The objective of aligning mitigating controls to risk appetite is to ensure that:
Which of the following is the MOST important key performance indicator (KPI) to monitor the effectiveness of disaster recovery processes?
An organization has experienced a cyber attack that exposed customer personally identifiable information (Pll) and caused extended outages of network services. Which of the following stakeholders are MOST important to include in the cyber response team to determine response actions?
The PRIMARY goal of conducting a business impact analysis (BIA) as part of an overall continuity planning process is to:
Which of the following would present the GREATEST challenge for a risk practitioner during a merger of two organizations?
Which of the following will BEST help to ensure key risk indicators (KRIs) provide value to risk owners?
What is the MAIN benefit of using a top-down approach to develop risk scenarios?
A recent vulnerability assessment of a web-facing application revealed several weaknesses. Which of the following should be done NEXT to determine the risk exposure?
As pan of business continuity planning, which of the following is MOST important to include m a business impact analysis (BlA)?
Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities?
Which of me following is MOST helpful to mitigate the risk associated with an application under development not meeting business objectives?
An organization's recovery team is attempting to recover critical data backups following a major flood in its data center. However, key team members do not know exactly what steps should be taken to address this crisis. Which of the following is the MOST likely cause of this situation?
Which of The following should be of GREATEST concern for an organization considering the adoption of a bring your own device (BYOD) initiative?
A risk practitioner has been asked to advise management on developing a log collection and correlation strategy. Which of the following should be the MOST important consideration when developing this strategy?
An organization has initiated a project to launch an IT-based service to customers and take advantage of being the first to market. Which of the following should be of GREATEST concern to senior management?
Which of the following is the MOST important factor when deciding on a control to mitigate risk exposure?
The BEST way to obtain senior management support for investment in a control implementation would be to articulate the reduction in:
Which of the following BEST assists in justifying an investment in automated controls?
Several network user accounts were recently created without the required management approvals. Which of the following would be the risk practitioner's BEST recommendation to address this situation?
Which of the following scenarios presents the GREATEST risk for a global organization when implementing a data classification policy?
To minimize the risk of a potential acquisition being exposed externally, an organization has selected a few key employees to be engaged in the due diligence process. A member of the due diligence team realizes a close acquaintance is a high-ranking IT professional at a subsidiary of the company about to be acquired. What is the BEST course of action for this team member?
The BEST way to determine the likelihood of a system availability risk scenario is by assessing the:
The design of procedures to prevent fraudulent transactions within an enterprise resource planning (ERP) system should be based on:
A peer review of a risk assessment finds that a relevant threat community was not included. Mitigation of the risk will require substantial changes to a software application. Which of the following is the BEST course of action?
During a risk treatment plan review, a risk practitioner finds the approved risk action plan has not been completed However, there were other risk mitigation actions implemented. Which of the fallowing is the BEST course of action?
A department allows multiple users to perform maintenance on a system using a single set of credentials. A risk practitioner determined this practice to be high-risk. Which of the following is the MOST effective way to mitigate this risk?
An organization must make a choice among multiple options to respond to a risk. The stakeholders cannot agree and decide to postpone the decision. Which of the following risk responses has the organization adopted?
Which of the following is the MOST important objective of establishing an enterprise risk management (ERM) function within an organization?
Which of the following is a risk practitioner's BEST recommendation to address an organization's need to secure multiple systems with limited IT resources?
Which of the following is the BEST course of action to help reduce the probability of an incident recurring?
A risk practitioner has been notified that an employee sent an email in error containing customers' personally identifiable information (Pll). Which of the following is the risk practitioner's BEST course of action?
An organization has initiated a project to implement an IT risk management program for the first time. The BEST time for the risk practitioner to start populating the risk register is when:
Which of the following provides the BEST measurement of an organization's risk management maturity level?
A newly hired risk practitioner finds that the risk register has not been updated in the past year. What is the risk practitioner's BEST course of action?
Which of the following is the BEST way to assess the effectiveness of an access management process?
An organization outsources the processing of us payroll data A risk practitioner identifies a control weakness at the third party trial exposes the payroll data. Who should own this risk?
Which of the following practices MOST effectively safeguards the processing of personal data?
To reduce costs, an organization is combining the second and third tines of defense in a new department that reports to a recently appointed C-level executive. Which of the following is the GREATEST concern with this situation?
Winch of the following is the BEST evidence of an effective risk treatment plan?
Winch of the following key control indicators (KCIs) BEST indicates whether security requirements are identified and managed throughout a project He cycle?
When presenting risk, the BEST method to ensure that the risk is measurable against the organization's risk appetite is through the use of a:
A risk practitioner notices that a particular key risk indicator (KRI) has remained below its established trigger point for an extended period of time. Which of the following should be done FIRST?
Which of the following is the BEST way to identify changes in the risk profile of an organization?
Which of the following BEST indicates that an organizations risk management program is effective?
Which of the following BEST indicates the risk appetite and tolerance level (or the risk associated with business interruption caused by IT system failures?
An organization is implementing encryption for data at rest to reduce the risk associated with unauthorized access. Which of the following MUST be considered to assess the residual risk?
Which of the following is the PRIMARY reason to adopt key control indicators (KCIs) in the risk monitoring and reporting process?
The PRIMARY reason for tracking the status of risk mitigation plans is to ensure:
Which of the following is the GREATEST risk associated with the misclassification of data?
An IT department originally planned to outsource the hosting of its data center at an overseas location to reduce operational expenses. After a risk assessment, the department has decided to keep the data center in-house. How should the risk treatment response be reflected in the risk register?
An organization practices the principle of least privilege. To ensure access remains appropriate, application owners should be required to review user access rights on a regular basis by obtaining:
Which of the following can be interpreted from a single data point on a risk heat map?
The effectiveness of a control has decreased. What is the MOST likely effect on the associated risk?
Which of the following BEST indicates effective information security incident management?
A risk practitioner observes that the fraud detection controls in an online payment system do not perform as expected. Which of the following will MOST likely change as a result?
Which of the following is MOST helpful in determining the effectiveness of an organization's IT risk mitigation efforts?
Which of the following is MOST influential when management makes risk response decisions?
Which stakeholders are PRIMARILY responsible for determining enterprise IT risk appetite?
An organization is making significant changes to an application. At what point should the application risk profile be updated?
IT stakeholders have asked a risk practitioner for IT risk profile reports associated with specific departments to allocate resources for risk mitigation. The BEST way to address this request would be to use:
Which of the following BEST protects an organization against breaches when using a software as a service (SaaS) application?
Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds?
Which of the following BEST indicates the effectiveness of anti-malware software?
Which of the following provides the MOST useful information when developing a risk profile for management approval?
Who is BEST suited to determine whether a new control properly mitigates data loss risk within a system?
Which of the following is MOST important for an organization to update following a change in legislation requiring notification to individuals impacted by data breaches?
Which of the following should be the risk practitioner's FIRST course of action when an organization plans to adopt a cloud computing strategy?
Which of the following is the PRIMARY reason for an organization to ensure the risk register is updated regularly?
An organization has engaged a third party to provide an Internet gateway encryption service that protects sensitive data uploaded to a cloud service. This is an example of risk:
Before implementing instant messaging within an organization using a public solution, which of the following should be in place to mitigate data leakage risk?
Implementing which of the following will BEST help ensure that systems comply with an established baseline before deployment?
What should a risk practitioner do FIRST upon learning a risk treatment owner has implemented a different control than what was specified in the IT risk action plan?
Which of the following would provide executive management with the BEST information to make risk decisions as a result of a risk assessment?
An organization's risk tolerance should be defined and approved by which of the following?
A bank has outsourced its statement printing function to an external service provider. Which of the following is the MOST critical requirement to include in the contract?
An identified high probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy. Which of the following is the BEST risk response?
What is the GREATEST concern with maintaining decentralized risk registers instead of a consolidated risk register?
Business areas within an organization have engaged various cloud service providers directly without assistance from the IT department. What should the risk practitioner do?
A control owner responsible for the access management process has developed a machine learning model to automatically identify excessive access privileges. What is the risk practitioner's BEST course of action?
As part of an overall IT risk management plan, an IT risk register BEST helps management:
Which of the following is MOST important to sustainable development of secure IT services?
Which of the following is the BEST key performance indicator (KPI) for determining how well an IT policy is aligned to business requirements?
Controls should be defined during the design phase of system development because:
The risk associated with data loss from a website which contains sensitive customer information is BEST owned by:
Which of the following would MOST likely cause a risk practitioner to reassess risk scenarios?
Which of the following risk register elements is MOST likely to be updated if the attack surface or exposure of an asset is reduced?
Which of the following is the MAIN reason for documenting the performance of controls?
Which of the following helps ensure compliance with a nonrepudiation policy requirement for electronic transactions?
Which of the following is the PRIMARY role of the board of directors in corporate risk governance?
Which of the following is the BEST measure of the effectiveness of an employee deprovisioning process?
Which of the following would be- MOST helpful to understand the impact of a new technology system on an organization's current risk profile?
Which of the following would BEST help to ensure that identified risk is efficiently managed?
Which of the following would BEST ensure that identified risk scenarios are addressed?
Which of the following is the PRIMARY factor in determining a recovery time objective (RTO)?
Which of the following would be MOST helpful when estimating the likelihood of negative events?
When implementing an IT risk management program, which of the following is the BEST time to evaluate current control effectiveness?
Which of the following is the PRIMARY reason to perform ongoing risk assessments?
Which of the following is the MOST important benefit of key risk indicators (KRIs)'
An organization is planning to engage a cloud-based service provider for some of its data-intensive business processes. Which of the following is MOST important to help define the IT risk associated with this outsourcing activity?
Which of the following should be the HIGHEST priority when developing a risk response?
An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?
Improvements in the design and implementation of a control will MOST likely result in an update to:
Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?
Which of the following is the BEST indication of an effective risk management program?
During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT. Which of the following is the BEST way for the risk practitioner to address these concerns?
Which of the following is MOST important when developing key performance indicators (KPIs)?
It is MOST appropriate for changes to be promoted to production after they are:
A risk practitioner has observed that there is an increasing trend of users sending sensitive information by email without using encryption. Which of the following would be the MOST effective approach to mitigate the risk associated with data loss?
Which of the following is the MOST important element of a successful risk awareness training program?
When determining which control deficiencies are most significant, which of the following would provide the MOST useful information?
A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable?
The risk associated with an asset before controls are applied can be expressed as:
The BEST way to justify the risk mitigation actions recommended in a risk assessment would be to:
Which of the following would BEST help an enterprise prioritize risk scenarios?
Management has noticed storage costs have increased exponentially over the last 10 years because most users do not delete their emails. Which of the following can BEST alleviate this issue while not sacrificing security?
Which of the following is the BEST way to identify changes to the risk landscape?
A global organization is considering the acquisition of a competitor. Senior management has requested a review of the overall risk profile from the targeted organization. Which of the following components of this review would provide the MOST useful information?
The number of tickets to rework application code has significantly exceeded the established threshold. Which of the following would be the risk practitioner s BEST recommendation?
A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?
The acceptance of control costs that exceed risk exposure MOST likely demonstrates:
In addition to the risk register, what should a risk practitioner review to develop an understanding of the organization's risk profile?
Which of the following should be the PRIMARY consideration when assessing the automation of control monitoring?
Which of the following is the MOST important consideration when sharing risk management updates with executive management?
An audit reveals that several terminated employee accounts maintain access. Which of the following should be the FIRST step to address the risk?
Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?
Which of the following is the BEST method for assessing control effectiveness?
An organization has identified a risk exposure due to weak technical controls in a newly implemented HR system. The risk practitioner is documenting the risk in the risk register. The risk should be owned by the:
A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:
Which of the following is the BEST metric to demonstrate the effectiveness of an organization's change management process?
Which of the following is the BEST approach to use when creating a comprehensive set of IT risk scenarios?
Which of the following is the MOST effective way to help ensure accountability for managing risk?
Which of the following is the PRIMARY purpose of creating and documenting control procedures?
Which of the following is the PRIMARY reason for a risk practitioner to review an organization's IT asset inventory?
When developing risk scenario using a list of generic scenarios based on industry best practices, it is MOST imported to:
Which of the following is MOST helpful in identifying loss magnitude during risk analysis of a new system?
When classifying and prioritizing risk responses, the areas to address FIRST are those with:
Which of the following BEST balances the costs and benefits of managing IT risk*?
Which of the following would provide the MOST reliable evidence of the effectiveness of security controls implemented for a web application?
A risk practitioner is reviewing accountability assignments for data risk in the risk register. Which of the following would pose the GREATEST concern?
A penetration test reveals several vulnerabilities in a web-facing application. Which of the following should be the FIRST step in selecting a risk response?
Which of the following BEST enables a risk practitioner to understand management's approach to organizational risk?
A segregation of duties control was found to be ineffective because it did not account for all applicable functions when evaluating access. Who is responsible for ensuring the control is designed to effectively address risk?
Which of the following is the PRIMARY objective of establishing an organization's risk tolerance and appetite?
Which of the blowing is MOST important when implementing an organization s security policy?
Which of the following is the BEST recommendation to address recent IT risk trends that indicate social engineering attempts are increasing in the organization?
A risk practitioner recently discovered that personal information from the production environment is required for testing purposes in non-production environments. Which of the following is the BEST recommendation to address this situation?
Which of the following is a risk practitioner's BEST course of action after identifying risk scenarios related to noncompliance with new industry regulations?
Which of the following is the MOST important reason to validate that risk responses have been executed as outlined in the risk response plan''
Which of the following practices would be MOST effective in protecting personality identifiable information (Ptl) from unauthorized access m a cloud environment?
Which of the following is the MOST important concern when assigning multiple risk owners for an identified risk?
Which component of a software inventory BEST enables the identification and mitigation of known vulnerabilities?
After the implementation of internal of Things (IoT) devices, new risk scenarios were identified. What is the PRIMARY reason to report this information to risk owners?
Which stakeholder is MOST important to include when defining a risk profile during me selection process for a new third party application'?
Which of the following is the BEST course of action when an organization wants to reduce likelihood in order to reduce a risk level?
A multinational organization is considering implementing standard background checks to' all new employees A KEY concern regarding this approach
A control process has been implemented in response to a new regulatory requirement, but has significantly reduced productivity. Which of the following is the BEST way to resolve this concern?