MioTest

Title of test: MioTest
Description: exam practice
The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for:
- data classification and labeling
- data mining and analytics
- data retention and destruction
- data logging and monitoring

Which of the following is the MOST effective way to validate organizational awareness of cybersecurity risk?
- Implementing mock phishing exercises
- Requiring two-factor authentication
- Updating the information security policy
- Conducting security awareness training

Which of the following is the ULTIMATE objective of utilizing key control indicators (KCIs) in the risk management process?
- To provide benchmarks for assessing control design effectiveness against industry peers
- To provide insight into the effectiveness of the internal control environment
- To provide early warning signs of a potential change in risk level
- To provide a basis for determining the criticality of risk mitigation controls

Which of the following information in a risk monitoring report will provide the MOST insight to stakeholders regarding risk status?
- Heat map
- Mitigation plans
- Risk ownership
- Independent verification

An organization moved one of its applications to a public cloud, but after migration decided to move it back on-premise after an issue caused the application to be down for one day. What does this scenario indicate?
- The organization has high risk tolerance
- The organization has low risk tolerance
- The organization has high risk appetite
- The organization has low risk appetite

A risk practitioner discovers that a data center's air conditioning system cannot provide sufficient cooling. What else is MOST important to consider when predicting the probability of adverse business impact from this issue?
- Maintenance history
- Compensating controls
- Replacement cost
- Applicable threats
A risk practitioner observes that the network team responsible for maintaining the network infrastructure is severely understaffed, which could lead to operational losses. Which of the following is MOST directly affected by the risk practitioner's observation?
- Inherent risk
- Impact rating
- Likelihood rating
- Control risk

Which of the following BEST enables the development of a successful IT strategy focused on business risk mitigation?
- Providing risk awareness training for business units
- Conducting a business impact analysis (BIA)
- Obtaining input from business management
- Understanding the business controls currently in place

Which of the following should be the PRIMARY role of the data owner in a risk management program?
- Maintaining data syntax rules
- Establishing enterprise system security levels
- Applying data classification policy
- Specifying retention requirements

Which of the following is the PRIMARY advantage of aligning generic risk scenarios with business objectives?
- It ensures relevance to the organization
- It provides better estimates of the impact of current threats
- It establishes where controls should be implemented
- It quantifies the materiality of any losses that may occur

Which of the following is a risk factor associated with migrating to an Infrastructure as a Service (IaaS) public cloud service provider?
- Reduced availability
- Reduced storage capacity
- Reduced elasticity of the infrastructure
- Reduced control of the infrastructure

An organizational code of ethics is MOST useful as a:
- detective control
- recovery control
- corrective control
- directive control

An organization has modified its disaster recovery plan (DRP) to reflect recent changes in its IT environment. Which of the following is the PRIMARY reason to test the new plan?
- To ensure all assets have been identified
- To ensure the risk assessment is validated
- To ensure the plan is comprehensive
- To ensure staff is sufficiently trained on the plan
Which of the following should be the MOST important consideration for prioritizing the development of risk scenarios?
- Potential impact
- Risk trend
- Likelihood of occurrence
- Data classification

An organization has sustained significant losses from a series of cyber events. Which of the following control types would MOST likely help reduce further losses?
- Preventive controls
- Recovery controls
- Detective controls
- Directive controls

What is the MOST important information provided by key performance indicators (KPIs) in a risk management program?
- Effectiveness of internal controls
- Effectiveness of risk ownership
- Performance of data loss controls
- Level of inherent business risk

A large organization plans to take advantage of cloud computing to reduce costs; however, there are data-use restrictions that require certain data to remain on premise. Which cloud model should the risk practitioner recommend for this deployment?
- Community cloud
- Private cloud
- Hybrid cloud
- Public cloud

Which of the following provides the BEST assurance that an organization will be able to defend against cyber attacks?
- Penetration testing
- Preparedness testing
- Vulnerability testing
- Compliance testing

While participating in a scenario analysis exercise, a risk practitioner was asked to determine the reputational impact of a system outage. Which of the following would be the BEST approach?
- Determine the likelihood of negative media coverage and social media response
- Calculate impact from third-party concerns about contractual obligations related to the outage
- Report the value as high because cyber reputational impacts are significant
- Work with the business to estimate the number and value of lost customers

Which of the following should be a risk practitioner's PRIMARY consideration when evaluating the possible impact of an adverse event affecting corporate information assets?
- Authentication and authorization requirements for personnel accessing the assets
- Potential regulatory fines as a result of the adverse event
- The amount of data processed by the assets
- Criticality classification of the assets needed for normal business operations

Which of the following BEST enables an organization to increase the likelihood of identifying risk associated with unethical employee behavior?
- Conduct background checks for new employees
- Establish a channel to anonymously report unethical behavior
- Require a signed agreement by employees to comply with ethics policies
- Implement mandatory ethics training for employees

Which of the following is MOST important to include in an IT risk management policy?
- Risk treatment types
- Risk ownership requirements
- Risk assessment requirements
- Risk scoring methodology

An organization recently completed a major restructuring project to reduce overhead costs by streamlining the approval hierarchy. Which of the following should be done FIRST by the control owner?
- Evaluate effectiveness of risk responses
- Revise risk classifications
- Execute control test plans
- Analyze the control assessments

A risk practitioner wants to identify potential risk events that affect the continuity of a critical business process. Which of the following should the risk practitioner do FIRST?
- Evaluate current risk management alignment with relevant regulations
- Conduct a benchmarking exercise against industry peers
- Determine if business continuity procedures are reviewed and updated on a regular basis
- Review the methodology used to conduct the business impact analysis (BIA)

Which of the following is the MOST important information for determining inherent risk?
- The effectiveness of controls in place to prevent the risk
- Loss the risk has historically caused
- The IT risk manager's view of emerging risk
- The maturity of the control environment

A risk assessment has been completed on an application and reported to the application owner. The report includes validated vulnerability findings that require mitigation. Which of the following should be the NEXT step?
- Report the findings to executive management to enable treatment decisions
- Prepare a risk response that is aligned to the organization's risk tolerance
- Reassess each vulnerability to evaluate the risk profile of the application
- Conduct a penetration test to determine how to mitigate the vulnerabilities

Which of the following activities should only be performed by the third line of defense?
- Operating controls for risk mitigation
- Testing the effectiveness and efficiency of internal controls
- Providing assurance on risk management processes
- Recommending risk treatment options

Which of the following is MOST helpful in reducing the likelihood of inaccurate risk assessment results?
- Having internal audit validate control effectiveness
- Updating organizational risk tolerance levels
- Reviewing the applicable risk assessment methodologies
- Involving relevant stakeholders in the risk assessment process

Which of the following is a risk practitioner's BEST recommendation to management when testing results indicate the organization's recovery time objective (RTO) cannot be met?
- Engage IT and the business to re-evaluate the RTO
- Engage business users to develop and document alternative procedures
- Adjust the recovery point objectives (RPOs) to align with the RTO
- Revise the RTO in the business impact analysis (BIA)

Which of the following is the GREATEST benefit of establishing a program to design, report, and monitor key control indicators (KCIs) as part of the risk management process?
- Reducing overall total cost of managing controls
- Reducing the amount of audit effort
- Providing reference data for key performance indicators (KPIs)
- Detecting early signs of potential control failure

Which of the following is the PRIMARY focus of enterprise architecture (EA)?
- To facilitate the alignment of IT with business strategy
- To facilitate organization-wide risk assessments
- To reduce the number of platform components
- To integrate secure coding practices into development operations

Which of the following would be the GREATEST concern for a risk practitioner when evaluating a proposed risk response action plan?
- The plan was not developed based on a standard methodology
- The plan is not aligned with the organization's risk appetite and risk tolerance
- The plan was developed by the IT manager and approved by business management
- The plan requires approval for additional funds by the business

Which of the following is the BEST indication that an organization has a mature risk awareness program?
- Residual risk levels are consistently below inherent risk levels
- Employees consider risk when making decisions
- Employees comply with approved risk policies
- Annual risk awareness training is provided with 100% attendance

From an IT risk perspective, which of the following has the GREATEST impact on organizational strategy?
- Changes in IT risk tolerance
- Methodology for IT risk identification
- Complexity of recovery plans
- Complexity of IT architecture

An organization recently experienced multiple breaches that were detected months later. Which of the following would be MOST useful for timely monitoring and analysis going forward?
- Threat intelligence information
- Security information and event management (SIEM)
- Security incident and problem reports
- External information security reviews

Which of the following scenarios is MOST likely to cause a risk practitioner to request a formal risk acceptance sign-off?
- Residual risk in excess of the risk appetite cannot be mitigated
- Risk appetite has changed to align with organizational objectives
- Residual risk remains at the same level over time without further mitigation
- Inherent risk is too high, resulting in the cancellation of an initiative

Automated code reviews to reduce the risk associated with web applications are MOST effective when performed:
- in the design phase
- during pre-production testing
- throughout development
- once in the production environment

Employees of an organization are using an unapproved cloud-based service to share their company calendars. The employees have been attaching files to calendar invitations. Which of the following would MOST effectively mitigate the risk of data loss?
- Implement an information classification policy
- Implement a technical solution that prevents syncing
- Instruct employees not to use attachments in calendar entries
- Update the security awareness program

Which of the following is the responsibility of the second line of defense?
- Auditing compliance with corporate risk policies and standards
- Approving enterprise risk appetite thresholds
- Providing oversight of the organization's financial statements
- Monitoring the result of actions taken to mitigate risk

Well-developed, data-driven risk measurements should be:
- focused on providing a forward-looking view
- a data feed taken directly from operational production systems
- reported to management the same day data is collected
- reflective of the lowest organizational level

Which of the following changes in a business-critical application is MOST likely to require a revision to a successfully tested disaster recovery plan (DRP)?
- A change to the confidentiality level of processed data
- An increase in the number of concurrent users
- Replacement of the technical support team
- A new integration with an existing system

Which of the following is the MOST important consideration when determining which data elements should be captured in the risk register?
- International risk management standards
- Prior experience of risk managers
- Specific needs of the organization
- Recommendations from internal audit

Which of the following situations would create the GREATEST need to review the organization's risk appetite?
- Increased adoption of personal devices for business use
- Increasing business reliance on legacy infrastructure
- Recent acquisition of a large business partner
- New privacy laws affecting the organization's processing of personal data

Which of the following should be done FIRST when developing a business continuity plan (BCP)?
- Identifying costs associated with continuity requirements
- Performing business impact analysis (BIA)
- Establishing recovery time objectives (RTOs)
- Identifying critical business functions

Which of the following would be MOST useful to management when allocating resources to mitigate risk to the organization?
- Risk-based audits
- Control self-assessments (CSAs)
- Risk assessments
- Vulnerability analysis

An organization expects to continually deal with severe distributed denial of service (DDoS) attacks from hacktivist groups. Which of the following is the BEST recommendation to help address this threat?
- Implement Internet service provider (ISP) redundancy
- Implement an intrusion prevention system (IPS)
- Develop an incident response plan
- Plan data center redundancy

Which of the following is the MOST significant benefit of using quantitative risk analysis instead of qualitative risk analysis?
- Minimized time to completion
- Decreased cost
- Decreased structure
- Minimized subjectivity

An operations manager has requested risk acceptance after the execution of a mitigation plan has failed. Which of the following is the risk practitioner's BEST response?
- Ask the risk owner to review the request
- Document the risk acceptance in the risk register
- Reassess the risk scenario associated with the action plan
- Adjust the organization's risk profile by the amount of risk accepted

Which of the following would be MOST helpful when selecting appropriate protection for data?
- Data classification
- Data access requirements
- Risk tolerance level
- Business objectives

Which of the following information would BEST promote understanding of IT risk among senior management?
- IT risk treatment plans
- Threat modeling summary
- Control self-assessment (CSA) results
- IT incident trends
Which of the following is the MOST appropriate key performance indicator (KPI) to measure change management performance?
- Percentage of rejected change requests
- Percentage of changes implemented successfully
- Number of after-hours emergency changes
- Number of change control requests

During a data loss incident, which role in the RACI chart would be aligned to the risk practitioner?
- Accountable
- Informed
- Responsible
- Consulted

An organizational policy requires critical security patches to be deployed in production within three weeks of patch availability. Which of the following is the BEST metric to verify adherence to the policy?
- Maximum time gap between patch availability and deployment
- Percentage of critical patches deployed within three weeks
- Minimum time gap between patch availability and deployment
- Number of critical patches deployed within three weeks

An organization has been made aware of a newly discovered critical vulnerability in a regulatory reporting system. Which of the following is the risk practitioner's BEST course of action?
- Perform an impact assessment
- Perform a penetration test
- Request an external audit
- Escalate the risk to senior management

Which of the following should be the PRIMARY driver for an organization on a multi-year cloud implementation to publish a cloud security policy?
- Evaluating gaps in the on-premise and cloud security profiles
- Establishing minimum cloud security requirements
- Enforcing compliance with cloud security parameters
- Educating IT staff on variances between on-premise and cloud security

Which organizational role should be accountable for ensuring information assets are appropriately classified?
- Data protection officer
- Chief information officer (CIO)
- Information asset custodian
- Information asset owner

An organization's IT team has proposed the adoption of cloud computing as a cost-saving measure for the business. Which of the following should be of GREATEST concern to the risk practitioner?
- Due diligence for the recommended cloud vendor has not been performed
- The business can introduce new Software as a Service (SaaS) solutions without IT approval
- The maintenance of IT infrastructure has been outsourced to an Infrastructure as a Service (IaaS) provider
- Architecture responsibilities may not be clearly defined

Which of the following provides the MOST useful information to trace the impact of aggregated risk across an organization's technical environment?
- Business case documentation
- Organizational risk appetite statement
- Enterprise architecture (EA) documentation
- Organizational hierarchy

Which of the following is the PRIMARY reason for a risk practitioner to report changes and trends in the IT risk profile to senior management?
- To ensure risk owners understand their responsibilities
- To ensure IT risk is managed within acceptable limits
- To ensure the organization complies with legal requirements
- To ensure the IT risk awareness program is effective

An organization allows programmers to change production systems in emergency situations. Which of the following is the BEST control?
- Implementing an emergency change authorization process
- Periodically reviewing operator logs
- Limiting the number of super users
- Reviewing the programmers' emergency change reports

Which of the following is the BEST recommendation when a key risk indicator (KRI) is generating an excessive volume of events?
- Reevaluate the design of the KRIs
- Develop a corresponding key performance indicator (KPI)
- Monitor KRIs within a specific timeframe
- Activate the incident response plan

Which of the following BEST protects organizational data within a production cloud environment?
- Right to audit
- Data encryption
- Data obfuscation
- Continuous log monitoring

Which of the following is the MOST important responsibility of a business process owner to enable effective IT risk management?
- Prioritizing risk for appropriate response
- Escalating risk to senior management
- Collecting and analyzing risk data
- Delivering risk reports in a timely manner

Which of the following is the MOST important course of action to foster an ethical, risk-aware culture?
- Establish an enterprise-wide ethics training and awareness program
- Ensure the alignment of the organization's policies and standards to the defined risk appetite
- Implement a fraud detection and prevention framework
- Perform a comprehensive review of all applicable legislative frameworks and requirements

After automated controls have been implemented and tested, which of the following is MOST useful to perform?
- Continuous control monitoring
- Internal audit review
- Control self-assessment (CSA)
- Cost-benefit analysis

The software version of an enterprise's critical business application has reached end-of-life and is no longer supported by the vendor. IT has decided to develop an in-house replacement application. Which of the following should be the PRIMARY concern?
- The business process owner is not an active participant
- The board of directors has not approved the decision
- The system documentation is not available
- Enterprise risk management (ERM) has not approved the decision

Which of the following BEST enables the accurate assessment of potential impact to a particular business area?
- Risk classification
- Control self-assessments (CSAs)
- Risk scenarios
- Business continuity testing

Which of the following is the BEST key performance indicator (KPI) to measure the ability to deliver uninterrupted IT services?
- Mean time to recover (MTTR)
- Mean time between failures (MTBF)
- Planned downtime
- Unplanned downtime

Before selecting a final risk response option for a given risk scenario, management should FIRST:
- determine the remediation timeline
- evaluate the risk response of similar sized organizations
- determine control ownership
- evaluate the organization's ability to implement the solution
Which of the following is the PRIMARY benefit of consistently recording risk assessment results in the risk register?
- Accuracy of risk profiles
- Compliance with best practice
- Assessment of organizational risk appetite
- Accountability for loss events

The PRIMARY focus of an ongoing risk awareness program should be to:
- enable better risk-based decisions
- expand understanding of risk indicators
- define appropriate controls to mitigate risk
- determine impact of risk scenarios

Which of the following is the BEST indication that key risk indicators (KRIs) should be revised?
- An increase in the number of change events pending management review
- A decrease in the number of critical assets covered by risk thresholds
- A decrease in the number of key performance indicators (KPIs)
- An increase in the number of risk threshold exceptions

Which of the following risk activities is BEST facilitated by enterprise architecture (EA)?
- Determining attack likelihood per business unit
- Aligning business unit risk responses to organizational priorities
- Customizing incident response plans for each business unit
- Adjusting business unit risk tolerances

An organization's stakeholders are unable to agree on appropriate risk responses. Which of the following would be the BEST course of action?
- Reassess risk scenarios
- Identify a risk transfer option
- Benchmark with similar industries
- Escalate to senior management

Which of the following deficiencies identified during a review of an organization's cybersecurity policy should be of MOST concern?
- The policy has gaps against relevant cybersecurity standards and frameworks
- The policy lacks specifics on how to secure the organization's systems from cyberattacks
- The policy has not been reviewed by the cybersecurity team in over a year
- The policy has not been approved by the organization's board

Which of the following is the BEST way to help ensure risk will be managed properly after a business process has been re-engineered?
- Reassessing control effectiveness of the process
- Reporting key performance indicators (KPIs) for core processes
- Conducting a post-implementation review to determine lessons learned
- Establishing escalation procedures for anomaly events

Which of the following is MOST important to update following a change in organizational risk appetite and tolerance?
- Risk profile
- Industry benchmark analysis
- Business impact assessment (BIA)
- Key performance indicators (KPIs)

Of the following, who should be responsible for determining the inherent risk rating of an application?
- Application owner
- Senior management
- Business process owner
- Risk practitioner

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an organization's patch management process?
- Percentage of systems with the latest patches
- Average time to implement system patches
- Number of updates to the patch management policy
- Number of systems subject to regular vulnerability scans

Which of the following should be of GREATEST concern to a risk practitioner reviewing the implementation of an emerging technology?
- Lack of management approval
- Lack of risk and control procedures
- Lack of risk assessment
- Lack of alignment to best practices

Which of the following is the GREATEST concern if user acceptance testing (UAT) is not conducted when implementing a new application?
- The probability of application defects will increase
- The application could fail to meet defined business requirements
- Data confidentiality could be compromised
- Increase in the use of redundant processes

Which process is MOST effective to determine relevance of threats for risk scenarios?
- Penetration testing
- Vulnerability assessment
- Root cause analysis
- Business impact analysis (BIA)

Which of the following is MOST useful in developing risk scenarios?
- Threat modeling
- Past audit findings
- Vulnerabilities
- Risk appetite
Which of the following is the MOST important requirement when implementing a data loss prevention (DLP) system?
- Determining the value of data
- Defining the data retention period
- Identifying users who have access
- Selecting an encryption solution

Which of the following should be of GREATEST concern to a risk practitioner reviewing an organization's disaster recovery plan (DRP)?
- Risk scenarios used for the plan were last tested two years ago
- The call list in the plan was last updated a year ago
- The disaster recovery plan (DRP) does not identify a hot site
- The IT steering committee determined the application recovery priorities

It was discovered that a service provider's administrator was accessing sensitive information without the approval of the customer in an Infrastructure as a Service (IaaS) model. Which of the following would BEST protect against a future recurrence?
- Intrusion prevention system (IPS)
- Contractual requirements
- Data encryption
- Two-factor authentication

A risk practitioner has been asked to assist in developing a third-party agreement for a Software as a Service (SaaS) vendor that will store personally identifiable data. Which of the following would BEST enable management to verify the vendor's data security practices over the life of the agreement?
- Nondisclosure agreement (NDA) clause
- Annual third-party assurance report clause
- Service level agreement (SLA) clause
- Annual vendor attestation clause

Which group has PRIMARY ownership of reputational risk stemming from unethical behavior within the organization?
- Audit committee
- Board of directors
- Human resources (HR)
- Risk management committee

Which of the following presents the GREATEST challenge for an IT risk practitioner who wants to report on trends in historical IT risk levels?
- Qualitative measures for potential loss events
- Changes in owners for identified IT risk scenarios
- Changes in methods used to calculate probability
- Frequent use of risk acceptance as a treatment option

The BEST key performance indicator (KPI) to measure the ongoing effectiveness of a risk awareness training program is the percentage of staff members who have:
- passed subsequent random testing
- passed the training session test
- attended annual training
- accessed online training materials

Which of the following metrics would be MOST helpful to management in understanding the effectiveness of the organization's security awareness controls?
- Number of false positive alerts in a given time frame
- Number of employees who have not completed training
- Number of data exfiltration attempts
- Number of malware incidents identified on a system

Which of the following sources is MOST relevant to reference when updating security awareness training materials?
- Global security standards
- Risk management framework
- Recent security incidents reported by competitors
- Risk register

Which of the following would BEST indicate to senior management that IT processes are improving?
- Changes in the position in the maturity model
- Changes to the structure of the risk register
- Changes in the number of intrusions detected
- Changes in the number of security exceptions

Which of the following should be the PRIMARY consideration when identifying and assigning ownership of IT-related risk?
- Accountability for control operation
- Accountability for losses due to impact
- Ability to design controls to mitigate the risk
- Span of control within the organization

An organization's risk profile indicates that residual risk levels have fallen significantly below management's risk appetite. Which of the following is the BEST course of action?
- Add more risk scenarios to the risk register
- Decrease monitoring of residual risk levels
- Optimize controls
- Increase risk appetite

A multinational company needs to implement a new centralized security system. The risk practitioner has identified a conflict between the organization's data-handling policy and local privacy regulations. Which of the following would be the BEST recommendation?
- Request a policy exception from senior management
- Request an exception from the local regulatory agency
- Comply with the organizational policy
- Report the noncompliance to the local regulatory agency

In addition to the risk exposure, which of the following is MOST important for senior management to understand prior to approving the use of artificial intelligence (AI) solutions?
- Changes to existing infrastructure to support AI solutions
- Potential benefits from use of AI solutions
- Monitoring techniques required for AI solutions
- Skills required to support AI solutions

If a control cannot be developed to prevent an inevitable operational event, which of the following is the MOST effective risk treatment option?
- Raise the risk threshold
- Evaluate alternative controls
- Reduce the threat
- Minimize the impact

Which of the following BEST enables an organization to mitigate ethical risk?
- Reorganization of business processes to deter unethical activities
- Ethics training for staff during onboarding
- A culture of ethical integrity from the top down
- Senior leadership communication of ethics policies

A risk practitioner is performing a risk assessment of recent external advancements in quantum computing. Which of the following would pose the GREATEST concern for the risk practitioner?
- The organization has not reviewed its encryption standards
- The organization has not adopted Infrastructure as a Service (IaaS) for its operations
- The organization has implemented heuristics on its network firewall
- The organization has incorporated blockchain technology in its operations

While reviewing the risk register, a risk practitioner notices that different business units have significant variances in inherent risk for the same risk scenario. Which of the following is the BEST course of action?
- Request that both business units conduct another review of the risk
- Review the assumptions of both risk scenarios to determine whether the variance is reasonable
- Update the risk register with the average of residual risk for both business units
- Update the risk register to ensure both risk scenarios have the highest residual risk

Which of the following is MOST important for developing effective key risk indicators (KRIs)?
- Including input from risk and business unit management
- Engaging sponsorship by senior management
- Utilizing data and resources internal to the organization
- Developing in collaboration with internal audit

Which of the following is the MOST essential factor for managing risk in a highly dynamic environment?
- Obtaining support from senior leadership
- Ongoing sharing of information among industry peers
- Adhering to industry-recognized risk management standards
- Implementing detection and response measures

A global organization has initiated a project to migrate its existing IT infrastructure to cloud-based products. Which of the following should the risk practitioner do FIRST?
- Analyze the risk register for potential changes to risk scenarios
- Reassess whether risk responses properly address known risk
- Update processes within impacted control assessments
- Evaluate existing control test plans for potential changes

Which of the following is MOST helpful for communicating the significance of IT-related risk to business managers?
- Industry trends
- Risk awareness training
- Risk scenarios
- Event-driven risk reporting

If concurrent update transactions to an account are not processed properly, which of the following will MOST likely be affected?
- Accountability
- Availability
- Confidentiality
- Integrity

Which of the following is BEST to use as a basis for developing a comprehensive list of IT risk scenarios?
- IT architecture roadmap
- IT strategic plan
- IT asset inventory
- IT key risk indicators (KRIs)

An organization has built up its cash reserves and has now become financially able to support additional risk while meeting its objectives. What is this change MOST likely to impact?
- Risk tolerance
- Risk indicators
- Risk capacity
- Risk profile

Which of the following is MOST important to consider when determining key performance indicators (KPIs) for a process?
- Success criteria for the process
- Known problems with the process
- Alignment with established industry frameworks
- Historical trends in process-related incidents

Which of the following is the FIRST step when conducting a business impact analysis (BIA)?
- Creating a data classification scheme
- Analyzing previous risk assessment results
- Identifying events impacting continuity of operations
- Identifying critical information assets

Which of the following practices MOST effectively safeguards the processing of personal data?
- Personal data attributed to a specific data subject is tokenized
- Data protection impact assessments are performed on a regular basis
- Personal data certifications are performed to prevent excessive data collection
- Data retention guidelines are documented, established, and enforced

Which of the following enterprise architecture (EA) practices BEST reduces the impact of a successful attack?
- Virtual machines
- Antivirus
- Firewalls
- Segmentation

An organization is moving its critical assets to the cloud. Which of the following is the MOST important key performance indicator (KPI) to include in the service level agreement (SLA)?
- Average time to respond to incidents
- Number of assets included in recovery processes
- Percentage of standard supplier uptime
- Number of key applications hosted

The BEST way for an organization to ensure that servers are compliant to security policy is to review:
- server access logs
- anti-malware compliance
- configuration settings
- change logs
For no apparent reason, the time required to complete daily processing for a legacy application is approaching a risk threshold. Which of the following activities should be performed FIRST?. Suspend processing to investigate the problem. Conduct a root cause analysis. Temporarily increase the risk threshold. Initiate a feasibility study for a new application. Which of the following is the risk practitioner's BEST course of action after management successfully implements a security information and event management (SIEM) tool?. Review and update key risk indicators (KRIs). Reassess control effectiveness to determine the level of residual risk. Reassess the impact of scenarios to reflect use of the new control. Update the IT risk profile to reflect the change in residual risk. A risk practitioner notes control design changes when comparing risk response to a previously approved action plan. Which of the following is MOST important for the practitioner to confirm?. The effectiveness of the resulting control. Appropriate approvals for the control changes. The risk owner's approval of the revised action plan. The reason the action plan was modified. Which of the following is the MOST important consideration for the board and senior leadership regarding the organization's approach to risk management for emerging technologies?. Ensuring the risk framework and policies are suitable for emerging technologies. Ensuring the organization follows risk management industry best practices. Ensuring IT risk scenarios are updated and include emerging technologies. Ensuring threat intelligence services are used to gather data about emerging technologies. Before defining a response strategy for a specific risk scenario, it is MOST important to confirm that: the risk register has been reviewed by management. annual loss expectancy (ALE) is less than the remediation cost. compensating controls are available. the risk rating exceeds risk appetite.
An IT operations team implements disaster recovery controls based on decisions from application owners regarding the level of resiliency needed. Who is the control owner in this scenario?. The IT operations team. The application owner. The disaster recovery team. The business resilience team. Which of the following should be the PRIMARY consideration when assessing tools for automated control monitoring?. Cost-benefit analysis. Continuity plan. Enterprise architecture (EA). Risk register. Which of the following is the MOST important reason to restrict access to the risk register on a need-to-know basis?. Contents may be used as auditable findings. It contains vulnerabilities and threats. Risk scenarios may be misinterpreted. The risk methodology is intellectual property. An organization wants to grant remote access to a system containing sensitive data to an overseas third party. Which of the following should be of GREATEST concern to management?. Lack of monitoring over vendor activities. Differences in regional standards. Transborder data transfer restrictions. Lack of after-hours incident management support. Which of the following is MOST helpful when prioritizing action plans for identified risk?. Comparing risk rating against appetite. Determining cost of controls to mitigate risk. Obtaining input from business units. Ranking the risk based on likelihood of occurrence. Which of the following is MOST important when implementing an organization's security policy?. Assessing compliance requirements. Identifying threats and vulnerabilities. Benchmarking against industry standards. Obtaining management support. Within the three lines of defense model, the responsibility for managing risk and controls resides with: the internal auditor. the risk practitioner. operational management. executive management. An organization is analyzing the risk of shadow IT usage. Which of the following is the MOST important input into the assessment?. Application-related expenses. 
Classification of the data. Business benefits of shadow IT. Volume of data. Which of the following risk impacts should be the PRIMARY consideration for determining recovery priorities in a disaster recovery situation?. Data security. Business disruption. Recovery resource availability. Recovery costs. Which of the following is the BEST criterion to determine whether higher residual risk ratings in the risk register should be accepted?. Risk maturity. Risk policy. Risk culture. Risk appetite. A cloud service provider has completed upgrades to its cloud infrastructure to enhance service availability. Which of the following is the MOST important key risk indicator (KRI) for management to monitor?. Peak demand on the cloud service during business hours. Number of incidents with downtime exceeding contract threshold. Percentage of servers not patched per policy. Percentage of technology upgrades resulting in security breaches. A migration from an in-house developed system to an external cloud-based solution is affecting a previously rated key risk scenario related to payroll processing. Which part of the risk register should be updated FIRST?. Payroll system risk factors. Payroll system risk mitigation plans. Payroll administrative controls. Payroll process owner. Which of the following types of controls is MOST effective to mitigate the risk of users bypassing controls?. Corrective. Preventive. Detective. Directive. Which of the following will MOST likely change as a result of the decrease in risk appetite due to a new privacy regulation?. Key performance indicators (KPIs). Risk objectives. Key risk indicator (KRI) thresholds. Risk trends. An IT project sponsor has approved the removal of some test cases to expedite user acceptance testing (UAT). It would be MOST important for the risk practitioner to: evaluate the savings associated with the revised testing. review changes to the test environment. monitor potential impact of untested business scenarios. 
monitor and report the number of failed test results. When reporting to senior management on changes in trends related to IT risk, which of the following is MOST important?. Maturity. Materiality. Confidentiality. Transparency. An organization recently implemented an automated interface for uploading payment files to its banking system to replace manual processing. Which of the following elements of the risk register is MOST appropriate for the risk practitioner to update to reflect the improved control?. Risk likelihood. Risk scenarios. Risk impact. Risk ownership. Which of the following is the GREATEST benefit of involving business owners in risk scenario development?. Business owners are able to assess the impact. Business owners understand the residual risk of competitors. Business owners have the ability to effectively manage risk. Business owners have authority to approve control implementation. Which of the following is the PRIMARY reason to ensure policies and standards are properly documented within the risk management process?. It facilitates the use of a framework for risk management. It encourages risk-based decision making for stakeholders. It establishes a means for senior management to formally approve risk practices. It provides a basis for benchmarking against industry standards. Which of the following has the GREATEST positive impact on ethical compliance within the risk management process?. An independent ethics investigation team has been established. The risk practitioner is required to consult with the ethics committee. Senior management demonstrates ethics in their day-to-day decision making. Employees are required to complete ethics training courses annually. Which of the following information MUST be included in a business impact analysis (BIA) to facilitate risk assessments related to business continuity?. Critical business processes with their dependent resources. List of threats impacting critical business processes. 
Vulnerabilities identified within critical business processes. Business continuity and disaster recovery testing requirements. Which of the following is the BEST source of information for identifying suitable key risk indicators (KRIs)?. Business impact analysis (BIA). Risk register. Audit findings. Laws and regulations. A multinational bank is considering a product that involves using personal data to tailor customer financial plans. Which of the following is the PRIMARY privacy consideration when deciding whether to use this product?. The ability to update customer data. Data anonymization capabilities. Data retention requirements. Customer consent for use of data. Which of the following should an organization do FIRST upon learning of the potential risk of noncompliance with new regulations in its industry?. Determine availability of resources to address noncompliance. Identify and assess threats. Perform a business impact analysis (BIA). Implement controls to comply with the new regulations. Which of the following BEST demonstrates that an implemented control is effective in mitigating the intended risk?. Successful outcome of an external audit. Accurate reporting of control test results to management. Successful completion of risk action plans related to the control. Appropriate assignment of control ownership to mitigate risk. Which of the following is MOST important when identifying an organization's risk exposure associated with Internet of Things (IoT) devices?. Defined remediation plans. Management sign-off on the scope. Manual testing of device vulnerabilities. Visibility into all networked devices. An organization uses a web application hosted by a cloud service that is populated by data sent to the vendor via email on a monthly basis. Which of the following should be the FIRST consideration when analyzing the risk associated with the application?. Whether the service provider contract allows right of onsite audit. 
Whether the service provider's data center is located in the same country. Whether the data has been appropriately classified. Whether the data sent by email has been encrypted. To measure improvements in the performance of spam email filtering software, which of the following key performance indicators (KPIs) would be MOST useful to monitor?. The number of spam messages not detected by the email filter. The number of spam messages received by the email filtering software. The number of messages classified as spam by the email filter. The number of phishing attacks conducted through spam email messages. Which of the following is MOST important for management to consider when deciding whether to invest in an IT initiative that exceeds management's risk appetite?. Risk management budget. Risk tolerance. Risk capacity. Risk management industry trends. Which of the following provides the MOST useful input to the development of realistic risk scenarios?. Risk map. Balanced scorecard. Risk appetite. Risk events. An organization has established a contract with a vendor that includes penalties for loss of availability. Which risk treatment has been adopted by the organization?. Reduction. Acceptance. Avoidance. Transfer. Which of the following groups would provide the MOST relevant perspective when reporting loss exposure based on a risk analysis exercise?. Process owners. Senior management. Internal auditors. Independent risk consultants. When a risk practitioner is developing a set of risk scenarios, the scenarios MUST include information about: control efficiency. threat impact analysis results. the relevant threat agents. the severity of occurrences. Which of the following is the BEST response when a potential IT control deficiency has been identified?. Verify the deficiency and then notify the business process owner. Verify the deficiency and then notify internal audit. Remediate and report the deficiency to senior executive management.
Remediate and report the deficiency to the enterprise risk committee. Which of the following observations would be the GREATEST concern to a risk practitioner evaluating an organization’s risk management practices?. Several risk scenarios have action plans spanning multiple years. Business leaders provide final approval for information security policies. Senior management has approved numerous requests for risk acceptance. Senior management does not set risk tolerance. Which of the following will BEST help to improve an organization’s risk culture?. Allocating resources for risk remediation. Maintaining a documented risk register. Rewarding employees for reporting security incidents. Establishing a risk awareness program. Which of the following BEST enables the alignment of risk management with organizational objectives?. Management policies are periodically reviewed and updated. Control architectures meet industry standards. Risk assessment results articulate business goals. Business risk appetite and tolerance are defined. A risk assessment has revealed that the probability of a successful cybersecurity attack is increasing. The potential loss could exceed the organization’s risk appetite. Which of the following would be the MOST effective course of action?. Purchase cybersecurity insurance. Re-evaluate the organization’s risk appetite. Outsource the cybersecurity function. Review cybersecurity incident response procedures. Senior management has asked the risk practitioner for the overall residual risk level for a process that contains numerous risk scenarios. Which of the following should be provided?. The sum of residual risk levels for each scenario. The highest loss expectancy among the risk scenarios. The loss expectancy for aggregated risk scenarios. The average of anticipated residual risk levels. Which of the following provides the BEST aggregation of risk factors for an enterprise?. Risk scenario analysis. Risk tolerance and appetite statement.
Risk register. Business area risk profile. Which of the following is the PRIMARY reason to obtain independent reviews of risk assessment and response mechanisms?. To minimize the subjectivity of risk assessment results. To correct errors in the risk assessment process. To ensure risk thresholds are properly defined. To validate impact and probability ratings. Which of the following is the MOST important criterion for selecting key risk indicators (KRIs)?. Historical data availability. Sensitivity and reliability. Ability to display trends. Implementation and reporting effort. A data privacy regulation has been revised to incorporate more stringent requirements on personal data protection. Which of the following will provide the MOST important input to help ensure compliance with the revised regulation?. Gap analysis. Risk profile update. Business impact analysis (BIA). Current control attestation. Which of the following should be the FIRST course of action if the risk associated with a new technology is found to be increasing?. Implement additional controls. Re-evaluate current controls. Revise the current risk action plan. Escalate the risk to senior management. Who should be responsible for approving the cost of controls to be implemented for mitigating risk?. Risk owner. Control implementer. Control owner. Risk practitioner. Which of the following should be of MOST concern to a risk practitioner reviewing the system development life cycle (SDLC)?. Segregation of duties controls are overridden during user testing phases. Testing is completed by IT support users without input from end users. Data anonymization is used during all cycles of end user testing. Testing is completed in phases with user testing scheduled as the final phase. Which of the following process controls BEST mitigates the risk of an employee issuing fraudulent payments to a vendor?. Enforcing segregation of duties between the vendor master file and invoicing.
Conducting system access reviews to ensure least privilege and appropriate access. Performing regular reconciliation of payments to the check registers. Performing credit verification of third-party vendors prior to payment. Which of the following is an example of risk avoidance?. Outsourcing a software development project. Insurance coverage. Configuration management. Delaying entry into an emerging market. An organization uses an automated vulnerability scanner to identify potential vulnerabilities on various enterprise systems. Who is accountable for ensuring the vulnerabilities are mitigated?. System administrators. Data owners. System owners. Information security manager. Which of the following would MOST likely cause senior management to lower the risk tolerance level?. Organizational restructuring. Increase in penalties for unauthorized data disclosure. Outsourcing of in-house software development. Decrease in budget allocated for risk mitigation activities. An organization has updated its acceptable use policy to mitigate the risk of employees disclosing confidential information. Which of the following is the BEST way to reinforce the effectiveness of this policy?. Communicate sanctions for policy violations to all staff. Obtain signed acceptance of the new policy from employees. Implement data loss prevention (DLP) within the corporate network. Train all staff on relevant information security best practices. An organization recently experienced a cyber attack that resulted in the loss of confidential customer data. Which of the following is the risk practitioner’s BEST recommendation after recovery steps have been completed?. Review the incident response plan. Perform a root cause analysis. Develop new key risk indicators (KRIs). Recommend the purchase of cyber insurance. Which of the following is MOST important to review when evaluating the ongoing effectiveness of the IT risk register?. The timeframes for risk response actions.
The costs associated with mitigation options. The cost-benefit analysis of each risk response. The status of identified risk scenarios. Which of the following is MOST important for a multinational organization to consider when developing its security policies and standards?. Industry-standard templates. Ability to monitor and enforce compliance. Differences in regulatory requirements. Regional competitors’ policies and standards. An application development team has a backlog of user requirements for a new system that will process insurance claim payments for customers. Which of the following should be the MOST important consideration for a risk-based review of the user requirements?. Number of claims affected by the user requirements. Level of resources required to implement the user requirements. Impact to the accuracy of claim calculation. Number of customers impacted. A Software as a Service (SaaS) company wants to use aggregated data from its clients to improve its services via a machine learning model. However, its contracts do not clearly allow this use of aggregated data. What should the organization do NEXT?. Update the organization’s data processing agreement template. Request internal risk acceptance from senior management. Request formal consent from clients to use their data. Update the organization’s privacy policy to reflect the use of aggregated data. Who is BEST suited to own an IT risk scenario in an organization where only one IT support person knows how to maintain a core business application?. Business owner. IT manager. Application business analyst. Risk manager. Which types of controls are BEST used to minimize the risk associated with a vulnerability?. Preventive. Deterrent. Detective. Directive. An organization has an internal control that requires all access for employees be removed within 15 days of their termination date. Which of the following should the risk practitioner use to monitor adherence to the 15-day threshold?. 
Service level agreement (SLA). Operation level agreement (OLA). Key performance indicator (KPI). Key risk indicator (KRI). An organization recently implemented new technologies that enable the use of robotic process automation. Which of the following is MOST important to reassess?. Risk capacity. Risk appetite. Risk tolerance. Risk profile. Which of the following BEST indicates that security requirements have been incorporated into the system development life cycle (SDLC)?. Completed user acceptance testing (UAT). Compliance with laws and regulatory requirements. Validated security requirements and design documents. Comprehensive security training of developers. Which of the following will be MOST effective in helping to ensure control failures are appropriately managed?. Peer review. Compensating controls. Control ownership. Control procedures. A risk practitioner has implemented a key risk indicator (KRI) that triggers a warning when the number of untreated IT control deficiencies exceeds a given threshold. Which of the following should be the GREATEST concern regarding the design of this KRI?. Setting unrealistic targets for compliance. Ignoring the significance of the control deficiencies. Generating a large number of false-positive warnings. Failing to attract sufficient management support. An organization has contracted with a cloud service provider to support the deployment of a new product. Of the following, who should own the associated risk?. The IT risk manager. The information security manager. The product owner. The head of enterprise architecture (EA). Which of the following BEST enables an organization to determine whether risk management is aligned with its goals and objectives?. Environmental changes that impact risk are continually evaluated. Organizational controls are in place to effectively manage risk appetite. The organization has approved policies that provide operational boundaries. 
The organization has an approved enterprise architecture (EA) program. An organization is implementing data warehousing infrastructure. Senior management is concerned about safeguarding client data security in this new environment. Which of the following should the risk practitioner recommend be done NEXT?. Ensure an attribute-based access control model is implemented. Ensure a role-based access control model is implemented. Perform a gap analysis regarding the organization’s client data access model. Establish new controls addressing a consistently applied data access model. Key control indicators (KCIs) help to assess the effectiveness of the internal control environment PRIMARILY by: enabling senior leadership to better understand the level of risk the organization is facing. ensuring controls are operating efficiently and facilitating productivity. monitoring changes in the likelihood of adverse events due to ineffective controls. providing information on the degree to which controls are meeting intended objectives. Which of the following is the BEST metric to demonstrate the effectiveness of an organization’s patch management process?. Number of patches tested prior to deployment. Average time to implement patches after vendor release. Percent of patches implemented within established timeframe. Increase in the frequency of patches deployed into production. Which of the following is the BEST way to determine the value of information assets for risk management purposes?. Assess the loss impact if the information is inadvertently disclosed. Calculate the overhead required to keep the information secure throughout its life cycle. Calculate the replacement cost of obtaining the information from alternate sources. Assess the market value offered by consumers of the information. Which of the following situations would BEST justify escalation to senior management?. Residual risk equals current risk. Residual risk remains after controls have been applied. 
Residual risk is inadequately recorded. Residual risk exceeds acceptable limits. Which of the following would be MOST effective in promoting a risk-aware culture within an organization?. Allocating budget for IT initiatives based on IT risk assessment results. Appointing a risk committee to prioritize identified and assessed risk. Issuing penalties to those who do not attend the risk awareness program. Using risk scenarios to inform organizational strategy. Which of the following is MOST helpful to a risk practitioner in determining whether assessed risk requires a risk treatment plan?. Business objectives. Risk tolerance. Risk appetite. Cost-benefit analysis. Which of the following BEST supports an accurate asset inventory system?. Asset management metrics are aligned to industry benchmarks. There are defined processes in place for onboarding assets. Organizational information risk controls are continuously monitored. The asset management team is involved in the budgetary planning process. An organization has outsourced its backup and recovery procedures to a third-party cloud provider. Which of the following should be the risk practitioner's NEXT course of action?. Remove the associated risk from the register. Validate control effectiveness and update the risk register. Review the contract and service level agreements (SLAs). Obtain an assurance report from the third-party provider. Which of the following is the BEST indicator of the effectiveness of a control?. Number of steps necessary to operate process. Scope of the control coverage. Number of control deviations detected. The number of exceptions granted. Which of the following activities is a responsibility of the second line of defense?. Implementing risk response plans. Establishing organizational risk appetite. Challenging risk decision making. Developing controls to manage risk scenarios. 
The PRIMARY reason to use a bottom-up approach to analyze risk scenarios is to: identify the relationship to enterprise risk. identify key stakeholders. ensure risk details are appropriately gathered. determine positional risk ranking. Which of the following is the PRIMARY purpose of developing a risk register?. To provide a means to identify risk scenarios requiring mitigation. To provide a means to respond to risk as it arises. To provide a means to identify relevant threat actors. To provide a means to track risk as it is identified. Which of the following is a risk practitioner’s BEST recommendation to help reduce IT risk associated with scheduling overruns when starting a new application development project?. Assign more developers to the project team. Involve the development team in planning. Implement a tool to track the development team’s deliverables. Review the software development life cycle. Which of the following is the BEST key performance indicator (KPI) for a server patch management process?. The number of servers with local credentials to install patches. The number of servers running the software patching service. The percentage of servers patched within required service level agreements. The percentage of servers with allowed patching exceptions. Which of the following BEST mitigates ethical risk?. Ethics committees. Contingency scenarios. Routine changes in senior management. Awareness of consequences for violations. Which of the following will have the GREATEST influence when determining an organization’s risk appetite?. Risk culture. Risk management budget. Organizational structure. Industry benchmarks. A data center has recently been migrated to a jurisdiction where heavy fines will be imposed should leakage of customer personal data occur. Assuming no other changes to the operating environment, which factor should be updated to reflect this situation as an input to scenario development for this particular risk event?. Risk impact. 
Risk appetite. Risk likelihood. Risk capacity. Which of the following is BEST to use when creating cyber risk scenarios focused on the operational concerns of the organization’s cyber team?. Qualitative cyber risk assessment. Top-down approach. Bottom-up approach. Quantitative cyber risk assessment. Which of the following would be the BEST input when evaluating the risk associated with a proposed adoption of robotic process automation (RPA) of a business service?. Control objectives. Cost-benefit analysis results. Code review results. Business continuity plan (BCP). Which of the following is the MOST effective way to minimize the impact associated with the loss of key employees?. Maintain and publish a RACI chart. Promote incentive programs. Perform succession planning. Develop a robust onboarding program. Which of the following provides the MOST reliable information to evaluate the current state of control effectiveness?. Business impact analysis (BIA). Control self-assessment (CSA) results. Audit results. Key performance indicators (KPIs). When assigning an IT risk owner, it is ESSENTIAL that the owner has: ownership of the service where the risk exists. authority to commit resources to manage the risk. oversight of the IT function. relevant experience with risk mitigation strategy. Which of the following is an example of risk sharing?. Rejecting a high-risk project. Outsourcing the hosting of a critical system. Investing in fault-tolerant technology. Engaging in a code escrow agreement. Which of the following is MOST important to identify when developing top-down risk scenarios?. Hypothetical scenarios. Key procedure control gaps. Senior management's risk appetite. Business objectives. What is a risk practitioner's BEST approach to monitor and measure how quickly an exposure to a specific risk can affect the organization?. Create key performance indicators (KPIs). Create key risk indicators (KRIs). Create a risk volatility report. 
Create an asset valuation report. Which of the following is the BEST approach for obtaining management buy-in to implement additional IT controls?. Present new key risk indicators (KRIs) based on industry benchmarks. Provide information on new governance, risk, and compliance (GRC) platform functionalities. Describe IT risk impact on organizational processes in monetary terms. List requirements based on a commonly accepted IT risk management framework. Which of the following is the MOST important consideration when creating a risk management framework?. Assigning roles and responsibilities. Aligning with corporate goals and objectives. Adjusting risk appetite and tolerance. Defining acceptable residual risk. Which of the following is the MOST effective way to help ensure a risk treatment plan remains on track?. Documenting risk treatment procedures for relevant stakeholders. Adopting an agile project management approach. Requiring approval by the second line of defense. Assigning sufficient resources to implement the plan. Which of the following is the BEST method to track asset inventory?. Asset registration form. Periodic asset review by management. Automated asset management software. IT resource budgeting process. Which of the following is the MOST important reason to communicate control effectiveness to senior management?. To ensure management understands the current risk status. To demonstrate alignment with industry best practices. To align risk management with strategic objectives. To assure management that control ownership is assigned. Which of the following is the FIRST step when identifying risk items related to a new IT project?. Review the IT control environment. Conduct a cost-benefit analysis. Review the business case. Conduct a gap analysis. What is the MOST important consideration when selecting key performance indicators (KPIs) for control monitoring?. Source information is acquired at stable cost. 
- Source information is tailored by removing outliers
- Source information is readily quantifiable
- Source information is consistently available

A risk practitioner is defining metrics for security threats that were not identified by antivirus software. Which type of metric is being developed?
- Operational level agreement (OLA)
- Key risk indicator (KRI)
- Key control indicator (KCI)
- Service level agreement (SLA)

Which of the following should be done FIRST upon learning that the organization will be affected by a new regulation in its industry?
- Transfer the risk
- Perform a gap analysis
- Determine risk appetite for the new regulation
- Implement specific monitoring controls

Which of the following is a PRIMARY responsibility of a control owner?
- Assessing levels of risk
- Identifying trends in the risk profile
- Selecting controls to mitigate risk
- Monitoring status of risk response

An organization is considering an Internet of Things (IoT) technology solution to manage its supply chain. Which of the following presents the GREATEST risk to the organization in this situation?
- IoT devices with hard-coded passwords
- Lack of physical hardening
- Lack of regulatory guidance regarding IoT
- Outdated out-of-the-box IoT firmware

The MOST important reason for establishing clear ownership of firewall rules is to:
- hold owners accountable for incidents
- enable removal of unused rules
- support strong change control
- comply with regulatory requirements

Which of the following should be done FIRST when a new risk scenario has been identified?
- Design control improvements
- Identify the risk owner
- Establish key risk indicators (KRIs)
- Estimate the residual risk

Which of the following is the PRIMARY objective of a risk awareness program?
- To demonstrate senior management support
- To clearly define ownership of risk
- To increase awareness of risk mitigation controls
- To enhance organizational risk culture

An organization is in the process of reviewing its risk appetite statement and re-defining the risk tolerance threshold. Which of the following elements of the risk register is MOST likely to change as a result of this review?
- Risk impact
- Risk response
- Risk likelihood
- Risk ownership

A large organization recently restructured the IT department and has decided to outsource certain functions. What action should the control owners in the IT department take?
- Determine whether risk responses still effectively address risk
- Conduct risk classification for associated IT controls
- Perform vulnerability and threat assessments
- Analyze and update IT control assessments

An organization wants to leverage artificial intelligence (AI) to help identify and analyze root causes of data breaches involving multiple systems. Which of the following is BEST suited for this purpose?
- Intrusion detection and prevention systems
- Security information and event management (SIEM) system
- Application event logging system
- Database activity monitoring system

The MAIN benefit of defining an organization's risk tolerance and appetite is that it helps to ensure:
- a top-down approach to risk management is used
- risk is managed to an acceptable level
- risk is assessed within acceptable tolerance
- key risk indicators (KRIs) are aligned with risk scenarios

What type of controls will provide the MOST useful information for reporting on attempted system security breaches?
- Preventive
- Deterrent
- Corrective
- Detective

It has been identified that segregation of duties controls failed due to the automation of an accounts payable system. Which of the following would BEST mitigate the associated risk?
- Implementing multi-level authentication
- Adding manual approvals to the departmental workflow
- Analyzing transaction reports for suspicious activity
- Automating account reconciliation

Which of the following is the PRIMARY benefit of integrating risk and security requirements in an organization's enterprise architecture (EA)?
- Consistent management of information assets
- Establishment of digital forensic architectures
- Reduction in the number of test cases in the acceptance phase
- Adherence to legal and compliance requirements

Which of the following is the BEST control for a large organization to implement to effectively mitigate risk related to fraudulent transactions?
- Password policies
- Monetary approval limits
- Clear roles and responsibilities
- Segregation of duties

Which of the following is the BEST course of action for a system administrator who suspects a colleague may be intentionally weakening a system's validation controls in order to pass through fraudulent transactions?
- Implement compensating controls to deter fraud attempts
- Determine whether the system environment has flaws that may motivate fraud attempts
- Share the concern through a whistleblower communication channel
- Monitor the activity to collect evidence

Which of the following is a PRIMARY benefit of using facilitated workshops to develop IT risk scenarios?
- Enhancing the risk culture within the organization
- Expressing IT risk scenarios in business terms
- Building consensus regarding risk priorities
- Developing an efficient process to identify risk

Information that is no longer required to support business objectives should be:
- securely deleted according to the disposal policy
- transferred and archived to an enterprise data vault
- managed according to the retention policy
- recoverable according to the business impact analysis (BIA)

Which of the following would be the BEST way to proactively identify changes in organizational risk levels?
- Develop risk scenarios
- Conduct compliance reviews
- Monitor key risk indicators (KRIs)
- Perform business impact analyses

How does an organization benefit by purchasing cyber theft insurance?
- It decreases the amount of organizational loss if risk events occur
- It justifies the acceptance of risk associated with cyber theft events
- It decreases the likelihood of risk events occurring
- It transfers risk ownership along with associated liabilities to a third party

Which of the following actions should a risk practitioner do NEXT when an increased industry trend of external cyber attacks is identified?
- Update the key risk indicator (KRI) in the risk register
- Update the risk impact rating in the risk register
- Notify senior management of the new risk scenario
- Conduct a threat and vulnerability analysis

Which of the following would be MOST helpful in assessing the risk associated with data loss due to human vulnerabilities?
- Reviewing password change history
- Reviewing the results of security awareness surveys
- Conducting social engineering exercises
- Performing periodic access recertifications

Which of the following is MOST important to review when an organization needs to transition the majority of its employees to remote work during a crisis?
- Customer notification plans
- Capacity management
- Access management
- Impacts on IT project delivery

Which of the following emerging technologies is frequently used for botnet distributed denial of service (DDoS) attacks?
- Machine learning
- Internet of Things (IoT)
- Quantum computing
- Virtual reality (VR)

What should be the immediate action upon discovery that users of a critical finance application have potentially excessive privileges?
- Recommend compensating controls be implemented
- Request the service owner to perform an entitlement review
- Review system logs for potentially malicious behavior
- Inform the risk owner so access can be removed

Which of the following is the BEST method for determining an enterprise's current appetite for risk?
- Reviews of brokerage firm assessments
- Trend analysis using prior annual reports
- Comparative analysis of peer companies
- Interviews with senior management

A risk practitioner learns that a risk owner has been accepting gifts from a supplier of IT products. Some of these IT products are used to implement controls and to mitigate risk to acceptable levels. Which of the following should the risk practitioner do FIRST?
- Reassess the risk and review the underlying controls
- Initiate disciplinary action against the risk owner
- Report the activity to the supervisor
- Review organizational ethics policies

Which of the following is the MOST important requirement to include in a Software as a Service (SaaS) vendor contract to ensure data is protected?
- The vendor must host data in a specific geographic location
- The vendor must be held liable for regulatory fines for failure to protect data
- The vendor must provide periodic independent assurance reports
- The vendor must participate in an annual vendor performance review

Which of the following is MOST critical to the successful adoption of an enterprise architecture (EA) program?
- Adequate funding
- Skilled resources
- A mature governance plan
- Stakeholder support

Management has implemented additional administrative and technical controls to reduce the likelihood of a high-impact risk in a key information system. What is the BEST way to validate the effectiveness of the control implementation?
- Perform a vulnerability scan
- Perform an audit
- Perform a penetration test
- Perform a risk assessment

The MAIN reason to use the risk register to monitor aggregated risk is to provide:
- insight on control gaps
- a basis for risk management resource allocation
- a comprehensive view of risk impact
- historical information about risk impact

Which of the following is the MOST likely reason an organization would engage an independent reviewer to assess its IT risk management program?
- To identify gaps in the alignment of IT risk management processes and strategy
- To confirm that IT risk assessment results are expressed in quantitative terms
- To evaluate threats to the organization's operations and strategy
- To ensure IT risk management is focused on mitigating emerging risk

Which of the following should a risk practitioner do NEXT after learning that Internet of Things (IoT) devices installed in the production environment lack appropriate security controls for sensitive data?
- Enable role-based access control
- Recommend device management controls
- Assess the threat and associated impact
- Evaluate risk appetite and tolerance levels

Which of the following is the MOST effective method for a risk practitioner to identify risk scenarios?
- Review IT strategic plans
- Conduct a control maturity assessment
- Conduct interviews with key stakeholders
- Analyze industry threat intelligence

When outsourcing a business process to a cloud service provider, it is MOST important to understand that:
- insurance could be acquired for the risk associated with the outsourced process
- service accountability remains with the cloud service provider
- a risk owner must be designated within the cloud service provider
- accountability for the risk will remain with the organization

Which of the following criteria for assigning owners to IT risk scenarios provides the GREATEST benefit to an organization?
- The risk owner has strong technical aptitude across multiple business systems
- The risk owner has extensive risk management experience
- The risk owner is a member of senior leadership in the IT organization
- The risk owner understands the effect of loss events on business operations

Which of the following BEST facilitates the development of relevant risk scenarios?
- Perform quantitative risk analysis of historical data
- Conduct brainstorming sessions with key stakeholders
- Use qualitative risk assessment methodologies
- Adopt an industry-recognized risk framework

Which of the following situations would cause the GREATEST concern around the integrity of application logs?
- Lack of a security information and event management (SIEM) system
- Lack of data classification policies
- Use of hashing algorithms
- Weak privileged access management controls

An organization has recently implemented an emerging technology across multiple business units. Which of the following is the responsibility of the control owners in the impacted departments?
- Perform a business impact analysis (BIA) on the controls
- Review and document classifications for controls
- Perform a gap analysis of the impacted processes
- Analyze and update control assessments for changes

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an organization's cybersecurity program?
- Percentage of systems being monitored
- Average time to contain security incidents
- Number of false positives reported
- Number of personnel dedicated to security monitoring

Which of the following is the MOST significant risk factor associated with the use of blockchain in legacy systems?
- Lack of transaction traceability
- Decentralized data processing
- Cross-system incompatibility
- Increased implementation costs

Which of the following should be the starting point when performing a risk analysis for an asset?
- Assess controls
- Assess risk scenarios
- Evaluate threats
- Update the risk register

Who should be accountable for authorizing information system access to internal users?
- Information security manager
- Information owner
- Information custodian
- Information security officer

Which of the following is the MOST important consideration during control implementation to ensure risk is managed to an acceptable level?
- Organizational risk appetite
- Availability of budget and personnel
- Alignment with organizational objectives
- Risk management strategy

A user has contacted the risk practitioner regarding malware spreading laterally across the organization's corporate network. Which of the following is the risk practitioner's BEST course of action?
- Update the risk register
- Notify the cybersecurity incident response team
- Perform a root cause analysis
- Review all log files generated during the period of malicious activity

Which of the following is MOST important to document when accepting risk?
- Risk mitigation date
- Risk owner
- Risk impact level
- Risk identification date

Which of the following provides the BEST evidence that robust risk management practices are in place within an organization?
- A management-approved risk dashboard
- A current control framework
- A regularly updated risk register
- Regularly updated risk management procedures

Which of the following is the MOST important prerequisite for an effective risk management program?
- Established key risk indicators (KRIs)
- Risk awareness training
- An established risk policy
- Executive sponsorship

What is the MOST important consideration when establishing key risk indicator (KRI) tolerance levels?
- Aligning KRI thresholds with the organization's business operations
- Aligning KRI thresholds with the organization's risk appetite
- Identifying KRIs that track changes in the organization's risk profile
- Establishing a reporting and escalation framework

Which of the following would be MOST effectively communicated through the use of an IT risk management dashboard report?
- Trends in the risk profile
- The emergence of threats
- Changes in risk appetite
- The reconciliation of remediation costs

Which of the following would MOST likely result in agreement on accountability for risk scenarios?
- Using a facilitated risk management workshop
- Distributing predefined scenarios for review
- Relying on external IT risk professionals
- Relying on generic risk scenarios

Which of the following indicators BEST demonstrates the effectiveness of a disaster recovery management (DRM) program?
- Percentage of applications that have met disaster recovery test requirements
- Number of audit findings related to disaster recovery
- Number of disaster recovery tests completed on time
- Percentage of applications with a defined recovery time objective (RTO)

A risk practitioner has been notified of a social engineering attack using artificial intelligence (AI) technology to impersonate senior management personnel. Which of the following would BEST mitigate the impact of such attacks?
- Training and awareness of employees for increased vigilance
- Subscription to data breach monitoring sites
- Suspension and takedown of malicious domains or accounts
- Increased monitoring of executive accounts

A risk practitioner has reviewed new international regulations and realizes the new regulations will affect the organization. Which of the following should be the risk practitioner's NEXT course of action?
- Conduct a peer response assessment
- Reevaluate the risk management program
- Update risk scenarios in the risk register
- Ensure applications are compliant

The risk to an organization's reputation due to a recent cybersecurity breach is PRIMARILY considered to be:
- operational risk
- data risk
- strategic risk
- financial risk

Which of the following is the MOST important factor when determining a risk owner for a newly identified risk?
- The risk owner is accountable for the risk
- The risk owner has the most in-depth knowledge of the risk
- The risk owner has completed risk training
- The risk owner is a member of senior management

A risk practitioner learns that department managers are attesting to application access reviews without actually performing the reviews. Which of the following would be the risk practitioner's BEST recommendation?
- Redesign and relaunch the review process
- Review role descriptions and job titles
- Implement separation of duties
- Invoke the incident response process

Which of the following is the BEST way to address a board's concern about the organization's current cybersecurity posture?
- Assess security capabilities against an industry framework
- Create a new security risk officer role
- Update security risk scenarios
- Increase the frequency of vulnerability testing

Which of the following should be of MOST concern to a risk practitioner reviewing an organization's risk register after the completion of a series of risk assessments?
- Several risk action plans have missed target completion dates
- Many risk scenarios are owned by the same senior manager
- Risk associated with many assets is only expressed in qualitative terms
- Senior management has accepted more risk than usual

Making decisions about risk mitigation actions is the PRIMARY role of the:
- risk manager
- risk officer
- risk owner
- risk practitioner

An organization operates in an environment where the impact of ransomware attacks is high, with a low likelihood. After quantification, the impact of the risk associated with ransomware attacks exceeds the organization's risk appetite and tolerance. Which of the following is the risk practitioner's BEST recommendation?
- Ensure business continuity assessments are up to date
- Obtain adequate cybersecurity insurance coverage
- Obtain certification to a global information security standard
- Adjust the organization's risk appetite and tolerance

In an organization with mature risk management practices, the risk appetite can be inferred from which of the following?
- Control taxonomy
- Inherent risk
- Compliance reports
- Residual risk

An organization wants to improve its logical access controls to address the results of the annual risk assessment. Which of the following should be done FIRST to facilitate this initiative?
- Review business and operational requirements
- Review roles and entitlements
- Review user access logs
- Review prior access management approval

Which of the following is the MOST important outcome of monitoring key risk indicators (KRIs)?
- Increased risk control efficiency
- Improvement of risk awareness
- Identification of risk event root causes
- Development of risk transfer strategies
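Referring back to the earlier question on the integrity of application logs: the options contrast the use of hashing algorithms with weak privileged access management controls. The block below is an added example, not part of this question bank, showing why hashing is an integrity control and why privileged access is the exposure that undermines it. It hash-chains a small set of constructed application events, detects an in-place edit, then shows that an administrator who can also rewrite the hash column defeats a plain chain, while a keyed chain (HMAC with a key the administrator does not hold) still catches the rewrite. The events, the key value and the assumed key location are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample application events; not taken from any real system.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:00:00Z", "user": "alice", "action": "login", "result": "ok"},
    {"ts": "2024-03-01T10:05:12Z", "user": "bob", "action": "transfer", "amount": 1200},
    {"ts": "2024-03-01T10:07:45Z", "user": "bob", "action": "approve", "ref": "T-1"},
]
GENESIS = "0" * 64  # value used as the "previous hash" of the first record


def _canon(event):
    # Canonical serialisation so an identical event always hashes identically.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def _digest(prev_hash, event, key=None):
    # Plain SHA-256 link, or an HMAC link when a key is supplied.
    payload = prev_hash.encode() + _canon(event)
    if key is None:
        return hashlib.sha256(payload).hexdigest()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_chain(events, key=None):
    """Link every record to its predecessor so a change anywhere breaks the chain."""
    chain, prev = [], GENESIS
    for event in events:
        h = _digest(prev, event, key)
        chain.append({"event": event, "prev": prev, "hash": h})
        prev = h
    return chain


def verify(chain, key=None):
    """Return the index of the first record that fails verification, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = _digest(prev, rec["event"], key)
        if rec["prev"] != prev or not hmac.compare_digest(rec["hash"], expected):
            return i
        prev = rec["hash"]
    return -1


def edit_in_place(chain, index, **changes):
    """Attacker with write access to the log rows edits one event and nothing else."""
    copy = [dict(r, event=dict(r["event"])) for r in chain]
    copy[index]["event"].update(changes)
    return copy


def edit_and_rehash(chain, index, key=None, **changes):
    """Attacker with full privileged access edits the event and recomputes every hash
    using whatever key they hold (None = they do not have the HMAC key)."""
    events = [dict(r["event"]) for r in chain]
    events[index].update(changes)
    return build_chain(events, key)


if __name__ == "__main__":
    plain = build_chain(SAMPLE_EVENTS)
    print("intact:", verify(plain))                                             # -1
    print("row edited:", verify(edit_in_place(plain, 1, amount=12000)))         # 1
    print("row edited and rehashed, unkeyed chain:",
          verify(edit_and_rehash(plain, 1, amount=12000)))                      # -1 (undetected)
    key = b"held-by-log-collector-not-app-admin"  # assumed: key lives outside the app's admin scope
    keyed = build_chain(SAMPLE_EVENTS, key)
    print("row edited and rehashed without the key:",
          verify(edit_and_rehash(keyed, 1, amount=12000), key))                 # 0 (detected)
```

The unkeyed chain only protects against an attacker who cannot rewrite the hash column; an administrator with unrestricted write access to the log store can regenerate the whole chain. The keyed chain moves the trust to whoever holds the key, which is why the control only works when privileged access to the application host does not also grant access to the key (for example, a log collector or SIEM that applies the HMAC on receipt). Forwarding to append-only storage the application administrator cannot write to closes the same gap.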

Which of the following BEST reduces the likelihood of fraudulent activity that occurs through use of a digital wallet?
- Require public key infrastructure (PKI) to authorize transactions
- Require multi-factor authentication (MFA) to access the digital wallet
- Use a digital key to encrypt the contents of the wallet
- Enable audit logging on the digital wallet's device

The MOST essential content to include in an IT risk awareness program is how to:
- populate risk register entries and build a risk profile for management reporting
- define the IT risk framework for the organization
- prioritize IT-related actions by considering risk appetite and risk tolerance
- comply with the organization's IT risk and information security policies

Which of the following offers the SIMPLEST overview of changes in an organization's risk profile?
- A balanced scorecard
- The risk register
- A risk roadmap
- A heat map

To minimize the number of unmanaged application systems, it is MOST important that the policy for controlling the systems includes requirements for:
- review of application system operation logs
- periodic password expiration for application users
- regular training of system administrators
- documentation of system ownership

Which type of content would be MOST effective when an organization is building customized security awareness training?
- Real-world examples of security incidents with a selection of potential risk responses
- Awareness of the three lines of defense model
- Internal security policies and metrics to detect noncompliance
- Reinforcement of the acceptable use policy

A risk practitioner has been asked to propose a risk acceptance framework for an organization. Which of the following is the MOST important consideration for the risk practitioner to address in the framework?
- Communication protocols when a risk is accepted
- Acceptable scenarios to override risk appetite or tolerance thresholds
- Consistent forms to document risk acceptance rationales
- Individuals or roles authorized to approve risk acceptance

An organization's key risk indicator (KRI) that tracks patch compliance has exceeded its threshold. Which of the following is the risk practitioner's NEXT step?
- Instruct users to refrain from using affected devices
- Submit change requests to deploy patches
- Isolate noncompliant devices
- Report the condition to the risk owner

Which of the following is MOST likely to trigger a penetration test?
- Loss of customer data is suspected
- A disgruntled senior IT staff member has left the organization
- An acquired company's systems are being integrated
- A competitor's website was compromised

Which of the following is the PRIMARY advantage of having a single integrated business continuity plan (BCP) rather than each business unit developing its own BCP?
- It enables effective BCP maintenance and updates to reflect organizational changes
- It provides assurance of timely business process response and effectiveness
- It supports effective use of resources and provides reasonable confidence of recoverability
- It decreases the risk of downtime and operational losses in the event of a disruption

What should a risk practitioner do FIRST when an assessment reveals a control is not operating as intended?
- Determine the root cause of the control issue
- Recommend updates to the control procedures
- Discuss the status with the control owner
- Recommend compensating controls

A risk practitioner has observed an increasing trend of security events reported via network security monitoring tools. Which of the following would MOST likely be updated to reflect this trend?
- Risk impact
- Risk ownership
- Key risk indicators (KRIs)
- Risk tolerance level

Who is ULTIMATELY accountable for risk treatment?
- Control owner
- Risk owner
- Risk practitioner
- Enterprise risk management (ERM)

The PRIMARY benefit of selecting an appropriate set of key risk indicators (KRIs) is that they:
- provide a warning of emerging high-risk conditions
- align with the organization's risk profile
- provide data for updating the risk register
- serve as a basis for measuring risk appetite

Zero Trust architecture is designed and deployed with adherence to which of the following basic tenets?
- Digital identities should be implemented
- Security frameworks and libraries should be leveraged
- Incoming traffic must be inspected before connection is established
- All communication is secured regardless of network location

Which of the following BEST enables an organization to address new risk associated with an Internet of Things (IoT) solution?
- Introducing control procedures early in the life cycle
- Transferring the risk
- Updating the risk tolerance to include the new risk
- Implementing IoT device monitoring software

Which of the following is the MOST reliable validation of a new control?
- Internal audit review of control design
- Control owner attestation of control effectiveness
- Approval of the control by senior management
- Complete and accurate documentation of control objectives

Which of the following will have the GREATEST influence on the residual risk level in an organization?
- The investment portfolio
- IT department's capability
- The availability of resources
- The residual risk level in peer organizations

Which of the following BEST supports the integration of risk management into an organization's strategic direction?
- Identifying processes for which key risk indicator (KRI) values are rising
- Establishing guidelines for regulatory compliance
- Providing leadership with timely information about emerging risk
- Demonstrating tone at the top for mitigating risk within projects

During a review of the asset life cycle process, a risk practitioner identified several unreturned and unencrypted laptops belonging to former employees. Which of the following is the GREATEST concern with this finding?
- Unauthorized access to organizational data
- Insufficient laptops for existing employees
- Financial cost of replacing the laptops
- Abuse of leavers’ account privileges

Which of the following should a risk practitioner do FIRST to support the implementation of governance around organizational assets within an enterprise risk management (ERM) program?
- Conduct risk assessments across the business
- Hire experienced and knowledgeable resources
- Develop a detailed risk profile
- Schedule internal audits across the business

Which of the following should be done FIRST when developing an initial set of risk scenarios for an organization?
- Consider relevant business activities
- Use a top-down approach
- Use a bottom-up approach
- Refer to industry standard scenarios

The PRIMARY reason for communicating risk assessment results to data owners is to enable the:
- prioritization of response efforts
- industry benchmarking of controls
- design of appropriate controls
- classification of information assets

For which of the following activities is it MOST important to obtain input from business stakeholders?
- Emerging threat identification
- Awareness training content development
- Risk scenario development
- Control ownership assignment

Recovery time objectives (RTOs) should be based on:
- maximum tolerable downtime
- maximum tolerable loss of data
- minimum tolerable loss of data
- minimum tolerable downtime

Which of the following should be the PRIMARY driver for the prioritization of risk responses?
- Residual risk
- Inherent risk
- Mitigation cost
- Risk appetite

A risk practitioner notes that controls in place for a risk are only partially effective. However, the risk owner has indicated that implementing additional controls would be too costly. Which of the following is the risk practitioner's BEST course of action?
- Recommend risk acceptance for the control gap
- Document the inherent risk
- Adjust the risk tolerance in the risk register
- Recommend avoiding the risk

Which of the following BEST enables a risk practitioner to identify the consequences of losing critical resources due to a disaster?
- Tabletop exercise results
- Risk management action plans
- Business impact analysis (BIA)
- What-if technique

An organization's board of directors is concerned about recent data breaches in the news and wants to assess its exposure to similar scenarios. Which of the following is the BEST course of action?
- Reassess the risk appetite and tolerance levels of the business
- Review the organization's data retention policy and regulatory requirements
- Evaluate the organization's existing data protection controls
- Evaluate the sensitivity of data that the business needs to handle

The BEST use of key risk indicators (KRIs) is to provide:
- early indication of changes to required risk response
- lagging indication of major information security incidents
- insight into the performance of a monitored process
- early indication of increasing exposure to a specific risk

Which of the following events is MOST likely to trigger the need to conduct a risk assessment?
- Introduction of a new product line
- An incident resulting in data loss
- Changes in executive management
- Updates to the information security policy

An organization has completed a detailed root cause analysis of a security incident. Before selecting the risk treatment plan, it is MOST important to:
- perform a risk reassessment
- conduct a business impact analysis (BIA)
- update the existing key risk indicators (KRIs)
- perform a control matrix analysis

Which of the following is the MOST important update for keeping the risk register current?
- Adding new risk assessment results annually
- Retiring risk scenarios that have been avoided
- Changing risk owners due to employee turnover
- Modifying organizational structures when lines of business merge

Which of the following techniques is MOST helpful when quantifying the potential loss impact of cyber risk?
- Security assessment
- Cost-benefit analysis
- Penetration testing
- Business impact analysis (BIA)

An internal risk assessment revealed multiple critical security findings for a newly commissioned testing environment. Which of the following should the risk practitioner do FIRST?
- Define mitigating steps
- Update the IT risk register
- Notify IT management
- Set dates for the next review

Which of the following stakeholders define risk tolerance for an enterprise?
- The board and executive management
- IT compliance and IT audit
- Regulators and shareholders
- Enterprise risk management (ERM)

Which of the following is MOST important for secure application development?
- A recognized risk management framework
- Secure coding practices
- Well-documented business cases
- Security training for systems development staff

An increase in which of the following would be the MOST useful key risk indicator (KRI) for unauthorized access?
- Percentage of failed login attempts
- Number of direct logins to privileged accounts
- Percentage of user accounts not disabled after termination
- Number of system accounts provisioned

Which of the following presents the GREATEST security risk associated with Internet of Things (IoT) technology?
- The lack of updates for vulnerable firmware
- The lack of relevant IoT security frameworks to guide the risk assessment process
- The heightened level of IoT threats via the widespread use of smart devices
- The inability to monitor via network management solutions

Within the three lines of defense model, the PRIMARY responsibility for ensuring risk mitigation controls are properly configured belongs with:
- the IT risk function
- line management
- enterprise compliance
- internal audit

Which of the following would produce the MOST comprehensive and relevant enterprise risk scenarios?
- Conduct risk assessment workshops with business process owners
- Conduct risk assessment workshops with risk owners
- Leverage current and historical data to inform risk scenarios
- Combine top-down and bottom-up approaches

Which of the following would be the MOST effective way to identify changes in the internal control environment?
- Reviewing control ownership changes
- Performing control self-assessments (CSAs)
- Assessing risk objectives
- Reviewing the enterprise architecture (EA) roadmap

Which of the following BEST measures how well a risk assessment process is performing?
- Process maturity reports
- Key performance indicators (KPIs)
- Key risk indicators (KRIs)
- An enterprise performance improvement program

Which of the following is MOST important to ensure risk management practices are effective at all levels within the organization?
- Establishing key risk indicators (KRIs) to monitor risk management processes
- Ensuring that business activities minimize inherent risk
- Embedding risk management in business activities
- Communicating risk awareness materials regularly

Which of the following is a PRIMARY objective of privacy impact assessments (PIAs)?
- To identify risk when personal information is collected
- To ensure compliance with data privacy laws and regulations
- To identify threats introduced by business processes
- To ensure senior management has approved the use of personal information

Which of the following should be identified FIRST when using a bottom-up approach to develop IT risk scenarios related to a cloud environment managed by a third party?
- Scope of services provided and responsibilities carried out by the cloud vendor
- Business objectives to prioritize actions in the scenario treatment plan
- Control objectives applicable to the environment
- Current IT environment including cloud components

What should a risk practitioner verify FIRST once an acquisition of another company has been confirmed?
- Impact of compliance and regulatory requirements
- Whether currently identified risk items need updating
- The alignment of the risk appetite and tolerance levels
- The risk management approaches
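Two questions above deal with KRIs in operation: the patch compliance KRI that has exceeded its threshold, and the candidate KRIs for unauthorized access (failed login percentage, direct logins to privileged accounts, accounts not disabled after termination). As an added example that is not part of this question bank, the block below computes all four indicators from constructed inputs (an authentication log with the path each login took, a directory enabled flag per account, HR leaver dates and per-host patch age), compares each against a threshold, and records a breach as something to report to the named risk owner. The thresholds, owner names, reporting date and every sample record are assumptions made for the example.

```python
from datetime import date

# ---- Constructed sample inputs (not real telemetry) ----
REPORT_DATE = date(2024, 3, 1)  # assumed "as of" date for the KRI run
AUTH_LOG = [  # (account, result, path); path is sso | pam | direct
    ("alice", "ok", "sso"), ("bob", "fail", "sso"), ("bob", "ok", "sso"),
    ("root", "ok", "direct"),        # privileged account used without the PAM jump host
    ("dbadmin", "ok", "pam"),        # privileged account used through PAM (expected)
    ("carol", "fail", "sso"), ("carol", "fail", "sso"), ("carol", "ok", "sso"),
    ("svc_backup", "ok", "direct"),  # privileged account used without the PAM jump host
    ("dave", "ok", "sso"),
]
PRIVILEGED = {"root", "dbadmin", "svc_backup"}
ACCOUNT_ENABLED = {"alice": True, "bob": True, "carol": True, "dave": True,
                   "erin": True, "frank": False}
LEAVERS = {"erin": date(2024, 2, 15), "frank": date(2024, 1, 20)}  # HR termination dates
PATCH_AGE_DAYS = {"web01": 5, "web02": 40, "db01": 12, "app01": 61, "app02": 3}
PATCH_SLA_DAYS = 30


def pct_failed_logins(log):
    fails = sum(1 for _, result, _ in log if result == "fail")
    return round(100.0 * fails / len(log), 1)


def direct_privileged_logins(log, privileged):
    # Successful logins to privileged accounts that bypassed the PAM path.
    return [acct for acct, result, path in log
            if acct in privileged and path == "direct" and result == "ok"]


def terminated_not_disabled(enabled, leavers, today):
    # Leavers whose termination date has passed but whose account is still enabled.
    return sorted(u for u, left in leavers.items() if left <= today and enabled.get(u, False))


def pct_hosts_noncompliant(patch_age, sla_days):
    late = sum(1 for age in patch_age.values() if age > sla_days)
    return round(100.0 * late / len(patch_age), 1)


def build_kris(today=REPORT_DATE):
    """Each KRI carries the threshold agreed with its risk owner (values assumed here)."""
    leavers_open = terminated_not_disabled(ACCOUNT_ENABLED, LEAVERS, today)
    return [
        {"name": "failed_login_pct", "value": pct_failed_logins(AUTH_LOG),
         "threshold": 35.0, "owner": "IAM risk owner"},
        {"name": "direct_privileged_logins",
         "value": len(direct_privileged_logins(AUTH_LOG, PRIVILEGED)),
         "threshold": 0, "owner": "IAM risk owner"},
        {"name": "leaver_accounts_enabled_pct",
         "value": round(100.0 * len(leavers_open) / len(LEAVERS), 1),
         "threshold": 0.0, "owner": "HR/IAM risk owner"},
        {"name": "hosts_past_patch_sla_pct",
         "value": pct_hosts_noncompliant(PATCH_AGE_DAYS, PATCH_SLA_DAYS),
         "threshold": 10.0, "owner": "Infrastructure risk owner"},
    ]


def evaluate(kris):
    """Flag every KRI above its threshold; a breach is reported to the risk owner,
    who decides on the response, rather than acted on by the practitioner directly."""
    results = []
    for k in kris:
        breached = k["value"] > k["threshold"]
        results.append({**k, "breached": breached,
                        "action": f"report to {k['owner']}" if breached else "monitor"})
    return results


if __name__ == "__main__":
    for r in evaluate(build_kris()):
        print(f"{r['name']:<28} {r['value']:>6} (threshold {r['threshold']}) -> {r['action']}")
```

With these inputs the failed login percentage stays within its threshold, while the direct privileged logins, the enabled leaver account and the patch SLA breaches are each routed to their owner. The thresholds are where risk appetite enters: a KRI with no agreed threshold produces numbers but no signal, which is the point of the earlier question on aligning KRI tolerance levels with appetite.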
Within the system development life cycle (SDLC), controls should be specified during: system integration testing. project initiation. requirements definition. business case development. Which of the following is the PRIMARY benefit of using a risk profile?. It provides risk information to auditors. It enables vulnerability analysis. It enhances internal risk reporting. It promotes a security-aware culture. Which of the following is the GREATEST concern associated with quantum computing technology?. Increase in computing resource demands. Compromise of encryption techniques. Incompatibility with blockchain-based infrastructure. Increase in the cost of security. Which of the following processes is MOST helpful in proactively identifying non-compliant baseline images prior to implementing IT systems?. Configuration management. Change management. Patch management. Vulnerability management. A risk practitioner is advising management on how to update the IT policy framework to account for the organization's cloud usage. Which of the following should be the FIRST step in this process?. Evaluate adherence to existing IT policies and standards. Determine gaps between the current state and target framework. Consult with industry peers regarding cloud best practices. Adopt an industry-leading cloud computing framework. Which of the following BEST enables the integration of IT risk management across an organization?. Enterprise-wide risk awareness training. Robust risk reporting practices. Risk management policies. Enterprise risk management (ERM) framework. Which of the following is MOST important when substantiating control effectiveness?. Control design documentation. Length of time the control has been in operation. Evidence of operation. Certification by the risk assessor. Which of the following is the BEST way to prevent the loss of highly sensitive data when disposing of storage media?. Physical destruction. Degaussing. Data deletion. Data anonymization. 
Which of the following is the BEST indicator of the effectiveness of a newly implemented security awareness program?. An increase in the number of successful virus attacks detected. A decrease in the number of phishing emails received. An increase in the number of reported internal security incidents. A decrease in the number of internal network attacks detected. Which of the following events is MOST likely to trigger an update to the risk register?. A reminder to reassess an identified risk has been sent to risk owners and risk custodians. A business case for implementing a new solution for automating controls has been proposed. A project to implement a risk response action plan has been completed and closed successfully. A post-implementation review of a new application has been initiated by senior management. Which of the following is the MOST important reason to maintain a risk register?. To help develop IT risk management strategies. To help develop accurate risk scenarios. To support risk-aware decision making. To track current risk scenarios. Which of the following privacy principles reduces the impact of accidental leakage of personal data?. Accuracy. Purpose. Transparency. Minimization. A separation of duties control can no longer be sustained due to resource reductions at an organization. Who is BEST suited to decide if additional compensating controls are needed?. Risk owner. Compliance manager. Control owner. Risk practitioner. A risk practitioner is developing risk scenarios for a manufacturing organization that uses highly specialized systems to control its production process. Which of the following will BEST support management decision making that adequately addresses impacts to these systems?. Bottom-up approach. Event tree analysis. Top-down approach. Control gap analysis. Which of the following is the GREATEST risk associated with inappropriate classification of data?. Users having unauthorized access to data. 
Inaccurate recovery time objectives (RTOs). Lack of accountability for data ownership. Inaccurate record management data. Which of the following is MOST helpful to review when identifying risk scenarios associated with the adoption of Internet of Things (IoT) technology in an organization?. The network that IoT devices can access. The IoT threat landscape. Policy development for IoT. The business case for the use of IoT. Reviewing which of the following is the BEST way to gauge the effectiveness of a web application firewall (WAF)?. Product documentation. Capacity estimates. Implementation details. Penetration test results. Warning banners on login screens for laptops provided by an organization to its employees are an example of which type of control?. Corrective. Detective. Deterrent. Preventive. Who is BEST suited to provide information to the risk practitioner about the effectiveness of a technical control associated with an application?. Risk owner. Process owner. System owner. Internal auditor. An organization has established a policy prohibiting ransom payments if subjected to a ransomware attack. Which of the following is the MOST effective control to support this policy?. Implementing continuous intrusion detection monitoring. Creating immutable backups. Conducting periodic vulnerability scanning. Performing required patching. Which of the following is an example of the second line in the three lines of defense model?. External auditors. Risk management function. Risk owners. Control owners. Which of the following is MOST important for a risk practitioner to understand about an organization in order to create an effective risk awareness program?. Key risk indicators (KRIs) and thresholds. Known threats and vulnerabilities. Structure and culture. Policies and procedures. A technology company is developing a strategic artificial intelligence (AI)-driven application that has high potential business value. 
At what point should the enterprise risk profile be updated?. When user stories are developed. During post-implementation review. After user acceptance testing (UAT). Upon approval of the business case. Which of the following should be the PRIMARY focus of a disaster recovery management (DRM) framework and related processes?. Ensuring timely recovery of critical business operations. Determining capacity for alternate sites. Assessing the impact and probability of disaster scenarios. Restoring IT and cybersecurity operations. Which of the following is PRIMARILY responsible for providing assurance to the board of directors and senior management during the evaluation of a risk management program implementation?. Internal audit. Business units. Risk management. External audit. Which of the following describes the relationship between risk appetite and risk tolerance?. Risk tolerance is used to determine risk appetite. Risk tolerance may exceed risk appetite. Risk appetite is completely independent of risk tolerance. Risk appetite and risk tolerance are synonymous. Concerned about system load capabilities during the month-end close process, management requires monitoring of the average time to complete tasks and monthly reporting of the findings. What type of measure has been established?. Service level agreement (SLA). Key risk indicator (KRI). Key performance indicator (KPI). Critical success factor (CSF). Which of the following would MOST likely lower the risk associated with unauthorized access of sensitive data?. Sensitive data is centralized in one directory for users to access. Uploading sensitive data requires department head approval. Access is managed according to the principle of least privilege. Access is restricted to staff members based on level of seniority. An organization implements a risk avoidance approach to collecting personal information. Which of the following is the BEST way for a risk practitioner to validate the risk response?. 
Verify security baselines are implemented for databases. Perform a scan for personal information. Confirm that personal information is encrypted. Review the privacy policy to confirm it is up to date. Which of the following is the MOST important key performance indicator (KPI) for monitoring the user access management process?. Proportion of end users having more than one account. Percentage of accounts that have not been activated. Proportion of privileged to non-privileged accounts. Percentage of accounts disabled within the service level agreement (SLA). In a public company, which group is PRIMARILY accountable for ensuring sufficient attention and resources are applied to the risk management process?. Senior management. Line management. Risk officers. Board of directors. A risk practitioner has discovered that most third-party cloud service providers have not included a nondisclosure agreement (NDA) as part of the contract with the organization. Which of the following would MOST likely change as a result of this finding?. Risk appetite. Risk heat map. Risk likelihood. Risk tolerance. Which of the following is MOST important to understand when determining an appropriate risk assessment approach?. Threats and vulnerabilities. Prior audit findings. Complexity of the IT infrastructure. Management culture. A risk register BEST facilitates which of the following risk management functions?. Reviewing relevant risk scenarios with stakeholders. Influencing the risk culture of the organization. Analyzing the organization's risk appetite. Articulating senior management's intent. Which of the following outcomes of disaster recovery planning is MOST important to enable the initiation of necessary actions during a disaster?. A list of business areas and critical functions subject to risk analysis. Definition of disaster recovery plan (DRP) scope and key stakeholders. A checklist including equipment, location of data backups, and backup sites. 
Recovery time and maximum acceptable data loss thresholds. Which of the following presents the GREATEST regulatory risk associated with data privacy?. Where the data is collected. Where the data is disposed. When the data is collected. When the data is disposed. A failure in an organization's IT system build process has resulted in several computers on the network missing the corporate endpoint detection and response (EDR) software. Which of the following should be the risk practitioner's IMMEDIATE concern?. Threats are not being detected. The IT build process was not followed. The process documentation was not updated. Multiple corporate build images exist. Which of the following is MOST important for ensuring data privacy across multiple geographical environments?. Segmenting the network by geography. Determining the type of data processed. Updating data flow diagrams. Inventorying data processes. Which of the following BEST enables an organization to address risk associated with technical complexity?. Aligning with a security architecture. Establishing configuration guidelines. Documenting system hardening requirements. Minimizing dependency on technology. Which of the following BEST enables the selection of appropriate risk treatment in the event of a disaster?. Risk scenario analysis. Risk treatment plan. Business impact analysis (BIA). Failover procedures. Which of the following indicators measures the performance of IT configuration management?. Number of devices exceeding minimum configuration. Number of devices reviewed for compliance. Number of devices adhering to baseline settings. Number of devices not reporting configuration data. Which of the following is the BEST way to help ensure an internal control will continue to effectively mitigate risk?. Establish control monitoring. Perform periodic risk assessments. Perform control vulnerability assessments. Engage an independent controls audit. 
Which of the following information is MOST useful to a risk practitioner for developing IT risk scenarios?. Published vulnerabilities relevant to the business. Threat actors that can trigger events. Events that could potentially impact the business. IT assets requiring the greatest investment. Reviewing which of the following would provide the MOST useful information when preparing to evaluate the effectiveness of existing controls?. Changes in risk profiles. Previous audit reports. Control objectives. Risk responses in the risk register. Which of the following scenarios presents the GREATEST risk of noncompliance with data privacy best practices?. Data being used for purposes the data subjects have not opted into. Making data available to a larger audience of customers. Data not being disposed according to the retention policy. Personal data not being de-identified properly. Which of the following problems is BEST solved by a cloud access security broker (CASB)?. Lack of expertise to implement single sign-on (SSO). Cloud access security vendor selection. Inconsistently applied security policies. Inadequate key management policies. A threat assessment revealed issues with ransomware recoverability. Which of the following backup types would BEST mitigate this scenario?. Automated backups. Degaussed backups. Encrypted backups. Immutable backups. Which of the following should a risk practitioner review FIRST when evaluating risk events associated with the organization’s data flow model?. Results of data classification activities. High-level network diagrams. Recent changes to enterprise architecture (EA). Notes from interviews with the data owners. An organization is concerned that its employee may be unintentionally disclosing data through the use of social media sites. Which of the following will MOST effectively mitigate this risk?. Requiring the use of virtual private networks (VPNs). Establishing a data classification policy. Conducting user awareness training. 
Requiring employee agreement of the acceptable use policy. Which of the following should be the PRIMARY goal of developing information security metrics?. Identifying security threats. Raising security awareness. Ensuring regulatory compliance. Enabling continuous improvement. Which of the following should be the FIRST step when a company is made aware of new regulatory requirements impacting IT?. Review the risk tolerance and appetite. Prioritize impact to the business units. Perform a gap analysis. Perform a risk assessment. Which of the following is the PRIMARY objective of risk management?. To identify threats and vulnerabilities. To minimize business disruptions. To identify and analyze risk. To achieve business objectives. Which of the following BEST indicates the risk appetite and tolerance level for the risk associated with business interruption caused by IT system failures?. Recovery time objective (RTO). Incident management service level agreement (SLA). IT system criticality classification. Mean time to recover (MTTR). A risk practitioner has discovered a deficiency in a critical system that cannot be patched. Which of the following should be the risk practitioner’s FIRST course of action?. Submit a request to change management. Review the business impact assessment. Report the issue to internal audit. Conduct a risk assessment. Weaknesses found in an application system have been reviewed, and mitigating controls have been implemented. Which of the following should be done NEXT to ensure the effectiveness of controls at this stage?. Verify that residual risk remains within the acceptable range approved by management. Develop key performance indicators (KPIs) for the system. Review the service level agreement (SLA) to determine whether there is any degradation in quality. Design unannounced attacks to the application system to test its resilience. Which of the following is MOST influential when management makes risk response decisions?. Audit risk. 
Detection risk. Residual risk. Risk appetite. Which of the following should be the PRIMARY focus of a risk owner once a decision is made to mitigate a risk?. Ensuring that control design reduces risk to an acceptable level. Confirming to management the controls reduce the likelihood of the risk. Determining processes for monitoring the effectiveness of the controls. Updating the risk register to include the risk mitigation plan. Which of the following is the PRIMARY reason to perform periodic vendor risk assessments?. To monitor the vendor’s control effectiveness. To verify the vendor’s ongoing financial viability. To provide input to the organization’s risk appetite. To assess the vendor’s risk mitigation plans. The PRIMARY benefit of using a maturity model is that it helps to evaluate the: control requirements. capability to implement new processes. degree of compliance with policies and procedures. evolution of process improvements. Which of the following is the BEST way to mitigate the risk associated with fraudulent use of an enterprise’s brand on Internet sites?. Scanning the Internet to search for unauthorized usage. Developing training and awareness campaigns. Monitoring the enterprise’s use of the Internet. Utilizing data loss prevention (DLP) technology. Which of the following is performed after a risk assessment is completed?. Conducting an impact analysis. Defining risk taxonomy. Defining risk response options. Identifying vulnerabilities. Which of the following is the PRIMARY risk management responsibility of the third line of defense?. Providing assurance of the effectiveness of risk management activities. Providing advisory services on enterprise risk management (ERM). Providing guidance on the design of effective controls. Providing benchmarking on other organizations’ risk management programs. Which of the following is the MOST important criterion for assigning ownership of IT risk?. Responsibility for key performance indicators (KPIs). 
Authority to approve control ownership. Authority to manage the risk resolution process. Ability to track and report on risk mitigation efforts. Which of the following BEST reduces the risk associated with the theft of a laptop containing sensitive information?. Biometric access control. Periodic backup. Data encryption. Cable lock. Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?. Perform an in-depth code review with an expert. Utilize the change management process. Implement a service level agreement (SLA). Validate functionality by running in a test environment. Which of the following should be the risk practitioner’s FIRST course of action when an organization plans to adopt a cloud computing strategy?. Request a budget for implementation. Create a cloud computing policy. Conduct a threat analysis. Perform a controls assessment. Which of the following will BEST help to ensure new IT policies address the enterprise’s requirements?. Involve IT leadership in the policy development process. Provide policy owners with greater enforcement authority. Involve business owners in the policy development process. Require business users to sign acknowledgment of the policies. Which of the following situations presents the GREATEST challenge to creating a comprehensive IT risk profile of an organization?. Risk-averse organizational risk appetite. Organizational reliance on third-party service providers. Inaccurate documentation of enterprise architecture (EA). Manual vulnerability scanning processes. Which of the following analyses is MOST useful for prioritizing risk scenarios associated with loss of IT assets?. Business impact analysis (BIA). Root cause analysis. SWOT analysis. Cost-benefit analysis. The PRIMARY goal of conducting a business impact analysis (BIA) as part of an overall continuity planning process is to: document the disaster recovery process. 
map the business processes to supporting IT and other corporate resources. obtain the support of executive management. identify critical business processes and the degree of reliance on support services. Which of the following should be the PRIMARY basis for deciding whether to disclose information related to risk events that impact external stakeholders?. Management assertions. Contractual requirements. Stakeholder preferences. Regulatory requirements. Which of the following is the PRIMARY reason for sharing risk assessment reports with senior stakeholders?. To support decision-making for risk response. To secure resourcing for risk treatment efforts. To enable senior management to compile a risk profile. To hold risk owners accountable for risk action plans. Which of the following activities is a prerequisite for effectively executing information security functions such as vulnerability management, incident management, and data protection?. Financial management. Asset management. Change management. Configuration management. Which of the following is the PRIMARY reason to conduct risk assessments at periodic intervals?. To ensure emerging risk is identified and monitored. To promote a risk-aware culture among staff. To establish the maturity level of risk assessment processes. To ensure risk trend data is collected and reported. What is the MAIN benefit of using a top-down approach to develop risk scenarios?. It describes risk events specific to technology used by the enterprise. It helps management and the risk practitioner to refine risk scenarios. It uses hypothetical and generic risk events specific to the enterprise. It establishes the relationship between risk events and organizational objectives. Which of the following is the GREATEST benefit of a three lines of defense structure?. Improved effectiveness and efficiency of business operations. An effective risk culture that empowers employees to report risk. 
Effective separation of duties to prevent internal fraud. Clear accountability for risk management processes. An organization automatically approves exceptions to security policies on a recurring basis. This practice is MOST likely the result of: a lack of mitigating actions for identified risk. decreased threat levels. ineffective service delivery. ineffective IT governance. As part of the three lines of defense, which of the following is the MOST important function of internal audit?. Advising on risk mitigation plans. Providing independent reporting. Communication critical findings. Remediating control deficiencies. A failed IT system upgrade project has resulted in the corruption of an organization’s asset inventory database. Which of the following controls BEST mitigates the impact of this incident?. Encryption. Configuration. Authentication. Backups. A new risk practitioner finds that decisions for implementing risk response plans are not being made. Which of the following would MOST likely explain this situation?. Risk ownership is not being assigned properly. The organization has a high level of risk appetite. The organization’s risk awareness program is ineffective. Risk management procedures are outdated. A risk practitioner has established that a particular control is working as desired, but the annual cost of maintenance has increased and now exceeds the expected annual loss exposure. The result is that the control is: ineffective. mature. optimized. inefficient. An organization is considering outsourcing user administration controls for a critical system. The potential vendor has offered to perform quarterly self-audits of its controls instead of having annual independent audits. Which of the following should be of GREATEST concern to the risk practitioner?. The vendor will not achieve best practices. The vendor will not ensure against control failure. The controls may not be properly tested. Lack of a risk-based approach to access control. 
Which of the following is BEST determined by analysis of incident reports?. Effectiveness of internal controls. Changes in the external risk environment. Thresholds for key risk indicators (KRIs). Ranges for key performance indicators (KPIs). During a risk assessment, a key external technology supplier refuses to provide control design and effectiveness information, citing confidentiality concerns. What should the risk practitioner do NEXT?. Review the supplier’s contractual obligations. Request risk acceptance from the business process owner. Escalate the non-cooperation to management. Exclude applicable controls from the assessment. Which of the following is the MOST effective way to promote organization-wide awareness of data security in response to an increase in regulatory penalties for data leakage?. Require training on the data handling policy. Enforce sanctions for noncompliance with security procedures. Require regular testing of data breach response plan. Conduct organization-wide phishing simulations. Which of the following should be the PRIMARY input to determine risk tolerance?. Annual loss expectance (ALE). Organizational objectives. Regulatory requirements. Risk management costs. Risk appetite should be PRIMARILY driven by which of the following?. Legal and regulatory requirements. Business impact analysis (BIA). Stakeholder requirements. Enterprise security architecture roadmap. A legacy application used for a critical business function relies on software that has reached the end of extended support. Which of the following is the MOST effective control to manage this application?. Segment the application within the existing network. Increase the frequency of regular system and data backups. Apply patches for a newer version of the application. Subscribe to threat intelligence to monitor external attacks. Which of the following would be MOST helpful when communicating roles associated with the IT risk management process?. Organizational chart. 
RACI chart. Job descriptions. Skills matrix. Which of the following is the MOST effective method for identifying high-impact risk scenarios?. Probability and consequence analysis. Quantitative risk analysis. Failure modes and effects analysis. Business impact analysis (BIA). Which of the following should be done FIRST to develop effective mitigation plans following an audit?. Prioritize findings according to risk. Assess controls already in place. Evaluate risk response options. Identify internal resources. An organization is implementing Zero Trust architecture to improve its security posture. Which of the following is the MOST important input to develop the architecture?. The organization’s threat model. Cloud services risk assessments. Access control logs. Multi-factor authentication (MFA) architecture. Which of the following should be the GREATEST concern to a risk practitioner when process documentation is incomplete?. Inability to identify the risk owner. Inability to complete the risk register. Inability to allocate resources efficiently. Inability to identify process experts. Which of the following would provide the MOST useful input when evaluating the appropriateness of risk responses?. Cost-benefit analysis. Incident reports. Risk tolerance. Control objectives. Which of the following BEST enables effective IT control implementation?. Information security standards. Key risk indicators (KRIs). Information security policies. Documented procedures. Which of the following standard operating procedure statements BEST illustrates appropriate risk register maintenance?. Remove risk that management has decided to accept. Remove risk when mitigation results in residual risk within tolerance levels. Remove risk only following a significant change in the risk environment. Remove risk that has been mitigated by third-party transfer. 
Which of the following should be the MOST important consideration when determining controls necessary for a highly critical information system?. The number of threats to the system. The organization’s available budget. The level of acceptable risk to the organization. The number of vulnerabilities to the system. To define the risk management strategy, which of the following MUST be set by the board of directors?. Risk appetite. Operational strategies. Risk governance. Annual loss expectancy (ALE). Which of the following is the BEST approach to mitigate the risk associated with a control deficiency?. Perform a business case analysis. Conduct a control self-assessment (CSA). Implement compensating controls. Build a provision for risk. Which of the following is a risk practitioner’s BEST course of action if a risk assessment identifies a risk that is extremely unlikely but would have a severe impact should it occur?. Ignore the risk due to the extremely low likelihood. Address the risk by analyzing treatment options. Rate the risk as high priority based on the severe impact. Obtain management’s consent to accept the risk. Which of the following BEST enables the classification of controls in a risk taxonomy?. Reviewing security policies periodically. Adopting standards and frameworks. Hiring external consultants. Performing internal and external audits. An organization recently implemented a cybersecurity awareness program that includes phishing simulation exercises for all employees. What type of control is being utilized?. Deterrent. Compensating. Detective. Preventive. After entering a large number of low-risk scenarios into the risk register, it is MOST important for the risk practitioner to: analyze changes to aggregate risk. recommend acceptance of the risk scenarios. reconfirm risk tolerance levels. prepare a follow-up risk assessment. 
An organization’s capability to implement a risk management framework is PRIMARILY influenced by the:
- approval of senior management.
- maturity of its risk culture.
- guidance of the risk practitioner.
- competence of the staff involved.

What is the PRIMARY role of the application owner when changes are being introduced into an existing environment?
- Approving the proposed changes based on impact analysis.
- Updating control procedures and documentation.
- Determining possible losses due to downtime during the changes.
- Notifying owners of affected systems after the changes are implemented.

An organization has decided to implement a new Internet of Things (IoT) solution. Which of the following should be done FIRST when addressing security concerns associated with this new technology?
- Implement IoT device monitoring software.
- Introduce controls to the new threat environment.
- Develop new IoT risk scenarios.
- Engage external security reviews.

Which of the following is MOST important to the effectiveness of key performance indicators (KPIs)?
- Annual review.
- Relevance.
- Automation.

Which of the following BEST helps to identify significant events that could impact an organization?
- Vulnerability analysis.
- Scenario analysis.
- Control analysis.
- Heat map analysis.

Which of the following activities BEST facilitates effective risk management throughout the organization?
- Reviewing risk-related process documentation.
- Conducting periodic risk assessments.
- Performing frequent audits.
- Performing a business impact analysis (BIA).

Which of the following should be considered FIRST when creating a comprehensive IT risk register?
- Risk management budget.
- Risk appetite.
- Risk analysis techniques.
- Risk mitigation policies.

What would be MOST helpful to ensuring the effective implementation of a new cybersecurity program?
- Assigning clear ownership of the program.
- Establishing a budget for additional resources.
- Creating metrics to report the number of security incidents.
- Hiring subject matter experts for the program.

Which of the following is the MOST significant indicator of the need to perform a penetration test?
- An increase in the number of infrastructure changes.
- An increase in the percentage of turnover in IT personnel.
- An increase in the number of high-risk audit findings.
- An increase in the number of security incidents.

Which of the following is the ULTIMATE goal of conducting a privacy impact analysis (PIA)?
- To identify personally identifiable information (PII).
- To identify gaps in data protection controls.
- To determine gaps in data de-identification processes.
- To develop a customer notification plan.

An organization has introduced risk ownership to establish clear accountability for each process. To ensure effective risk ownership, it is MOST important that:
- risk owners have decision-making authority.
- senior management has oversight of the process.
- separation of duties exists between risk and process owners.
- process ownership aligns with IT system ownership.

Which of the following is MOST helpful to understand the consequences of an IT risk event?
- Root cause analysis.
- Business impact analysis (BIA).
- Historical trend analysis.
- Fault tree analysis.

A risk owner and control owner disagree on the minimum required level of operational effectiveness for a key control and have asked the risk practitioner to help resolve the dispute. Which of the following would be the risk practitioner’s BEST course of action?
- Select a compensating control agreeable to both parties.
- Defer to the control owner’s desired level of operational effectiveness.
- Review thresholds against the organization’s risk appetite and tolerance.
- Defer to the risk owner’s desired level of operational effectiveness.

Which of the following would be the BEST way for a risk practitioner to validate the effectiveness of a patching program?
- Interview IT operations personnel.
- Conduct vulnerability scans.
- Conduct penetration testing.
- Review change control board documentation.

A risk practitioner recently discovered that personal information from the production environment is required for testing purposes in non-production environments. Which of the following is the BEST recommendation to address this situation?
- Enable data encryption in the test environment.
- Prevent the use of production data in the test environment.
- De-identify data before it is transferred to the environment.
- Enforce multi-factor authentication (MFA) within the test environment.

From a risk management perspective, which of the following is the PRIMARY benefit of using automated system configuration validation tools?
- Staff costs are reduced.
- Operational costs are reduced.
- Residual risk is reduced.
- Inherent risk is reduced.

Which of the following is a risk practitioner’s BEST recommendation to address an organization’s need to secure multiple systems with limited IT resources?
- Perform a vulnerability analysis.
- Schedule a penetration test.
- Conduct a business impact analysis (BIA).
- Apply available security patches.

Which risk response strategy could management apply to both positive and negative risk that has been identified?
- Transfer.
- Accept.
- Exploit.
- Mitigate.

Which of the following would MOST likely drive the need to review and update key performance indicators (KPIs) for critical IT assets?
- Changes in service level objectives.
- Findings from continuous monitoring.
- The outsourcing of related IT processes.
- Outcomes of periodic risk assessments.

Which of the following is the MOST important consideration when selecting digital signature software?
- Completeness.
- Availability.
- Accuracy.
- Nonrepudiation.

After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:
- inform the development team of the concerns and together formulate risk reduction measures.
- inform the IT manager of the concerns and propose measures to reduce them.
- recommend a program that minimizes the concerns of that production system.
- inform the process owner of the concerns and propose measures to reduce them.

As part of software development projects, risk assessments are MOST effective when performed:
- during system deployment and maintenance.
- before developing the project charter for the software.
- before the decision is made to develop or acquire the software.
- throughout the system development life cycle (SDLC).

Which of the following should be the PRIMARY consideration when assessing the risk of using Internet of Things (IoT) devices to collect and process personally identifiable information (PII)?
- Costs and benefits.
- Local laws and regulations.
- Business strategies and needs.
- Security features and support.

The PRIMARY purpose of penetration testing is to:
- assess the impact of potential threats.
- validate system resiliency.
- detect vulnerabilities that can be exploited.
- verify effectiveness of response procedures.

Upon learning that the number of failed backup attempts continually exceeds the current risk threshold, the risk practitioner should:
- adjust the risk threshold to better reflect actual performance.
- keep monitoring the situation as there is evidence that this is normal.
- initiate corrective action to address the known deficiency.
- inquire about the status of any planned corrective actions.

Following an acquisition, the acquiring company's risk practitioner has been asked to update the organization's IT risk profile. What is the MOST important information to review from the acquired company to facilitate this task?
- Risk assessment and risk register.
- Risk disclosures in financial statements.
- Business objectives and strategies.
- Internal and external audit reports.

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery test of critical business processes?
- Number of issues and action items resolved during the recovery test.
- Percentage of processes recovered within the recovery time and point objectives.
- Percentage of job failures identified and resolved during the recovery process.
- Number of current test plans and procedures.

An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:
- communicate the consequences for violations.
- implement industry best practices.
- reduce the organization’s risk appetite.
- reduce the risk to an acceptable level.

The MAIN purpose of selecting a risk response is to:
- mitigate the residual risk to be within tolerance.
- ensure organizational awareness of the risk level.
- demonstrate the effectiveness of risk management practices.
- ensure compliance with local regulatory requirements.

Which of the following is the MOST important characteristic of a key risk indicator (KRI) to enable decision-making?
- Listing alternative causes for risk events.
- Setting minimum sample sizes to ensure accuracy.
- Monitoring the risk until exposure is reduced.
- Illustrating changes in risk trends.

Which of the following BEST indicates that an organization has implemented IT performance requirements?
- Vendor references.
- Accountability matrix.
- Benchmarking data.
- Service level agreements (SLAs).

A risk practitioner identifies an increasing trend of employees copying company information unrelated to their job functions to USB drives. Which of the following elements of the risk register should be updated to reflect this observation?
- Key risk indicator (KRI).
- Risk appetite.
- Risk impact.
- Risk likelihood.

Which of the following is PRIMARILY a risk management responsibility of the first line of defense?
- Implementing risk treatment plans.
- Conducting independent reviews of risk assessment results.
- Establishing risk policies and standards.
- Validating the status of risk mitigation efforts.

Which of the following BEST enables senior management to compare the ratings of risk scenarios?
- Control self-assessment (CSA).
- Key risk indicators (KRIs).
- Risk heat map.
- Key performance indicators (KPIs).

All business units within an organization have the same risk response plan for creating local disaster recovery plans. In an effort to achieve cost effectiveness, the BEST course of action would be to:
- outsource disaster recovery to an external provider.
- select a provider to standardize the disaster recovery plans.
- evaluate opportunities to combine disaster recovery plans.
- centralize the risk response function at the enterprise level.

Which of the following presents the GREATEST challenge to managing an organization’s end-user devices?
- Incompatible end-user devices.
- Unsupported end-user applications.
- Incomplete end-user device inventory.
- Multiple end-user device models.

Who should have the authority to approve an exception to a control?
- Information security manager.
- Risk manager.
- Control owner.
- Risk owner.

The PRIMARY reason to implement a formalized risk taxonomy is to:
- reduce subjectivity in risk management.
- comply with regulatory requirements.
- demonstrate best industry practice.
- improve visibility of overall risk exposure.

Which of the following is the MOST important course of action for a risk practitioner when reviewing the results of control performance monitoring?
- Analyze appropriateness of key performance indicators (KPIs).
- Evaluate changes to the organization’s risk profile.
- Confirm controls achieve regulatory compliance.
- Validate whether the controls effectively mitigate risk.

A MAJOR advantage of using key risk indicators (KRIs) is that they:
- identify when risk exceeds defined thresholds.
- assess risk scenarios that exceed defined thresholds.
- help with internal control assessments concerning risk appetite.
- identify scenarios that exceed defined risk appetite.

Which strategy employed by risk management would BEST help to prevent internal fraud?
- Require control owners to conduct an annual control certification.
- Require the information security officer to review unresolved incidents.
- Ensure segregation of duties is implemented within key systems or processes.
- Conduct regular internal and external audits on the systems supporting financial reporting.

A risk practitioner is reviewing a vendor contract and finds there is no clause to control privileged access to the organization’s systems by vendor employees. Which of the following is the risk practitioner’s BEST course of action?
- Contact the business owner.
- Seek an alternative vendor.
- Add this concern to the risk register.
- Invoke the security incident plan.

A recent regulatory requirement has the potential to affect an organization’s use of a third party to supply outsourced business services. Which of the following is the BEST course of action?
- Identify compensating controls.
- Terminate the outsourcing agreement.
- Transfer risk to the third party.
- Conduct a gap analysis.

During a recent security framework review, it was discovered that the marketing department implemented a non-fungible token asset program. This was done without following established risk procedures. Which of the following should the risk practitioner do FIRST?
- Perform a risk assessment.
- Discontinue the process.
- Report the infraction.
- Conduct risk awareness training.

An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?
- Invoke the disaster recovery plan (DRP) during an incident.
- Reduce the recovery time by strengthening the response team.
- Prepare a cost-benefit analysis of alternatives available.
- Implement redundant infrastructure for the application.

The annualized loss expectancy (ALE) method of risk analysis:
- uses qualitative risk rankings such as low, medium, and high.
- can be used to determine the indirect business impact.
- helps in calculating the expected cost of controls.
- can be used in a cost-benefit analysis.

After an annual risk assessment is completed, which of the following would be MOST important to communicate to stakeholders?
- A change in the risk profile.
- A decrease in threats.
- An increase in identified risk scenarios.
- An increase in reported vulnerabilities.

Which of the following is the PRIMARY reason for an organization to include an acceptable use banner when users log in?
- To enable rapid discovery of insider threat.
- To reduce the likelihood of insider threat.
- To eliminate the possibility of insider threat.
- To reduce the impact of insider threat.

An organization is considering the adoption of an aggressive business strategy to achieve desired growth. From a risk management perspective, what should the risk practitioner do NEXT?
- Update risk awareness training to reflect current levels of risk appetite and tolerance.
- Identify new threats resulting from the new business strategy.
- Increase the scale for measuring impact due to threat materialization.
- Inform the board of potential risk scenarios associated with aggressive business strategies.

Which of the following controls will BEST mitigate risk associated with excessive access privileges?
- Frequent password expiration.
- Segregation of duties.
- Entitlement reviews.
- Review of user access logs.

Which of the following is the MOST critical consideration when awarding a project to a third-party service provider whose servers are located offshore?
- Difficulty of monitoring compliance due to geographical distance.
- Cost implications due to installation of network intrusion detection systems (IDSs).
- Delays in incident communication.
- Potential impact on data governance.

An organization has recently hired a large number of part-time employees. During the annual audit, it was discovered that many user IDs and passwords were documented in procedure manuals for use by the part-time employees. Which of the following BEST describes this situation?
- Risk.
- Policy violation.
- Threat.
- Vulnerability.

Which of the following is the MAIN reason for documenting the performance of controls?
- Justifying return on investment.
- Demonstrating effective risk mitigation.
- Providing accurate risk reporting.
- Obtaining management sign-off.

One of an organization’s key IT systems cannot be patched because the patches interfere with critical business application functionalities. Which of the following would be the risk practitioner’s BEST recommendation?
- The associated IT risk should be accepted by management.
- The organization’s IT risk appetite should be adjusted.
- Additional mitigating controls should be identified.
- The system should not be used until the application is changed.

Which of the following is the MOST useful input for the prioritization of future risk assessments?
- Risk metrics dashboard.
- Business impact analysis (BIA).
- Capability maturity assessment.
- Change management schedule.

A financial organization is considering a project to implement the use of blockchain technology. To help ensure the organization’s management team can make informed decisions on the project, which of the following should the risk practitioner reassess?
- Risk tolerance.
- Risk classification.
- Business impact analysis (BIA).
- Risk profile.

Which of the following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system?
- Conduct user acceptance testing.
- Perform a post-implementation review.
- Interview process owners.
- Review the key performance indicators (KPIs).

Which of the following is the MOST useful information for prioritizing risk mitigation?
- Cost of risk mitigation.
- Asset criticality.
- Business impact assessment.
- Acceptable risk level.

Which of the following is the BEST evidence that a user account has been properly authorized?
- Notification from human resources (HR) that the account is active.
- Formal approval of the account by the user’s manager.
- User privileges matching the request form.
- An email from the user accepting the account.

Which of the following would provide the MOST reliable evidence of the effectiveness of security controls implemented for a web application?
- Penetration testing.
- Fault tree analysis.
- Vulnerability assessment.
- IT general controls audit.

Which of the following BEST enables a risk practitioner to understand management's approach to organizational risk?
- Industry best practices for risk management.
- Risk appetite and risk tolerance.
- Prior year’s risk assessment results.
- Organizational structure and job descriptions.

An incentive program is MOST likely implemented to manage the risk associated with loss of which organizational asset?
- Employees.
- Reputation.
- Data.
- Customer lists.

Which of the following is MOST important to determine as a result of a risk assessment?
- Risk appetite statement.
- Process ownership.
- Risk response options.
- Risk tolerance levels.

Which of the following would BEST facilitate the implementation of data classification requirements?
- Implementing technical controls over the assets.
- Implementing a data loss prevention (DLP) solution.
- Scheduling periodic audits.
- Assigning a data owner.

A robotic process automation (RPA) project has implemented new robots to enhance the efficiency of a sales business process. Which of the following provides the BEST evidence that the new controls have been implemented successfully?
- Senior management has signed off on the design of the controls.
- A post-implementation review has been conducted by key personnel.
- Robots have operated without human interference on a daily basis.
- A qualified independent party assessed the new controls as effective.

Which of the following would be a risk practitioner’s GREATEST concern with the use of a vulnerability scanning tool?
- Increased time to remediate vulnerabilities.
- Inaccurate reporting of results.
- Increased number of vulnerabilities.
- Network performance degradation.

Which of the following is MOST useful when performing a quantitative risk assessment?
- Management support.
- RACI matrix.
- Industry benchmarking.
- Financial models.

Which of the following provides the BEST evidence that risk responses are effective?
- Compliance breaches are addressed in a timely manner.
- Risk with low impact is accepted.
- Risk ownership is identified and assigned.
- Residual risk is within risk tolerance.

An organization is planning to engage a cloud-based service provider for some of its data-intensive business processes. Which of the following is MOST important to help define the IT risk associated with this outsourcing activity?
- Service level agreement.
- Right to audit the provider.
- Customer service reviews.
- Scope of services provided.

An organization’s business gap analysis reveals the need for a robust IT risk strategy. Which of the following should be the risk practitioner’s PRIMARY consideration when participating in development of the new strategy?
- Proposed risk budget.
- Risk indicators.
- Risk culture.
- Scale of technology.




