The PRIMARY objective for selecting risk response options is to:
- A . reduce risk to an acceptable level.
- B . identify compensating controls.
- C . minimize residual risk.
- D . reduce risk factors.
An organization has procured a managed hosting service and just discovered the location is likely to be flooded every 20 years. Of the following, who should be notified of this new information FIRST?
- A . The risk owner who also owns the business service enabled by this infrastructure
- B . The data center manager who is also employed under the managed hosting services contract
- C . The site manager who is required to provide annual risk assessments under the contract
- D . The chief information officer (CIO) who is responsible for the hosted services
IT management has asked for a consolidated view into the organization’s risk profile to enable project prioritization and resource allocation.
Which of the following materials would be MOST helpful?
- A . IT risk register
- B . List of key risk indicators
- C . Internal audit reports
- D . List of approved projects
Which of the following is the MOST useful indicator to measure the efficiency of an identity and access management process?
- A . Number of tickets for provisioning new accounts
- B . Average time to provision user accounts
- C . Password reset volume per month
- D . Average account lockout time
A risk practitioner is assisting with the preparation of a report on the organization’s disaster recovery (DR) capabilities.
Which information would have the MOST impact on the overall recovery profile?
- A . The percentage of systems meeting recovery target times has increased.
- B . The number of systems tested in the last year has increased.
- C . The number of systems requiring a recovery plan has increased.
- D . The percentage of systems with long recovery target times has decreased.
Which of the following changes would be reflected in an organization’s risk profile after the failure of a critical patch implementation?
- A . Risk tolerance is decreased.
- B . Residual risk is increased.
- C . Inherent risk is increased.
- D . Risk appetite is decreased.
Which of the following would be MOST important for a risk practitioner to provide to the internal audit department during the audit planning process?
- A . Closed management action plans from the previous audit
- B . Annual risk assessment results
- C . An updated vulnerability management report
- D . A list of identified generic risk scenarios
The MAIN purpose of conducting a control self-assessment (CSA) is to:
- A . gain a better understanding of the control effectiveness in the organization
- B . gain a better understanding of the risk in the organization
- C . adjust the controls prior to an external audit
- D . reduce the dependency on external audits
Which of the following attributes of a key risk indicator (KRI) is MOST important?
- A . Repeatable
- B . Automated
- C . Quantitative
- D . Qualitative
A contract associated with a cloud service provider MUST include:
- A . ownership of responsibilities.
- B . a business recovery plan.
- C . provision for source code escrow.
- D . the provider’s financial statements.
Who should be accountable for ensuring effective cybersecurity controls are established?
- A . Risk owner
- B . Security management function
- C . IT management
- D . Enterprise risk function
Which of the following is the BEST method to identify unnecessary controls?
- A . Evaluating the impact of removing existing controls
- B . Evaluating existing controls against audit requirements
- C . Reviewing system functionalities associated with business processes
- D . Monitoring existing key risk indicators (KRIs)
Which of the following BEST describes the role of the IT risk profile in strategic IT-related decisions?
- A . It compares performance levels of IT assets to value delivered.
- B . It facilitates the alignment of strategic IT objectives to business objectives.
- C . It provides input to business managers when preparing a business case for new IT projects.
- D . It helps assess the effects of IT decisions on risk exposure.
Which of the following should be the PRIMARY consideration when implementing controls for monitoring user activity logs?
- A . Ensuring availability of resources for log analysis
- B . Implementing log analysis tools to automate controls
- C . Ensuring the control is proportional to the risk
- D . Building correlations between logs collected from different sources
Which of the following is the BEST method to ensure a terminated employee’s access to IT systems is revoked upon departure from the organization?
- A . Login attempts are reconciled to a list of terminated employees.
- B . A list of terminated employees is generated for reconciliation against current IT access.
- C . A process to remove employee access during the exit interview is implemented.
- D . The human resources (HR) system automatically revokes system access.
Who is the MOST appropriate owner for newly identified IT risk?
- A . The manager responsible for IT operations that will support the risk mitigation efforts
- B . The individual with authority to commit organizational resources to mitigate the risk
- C . A project manager capable of prioritizing the risk remediation efforts
- D . The individual with the most IT risk-related subject matter knowledge
Which of the following is the BEST indication of an improved risk-aware culture following the implementation of a security awareness training program for all employees?
- A . A reduction in the number of help desk calls
- B . An increase in the number of identified system flaws
- C . A reduction in the number of user access resets
- D . An increase in the number of incidents reported
Which of the following tools is MOST effective in identifying trends in the IT risk profile?
- A . Risk self-assessment
- B . Risk register
- C . Risk dashboard
- D . Risk map
A risk practitioner has determined that a key control does not meet design expectations.
Which of the following should be done NEXT?
- A . Document the finding in the risk register.
- B . Invoke the incident response plan.
- C . Re-evaluate key risk indicators.
- D . Modify the design of the control.
Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?
- A . Maintain and review the classified data inventory.
- B . Implement mandatory encryption on data.
- C . Conduct an awareness program for data owners and users.
- D . Define and implement a data classification policy.
Which of the following is the PRIMARY reason to perform ongoing risk assessments?
- A . Emerging risk must be continuously reported to management.
- B . New system vulnerabilities emerge at frequent intervals.
- C . The risk environment is subject to change.
- D . The information security budget must be justified.
Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited.
Which of the following would be the BEST response to this scenario?
- A . Assess the vulnerability management process.
- B . Conduct a control self-assessment.
- C . Conduct a vulnerability assessment.
- D . Reassess the inherent risk of the target.
Which of the following BEST provides an early warning that network access of terminated employees is not being revoked in accordance with the service level agreement (SLA)?
- A . Updating multi-factor authentication
- B . Monitoring key access control performance indicators
- C . Analyzing access control logs for suspicious activity
- D . Revising the service level agreement (SLA)
A risk assessment has identified that departments have installed their own WiFi access points on the enterprise network.
Which of the following would be MOST important to include in a report to senior management?
- A . The network security policy
- B . Potential business impact
- C . The WiFi access point configuration
- D . Planned remediation actions
Which of the following is the MOST important element of a successful risk awareness training program?
- A . Customizing content for the audience
- B . Providing incentives to participants
- C . Mapping to a recognized standard
- D . Providing metrics for measurement
The number of tickets to rework application code has significantly exceeded the established threshold.
Which of the following would be the risk practitioner’s BEST recommendation?
- A . Perform a root cause analysis.
- B . Perform a code review.
- C . Implement version control software.
- D . Implement training on coding best practices.
An effective control environment is BEST indicated by controls that:
- A . minimize senior management’s risk tolerance.
- B . manage risk within the organization’s risk appetite.
- C . reduce the thresholds of key risk indicators (KRIs).
- D . are cost-effective to implement.
Which of the following is the PRIMARY reason for a risk practitioner to use global standards related to risk management?
- A . To build an organizational risk-aware culture
- B . To continuously improve risk management processes
- C . To comply with legal and regulatory requirements
- D . To identify gaps in risk management practices
Which of the following helps ensure compliance with a nonrepudiation policy requirement for electronic transactions?
- A . Digital signatures
- B . Encrypted passwords
- C . One-time passwords
- D . Digital certificates
Establishing an organizational code of conduct is an example of which type of control?
- A . Preventive
- B . Directive
- C . Detective
- D . Compensating
Management has noticed storage costs have increased exponentially over the last 10 years because most users do not delete their emails.
Which of the following can BEST alleviate this issue while not sacrificing security?
- A . Implementing record retention tools and techniques
- B . Establishing e-discovery and data loss prevention (DLP)
- C . Sending notifications when near storage quota
- D . Implementing a bring your own device (BYOD) policy
Malware has recently affected an organization.
The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:
- A . a gap analysis.
- B . a root cause analysis.
- C . an impact assessment.
- D . a vulnerability assessment.
Calculation of the recovery time objective (RTO) is necessary to determine the:
- A . time required to restore files.
- B . point of synchronization.
- C . priority of restoration.
- D . annual loss expectancy (ALE).
During testing, a risk practitioner finds the IT department’s recovery time objective (RTO) for a key system does not align with the enterprise’s business continuity plan (BCP).
Which of the following should be done NEXT?
- A . Report the gap to senior management.
- B . Consult with the IT department to update the RTO.
- C . Complete a risk exception form.
- D . Consult with the business owner to update the BCP.
Which of the following is the MOST important key performance indicator (KPI) to establish in the service level agreement (SLA) for an outsourced data center?
- A . Percentage of systems included in recovery processes
- B . Number of key systems hosted
- C . Average response time to resolve system incidents
- D . Percentage of system availability
Which of the following is the MOST important factor affecting risk management in an organization?
- A . The risk manager’s expertise
- B . Regulatory requirements
- C . Board of directors’ expertise
- D . The organization’s culture
A global organization is considering the acquisition of a competitor. Senior management has requested a review of the overall risk profile from the targeted organization.
Which of the following components of this review would provide the MOST useful information?
- A . Risk appetite statement
- B . Enterprise risk management framework
- C . Risk management policies
- D . Risk register
Which of the following should be the PRIMARY input when designing IT controls?
- A . Benchmark of industry standards
- B . Internal and external risk reports
- C . Recommendations from IT risk experts
- D . Outcome of control self-assessments
A rule-based data loss prevention (DLP) tool has recently been implemented to reduce the risk of sensitive data leakage.
Which of the following is MOST likely to change as a result of this implementation?
- A . Risk likelihood
- B . Risk velocity
- C . Risk appetite
- D . Risk impact
The PRIMARY objective of testing the effectiveness of a new control before implementation is to:
- A . ensure that risk is mitigated by the control.
- B . measure efficiency of the control process.
- C . confirm control alignment with business objectives.
- D . comply with the organization’s policy.
Which of the following is the MOST important benefit of key risk indicators (KRIs)?
- A . Assisting in continually optimizing risk governance
- B . Enabling the documentation and analysis of trends
- C . Ensuring compliance with regulatory requirements
- D . Providing an early warning to take proactive actions
Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?
- A . Align business objectives to the risk profile.
- B . Assess risk against business objectives.
- C . Implement an organization-specific risk taxonomy.
- D . Explain risk details to management.
Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?
- A . Risk mitigation budget
- B . Business impact analysis
- C . Cost-benefit analysis
- D . Return on investment
A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures.
Of the following, who should be accountable?
- A . Business continuity manager (BCM)
- B . Human resources manager (HRM)
- C . Chief risk officer (CRO)
- D . Chief information officer (CIO)
A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security.
Which of the following observations would be MOST relevant to escalate to senior management?
- A . An increase in attempted distributed denial of service (DDoS) attacks
- B . An increase in attempted website phishing attacks
- C . A decrease in achievement of service level agreements (SLAs)
- D . A decrease in remediated web security vulnerabilities
Which of the following elements of a risk register is MOST likely to change as a result of change in management’s risk appetite?
- A . Key risk indicator (KRI) thresholds
- B . Inherent risk
- C . Risk likelihood and impact
- D . Risk velocity
Which of the following would be a risk practitioner’s BEST recommendation for preventing cyber intrusion?
- A . Establish a cyber response plan.
- B . Implement data loss prevention (DLP) tools.
- C . Implement network segregation.
- D . Strengthen vulnerability remediation efforts.
An organization wants to assess the maturity of its internal control environment.
The FIRST step should be to:
- A . validate control process execution.
- B . determine if controls are effective.
- C . identify key process owners.
- D . conduct a baseline assessment.
Which of the following roles would provide the MOST important input when identifying IT risk scenarios?
- A . Information security managers
- B . Internal auditors
- C . Business process owners
- D . Operational risk managers
Which of the following risk register updates is MOST important for senior management to review?
- A . Extending the date of a future action plan by two months
- B . Retiring a risk scenario no longer used
- C . Avoiding a risk that was previously accepted
- D . Changing a risk owner
Which of the following is the BEST method for assessing control effectiveness?
- A . Ad hoc control reporting
- B . Control self-assessment
- C . Continuous monitoring
- D . Predictive analytics
The MOST effective way to increase the likelihood that risk responses will be implemented is to:
- A . create an action plan.
- B . assign ownership.
- C . review progress reports.
- D . perform regular audits.
During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT.
Which of the following is the BEST way for the risk practitioner to address these concerns?
- A . Describe IT risk scenarios in terms of business risk.
- B . Recommend the formation of an executive risk council to oversee IT risk.
- C . Provide an estimate of IT system downtime if IT risk materializes.
- D . Educate business executives on IT risk concepts.
Which of the following would BEST help to ensure that identified risk is efficiently managed?
- A . Reviewing the maturity of the control environment
- B . Regularly monitoring the project plan
- C . Maintaining a key risk indicator for each asset in the risk register
- D . Periodically reviewing controls per the risk treatment plan
Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?
- A . Identify the potential risk.
- B . Monitor employee usage.
- C . Assess the potential risk.
- D . Develop risk awareness training.
Which of the following is the BEST way to identify changes to the risk landscape?
- A . Internal audit reports
- B . Access reviews
- C . Threat modeling
- D . Root cause analysis
In an organization with a mature risk management program, which of the following would provide the BEST evidence that the IT risk profile is up to date?
- A . Risk questionnaire
- B . Risk register
- C . Management assertion
- D . Compliance manual
The PRIMARY benefit of maintaining an up-to-date risk register is that it helps to:
- A . implement uniform controls for common risk scenarios.
- B . ensure business unit risk is uniformly distributed.
- C . build a risk profile for management review.
- D . quantify the organization’s risk appetite.
Which of the following is the BEST key performance indicator (KPI) to measure the maturity of an organization’s security incident handling process?
- A . The number of security incidents escalated to senior management
- B . The number of resolved security incidents
- C . The number of newly identified security incidents
- D . The number of recurring security incidents
Which of the following should be the risk practitioner’s PRIMARY focus when determining whether controls are adequate to mitigate risk?
- A . Sensitivity analysis
- B . Level of residual risk
- C . Cost-benefit analysis
- D . Risk appetite
From a business perspective, which of the following is the MOST important objective of a disaster recovery test?
- A . The organization gains assurance it can recover from a disaster.
- B . Errors are discovered in the disaster recovery process.
- C . All business critical systems are successfully tested.
- D . All critical data is recovered within recovery time objectives (RTOs).
Which of the following is the PRIMARY factor in determining a recovery time objective (RTO)?
- A . Cost of offsite backup premises
- B . Cost of downtime due to a disaster
- C . Cost of testing the business continuity plan
- D . Response time of the emergency action plan
A risk assessment has identified that an organization may not be in compliance with industry regulations.
The BEST course of action would be to:
- A . conduct a gap analysis against compliance criteria.
- B . identify necessary controls to ensure compliance.
- C . modify internal assurance activities to include control validation.
- D . collaborate with management to meet compliance requirements.
A risk practitioner is summarizing the results of a high-profile risk assessment sponsored by senior management.
The BEST way to support risk-based decisions by senior management would be to:
- A . map findings to objectives.
- B . provide a quantified detailed analysis.
- C . recommend risk tolerance thresholds.
- D . quantify key risk indicators (KRIs).
Which of the following is the BEST way to determine the ongoing efficiency of control processes?
- A . Perform annual risk assessments.
- B . Interview process owners.
- C . Review the risk register.
- D . Analyze key performance indicators (KPIs).
An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application.
Which of the following should be the NEXT course of action?
- A . Invoke the disaster recovery plan during an incident.
- B . Prepare a cost-benefit analysis of alternatives available.
- C . Implement redundant infrastructure for the application.
- D . Reduce the recovery time by strengthening the response team.
Which of the following is the MOST important consideration when sharing risk management updates with executive management?
- A . Using an aggregated view of organizational risk
- B . Ensuring relevance to organizational goals
- C . Relying on key risk indicator (KRI) data
- D . Including trend analysis of risk metrics
Which of the following activities would BEST contribute to promoting an organization-wide risk-aware culture?
- A . Performing a benchmark analysis and evaluating gaps
- B . Conducting risk assessments and implementing controls
- C . Communicating components of risk and their acceptable levels
- D . Participating in peer reviews and implementing best practices
Which of the following would be MOST helpful when estimating the likelihood of negative events?
- A . Business impact analysis
- B . Threat analysis
- C . Risk response analysis
- D . Cost-benefit analysis
A risk practitioner is organizing risk awareness training for senior management.
Which of the following is the MOST important topic to cover in the training session?
- A . The organization’s strategic risk management projects
- B . Senior management roles and responsibilities
- C . The organization’s risk appetite and tolerance
- D . Senior management allocation of risk management resources
An organization has identified a risk exposure due to weak technical controls in a newly implemented HR system.
The risk practitioner is documenting the risk in the risk register. The risk should be owned by the:
- A . chief risk officer.
- B . project manager.
- C . chief information officer.
- D . business process owner.
When using a third party to perform penetration testing, which of the following is the MOST important control to minimize operational impact?
- A . Perform a background check on the vendor.
- B . Require the vendor to sign a nondisclosure agreement.
- C . Require the vendor to have liability insurance.
- D . Clearly define the project scope.
Which of the following would MOST effectively enable a business operations manager to identify events exceeding risk thresholds?
- A . Continuous monitoring
- B . A control self-assessment
- C . Transaction logging
- D . Benchmarking against peers
The MOST important characteristic of an organization’s policies is to reflect the organization’s:
- A . risk assessment methodology.
- B . risk appetite.
- C . capabilities.
- D . asset value.
A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:
- A . communication.
- B . identification.
- C . treatment.
- D . assessment.
A trusted third party service provider has determined that the risk of a client’s systems being hacked is low.
Which of the following would be the client’s BEST course of action?
- A . Perform their own risk assessment.
- B . Implement additional controls to address the risk.
- C . Accept the risk based on the third party’s risk assessment.
- D . Perform an independent audit of the third party.
Which of the following is the BEST course of action to reduce risk impact?
- A . Create an IT security policy.
- B . Implement corrective measures.
- C . Implement detective controls.
- D . Leverage existing technology.
Improvements in the design and implementation of a control will MOST likely result in an update to:
- A . inherent risk.
- B . residual risk.
- C . risk appetite.
- D . risk tolerance.
A risk practitioner observes that hardware failure incidents have been increasing over the last few months. However, due to built-in redundancy and fault-tolerant architecture, there have been no interruptions to business operations. The risk practitioner should conclude that:
- A . a root cause analysis is required.
- B . controls are effective for ensuring continuity.
- C . hardware needs to be upgraded.
- D . no action is required as there was no impact.
A risk practitioner discovers several key documents detailing the design of a product currently in development have been posted on the Internet.
What should be the risk practitioner’s FIRST course of action?
- A . Invoke the established incident response plan.
- B . Inform internal audit.
- C . Perform a root cause analysis.
- D . Conduct an immediate risk assessment.
During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards.
The overall control environment may still be effective if:
- A . compensating controls are in place.
- B . a control mitigation plan is in place.
- C . risk management is effective.
- D . residual risk is accepted.
After a risk has been identified, who is in the BEST position to select the appropriate risk treatment option?
- A . The risk practitioner
- B . The business process owner
- C . The risk owner
- D . The control owner
A data processing center operates in a jurisdiction where new regulations have significantly increased penalties for data breaches.
Which of the following elements of the risk register is MOST important to update to reflect this change?
- A . Risk impact
- B . Risk trend
- C . Risk appetite
- D . Risk likelihood
Which of the following would BEST provide early warning of a high-risk condition?
- A . Risk register
- B . Risk assessment
- C . Key risk indicator (KRI)
- D . Key performance indicator (KPI)
What is the BEST information to present to business control owners when justifying costs related to controls?
- A . Loss event frequency and magnitude
- B . The previous year’s budget and actuals
- C . Industry benchmarks and standards
- D . Return on IT security-related investments
Which of the following should be the PRIMARY consideration when assessing the automation of control monitoring?
- A . Impact due to failure of control
- B . Frequency of failure of control
- C . Contingency plan for residual risk
- D . Cost-benefit analysis of automation
An organization has determined a risk scenario is outside the defined risk tolerance level.
What should be the NEXT course of action?
- A . Develop a compensating control.
- B . Allocate remediation resources.
- C . Perform a cost-benefit analysis.
- D . Identify risk responses.
A risk practitioner is organizing a training session to communicate risk assessment methodologies to ensure a consistent risk view within the organization.
Which of the following is the MOST important topic to cover in this training?
- A . Applying risk appetite
- B . Applying risk factors
- C . Referencing risk event data
- D . Understanding risk culture
Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?
- A . Perform an in-depth code review with an expert.
- B . Validate functionality by running in a test environment.
- C . Implement a service level agreement.
- D . Utilize the change management process.
Which of the following would be MOST useful when measuring the progress of a risk response action plan?
- A . Percentage of mitigated risk scenarios
- B . Annual loss expectancy (ALE) changes
- C . Resource expenditure against budget
- D . An up-to-date risk register
An unauthorized individual has socially engineered entry into an organization’s secured physical premises.
Which of the following is the BEST way to prevent future occurrences?
- A . Employ security guards.
- B . Conduct security awareness training.
- C . Install security cameras.
- D . Require security access badges.
The analysis of which of the following will BEST help validate whether suspicious network activity is malicious?
- A . Logs and system events
- B . Intrusion detection system (IDS) rules
- C . Vulnerability assessment reports
- D . Penetration test reports
Which of the following is the MOST important outcome of reviewing the risk management process?
- A . Assuring the risk profile supports the IT objectives
- B . Improving the competencies of employees who performed the review
- C . Determining what changes should be made to IS policies to reduce risk
- D . Determining that procedures used in risk assessment are appropriate
Which of the following is the BEST metric to demonstrate the effectiveness of an organization’s change management process?
- A . Increase in the frequency of changes
- B . Percent of unauthorized changes
- C . Increase in the number of emergency changes
- D . Average time to complete changes
The PRIMARY advantage of implementing an IT risk management framework is the:
- A . establishment of a reliable basis for risk-aware decision making.
- B . compliance with relevant legal and regulatory requirements.
- C . improvement of controls within the organization and minimized losses.
- D . alignment of business goals with IT objectives.
During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall.
Which of the following controls has MOST likely been compromised?
- A . Data validation
- B . Identification
- C . Authentication
- D . Data integrity
Which of the following will BEST mitigate the risk associated with IT and business misalignment?
- A . Establishing business key performance indicators (KPIs)
- B . Introducing an established framework for IT architecture
- C . Establishing key risk indicators (KRIs)
- D . Involving the business process owner in IT strategy
Which of the following is the GREATEST benefit of incorporating IT risk scenarios into the corporate risk register?
- A . Corporate incident escalation protocols are established.
- B . Exposure is integrated into the organization’s risk profile.
- C . Risk appetite cascades to business unit management.
- D . The organization-wide control budget is expanded.
An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program.
The PRIMARY goal of this program should be to:
- A . reduce the risk to an acceptable level.
- B . communicate the consequences for violations.
- C . implement industry best practices.
- D . reduce the organization’s risk appetite.
Which of the following is the MOST important consideration when multiple risk practitioners capture risk scenarios in a single risk register?
- A . Aligning risk ownership and control ownership
- B . Developing risk escalation and reporting procedures
- C . Maintaining up-to-date risk treatment plans
- D . Using a consistent method for risk assessment