Winter Special Sale Limited Time 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 713PS592

CRISC Certified in Risk and Information Systems Control Questions and Answers

Questions 4

Which of the following is of GREATEST concern when uncontrolled changes are made to the control environment?

Options:

A.

A decrease in control layering effectiveness

B.

An increase in inherent risk

C.

An increase in control vulnerabilities

D.

An increase in the level of residual risk

Buy Now
Questions 5

Which of the following provides the BEST evidence of the effectiveness of an organization's account provisioning process?

Options:

A.

User provisioning

B.

Role-based access controls

C.

Security log monitoring

D.

Entitlement reviews

Buy Now
Questions 6

Which of the following is MOST critical when designing controls?

Options:

A.

Involvement of internal audit

B.

Involvement of process owner

C.

Quantitative impact of the risk

D.

Identification of key risk indicators

Buy Now
Questions 7

Which of the following is the GREATEST risk of relying on artificial intelligence (Al) within heuristic security systems?

Options:

A.

Al may result in less reliance on human intervention.

B.

Malicious activity may inadvertently be classified as normal during baselining.

C.

Risk assessments of heuristic security systems are more difficult.

D.

Predefined patterns of malicious activity may quickly become outdated.

Buy Now
Questions 8

An organization delegates its data processing to the internal IT team to manage information through its applications. Which of the following is the role of the internal IT team in this situation?

Options:

A.

Data controllers

B.

Data processors

C.

Data custodians

D.

Data owners

Buy Now
Questions 9

Who should be responsible for approving the cost of controls to be implemented for mitigating risk?

Options:

A.

Risk practitioner

B.

Risk owner

C.

Control owner

D.

Control implementer

Buy Now
Questions 10

Which of the following is the GREATEST benefit of using IT risk scenarios?

Options:

A.

They support compliance with regulations.

B.

They provide evidence of risk assessment.

C.

They facilitate communication of risk.

D.

They enable the use of key risk indicators (KRls)

Buy Now
Questions 11

IT management has asked for a consolidated view into the organization's risk profile to enable project prioritization and resource allocation. Which of the following materials would

be MOST helpful?

Options:

A.

IT risk register

B.

List of key risk indicators

C.

Internal audit reports

D.

List of approved projects

Buy Now
Questions 12

Who should be accountable for ensuring effective cybersecurity controls are established?

Options:

A.

Risk owner

B.

Security management function

C.

IT management

D.

Enterprise risk function

Buy Now
Questions 13

Which of the following BEST helps to mitigate risk associated with excessive access by authorized users?

Options:

A.

Conducting periodic reviews of authorizations granted

B.

Revoking access for users changing roles

C.

Monitoring user activity using security logs

D.

Granting access based on least privilege

Buy Now
Questions 14

A risk practitioner discovers several key documents detailing the design of a product currently in development have been posted on the Internet. What should be the risk practitioner's FIRST course of action?

Options:

A.

invoke the established incident response plan.

B.

Inform internal audit.

C.

Perform a root cause analysis

D.

Conduct an immediate risk assessment

Buy Now
Questions 15

Which of the following IT controls is MOST useful in mitigating the risk associated with inaccurate data?

Options:

A.

Encrypted storage of data

B.

Links to source data

C.

Audit trails for updates and deletions

D.

Check totals on data records and data fields

Buy Now
Questions 16

Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?

Options:

A.

Align business objectives to the risk profile.

B.

Assess risk against business objectives

C.

Implement an organization-specific risk taxonomy.

D.

Explain risk details to management.

Buy Now
Questions 17

Which of the following is the BEST method to identify unnecessary controls?

Options:

A.

Evaluating the impact of removing existing controls

B.

Evaluating existing controls against audit requirements

C.

Reviewing system functionalities associated with business processes

D.

Monitoring existing key risk indicators (KRIs)

Buy Now
Questions 18

Which of the following attributes of a key risk indicator (KRI) is MOST important?

Options:

A.

Repeatable

B.

Automated

C.

Quantitative

D.

Qualitative

Buy Now
Questions 19

The PRIMARY benefit of maintaining an up-to-date risk register is that it helps to:

Options:

A.

implement uniform controls for common risk scenarios.

B.

ensure business unit risk is uniformly distributed.

C.

build a risk profile for management review.

D.

quantify the organization's risk appetite.

Buy Now
Questions 20

Calculation of the recovery time objective (RTO) is necessary to determine the:

Options:

A.

time required to restore files.

B.

point of synchronization

C.

priority of restoration.

D.

annual loss expectancy (ALE).

Buy Now
Questions 21

Which of the following is the MOST important requirement for monitoring key risk indicators (KRls) using log analysis?

Options:

A.

Obtaining logs m an easily readable format

B.

Providing accurate logs m a timely manner

C.

Collecting logs from the entire set of IT systems

D.

implementing an automated log analysis tool

Buy Now
Questions 22

Which of the following activities would BEST contribute to promoting an organization-wide risk-aware culture?

Options:

A.

Performing a benchmark analysis and evaluating gaps

B.

Conducting risk assessments and implementing controls

C.

Communicating components of risk and their acceptable levels

D.

Participating in peer reviews and implementing best practices

Buy Now
Questions 23

Which of the following BEST describes the role of the IT risk profile in strategic IT-related decisions?

Options:

A.

It compares performance levels of IT assets to value delivered.

B.

It facilitates the alignment of strategic IT objectives to business objectives.

C.

It provides input to business managers when preparing a business case for new IT projects.

D.

It helps assess the effects of IT decisions on risk exposure

Buy Now
Questions 24

Which of the following is the MAIN reason to continuously monitor IT-related risk?

Options:

A.

To redefine the risk appetite and risk tolerance levels based on changes in risk factors

B.

To update the risk register to reflect changes in levels of identified and new IT-related risk

C.

To ensure risk levels are within acceptable limits of the organization's risk appetite and risk tolerance

D.

To help identify root causes of incidents and recommend suitable long-term solutions

Buy Now
Questions 25

A risk practitioner is organizing a training session lo communicate risk assessment methodologies to ensure a consistent risk view within the organization Which of the following i< the MOST important topic to cover in this training?

Options:

A.

Applying risk appetite

B.

Applying risk factors

C.

Referencing risk event data

D.

Understanding risk culture

Buy Now
Questions 26

Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation?

Options:

A.

Completeness of system documentation

B.

Results of end user acceptance testing

C.

Variances between planned and actual cost

D.

availability of in-house resources

Buy Now
Questions 27

Establishing and organizational code of conduct is an example of which type of control?

Options:

A.

Preventive

B.

Directive

C.

Detective

D.

Compensating

Buy Now
Questions 28

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery plan (DRP)?

Options:

A.

Number of users that participated in the DRP testing

B.

Number of issues identified during DRP testing

C.

Percentage of applications that met the RTO during DRP testing

D.

Percentage of issues resolved as a result of DRP testing

Buy Now
Questions 29

Which of the following would be- MOST helpful to understand the impact of a new technology system on an organization's current risk profile?

Options:

A.

Hire consultants specializing m the new technology.

B.

Review existing risk mitigation controls.

C.

Conduct a gap analysis.

D.

Perform a risk assessment.

Buy Now
Questions 30

An organization has procured a managed hosting service and just discovered the location is likely to be flooded every 20 years. Of the following, who should be notified of this new information FIRST.

Options:

A.

The risk owner who also owns the business service enabled by this infrastructure

B.

The data center manager who is also employed under the managed hosting services contract

C.

The site manager who is required to provide annual risk assessments under the contract

D.

The chief information officer (CIO) who is responsible for the hosted services

Buy Now
Questions 31

Which of the following is the BEST course of action to reduce risk impact?

Options:

A.

Create an IT security policy.

B.

Implement corrective measures.

C.

Implement detective controls.

D.

Leverage existing technology

Buy Now
Questions 32

An organization is concerned that a change in its market situation may impact the current level of acceptable risk for senior management. As a result, which of the following is MOST important to reevaluate?

Options:

A.

Risk classification

B.

Risk policy

C.

Risk strategy

D.

Risk appetite

Buy Now
Questions 33

Which of the following is the ULTIMATE objective of utilizing key control indicators (KCIs) in the risk management process?

Options:

A.

To provide a basis for determining the criticality of risk mitigation controls

B.

To provide early warning signs of a potential change in risk level

C.

To provide benchmarks for assessing control design effectiveness against industry peers

D.

To provide insight into the effectiveness of the intemnal control environment

Buy Now
Questions 34

Which of the following will BEST help to improve an organization's risk culture?

Options:

A.

Maintaining a documented risk register

B.

Establishing a risk awareness program

C.

Rewarding employees for reporting security incidents

D.

Allocating resources for risk remediation

Buy Now
Questions 35

After an annual risk assessment is completed, which of the following would be MOST important to communicate to stakeholders?

Options:

A.

A decrease in threats

B.

A change in the risk profile

C.

An increase in reported vulnerabilities

D.

An increase in identified risk scenarios

Buy Now
Questions 36

An organization has updated its acceptable use policy to mitigate the risk of employees disclosing confidential information. Which of the following is the BEST way to reinforce the effectiveness of this policy?

Options:

A.

Communicate sanctions for policy violations to all staff.

B.

Obtain signed acceptance of the new policy from employees.

C.

Train all staff on relevant information security best practices.

D.

Implement data loss prevention (DLP) within the corporate network.

Buy Now
Questions 37

Senior management has requested more information regarding the risk associated with introducing a new application into the environment. Which of the following should be done FIRST?

Options:

A.

Perform an audit.

B.

Conduct a risk analysis.

C.

Develop risk scenarios.

D.

Perform a cost-benefit analysis.

Buy Now
Questions 38

Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited. Which of the following would be the BEST response to this scenario?

Options:

A.

Assess the vulnerability management process.

B.

Conduct a control serf-assessment.

C.

Conduct a vulnerability assessment.

D.

Reassess the inherent risk of the target.

Buy Now
Questions 39

When reviewing management's IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?

Options:

A.

Assess management's risk tolerance.

B.

Recommend management accept the low-risk scenarios.

C.

Propose mitigating controls

D.

Re-evaluate the risk scenarios associated with the control

Buy Now
Questions 40

Which of the following is the MOST important consideration when sharing risk management updates with executive management?

Options:

A.

Using an aggregated view of organizational risk

B.

Ensuring relevance to organizational goals

C.

Relying on key risk indicator (KRI) data Including

D.

Trend analysis of risk metrics

Buy Now
Questions 41

Which of the following should be the PRIMARY consideration when implementing controls for monitoring user activity logs?

Options:

A.

Ensuring availability of resources for log analysis

B.

Implementing log analysis tools to automate controls

C.

Ensuring the control is proportional to the risk

D.

Building correlations between logs collected from different sources

Buy Now
Questions 42

Which group has PRIMARY ownership of reputational risk stemming from unethical behavior within the organization?

Options:

A.

Board of directors

B.

Human resources (HR)

C.

Risk management committee

D.

Audit committee

Buy Now
Questions 43

Which of the following is the PRIMARY factor in determining a recovery time objective (RTO)?

Options:

A.

Cost of offsite backup premises

B.

Cost of downtime due to a disaster

C.

Cost of testing the business continuity plan

D.

Response time of the emergency action plan

Buy Now
Questions 44

Which of the following will BEST quantify the risk associated with malicious users in an organization?

Options:

A.

Business impact analysis

B.

Risk analysis

C.

Threat risk assessment

D.

Vulnerability assessment

Buy Now
Questions 45

Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:

Options:

A.

a gap analysis

B.

a root cause analysis.

C.

an impact assessment.

D.

a vulnerability assessment.

Buy Now
Questions 46

A risk practitioner identifies an increasing trend of employees copying company information unrelated to their job functions to USB drives. Which of the following elements of the risk register should be updated to reflect this observation?

Options:

A.

Risk impact

B.

Key risk indicator (KRI)

C.

Risk appetite

D.

Risk likelihood

Buy Now
Questions 47

Which of the following is MOST important to ensure risk management practices are effective at all levels within the organization?

Options:

A.

Communicating risk awareness materials regularly

B.

Establishing key risk indicators (KRIs) to monitor risk management processes

C.

Ensuring that business activities minimize inherent risk

D.

Embedding risk management in business activities

Buy Now
Questions 48

Which of the following provides the MOST reliable evidence to support conclusions after completing an information systems controls assessment?

Options:

A.

Risk and control self-assessment (CSA) reports

B.

Information generated by the systems

C.

Control environment narratives

D.

Confirmation from industry peers

Buy Now
Questions 49

What is senior management's role in the RACI model when tasked with reviewing monthly status reports provided by risk owners?

Options:

A.

Accountable

B.

Informed

C.

Responsible

D.

Consulted

Buy Now
Questions 50

Which of the following is MOST useful for measuring the existing risk management process against a desired state?

Options:

A.

Balanced scorecard

B.

Risk management framework

C.

Capability maturity model

D.

Risk scenario analysis

Buy Now
Questions 51

A penetration test reveals several vulnerabilities in a web-facing application. Which of the following should be the FIRST step in selecting a risk response?

Options:

A.

Correct the vulnerabilities to mitigate potential risk exposure.

B.

Develop a risk response action plan with key stakeholders.

C.

Assess the level of risk associated with the vulnerabilities.

D.

Communicate the vulnerabilities to the risk owner.

Buy Now
Questions 52

Which of the following provides the BEST evidence that robust risk management practices are in place within an organization?

Options:

A.

Regularly updated risk management procedures

B.

A management-approved risk dashboard

C.

A current control framework

D.

A regularly updated risk register

Buy Now
Questions 53

A risk practitioner has been asked to propose a risk acceptance framework for an organization. Which of the following is the MOST important consideration for the risk practitioner to address in the framework?

Options:

A.

Consistent forms to document risk acceptance rationales

B.

Acceptable scenarios to override risk appetite or tolerance thresholds

C.

Individuals or roles authorized to approve risk acceptance

D.

Communication protocols when a risk is accepted

Buy Now
Questions 54

Which of the following will MOST likely change as a result of the decrease in risk appetite due to a new privacy regulation?

Options:

A.

Key risk indicator (KRI) thresholds

B.

Risk trends

C.

Key performance indicators (KPIs)

D.

Risk objectives

Buy Now
Questions 55

Which of the following would BEST indicate to senior management that IT processes are improving?

Options:

A.

Changes in the number of security exceptions

B.

Changes to the structure of the risk register

C.

Changes in the number of intrusions detected

D.

Changes in the position in the maturity model

Buy Now
Questions 56

Which of the following is the PRIMARY reason for a risk practitioner to use global standards related to risk management?

Options:

A.

To build an organizational risk-aware culture

B.

To continuously improve risk management processes

C.

To comply with legal and regulatory requirements

D.

To identify gaps in risk management practices

Buy Now
Questions 57

A review of an organization s controls has determined its data loss prevention {DLP) system is currently failing to detect outgoing emails containing credit card data. Which of the following would be MOST impacted?

Options:

A.

Key risk indicators (KRls)

B.

Inherent risk

C.

Residual risk

D.

Risk appetite

Buy Now
Questions 58

Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?

Options:

A.

Identify the potential risk.

B.

Monitor employee usage.

C.

Assess the potential risk.

D.

Develop risk awareness training.

Buy Now
Questions 59

Which of the following BEST facilitates the development of relevant risk scenarios?

Options:

A.

Perform quantitative risk analysis of historical data.

B.

Adopt an industry-recognized risk framework.

C.

Use qualitative risk assessment methodologies.

D.

Conduct brainstorming sessions with key stakeholders.

Buy Now
Questions 60

Which of the following is the MOST important benefit of key risk indicators (KRIs)'

Options:

A.

Assisting in continually optimizing risk governance

B.

Enabling the documentation and analysis of trends

C.

Ensuring compliance with regulatory requirements

D.

Providing an early warning to take proactive actions

Buy Now
Questions 61

The BEST way to justify the risk mitigation actions recommended in a risk assessment would be to:

Options:

A.

align with audit results.

B.

benchmark with competitor s actions.

C.

reference best practice.

D.

focus on the business drivers

Buy Now
Questions 62

Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?

Options:

A.

Risk tolerance is decreased.

B.

Residual risk is increased.

C.

Inherent risk is increased.

D.

Risk appetite is decreased

Buy Now
Questions 63

Which of the following is the BEST way to determine the ongoing efficiency of control processes?

Options:

A.

Perform annual risk assessments.

B.

Interview process owners.

C.

Review the risk register.

D.

Analyze key performance indicators (KPIs).

Buy Now
Questions 64

When determining which control deficiencies are most significant, which of the following would provide the MOST useful information?

Options:

A.

Risk analysis results

B.

Exception handling policy

C.

Vulnerability assessment results

D.

Benchmarking assessments

Buy Now
Questions 65

A contract associated with a cloud service provider MUST include:

Options:

A.

ownership of responsibilities.

B.

a business recovery plan.

C.

provision for source code escrow.

D.

the providers financial statements.

Buy Now
Questions 66

A risk practitioner has identified that the organization's secondary data center does not provide redundancy for a critical application. Who should have the authority to accept the associated risk?

Options:

A.

Business continuity director

B.

Disaster recovery manager

C.

Business application owner

D.

Data center manager

Buy Now
Questions 67

An organization has detected unauthorized logins to its client database servers. Which of the following should be of GREATEST concern?

Options:

A.

Potential increase in regulatory scrutiny

B.

Potential system downtime

C.

Potential theft of personal information

D.

Potential legal risk

Buy Now
Questions 68

A PRIMARY advantage of involving business management in evaluating and managing risk is that management:

Options:

A.

better understands the system architecture.

B.

is more objective than risk management.

C.

can balance technical and business risk.

D.

can make better-informed business decisions.

Buy Now
Questions 69

While reviewing an organization's monthly change management metrics, a risk practitioner notes that the number of emergency changes has increased substantially Which of the following would be the BEST approach for the risk practitioner to take?

Options:

A.

Temporarily suspend emergency changes.

B.

Document the control deficiency in the risk register.

C.

Conduct a root cause analysis.

D.

Continue monitoring change management metrics.

Buy Now
Questions 70

Which of the following should be included in a risk scenario to be used for risk analysis?

Options:

A.

Risk appetite

B.

Threat type

C.

Risk tolerance

D.

Residual risk

Buy Now
Questions 71

Which of the following is MOST important when developing key risk indicators (KRIs)?

Options:

A.

Alignment with regulatory requirements

B.

Availability of qualitative data

C.

Properly set thresholds

D.

Alignment with industry benchmarks

Buy Now
Questions 72

Determining if organizational risk is tolerable requires:

Options:

A.

mapping residual risk with cost of controls

B.

comparing against regulatory requirements

C.

comparing industry risk appetite with the organizations.

D.

understanding the organization's risk appetite.

Buy Now
Questions 73

Which of the following is a drawback in the use of quantitative risk analysis?

Options:

A.

It assigns numeric values to exposures of assets.

B.

It requires more resources than other methods

C.

It produces the results in numeric form.

D.

It is based on impact analysis of information assets.

Buy Now
Questions 74

A risk practitioner has been asked to evaluate the adoption of a third-party blockchain integration platform based on the value added by the platform and the organization's risk appetite. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Conduct a risk assessment with stakeholders.

B.

Conduct third-party resilience tests.

C.

Update the risk register with the process changes.

D.

Review risk related to standards and regulations.

Buy Now
Questions 75

Which of the following is the PRIMARY accountability for a control owner?

Options:

A.

Communicate risk to senior management.

B.

Own the associated risk the control is mitigating.

C.

Ensure the control operates effectively.

D.

Identify and assess control weaknesses.

Buy Now
Questions 76

Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data?

Options:

A.

Testing the transmission of credit card numbers

B.

Reviewing logs for unauthorized data transfers

C.

Configuring the DLP control to block credit card numbers

D.

Testing the DLP rule change control process

Buy Now
Questions 77

Which of the following is MOST effective against external threats to an organizations confidential information?

Options:

A.

Single sign-on

B.

Data integrity checking

C.

Strong authentication

D.

Intrusion detection system

Buy Now
Questions 78

An organization has identified a risk exposure due to weak technical controls in a newly implemented HR system. The risk practitioner is documenting the risk in the risk register. The risk should be owned by the:

Options:

A.

chief risk officer.

B.

project manager.

C.

chief information officer.

D.

business process owner.

Buy Now
Questions 79

When classifying and prioritizing risk responses, the areas to address FIRST are those with:

Options:

A.

low cost effectiveness ratios and high risk levels

B.

high cost effectiveness ratios and low risk levels.

C.

high cost effectiveness ratios and high risk levels

D.

low cost effectiveness ratios and low risk levels.

Buy Now
Questions 80

Which of the following is the PRIMARY purpose of a risk register?

Options:

A.

To assign control ownership of risk

B.

To provide a centralized view of risk

C.

To identify opportunities to transfer risk

D.

To mitigate organizational risk

Buy Now
Questions 81

A risk practitioner is defining metrics for security threats that were not identified by antivirus software. Which type of metric is being developed?

Options:

A.

Key control indicator (KCI)

B.

Key risk indicator (KRI)

C.

Operational level agreement (OLA)

D.

Service level agreement (SLA)

Buy Now
Questions 82

Which of the following BEST mitigates reputational risk associated with disinformation campaigns against an organization?

Options:

A.

Monitoring digital platforms that disseminate inaccurate or misleading news stories

B.

Engaging public relations personnel to debunk false stories and publications

C.

Restricting the use of social media on corporate networks during specific hours

D.

Providing awareness training to understand and manage these types of attacks

Buy Now
Questions 83

Which of the following describes the relationship between risk appetite and risk tolerance?

Options:

A.

Risk appetite is completely independent of risk tolerance.

B.

Risk tolerance is used to determine risk appetite.

C.

Risk appetite and risk tolerance are synonymous.

D.

Risk tolerance may exceed risk appetite.

Buy Now
Questions 84

Which of the following is the BEST method to track asset inventory?

Options:

A.

Periodic asset review by management

B.

Asset registration form

C.

Automated asset management software

D.

IT resource budgeting process

Buy Now
Questions 85

Which of the following emerging technologies is frequently used for botnet distributed denial of service (DDoS) attacks?

Options:

A.

Internet of Things (IoT)

B.

Quantum computing

C.

Virtual reality (VR)

D.

Machine learning

Buy Now
Questions 86

A data processing center operates in a jurisdiction where new regulations have significantly increased penalties for data breaches. Which of the following elements of the risk register is MOST important to update to reflect this change?

Options:

A.

Risk impact

B.

Risk trend

C.

Risk appetite

D.

Risk likelihood

Buy Now
Questions 87

Which of the following risk management practices BEST facilitates the incorporation of IT risk scenarios into the enterprise-wide risk register?

Options:

A.

Key risk indicators (KRls) are developed for key IT risk scenarios

B.

IT risk scenarios are assessed by the enterprise risk management team

C.

Risk appetites for IT risk scenarios are approved by key business stakeholders.

D.

IT risk scenarios are developed in the context of organizational objectives.

Buy Now
Questions 88

What is the PRIMARY reason to periodically review key performance indicators (KPIs)?

Options:

A.

Ensure compliance.

B.

Identify trends.

C.

Promote a risk-aware culture.

D.

Optimize resources needed for controls

Buy Now
Questions 89

The PRIMARY reason to have risk owners assigned to entries in the risk register is to ensure:

Options:

A.

risk is treated appropriately

B.

mitigating actions are prioritized

C.

risk entries are regularly updated

D.

risk exposure is minimized.

Buy Now
Questions 90

Which of the following represents a vulnerability?

Options:

A.

An identity thief seeking to acquire personal financial data from an organization

B.

Media recognition of an organization's market leadership in its industry

C.

A standard procedure for applying software patches two weeks after release

D.

An employee recently fired for insubordination

Buy Now
Questions 91

Which of the following is the GREATEST benefit of incorporating IT risk scenarios into the corporate risk register?

Options:

A.

Corporate incident escalation protocols are established.

B.

Exposure is integrated into the organization's risk profile.

C.

Risk appetite cascades to business unit management

D.

The organization-wide control budget is expanded.

Buy Now
Questions 92

Which of the following would be a risk practitioners’ BEST recommendation for preventing cyber intrusion?

Options:

A.

Establish a cyber response plan

B.

Implement data loss prevention (DLP) tools.

C.

Implement network segregation.

D.

Strengthen vulnerability remediation efforts.

Buy Now
Questions 93

A key risk indicator (KRI) is reported to senior management on a periodic basis as exceeding thresholds, but each time senior management has decided to take no action to reduce the risk. Which of the following is the MOST likely reason for senior management's response?

Options:

A.

The underlying data source for the KRI is using inaccurate data and needs to be corrected.

B.

The KRI is not providing useful information and should be removed from the KRI inventory.

C.

The KRI threshold needs to be revised to better align with the organization s risk appetite

D.

Senior management does not understand the KRI and should undergo risk training.

Buy Now
Questions 94

Which of the following, who should be PRIMARILY responsible for performing user entitlement reviews?

Options:

A.

IT security manager

B.

IT personnel

C.

Data custodian

D.

Data owner

Buy Now
Questions 95

Which of the following sources is MOST relevant to reference when updating security awareness training materials?

Options:

A.

Risk management framework

B.

Risk register

C.

Global security standards

D.

Recent security incidents reported by competitors

Buy Now
Questions 96

An organization is participating in an industry benchmarking study that involves providing customer transaction records for analysis Which of the following is the MOST important control to ensure the privacy of customer information?

Options:

A.

Nondisclosure agreements (NDAs)

B.

Data anonymization

C.

Data cleansing

D.

Data encryption

Buy Now
Questions 97

Which of the following would BEST facilitate the implementation of data classification requirements?

Options:

A.

Implementing a data toss prevention (DLP) solution

B.

Assigning a data owner

C.

Scheduling periodic audits

D.

Implementing technical controls over the assets

Buy Now
Questions 98

A highly regulated enterprise is developing a new risk management plan to specifically address legal and regulatory risk scenarios What should be done FIRST by IT governance to support this effort?

Options:

A.

Request a regulatory risk reporting methodology

B.

Require critical success factors (CSFs) for IT risks.

C.

Establish IT-specific compliance objectives

D.

Communicate IT key risk indicators (KRIs) and triggers

Buy Now
Questions 99

A risk practitioner has reviewed new international regulations and realizes the new regulations will affect the organization. Which of the following should be the risk practitioner's NEXT course of

action?

Options:

A.

Conduct a peer response assessment.

B.

Update risk scenarios in the risk register.

C.

Reevaluate the risk management program.

D.

Ensure applications are compliant.

Buy Now
Questions 100

Which of the following methods is an example of risk mitigation?

Options:

A.

Not providing capability for employees to work remotely

B.

Outsourcing the IT activities and infrastructure

C.

Enforcing change and configuration management processes

D.

Taking out insurance coverage for IT-related incidents

Buy Now
Questions 101

Which of the following is the PRIMARY role of a data custodian in the risk management process?

Options:

A.

Performing periodic data reviews according to policy

B.

Reporting and escalating data breaches to senior management

C.

Being accountable for control design

D.

Ensuring data is protected according to the classification

Buy Now
Questions 102

An organization outsources the processing of us payroll data A risk practitioner identifies a control weakness at the third party trial exposes the payroll data. Who should own this risk?

Options:

A.

The third party's IT operations manager

B.

The organization's process owner

C.

The third party's chief risk officer (CRO)

D.

The organization's risk practitioner

Buy Now
Questions 103

Which of the following BEST indicates the efficiency of a process for granting access privileges?

Options:

A.

Average time to grant access privileges

B.

Number of changes in access granted to users

C.

Average number of access privilege exceptions

D.

Number and type of locked obsolete accounts

Buy Now
Questions 104

Which of the following is the PRIMARY benefit of using an entry in the risk register to track the aggregate risk associated with server failure?

Options:

A.

It provides a cost-benefit analysis on control options available for implementation.

B.

It provides a view on where controls should be applied to maximize the uptime of servers.

C.

It provides historical information about the impact of individual servers malfunctioning.

D.

It provides a comprehensive view of the impact should the servers simultaneously fail.

Buy Now
Questions 105

Who should have the authority to approve an exception to a control?

Options:

A.

information security manager

B.

Control owner

C.

Risk owner

D.

Risk manager

Buy Now
Questions 106

The PRIMARY objective for requiring an independent review of an organization's IT risk management process should be to:

Options:

A.

assess gaps in IT risk management operations and strategic focus.

B.

confirm that IT risk assessment results are expressed as business impact.

C.

verify implemented controls to reduce the likelihood of threat materialization.

D.

ensure IT risk management is focused on mitigating potential risk.

Buy Now
Questions 107

Which of the following helps ensure compliance with a nonrepudiation policy requirement for electronic transactions?

Options:

A.

Digital signatures

B.

Encrypted passwords

C.

One-time passwords

D.

Digital certificates

Buy Now
Questions 108

Which of the following risk register updates is MOST important for senior management to review?

Options:

A.

Extending the date of a future action plan by two months

B.

Retiring a risk scenario no longer used

C.

Avoiding a risk that was previously accepted

D.

Changing a risk owner

Buy Now
Questions 109

The MAIN purpose of conducting a control self-assessment (CSA) is to:

Options:

A.

gain a better understanding of the control effectiveness in the organization

B.

gain a better understanding of the risk in the organization

C.

adjust the controls prior to an external audit

D.

reduce the dependency on external audits

Buy Now
Questions 110

An organization wants to assess the maturity of its internal control environment. The FIRST step should be to:

Options:

A.

validate control process execution.

B.

determine if controls are effective.

C.

identify key process owners.

D.

conduct a baseline assessment.

Buy Now
Questions 111

Which of the following should be the PRIMARY consideration when assessing the automation of control monitoring?

Options:

A.

impact due to failure of control

B.

Frequency of failure of control

C.

Contingency plan for residual risk

D.

Cost-benefit analysis of automation

Buy Now
Questions 112

IT risk assessments can BEST be used by management:

Options:

A.

for compliance with laws and regulations

B.

as a basis for cost-benefit analysis.

C.

as input for decision-making

D.

to measure organizational success.

Buy Now
Questions 113

Which of the following is the BEST indication of an effective risk management program?

Options:

A.

Risk action plans are approved by senior management.

B.

Residual risk is within the organizational risk appetite

C.

Mitigating controls are designed and implemented.

D.

Risk is recorded and tracked in the risk register

Buy Now
Questions 114

Which of the following would BEST help minimize the risk associated with social engineering threats?

Options:

A.

Enforcing employees’ sanctions

B.

Conducting phishing exercises

C.

Enforcing segregation of dunes

D.

Reviewing the organization's risk appetite

Buy Now
Questions 115

Which of the following is the BEST approach to use when creating a comprehensive set of IT risk scenarios?

Options:

A.

Derive scenarios from IT risk policies and standards.

B.

Map scenarios to a recognized risk management framework.

C.

Gather scenarios from senior management.

D.

Benchmark scenarios against industry peers.

Buy Now
Questions 116

Risk mitigation procedures should include:

Options:

A.

buying an insurance policy.

B.

acceptance of exposures

C.

deployment of counter measures.

D.

enterprise architecture implementation.

Buy Now
Questions 117

Which of the following would be MOST important for a risk practitioner to provide to the internal audit department during the audit planning process?

Options:

A.

Closed management action plans from the previous audit

B.

Annual risk assessment results

C.

An updated vulnerability management report

D.

A list of identified generic risk scenarios

Buy Now
Questions 118

A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:

Options:

A.

communication

B.

identification.

C.

treatment.

D.

assessment.

Buy Now
Questions 119

Which of the following would BEST help to ensure that suspicious network activity is identified?

Options:

A.

Analyzing intrusion detection system (IDS) logs

B.

Analyzing server logs

C.

Using a third-party monitoring provider

D.

Coordinating events with appropriate agencies

Buy Now
Questions 120

What is the BEST information to present to business control owners when justifying costs related to controls?

Options:

A.

Loss event frequency and magnitude

B.

The previous year's budget and actuals

C.

Industry benchmarks and standards

D.

Return on IT security-related investments

Buy Now
Questions 121

The PRIMARY objective for selecting risk response options is to:

Options:

A.

reduce risk 10 an acceptable level.

B.

identify compensating controls.

C.

minimize residual risk.

D.

reduce risk factors.

Buy Now
Questions 122

An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:

Options:

A.

reduce the risk to an acceptable level.

B.

communicate the consequences for violations.

C.

implement industry best practices.

D.

reduce the organization's risk appetite

Buy Now
Questions 123

An unauthorized individual has socially engineered entry into an organization's secured physical premises. Which of the following is the BEST way to prevent future occurrences?

Options:

A.

Employ security guards.

B.

Conduct security awareness training.

C.

Install security cameras.

D.

Require security access badges.

Buy Now
Questions 124

Which of the following is the MOST important key performance indicator (KPI) to establish in the service level agreement (SLA) for an outsourced data center?

Options:

A.

Percentage of systems included in recovery processes

B.

Number of key systems hosted

C.

Average response time to resolve system incidents

D.

Percentage of system availability

Buy Now
Questions 125

Which of the following aspects of an IT risk and control self-assessment would be MOST important to include in a report to senior management?

Options:

A.

Changes in control design

B.

A decrease in the number of key controls

C.

Changes in control ownership

D.

An increase in residual risk

Buy Now
Questions 126

The risk associated with an asset before controls are applied can be expressed as:

Options:

A.

a function of the likelihood and impact

B.

the magnitude of an impact

C.

a function of the cost and effectiveness of control.

D.

the likelihood of a given threat

Buy Now
Questions 127

Periodically reviewing and updating a risk register with details on identified risk factors PRIMARILY helps to:

Options:

A.

minimize the number of risk scenarios for risk assessment.

B.

aggregate risk scenarios identified across different business units.

C.

build a threat profile of the organization for management review.

D.

provide a current reference to stakeholders for risk-based decisions.

Buy Now
Questions 128

Which of the following would be considered a vulnerability?

Options:

A.

Delayed removal of employee access

B.

Authorized administrative access to HR files

C.

Corruption of files due to malware

D.

Server downtime due to a denial of service (DoS) attack

Buy Now
Questions 129

Which of the following roles would provide the MOST important input when identifying IT risk scenarios?

Options:

A.

Information security managers

B.

Internal auditors

C.

Business process owners

D.

Operational risk managers

Buy Now
Questions 130

The number of tickets to rework application code has significantly exceeded the established threshold. Which of the following would be the risk practitioner s BEST recommendation?

Options:

A.

Perform a root cause analysis

B.

Perform a code review

C.

Implement version control software.

D.

Implement training on coding best practices

Buy Now
Questions 131

A risk practitioner has observed that there is an increasing trend of users sending sensitive information by email without using encryption. Which of the following would be the MOST effective approach to mitigate the risk associated with data loss?

Options:

A.

Implement a tool to create and distribute violation reports

B.

Raise awareness of encryption requirements for sensitive data.

C.

Block unencrypted outgoing emails which contain sensitive data.

D.

Implement a progressive disciplinary process for email violations.

Buy Now
Questions 132

A risk practitioner is assisting with the preparation of a report on the organization s disaster recovery (DR) capabilities. Which information would have the MOST impact on the overall recovery profile?

Options:

A.

The percentage of systems meeting recovery target times has increased.

B.

The number of systems tested in the last year has increased.

C.

The number of systems requiring a recovery plan has increased.

D.

The percentage of systems with long recovery target times has decreased.

Buy Now
Questions 133

Which of the following is a risk practitioner's MOST important responsibility in managing risk acceptance that exceeds risk tolerance?

Options:

A.

Verify authorization by senior management.

B.

Increase the risk appetite to align with the current risk level

C.

Ensure the acceptance is set to expire over lime

D.

Update the risk response in the risk register.

Buy Now
Questions 134

An organization's control environment is MOST effective when:

Options:

A.

controls perform as intended.

B.

controls operate efficiently.

C.

controls are implemented consistent

D.

control designs are reviewed periodically

Buy Now
Questions 135

Which of the following is the MOST effective way 10 identify an application backdoor prior to implementation'?

Options:

A.

User acceptance testing (UAT)

B.

Database activity monitoring

C.

Source code review

D.

Vulnerability analysis

Buy Now
Questions 136

An organization has an approved bring your own device (BYOD) policy. Which of the following would BEST mitigate the security risk associated with the inappropriate use of enterprise applications on the devices?

Options:

A.

Periodically review application on BYOD devices

B.

Include BYOD in organizational awareness programs

C.

Implement BYOD mobile device management (MDM) controls.

D.

Enable a remote wee capability for BYOD devices

Buy Now
Questions 137

Which of the following is the BEST method to maintain a common view of IT risk within an organization?

Options:

A.

Collecting data for IT risk assessment

B.

Establishing and communicating the IT risk profile

C.

Utilizing a balanced scorecard

D.

Performing and publishing an IT risk analysis

Buy Now
Questions 138

Which of the following findings of a security awareness program assessment would cause the GREATEST concern to a risk practitioner?

Options:

A.

The program has not decreased threat counts.

B.

The program has not considered business impact.

C.

The program has been significantly revised

D.

The program uses non-customized training modules.

Buy Now
Questions 139

Which of the following is MOST helpful in providing an overview of an organization's risk management program?

Options:

A.

Risk management treatment plan

B.

Risk assessment results

C.

Risk management framework

D.

Risk register

Buy Now
Questions 140

Which of the following BEST helps to identify significant events that could impact an organization?

Options:

A.

Control analysis

B.

Vulnerability analysis

C.

Scenario analysis

D.

Heat map analysis

Buy Now
Questions 141

Which of the following is MOST important to update when an organization's risk appetite changes?

Options:

A.

Key risk indicators (KRIs)

B.

Risk reporting methodology

C.

Key performance indicators (KPIs)

D.

Risk taxonomy

Buy Now
Questions 142

Which of the following is the BEST way to determine whether system settings are in alignment with control baselines?

Options:

A.

Configuration validation

B.

Control attestation

C.

Penetration testing

D.

Internal audit review

Buy Now
Questions 143

When is the BEST to identify risk associated with major project to determine a mitigation plan?

Options:

A.

Project execution phase

B.

Project initiation phase

C.

Project closing phase

D.

Project planning phase

Buy Now
Questions 144

An organization is considering the adoption of an aggressive business strategy to achieve desired growth From a risk management perspective what should the risk practitioner do NEXT?

Options:

A.

Identify new threats resorting from the new business strategy

B.

Update risk awareness training to reflect current levels of risk appetite and tolerance

C.

Inform the board of potential risk scenarios associated with aggressive business strategies

D.

Increase the scale for measuring impact due to threat materialization

Buy Now
Questions 145

Using key risk indicators (KRIs) to illustrate changes in the risk profile PRIMARILY helps to:

Options:

A.

communicate risk trends to stakeholders.

B.

assign ownership of emerging risk scenarios.

C.

highlight noncompliance with the risk policy

D.

identify threats to emerging technologies.

Buy Now
Questions 146

An organization is implementing robotic process automation (RPA) to streamline business processes. Given that implementation of this technology is expected to impact existing controls, which of the following is the risk practitioner's BEST course of action?

Options:

A.

Reassess whether mitigating controls address the known risk in the processes.

B.

Update processes to address the new technology.

C.

Update the data governance policy to address the new technology.

D.

Perform a gap analysis of the impacted processes.

Buy Now
Questions 147

Which of the following management action will MOST likely change the likelihood rating of a risk scenario related to remote network access?

Options:

A.

Updating the organizational policy for remote access

B.

Creating metrics to track remote connections

C.

Implementing multi-factor authentication

D.

Updating remote desktop software

Buy Now
Questions 148

An organization has operations in a location that regularly experiences severe weather events. Which of the following would BEST help to mitigate the risk to operations?

Options:

A.

Prepare a cost-benefit analysis to evaluate relocation.

B.

Prepare a disaster recovery plan (DRP).

C.

Conduct a business impact analysis (BIA) for an alternate location.

D.

Develop a business continuity plan (BCP).

Buy Now
Questions 149

An organization's chief information officer (CIO) has proposed investing in a new. untested technology to take advantage of being first to market Senior management has concerns about the success of the project and has set a limit for expenditures before final approval. This conditional approval indicates the organization's risk:

Options:

A.

capacity.

B.

appetite.

C.

management capability.

D.

treatment strategy.

Buy Now
Questions 150

Which of the following would be of MOST concern to a risk practitioner reviewing risk action plans for documented IT risk scenarios?

Options:

A.

Individuals outside IT are managing action plans for the risk scenarios.

B.

Target dates for completion are missing from some action plans.

C.

Senior management approved multiple changes to several action plans.

D.

Many action plans were discontinued after senior management accepted the risk.

Buy Now
Questions 151

Of the following, who is BEST suited to assist a risk practitioner in developing a relevant set of risk scenarios?

Options:

A.

Internal auditor

B.

Asset owner

C.

Finance manager

D.

Control owner

Buy Now
Questions 152

An organization is concerned that its employees may be unintentionally disclosing data through the use of social media sites. Which of the following will MOST effectively mitigate tins risk?

Options:

A.

Requiring the use of virtual private networks (VPNs)

B.

Establishing a data classification policy

C.

Conducting user awareness training

D.

Requiring employee agreement of the acceptable use policy

Buy Now
Questions 153

A bank recently incorporated Blockchain technology with the potential to impact known risk within the organization. Which of the following is the risk practitioner’s BEST course of action?

Options:

A.

Determine whether risk responses are still adequate.

B.

Analyze and update control assessments with the new processes.

C.

Analyze the risk and update the risk register as needed.

D.

Conduct testing of the control that mitigate the existing risk.

Buy Now
Questions 154

Which of the following is PRIMARILY a risk management responsibly of the first line of defense?

Options:

A.

Implementing risk treatment plans

B.

Validating the status of risk mitigation efforts

C.

Establishing risk policies and standards

D.

Conducting independent reviews of risk assessment results

Buy Now
Questions 155

Which of the following is the MAIN benefit to an organization using key risk indicators (KRIs)?

Options:

A.

KRIs provide an early warning that a risk threshold is about to be reached.

B.

KRIs signal that a change in the control environment has occurred.

C.

KRIs provide a basis to set the risk appetite for an organization.

D.

KRIs assist in the preparation of the organization's risk profile.

Buy Now
Questions 156

Which of the following is the BEST indicator of executive management's support for IT risk mitigation efforts?

Options:

A.

The number of stakeholders involved in IT risk identification workshops

B.

The percentage of corporate budget allocated to IT risk activities

C.

The percentage of incidents presented to the board

D.

The number of executives attending IT security awareness training

Buy Now
Questions 157

When performing a risk assessment of a new service to support a core business process, which of the following should be done FIRST to ensure continuity of operations?

Options:

A.

Define metrics for restoring availability.

B.

Identify conditions that may cause disruptions.

C.

Review incident response procedures.

D.

Evaluate the probability of risk events.

Buy Now
Questions 158

Which risk response strategy could management apply to both positive and negative risk that has been identified?

Options:

A.

Transfer

B.

Accept

C.

Exploit

D.

Mitigate

Buy Now
Questions 159

Which of the following would BEST mitigate an identified risk scenario?

Options:

A.

Conducting awareness training

B.

Executing a risk response plan

C.

Establishing an organization's risk tolerance

D.

Performing periodic audits

Buy Now
Questions 160

What is the BEST recommendation to reduce the risk associated with potential system compromise when a vendor stops releasing security patches and updates for a business-critical legacy system?

Options:

A.

Segment the system on its own network.

B.

Ensure regular backups take place.

C.

Virtualize the system in the cloud.

D.

Install antivirus software on the system.

Buy Now
Questions 161

What should be the PRIMARY consideration related to data privacy protection when there are plans for a business initiative to make use of personal information?

Options:

A.

Do not collect or retain data that is not needed.

B.

Redact data where possible.

C.

Limit access to the personal data.

D.

Ensure all data is encrypted at rest and during transit.

Buy Now
Questions 162

When a risk practitioner is determining a system's criticality. it is MOST helpful to review the associated:

Options:

A.

process flow.

B.

business impact analysis (BIA).

C.

service level agreement (SLA).

D.

system architecture.

Buy Now
Questions 163

Which key performance efficiency IKPI) BEST measures the effectiveness of an organization's disaster recovery program?

Options:

A.

Number of service level agreement (SLA) violations

B.

Percentage of recovery issues identified during the exercise

C.

Number of total systems recovered within tie recovery point objective (RPO)

D.

Percentage of critical systems recovered within tie recovery time objective (RTO)

Buy Now
Questions 164

Which of the following is the MOST important consideration for effectively maintaining a risk register?

Options:

A.

An IT owner is assigned for each risk scenario.

B.

The register is updated frequently.

C.

The register is shared with executive management.

D.

Compensating controls are identified.

Buy Now
Questions 165

When developing a response plan to address security incidents regarding sensitive data loss, it is MOST important

Options:

A.

revalidate current key risk indicators (KRIs).

B.

revise risk management procedures.

C.

review the data classification policy.

D.

revalidate existing risk scenarios.

Buy Now
Questions 166

Which of the following is the MOST effective way for a large and diversified organization to minimize risk associated with unauthorized software on company devices?

Options:

A.

Scan end points for applications not included in the asset inventory.

B.

Prohibit the use of cloud-based virtual desktop software.

C.

Conduct frequent reviews of software licenses.

D.

Perform frequent internal audits of enterprise IT infrastructure.

Buy Now
Questions 167

Which of the following is MOST important for successful incident response?

Options:

A.

The quantity of data logged by the attack control tools

B.

Blocking the attack route immediately

C.

The ability to trace the source of the attack

D.

The timeliness of attack recognition

Buy Now
Questions 168

A risk practitioner has identified that the agreed recovery time objective (RTO) with a Software as a Service (SaaS) provider is longer than the business expectation. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Collaborate with the risk owner to determine the risk response plan.

B.

Document the gap in the risk register and report to senior management.

C.

Include a right to audit clause in the service provider contract.

D.

Advise the risk owner to accept the risk.

Buy Now
Questions 169

Which of the following is the GREATEST benefit of centralizing IT systems?

Options:

A.

Risk reporting

B.

Risk classification

C.

Risk monitoring

D.

Risk identification

Buy Now
Questions 170

The PRIMARY objective of collecting information and reviewing documentation when performing periodic risk analysis should be to:

Options:

A.

Identify new or emerging risk issues.

B.

Satisfy audit requirements.

C.

Survey and analyze historical risk data.

D.

Understand internal and external threat agents.

Buy Now
Questions 171

Which stakeholder is MOST important to include when defining a risk profile during me selection process for a new third party application'?

Options:

A.

The third-party risk manager

B.

The application vendor

C.

The business process owner

D.

The information security manager

Buy Now
Questions 172

The BEST metric to demonstrate that servers are configured securely is the total number of servers:

Options:

A.

exceeding availability thresholds

B.

experiencing hardware failures

C.

exceeding current patching standards.

D.

meeting the baseline for hardening.

Buy Now
Questions 173

Which of the following is the BEST indication that key risk indicators (KRls) should be revised?

Options:

A.

A decrease in the number of critical assets covered by risk thresholds

B.

An Increase In the number of risk threshold exceptions

C.

An increase in the number of change events pending management review

D.

A decrease In the number of key performance indicators (KPls)

Buy Now
Questions 174

Which of the following would be of GREATEST concern regarding an organization's asset management?

Options:

A.

Lack of a mature records management program

B.

Lack of a dedicated asset management team

C.

Decentralized asset lists

D.

Incomplete asset inventory

Buy Now
Questions 175

Senior management wants to increase investment in the organization's cybersecurity program in response to changes in the external threat landscape. Which of the following would BEST help to prioritize investment efforts?

Options:

A.

Analyzing cyber intelligence reports

B.

Engaging independent cybersecurity consultants

C.

Increasing the frequency of updates to the risk register

D.

Reviewing the outcome of the latest security risk assessment

Buy Now
Questions 176

Which of the following is the PRIMARY reason to perform periodic vendor risk assessments?

Options:

A.

To provide input to the organization's risk appetite

B.

To monitor the vendor's control effectiveness

C.

To verify the vendor's ongoing financial viability

D.

To assess the vendor's risk mitigation plans

Buy Now
Questions 177

Which of the following is MOST important when conducting a post-implementation review as part of the system development life cycle (SDLC)?

Options:

A.

Verifying that project objectives are met

B.

Identifying project cost overruns

C.

Leveraging an independent review team

D.

Reviewing the project initiation risk matrix

Buy Now
Questions 178

Recovery the objectives (RTOs) should be based on

Options:

A.

minimum tolerable downtime

B.

minimum tolerable loss of data.

C.

maximum tolerable downtime.

D.

maximum tolerable loss of data

Buy Now
Questions 179

Who is the BEST person to the employee personal data?

Options:

A.

Human resources (HR) manager

B.

System administrator

C.

Data privacy manager

D.

Compliance manager

Buy Now
Questions 180

During an acquisition, which of the following would provide the MOST useful input to the parent company's risk practitioner when developing risk scenarios for the post-acquisition phase?

Options:

A.

Risk management framework adopted by each company

B.

Risk registers of both companies

C.

IT balanced scorecard of each company

D.

Most recent internal audit findings from both companies

Buy Now
Questions 181

Who should be responsible (of evaluating the residual risk after a compensating control has been

Options:

A.

Compliance manager

B.

Risk owner

C.

Control owner

D.

Risk practitioner

Buy Now
Questions 182

An organization is analyzing the risk of shadow IT usage. Which of the following is the MOST important input into the assessment?

Options:

A.

Business benefits of shadow IT

B.

Application-related expresses

C.

Classification of the data

D.

Volume of data

Buy Now
Questions 183

Which of the following should be of GREATEST concern when reviewing the results of an independent control assessment to determine the effectiveness of a vendor's control environment?

Options:

A.

The report was provided directly from the vendor.

B.

The risk associated with multiple control gaps was accepted.

C.

The control owners disagreed with the auditor's recommendations.

D.

The controls had recurring noncompliance.

Buy Now
Questions 184

Which of the following would be the result of a significant increase in the motivation of a malicious threat actor?

Options:

A.

Increase in mitigating control costs

B.

Increase in risk event impact

C.

Increase in risk event likelihood

D.

Increase in cybersecurity premium

Buy Now
Questions 185

Which of the following s MOST likely to deter an employee from engaging in inappropriate use of company owned IT systems?

Options:

A.

A centralized computer security response team

B.

Regular performance reviews and management check-ins

C.

Code of ethics training for all employees

D.

Communication of employee activity monitoring

Buy Now
Questions 186

The MAIN reason for prioritizing IT risk responses is to enable an organization to:

Options:

A.

determine the risk appetite.

B.

determine the budget.

C.

define key performance indicators (KPIs).

D.

optimize resource utilization.

Buy Now
Questions 187

Which of the following is MOST important for maintaining the effectiveness of an IT risk register?

Options:

A.

Removing entries from the register after the risk has been treated

B.

Recording and tracking the status of risk response plans within the register

C.

Communicating the register to key stakeholders

D.

Performing regular reviews and updates to the register

Buy Now
Questions 188

Which of the following will BEST help to ensure the continued effectiveness of the IT risk management function within an organization experiencing high employee turnover?

Options:

A.

Well documented policies and procedures

B.

Risk and issue tracking

C.

An IT strategy committee

D.

Change and release management

Buy Now
Questions 189

When preparing a risk status report for periodic review by senior management, it is MOST important to ensure the report includes

Options:

A.

risk exposure in business terms

B.

a detailed view of individual risk exposures

C.

a summary of incidents that have impacted the organization.

D.

recommendations by an independent risk assessor.

Buy Now
Questions 190

Which of the following is MOST helpful to understand the consequences of an IT risk event?

Options:

A.

Fault tree analysis

B.

Historical trend analysis

C.

Root cause analysis

D.

Business impact analysis (BIA)

Buy Now
Questions 191

Which of the following is MOST important for mitigating ethical risk when establishing accountability for control ownership?

Options:

A.

Ensuring processes are documented to enable effective control execution

B.

Ensuring regular risk messaging is Included in business communications from leadership

C.

Ensuring schedules and deadlines for control-related deliverables are strictly monitored

D.

Ensuring performance metrics balance business goals with risk appetite

Buy Now
Questions 192

In order to determining a risk is under-controlled the risk practitioner will need to

Options:

A.

understand the risk tolerance

B.

monitor and evaluate IT performance

C.

identify risk management best practices

D.

determine the sufficiency of the IT risk budget

Buy Now
Questions 193

Which of the following is MOST important information to review when developing plans for using emerging technologies?

Options:

A.

Existing IT environment

B.

IT strategic plan

C.

Risk register

D.

Organizational strategic plan

Buy Now
Questions 194

Which of the following is MOST important for senior management to review during an acquisition?

Options:

A.

Risk appetite and tolerance

B.

Risk framework and methodology

C.

Key risk indicator (KRI) thresholds

D.

Risk communication plan

Buy Now
Questions 195

Which of the following BEST enables a risk practitioner to understand management's approach to organizational risk?

Options:

A.

Organizational structure and job descriptions

B.

Risk appetite and risk tolerance

C.

Industry best practices for risk management

D.

Prior year's risk assessment results

Buy Now
Questions 196

Risk appetite should be PRIMARILY driven by which of the following?

Options:

A.

Enterprise security architecture roadmap

B.

Stakeholder requirements

C.

Legal and regulatory requirements

D.

Business impact analysis (BIA)

Buy Now
Questions 197

Which of the following is the MOST important concern when assigning multiple risk owners for an identified risk?

Options:

A.

Accountability may not be clearly defined.

B.

Risk ratings may be inconsistently applied.

C.

Different risk taxonomies may be used.

D.

Mitigation efforts may be duplicated.

Buy Now
Questions 198

Senior management is deciding whether to share confidential data with the organization's business partners. The BEST course of action for a risk practitioner would be to submit a report to senior management containing the:

Options:

A.

possible risk and suggested mitigation plans.

B.

design of controls to encrypt the data to be shared.

C.

project plan for classification of the data.

D.

summary of data protection and privacy legislation.

Buy Now
Questions 199

An organization has recently hired a large number of part-time employees. During the annual audit, it was discovered that many user IDs and passwords were documented in procedure manuals for use by the part-time employees. Which of the following BEST describes this situation?

Options:

A.

Threat

B.

Risk

C.

Vulnerability

D.

Policy violation

Buy Now
Questions 200

Which of the following stakeholders are typically included as part of a line of defense within the three lines of defense model?

Options:

A.

Board of directors

B.

Vendors

C.

Regulators

D.

Legal team

Buy Now
Questions 201

Which of the blowing is MOST important when implementing an organization s security policy?

Options:

A.

Obtaining management support

B.

Benchmarking against industry standards

C.

Assessing compliance requirements

D.

Identifying threats and vulnerabilities

Buy Now
Questions 202

Which of the following is the PRIMARY reason for a risk practitioner to review an organization's IT asset inventory?

Options:

A.

To plan for the replacement of assets at the end of their life cycles

B.

To assess requirements for reducing duplicate assets

C.

To understand vulnerabilities associated with the use of the assets

D.

To calculate mean time between failures (MTBF) for the assets

Buy Now
Questions 203

Which of the following is MOST important to determine when assessing the potential risk exposure of a loss event involving personal data?

Options:

A.

The cost associated with incident response activities

The composition and number of records in the information asset

B.

The maximum levels of applicable regulatory fines

C.

The length of time between identification and containment of the incident

Buy Now
Questions 204

A recent vulnerability assessment of a web-facing application revealed several weaknesses. Which of the following should be done NEXT to determine the risk exposure?

Options:

A.

Code review

B.

Penetration test

C.

Gap assessment

D.

Business impact analysis (BIA)

Buy Now
Questions 205

Which of the following issues found during the review of a newly created disaster recovery plan (DRP) should be of MOST concern?

Options:

A.

Some critical business applications are not included in the plan

B.

Several recovery activities will be outsourced

C.

The plan is not based on an internationally recognized framework

D.

The chief information security officer (CISO) has not approved the plan

Buy Now
Questions 206

Which of the following would provide the MOST reliable evidence of the effectiveness of security controls implemented for a web application?

Options:

A.

Penetration testing

B.

IT general controls audit

C.

Vulnerability assessment

D.

Fault tree analysis

Buy Now
Questions 207

Which of the following BEST reduces the risk associated with the theft of a laptop containing sensitive information?

Options:

A.

Cable lock

B.

Data encryption

C.

Periodic backup

D.

Biometrics access control

Buy Now
Questions 208

Which of the following BEST enables effective IT control implementation?

Options:

A.

Key risk indicators (KRIs)

B.

Documented procedures

C.

Information security policies

D.

Information security standards

Buy Now
Questions 209

Which of the following is MOST important to promoting a risk-aware culture?

Options:

A.

Regular testing of risk controls

B.

Communication of audit findings

C.

Procedures for security monitoring

D.

Open communication of risk reporting

Buy Now
Questions 210

What is the PRIMARY reason an organization should include background checks on roles with elevated access to production as part of its hiring process?

Options:

A.

Reduce internal threats

B.

Reduce exposure to vulnerabilities

C.

Eliminate risk associated with personnel

D.

Ensure new hires have the required skills

Buy Now
Questions 211

Which of the following is the BEST way to ensure data is properly sanitized while in cloud storage?

Options:

A.

Deleting the data from the file system

B.

Cryptographically scrambling the data

C.

Formatting the cloud storage at the block level

D.

Degaussing the cloud storage media

Buy Now
Questions 212

A risk practitioner implemented a process to notify management of emergency changes that may not be approved. Which of the following is the BEST way to provide this information to management?

Options:

A.

Change logs

B.

Change management meeting minutes

C.

Key control indicators (KCIs)

D.

Key risk indicators (KRIs)

Buy Now
Questions 213

Which of the following is the GREATEST benefit of a three lines of defense structure?

Options:

A.

An effective risk culture that empowers employees to report risk

B.

Effective segregation of duties to prevent internal fraud

C.

Clear accountability for risk management processes

D.

Improved effectiveness and efficiency of business operations

Buy Now
Questions 214

Which of the following would be a risk practitioner's BEST course of action when a project team has accepted a risk outside the established risk appetite?

Options:

A.

Reject the risk acceptance and require mitigating controls.

B.

Monitor the residual risk level of the accepted risk.

C.

Escalate the risk decision to the project sponsor for review.

D.

Document the risk decision in the project risk register.

Buy Now
Questions 215

Which of the following would BEST facilitate the implementation of data classification requirements?

Options:

A.

Assigning a data owner

B.

Implementing technical control over the assets

C.

Implementing a data loss prevention (DLP) solution

D.

Scheduling periodic audits

Buy Now
Questions 216

Which of the following BEST indicates how well a web infrastructure protects critical information from an attacker?

Options:

A.

Failed login attempts

B.

Simulating a denial of service attack

C.

Absence of IT audit findings

D.

Penetration test

Buy Now
Questions 217

A risk practitioner has collaborated with subject matter experts from the IT department to develop a large list of potential key risk indicators (KRIs) for all IT operations within the organization of the following, who should review the completed list and select the appropriate KRIs for implementation?

Options:

A.

IT security managers

B.

IT control owners

C.

IT auditors

D.

IT risk owners

Buy Now
Questions 218

What are the MOST essential attributes of an effective Key control indicator (KCI)?

Options:

A.

Flexibility and adaptability

B.

Measurability and consistency

C.

Robustness and resilience

D.

Optimal cost and benefit

Buy Now
Questions 219

Which of the following is MOST important when developing risk scenarios?

Options:

A.

Reviewing business impact analysis (BIA)

B.

Collaborating with IT audit

C.

Conducting vulnerability assessments

D.

Obtaining input from key stakeholders

Buy Now
Questions 220

A highly regulated organization acquired a medical technology startup company that processes sensitive personal information with weak data protection controls. Which of the following is the BEST way for the acquiring company to reduce its risk while still enabling the flexibility needed by the startup company?

Options:

A.

Identify previous data breaches using the startup company’s audit reports.

B.

Have the data privacy officer review the startup company’s data protection policies.

C.

Classify and protect the data according to the parent company's internal standards.

D.

Implement a firewall and isolate the environment from the parent company's network.

Buy Now
Questions 221

Which of the following is MOST important when considering risk in an enterprise risk management (ERM) process?

Options:

A.

Financial risk is given a higher priority.

B.

Risk with strategic impact is included.

C.

Security strategy is given a higher priority.

D.

Risk identified by industry benchmarking is included.

Buy Now
Questions 222

Which of The following should be of GREATEST concern for an organization considering the adoption of a bring your own device (BYOD) initiative?

Options:

A.

Device corruption

B.

Data loss

C.

Malicious users

D.

User support

Buy Now
Questions 223

Which of the following is the PRIMARY risk management responsibility of the second line of defense?

Options:

A.

Monitoring risk responses

B.

Applying risk treatments

C.

Providing assurance of control effectiveness

D.

Implementing internal controls

Buy Now
Questions 224

Which of the following BEST mitigates the risk of sensitive personal data leakage from a software development environment?

Options:

A.

Tokenized personal data only in test environments

B.

Data loss prevention tools (DLP) installed in passive mode

C.

Anonymized personal data in non-production environments

D.

Multi-factor authentication for access to non-production environments

Buy Now
Questions 225

In an organization dependent on data analytics to drive decision-making, which of the following would BEST help to minimize the risk associated with inaccurate data?

Options:

A.

Establishing an intellectual property agreement

B.

Evaluating each of the data sources for vulnerabilities

C.

Periodically reviewing big data strategies

D.

Benchmarking to industry best practice

Buy Now
Questions 226

Which of the following would BEST assist in reconstructing the sequence of events following a security incident across multiple IT systems in the organization's network?

Options:

A.

Network monitoring infrastructure

B.

Centralized vulnerability management

C.

Incident management process

D.

Centralized log management

Buy Now
Questions 227

The GREATEST benefit of including low-probability, high-impact events in a risk assessment is the ability to:

Options:

A.

develop a comprehensive risk mitigation strategy

B.

develop understandable and realistic risk scenarios

C.

identify root causes for relevant events

D.

perform an aggregated cost-benefit analysis

Buy Now
Questions 228

Which of the following describes the relationship between Key risk indicators (KRIs) and key control indicators (KCIS)?

Options:

A.

KCIs are independent from KRIs KRIs.

B.

KCIs and KRIs help in determining risk appetite.

C.

KCIs are defined using data from KRIs.

D.

KCIs provide input for KRIs

Buy Now
Questions 229

Which of the following is the GREATEST benefit for an organization with a strong risk awareness culture?

Options:

A.

Reducing the involvement by senior management

B.

Using more risk specialists

C.

Reducing the need for risk policies and guidelines

D.

Discussing and managing risk as a team

Buy Now
Questions 230

Which of the following would be the BEST key performance indicator (KPI) for monitoring the effectiveness of the IT asset management process?

Options:

A.

Percentage of unpatched IT assets

B.

Percentage of IT assets without ownership

C.

The number of IT assets securely disposed during the past year

D.

The number of IT assets procured during the previous month

Buy Now
Questions 231

Which of the following controls BEST helps to ensure that transaction data reaches its destination?

Options:

A.

Securing the network from attacks

B.

Providing acknowledgments from receiver to sender

C.

Digitally signing individual messages

D.

Encrypting data-in-transit

Buy Now
Questions 232

Which of the following is the MOST appropriate action when a tolerance threshold is exceeded?

Options:

A.

Communicate potential impact to decision makers.

B.

Research the root cause of similar incidents.

C.

Verify the response plan is adequate.

D.

Increase human resources to respond in the interim.

Buy Now
Questions 233

Which of the following BEST enables a risk practitioner to enhance understanding of risk among stakeholders?

Options:

A.

Key risk indicators (KRIs)

B.

Risk scenarios

C.

Business impact analysis (BIA)

D.

Threat analysis

Buy Now
Questions 234

Which of the following is MOST useful when communicating risk to management?

Options:

A.

Risk policy

B.

Audit report

C.

Risk map

D.

Maturity model

Buy Now
Questions 235

An organization recently received an independent security audit report of its cloud service provider that indicates significant control weaknesses. What should be done NEXT in response to this report?

Options:

A.

Migrate all data to another compliant service provider.

B.

Analyze the impact of the provider's control weaknesses to the business.

C.

Conduct a follow-up audit to verify the provider's control weaknesses.

D.

Review the contract to determine if penalties should be levied against the provider.

Buy Now
Questions 236

An organization discovers significant vulnerabilities in a recently purchased commercial off-the-shelf software product which will not be corrected until the next release. Which of the following is the risk manager's BEST course of action?

Options:

A.

Review the risk of implementing versus postponing with stakeholders.

B.

Run vulnerability testing tools to independently verify the vulnerabilities.

C.

Review software license to determine the vendor's responsibility regarding vulnerabilities.

D.

Require the vendor to correct significant vulnerabilities prior to installation.

Buy Now
Questions 237

Which of the following is the MOST important technology control to reduce the likelihood of fraudulent payments committed internally?

Options:

A.

Automated access revocation

B.

Daily transaction reconciliation

C.

Rule-based data analytics

D.

Role-based user access model

Buy Now
Questions 238

Which of the following provides the MOST useful information when developing a risk profile for management approval?

Options:

A.

Residual risk and risk appetite

B.

Strength of detective and preventative controls

C.

Effectiveness and efficiency of controls

D.

Inherent risk and risk tolerance

Buy Now
Questions 239

Which of the following provides the BEST measurement of an organization's risk management maturity level?

Options:

A.

Level of residual risk

B.

The results of a gap analysis

C.

IT alignment to business objectives

D.

Key risk indicators (KRIs)

Buy Now
Questions 240

Which of the following would present the MOST significant risk to an organization when updating the incident response plan?

Options:

A.

Obsolete response documentation

B.

Increased stakeholder turnover

C.

Failure to audit third-party providers

D.

Undefined assignment of responsibility

Buy Now
Questions 241

Which of the following is the STRONGEST indication an organization has ethics management issues?

Options:

A.

Employees do not report IT risk issues for fear of consequences.

B.

Internal IT auditors report to the chief information security officer (CISO).

C.

Employees face sanctions for not signing the organization's acceptable use policy.

D.

The organization has only two lines of defense.

Buy Now
Questions 242

After the review of a risk record, internal audit questioned why the risk was lowered from medium to low. Which of the following is the BEST course of action in responding to this inquiry?

Options:

A.

Obtain industry benchmarks related to the specific risk.

B.

Provide justification for the lower risk rating.

C.

Notify the business at the next risk briefing.

D.

Reopen the risk issue and complete a full assessment.

Buy Now
Questions 243

Which of the following is the GREATEST advantage of implementing a risk management program?

Options:

A.

Enabling risk-aware decisions

B.

Promoting a risk-aware culture

C.

Improving security governance

D.

Reducing residual risk

Buy Now
Questions 244

Which of the following is the MOST important factor when deciding on a control to mitigate risk exposure?

Options:

A.

Relevance to the business process

B.

Regulatory compliance requirements

C.

Cost-benefit analysis

D.

Comparison against best practice

Buy Now
Questions 245

An application runs a scheduled job that compiles financial data from multiple business systems and updates the financial reporting system. If this job runs too long, it can delay financial reporting. Which of the following is the risk practitioner's BEST recommendation?

Options:

A.

Implement database activity and capacity monitoring.

B.

Ensure the business is aware of the risk.

C.

Ensure the enterprise has a process to detect such situations.

D.

Consider providing additional system resources to this job.

Buy Now
Questions 246

Which of the following is the FIRST step in risk assessment?

Options:

A.

Review risk governance

B.

Asset identification

C.

Identify risk factors

D.

Inherent risk identification

Buy Now
Questions 247

Which of the following provides the MOST useful information when determining if a specific control should be implemented?

Options:

A.

Business impact analysis (BIA)

B.

Cost-benefit analysis

C.

Attribute analysis

D.

Root cause analysis

Buy Now
Questions 248

The BEST metric to monitor the risk associated with changes deployed to production is the percentage of:

Options:

A.

changes due to emergencies.

B.

changes that cause incidents.

C.

changes not requiring user acceptance testing.

D.

personnel that have rights to make changes in production.

Buy Now
Questions 249

Which of the following will BEST help in communicating strategic risk priorities?

Options:

A.

Heat map

B.

Business impact analysis (BIA)

C.

Balanced Scorecard

D.

Risk register

Buy Now
Questions 250

Which of the following should be done FIRST when developing a data protection management plan?

Options:

A.

Perform a cost-benefit analysis.

B.

Identify critical data.

C.

Establish a data inventory.

D.

Conduct a risk analysis.

Buy Now
Questions 251

Which of the following controls are BEST strengthened by a clear organizational code of ethics?

Options:

A.

Detective controls

B.

Administrative controls

C.

Technical controls

D.

Preventive controls

Buy Now
Questions 252

Which of the following statements describes the relationship between key risk indicators (KRIs) and key control indicators (KCIs)?

Options:

A.

KRI design must precede definition of KCIs.

B.

KCIs and KRIs are independent indicators and do not impact each other.

C.

A decreasing trend of KRI readings will lead to changes to KCIs.

D.

Both KRIs and KCIs provide insight to potential changes in the level of risk.

Buy Now
Questions 253

Which of the following BEST mitigates the risk of violating privacy laws when transferring personal information lo a supplier?

Options:

A.

Encrypt the data while in transit lo the supplier

B.

Contractually obligate the supplier to follow privacy laws.

C.

Require independent audits of the supplier's control environment

D.

Utilize blockchain during the data transfer

Buy Now
Questions 254

The BEST key performance indicator (KPI) to measure the effectiveness of a backup process would be the number of:

Options:

A.

resources to monitor backups

B.

restoration monitoring reports

C.

backup recovery requests

D.

recurring restore failures

Buy Now
Questions 255

Which of the following would require updates to an organization's IT risk register?

Options:

A.

Discovery of an ineffectively designed key IT control

B.

Management review of key risk indicators (KRls)

C.

Changes to the team responsible for maintaining the register

D.

Completion of the latest internal audit

Buy Now
Questions 256

The PRIMARY purpose of IT control status reporting is to:

Options:

A.

ensure compliance with IT governance strategy.

B.

assist internal audit in evaluating and initiating remediation efforts.

C.

benchmark IT controls with Industry standards.

D.

facilitate the comparison of the current and desired states.

Buy Now
Questions 257

Which of the following is the BEST way to manage the risk associated with malicious activities performed by database administrators (DBAs)?

Options:

A.

Activity logging and monitoring

B.

Periodic access review

C.

Two-factor authentication

D.

Awareness training and background checks

Buy Now
Questions 258

Which of the following roles is BEST suited to help a risk practitioner understand the impact of IT-related events on business objectives?

Options:

A.

IT management

B.

Internal audit

C.

Process owners

D.

Senior management

Buy Now
Questions 259

To reduce the risk introduced when conducting penetration tests, the BEST mitigating control would be to:

Options:

A.

require the vendor to sign a nondisclosure agreement

B.

clearly define the project scope.

C.

perform background checks on the vendor.

D.

notify network administrators before testing

Buy Now
Questions 260

Which of the following is the BEST way to determine the potential organizational impact of emerging privacy regulations?

Options:

A.

Evaluate the security architecture maturity.

B.

Map the new requirements to the existing control framework.

C.

Charter a privacy steering committee.

D.

Conduct a privacy impact assessment (PIA).

Buy Now
Questions 261

Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?

Options:

A.

Implement segregation of duties.

B.

Enforce an internal data access policy.

C.

Enforce the use of digital signatures.

D.

Apply single sign-on for access control.

Buy Now
Questions 262

Which of the following will be the GREATEST concern when assessing the risk profile of an organization?

Options:

A.

The risk profile was not updated after a recent incident

B.

The risk profile was developed without using industry standards.

C.

The risk profile was last reviewed two years ago.

D.

The risk profile does not contain historical loss data.

Buy Now
Questions 263

When reporting on the performance of an organization's control environment including which of the following would BEST inform stakeholders risk decision-making?

Options:

A.

The audit plan for the upcoming period

B.

Spend to date on mitigating control implementation

C.

A report of deficiencies noted during controls testing

D.

A status report of control deployment

Buy Now
Questions 264

Which of the following is the BEST Key control indicator KCO to monitor the effectiveness of patch management?

Options:

A.

Percentage of legacy servers out of support

B.

Percentage of severs receiving automata patches

C.

Number of unpremeditated vulnerabilities

D.

Number of intrusion attempts

Buy Now
Questions 265

Which of the following is the MOST important consideration when selecting key risk indicators (KRIs) to monitor risk trends over time?

Options:

A.

Ongoing availability of data

B.

Ability to aggregate data

C.

Ability to predict trends

D.

Availability of automated reporting systems

Buy Now
Questions 266

Which of the following is the BEST way to determine whether new controls mitigate security gaps in a business system?

Options:

A.

Complete an offsite business continuity exercise.

B.

Conduct a compliance check against standards.

C.

Perform a vulnerability assessment.

D.

Measure the change in inherent risk.

Buy Now
Questions 267

When updating the risk register after a risk assessment, which of the following is MOST important to include?

Options:

A.

Historical losses due to past risk events

B.

Cost to reduce the impact and likelihood

C.

Likelihood and impact of the risk scenario

D.

Actor and threat type of the risk scenario

Buy Now
Questions 268

Which of the following is the BEST indicator of the effectiveness of IT risk management processes?

Options:

A.

Percentage of business users completing risk training

B.

Percentage of high-risk scenarios for which risk action plans have been developed

C.

Number of key risk indicators (KRIs) defined

D.

Time between when IT risk scenarios are identified and the enterprise's response

Buy Now
Questions 269

During a risk treatment plan review, a risk practitioner finds the approved risk action plan has not been completed However, there were other risk mitigation actions implemented. Which of the fallowing is the BEST course of action?

Options:

A.

Review the cost-benefit of mitigating controls

B.

Mark the risk status as unresolved within the risk register

C.

Verify the sufficiency of mitigating controls with the risk owner

D.

Update the risk register with implemented mitigating actions

Buy Now
Questions 270

From a risk management perspective, the PRIMARY objective of using maturity models is to enable:

Options:

A.

solution delivery.

B.

resource utilization.

C.

strategic alignment.

D.

performance evaluation.

Buy Now
Questions 271

A change management process has recently been updated with new testing procedures. What is the NEXT course of action?

Options:

A.

Monitor processes to ensure recent updates are being followed.

B.

Communicate to those who test and promote changes.

C.

Conduct a cost-benefit analysis to justify the cost of the control.

D.

Assess the maturity of the change management process.

Buy Now
Questions 272

Which of the following is MOST important to the integrity of a security log?

Options:

A.

Least privilege access

B.

Inability to edit

C.

Ability to overwrite

D.

Encryption

Buy Now
Questions 273

Which of the following is the BEST evidence that risk management is driving business decisions in an organization?

Options:

A.

Compliance breaches are addressed in a timely manner.

B.

Risk ownership is identified and assigned.

C.

Risk treatment options receive adequate funding.

D.

Residual risk is within risk tolerance.

Buy Now
Questions 274

Which of the following should be the risk practitioner's FIRST course of action when an organization plans to adopt a cloud computing strategy?

Options:

A.

Request a budget for implementation

B.

Conduct a threat analysis.

C.

Create a cloud computing policy.

D.

Perform a controls assessment.

Buy Now
Questions 275

Which of me following is MOST helpful to mitigate the risk associated with an application under development not meeting business objectives?

Options:

A.

Identifying tweets that may compromise enterprise architecture (EA)

B.

Including diverse Business scenarios in user acceptance testing (UAT)

C.

Performing risk assessments during the business case development stage

D.

Including key stakeholders in review of user requirements

Buy Now
Questions 276

An IT department has provided a shared drive for personnel to store information to which all employees have access. Which of the following parties is accountable for the risk of potential loss of confidential information?

Options:

A.

Risk manager

B.

Data owner

C.

End user

D.

IT department

Buy Now
Questions 277

Which of the following is the MOST appropriate key risk indicator (KRI) for backup media that is recycled monthly?

Options:

A.

Time required for backup restoration testing

B.

Change in size of data backed up

C.

Successful completion of backup operations

D.

Percentage of failed restore tests

Buy Now
Questions 278

A management team is on an aggressive mission to launch a new product to penetrate new markets and overlooks IT risk factors, threats, and vulnerabilities. This scenario BEST demonstrates an organization's risk:

Options:

A.

management.

B.

tolerance.

C.

culture.

D.

analysis.

Buy Now
Questions 279

Which of The following is the MOST comprehensive input to the risk assessment process specific to the effects of system downtime?

Options:

A.

Business continuity plan (BCP) testing results

B.

Recovery lime objective (RTO)

C.

Business impact analysis (BIA)

D.

results Recovery point objective (RPO)

Buy Now
Questions 280

Which of the following is the GREATEST benefit when enterprise risk management (ERM) provides oversight of IT risk management?

Options:

A.

Aligning IT with short-term and long-term goals of the organization

B.

Ensuring the IT budget and resources focus on risk management

C.

Ensuring senior management's primary focus is on the impact of identified risk

D.

Prioritizing internal departments that provide service to customers

Buy Now
Questions 281

An organization practices the principle of least privilege. To ensure access remains appropriate, application owners should be required to review user access rights on a regular basis by obtaining:

Options:

A.

business purpose documentation and software license counts

B.

an access control matrix and approval from the user's manager

C.

documentation indicating the intended users of the application

D.

security logs to determine the cause of invalid login attempts

Buy Now
Questions 282

Which of the following would BEST indicate to senior management that IT processes are improving?

Options:

A.

Changes in the number of intrusions detected

B.

Changes in the number of security exceptions

C.

Changes in the position in the maturity model

D.

Changes to the structure of the risk register

Buy Now
Questions 283

The BEST key performance indicator (KPI) for monitoring adherence to an organization's user accounts provisioning practices is the percentage of:

Options:

A.

accounts without documented approval

B.

user accounts with default passwords

C.

active accounts belonging to former personnel

D.

accounts with dormant activity.

Buy Now
Questions 284

Accountability for a particular risk is BEST represented in a:

Options:

A.

risk register

B.

risk catalog

C.

risk scenario

D.

RACI matrix

Buy Now
Questions 285

Which of the following is MOST important to have in place to ensure the effectiveness of risk and security metrics reporting?

Options:

A.

Organizational reporting process

B.

Incident reporting procedures

C.

Regularly scheduled audits

D.

Incident management policy

Buy Now
Questions 286

Which of the following presents the GREATEST risk to change control in business application development over the complete life cycle?

Options:

A.

Emphasis on multiple application testing cycles

B.

Lack of an integrated development environment (IDE) tool

C.

Introduction of requirements that have not been approved

D.

Bypassing quality requirements before go-live

Buy Now
Questions 287

A global organization is planning to collect customer behavior data through social media advertising. Which of the following is the MOST important business risk to be considered?

Options:

A.

Regulatory requirements may differ in each country.

B.

Data sampling may be impacted by various industry restrictions.

C.

Business advertising will need to be tailored by country.

D.

The data analysis may be ineffective in achieving objectives.

Buy Now
Questions 288

Which of the following information is MOST useful to a risk practitioner for developing IT risk scenarios?

Options:

A.

Published vulnerabilities relevant to the business

B.

Threat actors that can trigger events

C.

Events that could potentially impact the business

D.

IT assets requiring the greatest investment

Buy Now
Questions 289

Which of the following provides the MOST useful information to trace the impact of aggregated risk across an organization's technical environment?

Options:

A.

Business case documentation

B.

Organizational risk appetite statement

C.

Enterprise architecture (EA) documentation

D.

Organizational hierarchy

Buy Now
Questions 290

Which of the following is MOST important when determining risk appetite?

Options:

A.

Assessing regulatory requirements

B.

Benchmarking against industry standards

C.

Gaining management consensus

D.

Identifying risk tolerance

Buy Now
Questions 291

Which of the following is a risk practitioner's BEST recommendation regarding disaster recovery management (DRM) for Software as a Service (SaaS) providers?

Options:

A.

Conduct inoremental backups of data in the SaaS environment to a local data center.

B.

Implement segregation of duties between multiple SaaS solution providers.

C.

Codify availability requirements in the SaaS provider's contract.

D.

Conduct performance benchmarking against other SaaS service providers.

Buy Now
Questions 292

Zero Trust architecture is designed and deployed with adherence to which of the following basic tenets?

Options:

A.

Incoming traffic must be inspected before connection is established.

B.

Security frameworks and libraries should be leveraged.

C.

Digital identities should be implemented.

D.

All communication is secured regardless of network location.

Buy Now
Questions 293

Which of the following is the PRIMARY reason for a risk practitioner to report changes and trends in the IT risk profile to senior management?

Options:

A.

To ensure risk owners understand their responsibilities

B.

To ensure IT risk is managed within acceptable limits

C.

To ensure the organization complies with legal requirements

D.

To ensure the IT risk awareness program is effective

Buy Now
Questions 294

Which of the following should a risk practitioner do NEXT after learning that Internet of Things (loT) devices installed in the production environment lack appropriate security controls for

sensitive data?

Options:

A.

Assess the threat and associated impact.

B.

Evaluate risk appetite and tolerance levels

C.

Recommend device management controls

D.

Enable role-based access control.

Buy Now
Questions 295

Which of the following is PRIMARILY responsible for providing assurance to the board of directors and senior management during the evaluation of a risk management program implementation?

Options:

A.

Risk management

B.

Business units

C.

External audit

D.

Internal audit

Buy Now
Questions 296

Which of the following is the BEST approach for obtaining management buy-in

to implement additional IT controls?

Options:

A.

List requirements based on a commonly accepted IT risk management framework.

B.

Provide information on new governance, risk, and compliance (GRC) platform functionalities.

C.

Describe IT risk impact on organizational processes in monetary terms.

D.

Present new key risk indicators (KRIs) based on industry benchmarks.

Buy Now
Questions 297

Which of the following should be the PRIMARY focus of a disaster recovery management (DRM) framework and related processes?

Options:

A.

Restoring IT and cybersecurity operations

B.

Assessing the impact and probability of disaster scenarios

C.

Ensuring timely recovery of critical business operations

D.

Determining capacity for alternate sites

Buy Now
Questions 298

Which of the following would MOST likely cause management to unknowingly accept excessive risk?

Options:

A.

Satisfactory audit results

B.

Risk tolerance being set too low

C.

Inaccurate risk ratings

D.

Lack of preventive controls

Buy Now
Questions 299

Which of the following is the MOST important success factor when introducing risk management in an organization?

Options:

A.

Implementing a risk register

B.

Defining a risk mitigation strategy and plan

C.

Assigning risk ownership

D.

Establishing executive management support

Buy Now
Questions 300

Which of the following is the GREATEST benefit of having a mature enterprise architecture (EA) in place?

Options:

A.

Standards-based policies

B.

Audit readiness

C.

Efficient operations

D.

Regulatory compliance

Buy Now
Questions 301

During a recent security framework review, it was discovered that the marketing department implemented a non-fungible token asset program. This was done without following established risk procedures. Which of the following should the risk practitioner do FIRST?

Options:

A.

Report the infraction.

B.

Perform a risk assessment.

C.

Conduct risk awareness training.

D.

Discontinue the process.

Buy Now
Questions 302

Optimized risk management is achieved when risk is reduced:

Options:

A.

with strategic initiatives.

B.

to meet risk appetite.

C.

within resource availability.

D.

below risk appetite.

Buy Now
Questions 303

Which of the following is the BEST recommendation when a key risk indicator (KRI) is generating an excessive volume of events?

Options:

A.

Reevaluate the design of the KRIs.

B.

Develop a corresponding key performance indicator (KPI).

C.

Monitor KRIs within a specific timeframe.

D.

Activate the incident response plan.

Buy Now
Questions 304

An incentive program is MOST likely implemented to manage the risk associated with loss of which organizational asset?

Options:

A.

Employees

B.

Data

C.

Reputation

D.

Customer lists

Buy Now
Questions 305

A risk practitioner wants to identify potential risk events that affect the continuity of a critical business process. Which of the following should the risk practitioner do FIRST?

Options:

A.

Evaluate current risk management alignment with relevant regulations.

B.

Determine if business continuity procedures are reviewed and updated on a regular basis.

C.

Review the methodology used to conduct the business impact analysis (BIA).

D.

Conduct a benchmarking exercise against industry peers.

Buy Now
Questions 306

Which of the following is the BEST key performance indicator (KPI) to measure the ability to deliver uninterrupted IT services?

Options:

A.

Mean time between failures (MTBF)

B.

Mean time to recover (MTTR)

C.

Planned downtime

D.

Unplanned downtime

Buy Now
Questions 307

An organization recently experienced a cyber attack that resulted in the loss of confidential customer data. Which of the following is the risk practitioner's BEST recommendation after recovery steps have been completed?

Options:

A.

Develop new key risk indicators (KRIs).

B.

Perform a root cause analysis.

C.

Recommend the purchase of cyber insurance.

D.

Review the incident response plan.

Buy Now
Questions 308

Which of the following is the MOST significant indicator of the need to perform a penetration test?

Options:

A.

An increase in the number of high-risk audit findings

B.

An increase in the number of security incidents

C.

An increase in the percentage of turnover in IT personnel

D.

An increase in the number of infrastructure changes

Buy Now
Questions 309

Which of the following should be a risk practitioner's NEXT step after learning of an incident that has affected a competitor?

Options:

A.

Activate the incident response plan.

B.

Implement compensating controls.

C.

Update the risk register.

D.

Develop risk scenarios.

Buy Now
Questions 310

An organization has restructured its business processes, and the business continuity plan (BCP) needs to be revised accordingly. Which of the following should be identified FIRST?

Options:

A.

Variances in recovery times

B.

Ownership assignment for controls

C.

New potentially disruptive scenarios

D.

Contractual changes with customers

Buy Now
Questions 311

After the announcement of a new IT regulatory requirement, it is MOST important for a risk practitioner to;

Options:

A.

prepare an IT risk mitigation strategy.

B.

escalate to senior management.

C.

perform a cost-benefit analysis.

D.

review the impact to the IT environment.

Buy Now
Questions 312

A key performance indicator (KPI) shows that a process is operating inefficiently, even though no control issues were noted during the most recent risk assessment. Which of the following should be done FIRST?

Options:

A.

Implement new controls.

B.

Recalibrate the key performance indicator (KPI).

C.

Redesign the process.

D.

Re-evaluate the existing control design.

Buy Now
Questions 313

Which of the following situations would BEST justify escalation to senior management?

Options:

A.

Residual risk exceeds acceptable limits.

B.

Residual risk is inadequately recorded.

C.

Residual risk remains after controls have been applied.

D.

Residual risk equals current risk.

Buy Now
Questions 314

Which of the following is the PRIMARY benefit of integrating risk and security requirements in an organization's enterprise architecture (EA)?

Options:

A.

Adherence to legal and compliance requirements

B.

Reduction in the number of test cases in the acceptance phase

C.

Establishment of digital forensic architectures

D.

Consistent management of information assets

Buy Now
Questions 315

Which of the following is MOST important for a multinational organization to consider when developing its security policies and standards?

Options:

A.

Regional competitors' policies and standards

B.

Ability to monitor and enforce compliance

C.

Industry-standard templates

D.

Differences in regulatory requirements

Buy Now
Questions 316

Which of the following is the BEST indicator of the effectiveness of a control?

Options:

A.

Scope of the control coverage

B.

The number of exceptions granted

C.

Number of steps necessary to operate process

D.

Number of control deviations detected

Buy Now
Questions 317

What is the MOST important consideration when selecting key performance indicators (KPIs) for control monitoring?

Options:

A.

Source information is acquired at stable cost.

B.

Source information is tailored by removing outliers.

C.

Source information is readily quantifiable.

D.

Source information is consistently available.

Buy Now
Questions 318

If concurrent update transactions to an account are not processed properly, which of the following will MOST likely be affected?

Options:

A.

Confidentiality

B.

Accountability

C.

Availability

D.

Integrity

Buy Now
Questions 319

Which of the following is the MOST reliable validation of a new control?

Options:

A.

Approval of the control by senior management

B.

Complete and accurate documentation of control objectives

C.

Control owner attestation of control effectiveness

D.

Internal audit review of control design

Buy Now
Questions 320

Which of the following will BEST ensure that controls adequately support business goals and objectives?

Options:

A.

Using the risk management process

B.

Enforcing strict disciplinary procedures in case of noncompliance

C.

Reviewing results of the annual company external audit

D.

Adopting internationally accepted controls

Buy Now
Questions 321

Which of the following scenarios is MOST likely to cause a risk practitioner to request a formal risk acceptance sign-off?

Options:

A.

Residual risk in excess of the risk appetite cannot be mitigated.

B.

Inherent risk is too high, resulting in the cancellation of an initiative.

C.

Risk appetite has changed to align with organizational objectives.

D.

Residual risk remains at the same level over time without further mitigation.

Buy Now
Questions 322

Which of the following is the BEST method to track asset inventory?

Options:

A.

Periodic asset review by management

B.

Asset registration form

C.

IT resource budgeting process

D.

Automated asset management software

Buy Now
Questions 323

An assessment of information security controls has identified ineffective controls. Which of the following should be the risk practitioner's FIRST course of action?

Options:

A.

Determine whether the impact is outside the risk appetite.

B.

Report the ineffective control for inclusion in the next audit report.

C.

Request a formal acceptance of risk from senior management.

D.

Deploy a compensating control to address the identified deficiencies.

Buy Now
Questions 324

Which of the following management actions will MOST likely change the likelihood rating of a risk scenario related to remote network access?

Options:

A.

Creating metrics to track remote connections

B.

Updating the organizational policy for remote access

C.

Updating remote desktop software

D.

Implementing multi-factor authentication

Buy Now
Questions 325

Which of the following techniques is MOST helpful when quantifying the potential loss impact of cyber risk?

Options:

A.

Cost-benefit analysis

B.

Penetration testing

C.

Business impact analysis (BIA)

D.

Security assessment

Buy Now
Questions 326

Which of the following is the MAIN benefit of involving stakeholders in the selection of key risk indicators (KRIs)?

Options:

A.

Improving risk awareness

B.

Obtaining buy-in from risk owners

C.

Leveraging existing metrics

D.

Optimizing risk treatment decisions

Buy Now
Questions 327

An organization plans to implement a new Software as a Service (SaaS) speech-to-text solution Which of the following is MOST important to mitigate risk associated with data privacy?

Options:

A.

Secure encryption protocols are utilized.

B.

Multi-factor authentication is set up for users.

C.

The solution architecture is approved by IT.

D.

A risk transfer clause is included in the contact

Buy Now
Questions 328

Which of the following is the result of a realized risk scenario?

Options:

A.

Threat event

B.

Vulnerability event

C.

Technical event

D.

Loss event

Buy Now
Questions 329

Which of the following would provide the MOST comprehensive information for updating an organization's risk register?

Options:

A.

Results of the latest risk assessment

B.

Results of a risk forecasting analysis

C.

A review of compliance regulations

D.

Findings of the most recent audit

Buy Now
Questions 330

Which of the following is the BEST indication that an organization's risk management program has not reached the desired maturity level?

Options:

A.

Significant increases in risk mitigation budgets

B.

Large fluctuations in risk ratings between assessments

C.

A steady increase in the time to recover from incidents

D.

A large number of control exceptions

Buy Now
Questions 331

A maturity model will BEST indicate:

Options:

A.

confidentiality and integrity.

B.

effectiveness and efficiency.

C.

availability and reliability.

D.

certification and accreditation.

Buy Now
Questions 332

A large organization is replacing its enterprise resource planning (ERP) system and has decided not to deploy the payroll module of the new system. Instead, the current payroll system will continue to be

used. Of the following, who should own the risk if the ERP and payroll system fail to operate as expected?

Options:

A.

The business owner

B.

The ERP administrator

C.

The project steering committee

D.

The IT project manager

Buy Now
Questions 333

The purpose of requiring source code escrow in a contractual agreement is to:

Options:

A.

ensure that the source code is valid and exists.

B.

ensure that the source code is available if the vendor ceases to exist.

C.

review the source code for adequacy of controls.

D.

ensure the source code is available when bugs occur.

Buy Now
Questions 334

Which of the following is the MOST effective way to mitigate identified risk scenarios?

Options:

A.

Assign ownership of the risk response plan

B.

Provide awareness in early detection of risk.

C.

Perform periodic audits on identified risk.

D.

areas Document the risk tolerance of the organization.

Buy Now
Questions 335

Which of the following observations would be GREATEST concern to a risk practitioner reviewing the implementation status of management action plans?

Options:

A.

Management has not determined a final implementation date.

B.

Management has not completed an early mitigation milestone.

C.

Management has not secured resources for mitigation activities.

D.

Management has not begun the implementation.

Buy Now
Questions 336

Which type of cloud computing deployment provides the consumer the GREATEST degree of control over the environment?

Options:

A.

Community cloud

B.

Private cloud

C.

Hybrid cloud

D.

Public cloud

Buy Now
Questions 337

A risk practitioner notices that a particular key risk indicator (KRI) has remained below its established trigger point for an extended period of time. Which of the following should be done FIRST?

Options:

A.

Recommend a re-evaluation of the current threshold of the KRI.

B.

Notify management that KRIs are being effectively managed.

C.

Update the risk rating associated with the KRI In the risk register.

D.

Update the risk tolerance and risk appetite to better align to the KRI.

Buy Now
Questions 338

Which of the following is the BEST course of action when risk is found to be above the acceptable risk appetite?

Options:

A.

Review risk tolerance levels

B.

Maintain the current controls.

C.

Analyze the effectiveness of controls.

D.

Execute the risk response plan

Buy Now
Questions 339

Which of the following should be considered FIRST when assessing risk associated with the adoption of emerging technologies?

Options:

A.

Organizational strategy

B.

Cost-benefit analysis

C.

Control self-assessment (CSA)

D.

Business requirements

Buy Now
Questions 340

Which of the following resources is MOST helpful when creating a manageable set of IT risk scenarios?

Options:

A.

Results of current and past risk assessments

B.

Organizational strategy and objectives

C.

Lessons learned from materialized risk scenarios

D.

Internal and external audit findings

Buy Now
Questions 341

An IT risk practitioner is evaluating an organization's change management controls over the last six months. The GREATEST concern would be an increase in:

Options:

A.

rolled back changes below management's thresholds.

B.

change-related exceptions per month.

C.

the average implementation time for changes.

D.

number of user stories approved for implementation.

Buy Now
Questions 342

Which of the following should be the MAIN consideration when validating an organization's risk appetite?

Options:

A.

Comparison against regulations

B.

Maturity of the risk culture

C.

Capacity to withstand loss

D.

Cost of risk mitigation options

Buy Now
Questions 343

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an anti-virus program?

Options:

A.

Frequency of anti-virus software updates

B.

Number of alerts generated by the anti-virus software

C.

Number of false positives detected over a period of time

D.

Percentage of IT assets with current malware definitions

Buy Now
Questions 344

Which of the following should a risk practitioner do FIRST when an organization decides to use a cloud service?

Options:

A.

Review the vendor selection process and vetting criteria.

B.

Assess whether use of service falls within risk tolerance thresholds.

C.

Establish service level agreements (SLAs) with the vendor.

D.

Check the contract for appropriate security risk and control provisions.

Buy Now
Questions 345

Which of the following will BEST help an organization select a recovery strategy for critical systems?

Options:

A.

Review the business impact analysis.

B.

Create a business continuity plan.

C.

Analyze previous disaster recovery reports.

D.

Conduct a root cause analysis.

Buy Now
Questions 346

Who should be responsible for strategic decisions on risk management?

Options:

A.

Chief information officer (CIO)

B.

Executive management team

C.

Audit committee

D.

Business process owner

Buy Now
Questions 347

Which of the following is the GREATEST concern when using a generic set of IT risk scenarios for risk analysis?

Options:

A.

Quantitative analysis might not be possible.

B.

Risk factors might not be relevant to the organization

C.

Implementation costs might increase.

D.

Inherent risk might not be considered.

Buy Now
Questions 348

Which of the following MOST effectively limits the impact of a ransomware attack?

Options:

A.

Cyber insurance

B.

Cryptocurrency reserve

C.

Data backups

D.

End user training

Buy Now
Questions 349

Which of the following is the PRIMARY responsibility of the first line of defense related to computer-enabled fraud?

Options:

A.

Providing oversight of risk management processes

B.

Implementing processes to detect and deter fraud

C.

Ensuring that risk and control assessments consider fraud

D.

Monitoring the results of actions taken to mitigate fraud

Buy Now
Questions 350

Before implementing instant messaging within an organization using a public solution, which of the following should be in place to mitigate data leakage risk?

Options:

A.

A data extraction tool

B.

An access control list

C.

An intrusion detection system (IDS)

D.

An acceptable usage policy

Buy Now
Questions 351

Which of the following would prompt changes in key risk indicator {KRI) thresholds?

Options:

A.

Changes to the risk register

B.

Changes in risk appetite or tolerance

C.

Modification to risk categories

D.

Knowledge of new and emerging threats

Buy Now
Questions 352

Implementing which of the following will BEST help ensure that systems comply with an established baseline before deployment?

Options:

A.

Vulnerability scanning

B.

Continuous monitoring and alerting

C.

Configuration management

D.

Access controls and active logging

Buy Now
Questions 353

Which of the following will BEST ensure that information security risk factors are mitigated when developing in-house applications?

Options:

A.

Identify information security controls in the requirements analysis

B.

Identify key risk indicators (KRIs) as process output.

C.

Design key performance indicators (KPIs) for security in system specifications.

D.

Include information security control specifications in business cases.

Buy Now
Questions 354

The annualized loss expectancy (ALE) method of risk analysis:

Options:

A.

helps in calculating the expected cost of controls

B.

uses qualitative risk rankings such as low. medium and high.

C.

can be used m a cost-benefit analysts

D.

can be used to determine the indirect business impact.

Buy Now
Questions 355

A software developer has administrative access to a production application. Which of the following should be of GREATEST concern to a risk practitioner?

Options:

A.

The administrative access does not allow for activity log monitoring.

B.

The administrative access does not follow password management protocols.

C.

The administrative access represents a deviation from corporate policy.

D.

The administrative access represents a segregation of duties conflict.

Buy Now
Questions 356

The MOST important reason to aggregate results from multiple risk assessments on interdependent information systems is to:

Options:

A.

establish overall impact to the organization

B.

efficiently manage the scope of the assignment

C.

identify critical information systems

D.

facilitate communication to senior management

Buy Now
Questions 357

An internally developed payroll application leverages Platform as a Service (PaaS) infrastructure from the cloud. Who owns the related data confidentiality risk?

Options:

A.

IT infrastructure head

B.

Human resources head

C.

Supplier management head

D.

Application development head

Buy Now
Questions 358

The GREATEST concern when maintaining a risk register is that:

Options:

A.

impacts are recorded in qualitative terms.

B.

executive management does not perform periodic reviews.

C.

IT risk is not linked with IT assets.

D.

significant changes in risk factors are excluded.

Buy Now
Questions 359

Which of the following will BEST support management repotting on risk?

Options:

A.

Risk policy requirements

B.

A risk register

C.

Control self-assessment

D.

Key performance Indicators

Buy Now
Questions 360

Which of the following is MOST important when discussing risk within an organization?

Options:

A.

Adopting a common risk taxonomy

B.

Using key performance indicators (KPIs)

C.

Creating a risk communication policy

D.

Using key risk indicators (KRIs)

Buy Now
Questions 361

Which of the following would be of GREATEST concern to a risk practitioner reviewing current key risk indicators (KRIs)?

Options:

A.

The KRIs' source data lacks integrity.

B.

The KRIs are not automated.

C.

The KRIs are not quantitative.

D.

The KRIs do not allow for trend analysis.

Buy Now
Questions 362

An organization is measuring the effectiveness of its change management program to reduce the number of unplanned production changes. Which of the following would be the BEST metric to determine if the program is performing as expected?

Options:

A.

Decrease in the time to move changes to production

B.

Ratio of emergency fixes to total changes

C.

Ratio of system changes to total changes

D.

Decrease in number of changes without a fallback plan

Buy Now
Questions 363

Which of the following methods would BEST contribute to identifying obscure risk scenarios?

Options:

A.

Brainstorming sessions

B.

Control self-assessments

C.

Vulnerability analysis

D.

Monte Carlo analysis

Buy Now
Questions 364

Which of the following is MOST important for developing effective key risk indicators (KRIs)?

Options:

A.

Engaging sponsorship by senior management

B.

Utilizing data and resources internal to the organization

C.

Including input from risk and business unit management

D.

Developing in collaboration with internal audit

Buy Now
Questions 365

A risk practitioner is reviewing the status of an action plan to mitigate an emerging IT risk and finds the risk level has increased. The BEST course of action would be to:

Options:

A.

implement the planned controls and accept the remaining risk.

B.

suspend the current action plan in order to reassess the risk.

C.

revise the action plan to include additional mitigating controls.

D.

evaluate whether selected controls are still appropriate.

Buy Now
Questions 366

A risk practitioner has been notified that an employee sent an email in error containing customers' personally identifiable information (Pll). Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Report it to the chief risk officer.

B.

Advise the employee to forward the email to the phishing team.

C.

follow incident reporting procedures.

D.

Advise the employee to permanently delete the email.

Buy Now
Questions 367

Which of the following provides The MOST useful information when determining a risk management program's maturity level?

Options:

A.

Risk assessment results

B.

A recently reviewed risk register

C.

Key performance indicators (KPIs)

D.

The organization's risk framework

Buy Now
Questions 368

The PRIMARY purpose of a maturity model is to compare the:

Options:

A.

current state of key processes to their desired state.

B.

actual KPIs with target KPIs.

C.

organization to industry best practices.

D.

organization to peers.

Buy Now
Questions 369

Which of the following conditions presents the GREATEST risk to an application?

Options:

A.

Application controls are manual.

B.

Application development is outsourced.

C.

Source code is escrowed.

D.

Developers have access to production environment.

Buy Now
Questions 370

Which