

Question 443

An organization has raised the risk appetite for technology risk. The MOST likely result would be:

Options:

A.

increased inherent risk.

B.

higher risk management cost

C.

decreased residual risk.

D.

lower risk management cost.

Question 444

Which of the following is MOST important when discussing risk within an organization?

Options:

A.

Adopting a common risk taxonomy

B.

Using key performance indicators (KPIs)

C.

Creating a risk communication policy

D.

Using key risk indicators (KRIs)

Question 445

A bank has outsourced its statement printing function to an external service provider. Which of the following is the MOST critical requirement to include in the contract?

Options:

A.

Monitoring of service costs

B.

Provision of internal audit reports

C.

Notification of sub-contracting arrangements

D.

Confidentiality of customer data

Question 446

A company has located its computer center on a moderate earthquake fault. Which of the following is the MOST important consideration when establishing a contingency plan and an alternate processing site?

Options:

A.

The alternative site is a hot site with equipment ready to resume processing immediately.

B.

The contingency plan provides for backup media to be taken to the alternative site.

C.

The contingency plan for high priority applications does not involve a shared cold site.

D.

The alternative site does not reside on the same fault to matter how the distance apart.

Question 447

Which of the following is MOST important to include in a Software as a Service (SaaS) vendor agreement?

Options:

A.

An annual contract review

B.

A service level agreement (SLA)

C.

A requirement to adopt an established risk management framework

D.

A requirement to provide an independent audit report

Question 448

It is MOST important for a risk practitioner to have an awareness of an organization s processes in order to:

Options:

A.

perform a business impact analysis.

B.

identify potential sources of risk.

C.

establish risk guidelines.

D.

understand control design.

Question 449

IT stakeholders have asked a risk practitioner for IT risk profile reports associated with specific departments to allocate resources for risk mitigation. The BEST way to address this request would be to use:

Options:

A.

the cost associated with each control.

B.

historical risk assessments.

C.

key risk indicators (KRls).

D.

information from the risk register.

Question 450

An organization's risk tolerance should be defined and approved by which of the following?

Options:

A.

The chief risk officer (CRO)

B.

The board of directors

C.

The chief executive officer (CEO)

D.

The chief information officer (CIO)

Question 451

The PRIMARY objective of the board of directors periodically reviewing the risk profile is to help ensure:

Options:

A.

the risk strategy is appropriate

B.

KRIs and KPIs are aligned

C.

performance of controls is adequate

D.

the risk monitoring process has been established

Question 452

When presenting risk, the BEST method to ensure that the risk is measurable against the organization's risk appetite is through the use of a:

Options:

A.

risk map

B.

cause-and-effect diagram

C.

maturity model

D.

technology strategy plan.

Question 453

Which of the following is MOST commonly compared against the risk appetite?

Options:

A.

IT risk

B.

Inherent risk

C.

Financial risk

D.

Residual risk

Question 454

An organization is unable to implement a multi-factor authentication requirement until the next fiscal year due to budget constraints. Consequently, a policy exception must be submitted. Which of the following is MOST important to include in the analysis of the exception?

Options:

A.

Sections of the policy that may justify not implementing the requirement

B.

Risk associated with the inability to implement the requirement

C.

Budget justification to implement the new requirement during the current year

D.

Industry best practices with respect to implementation of the proposed control

Question 455

Who is PRIMARILY accountable for risk treatment decisions?

Options:

A.

Risk owner

B.

Business manager

C.

Data owner

D.

Risk manager

Question 456

An organization is considering modifying its system to enable acceptance of credit card payments. To reduce the risk of data exposure, which of the following should the organization do FIRST?

Options:

A.

Conduct a risk assessment.

B.

Update the security strategy.

C.

Implement additional controls.

D.

Update the risk register.

Question 457

Which of the following will BEST communicate the importance of risk mitigation initiatives to senior management?

Options:

A.

Business case

B.

Balanced scorecard

C.

Industry standards

D.

Heat map

Question 458

Which of the following would provide executive management with the BEST information to make risk decisions as a result of a risk assessment?

Options:

A.

A companion of risk assessment results to the desired state

B.

A quantitative presentation of risk assessment results

C.

An assessment of organizational maturity levels and readiness

D.

A qualitative presentation of risk assessment results

Question 459

Which of the following is the MOST important consideration when selecting either a qualitative or quantitative risk analysis?

Options:

A.

Expertise in both methodologies

B.

Maturity of the risk management program

C.

Time available for risk analysis

D.

Resources available for data analysis

Question 460

Which stakeholders are PRIMARILY responsible for determining enterprise IT risk appetite?

Options:

A.

Audit and compliance management

B.

The chief information officer (CIO) and the chief financial officer (CFO)

C.

Enterprise risk management and business process owners

D.

Executive management and the board of directors

Question 461

An organization is planning to acquire a new financial system. Which of the following stakeholders would provide the MOST relevant information for analyzing the risk associated with the new IT solution?

Options:

A.

Project sponsor

B.

Process owner

C.

Risk manager

D.

Internal auditor

Question 462

Which of the following is the PRIMARY benefit of identifying and communicating with stakeholders at the onset of an IT risk assessment?

Options:

A.

Obtaining funding support

B.

Defining the risk assessment scope

C.

Selecting the risk assessment framework

D.

Establishing inherent risk

Question 463

A risk practitioner has been notified that an employee sent an email in error containing customers' personally identifiable information (Pll). Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Report it to the chief risk officer.

B.

Advise the employee to forward the email to the phishing team.

C.

follow incident reporting procedures.

D.

Advise the employee to permanently delete the email.

Question 464

Which of the following risk scenarios would be the GREATEST concern as a result of a single sign-on implementation?

Options:

A.

User access may be restricted by additional security.

B.

Unauthorized access may be gained to multiple systems.

C.

Security administration may become more complex.

D.

User privilege changes may not be recorded.

Question 465

An organization has outsourced its backup and recovery procedures to a third-party cloud provider. Which of the following is the risk practitioner s BEST course of action?

Options:

A.

Accept the risk and document contingency plans for data disruption.

B.

Remove the associated risk scenario from the risk register due to avoidance.

C.

Mitigate the risk with compensating controls enforced by the third-party cloud provider.

D.

Validate the transfer of risk and update the register to reflect the change.

Question 466

Which of the following is the BEST approach for determining whether a risk action plan is effective?

Options:

A.

Comparing the remediation cost against budget

B.

Assessing changes in residual risk

C.

Assessing the inherent risk

D.

Monitoring changes of key performance indicators(KPIs)

Question 467

What is the GREATEST concern with maintaining decentralized risk registers instead of a consolidated risk register?

Options:

A.

Aggregated risk may exceed the enterprise's risk appetite and tolerance.

B.

Duplicate resources may be used to manage risk registers.

C.

Standardization of risk management practices may be difficult to enforce.

D.

Risk analysis may be inconsistent due to non-uniform impact and likelihood scales.

Question 468

An organization has implemented a system capable of comprehensive employee monitoring. Which of the following should direct how the system is used?

Options:

A.

Organizational strategy

B.

Employee code of conduct

C.

Industry best practices

D.

Organizational policy

Question 469

An organization is increasingly concerned about loss of sensitive data and asks the risk practitioner to assess the current risk level. Which of the following should the risk practitioner do FIRST?

Options:

A.

Identify staff members who have access to the organization's sensitive data.

B.

Identify locations where the organization's sensitive data is stored.

C.

Identify risk scenarios and owners associated with possible data loss vectors.

D.

Identify existing data loss controls and their levels of effectiveness.

Question 470

When communicating changes in the IT risk profile, which of the following should be included to BEST enable stakeholder decision making?

Options:

A.

List of recent incidents affecting industry peers

B.

Results of external attacks and related compensating controls

C.

Gaps between current and desired states of the control environment

D.

Review of leading IT risk management practices within the industry

Question 471

An organization's risk practitioner learns a new third-party system on the corporate network has introduced vulnerabilities that could compromise corporate IT systems. What should the risk practitioner do

FIRST?

Options:

A.

Confirm the vulnerabilities with the third party

B.

Identify procedures to mitigate the vulnerabilities.

C.

Notify information security management.

D.

Request IT to remove the system from the network.

Question 472

An organization has outsourced its lease payment process to a service provider who lacks evidence of compliance with a necessary regulatory standard. Which risk treatment was adopted by the organization?

Options:

A.

Acceptance

B.

Transfer

C.

Mitigation

D.

Avoidance

Page: 1 / 158
Total 1575 questions