Month End Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: cramtick70

CRISC Certified in Risk and Information Systems Control Questions and Answers

Questions 4

Vulnerabilities have been detected on an organization's systems. Applications installed on these systems will not operate if the underlying servers are updated. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Recommend the business change the application.

B.

Recommend a risk treatment plan.

C.

Include the risk in the next quarterly update to management.

D.

Implement compensating controls.

Buy Now
Questions 5

A business unit is implementing a data analytics platform to enhance its customer relationship management (CRM) system primarily to process data that has been provided by its customers. Which of the following presents the GREATEST risk to the organization's reputation?

Options:

A.

Third-party software is used for data analytics.

B.

Data usage exceeds individual consent.

C.

Revenue generated is not disclosed to customers.

D.

Use of a data analytics system is not disclosed to customers.

Buy Now
Questions 6

Which of the following is the MOST appropriate action when a tolerance threshold is exceeded?

Options:

A.

Communicate potential impact to decision makers.

B.

Research the root cause of similar incidents.

C.

Verify the response plan is adequate.

D.

Increase human resources to respond in the interim.

Buy Now
Questions 7

Which of the following is the PRIMARY reason to use key control indicators (KCIs) to evaluate control operating effectiveness?

Options:

A.

To measure business exposure to risk

B.

To identify control vulnerabilities

C.

To monitor the achievement of set objectives

D.

To raise awareness of operational issues

Buy Now
Questions 8

Which of the following is the MOST important consideration when sharing risk management updates with executive management?

Options:

A.

Including trend analysis of risk metrics

B.

Using an aggregated view of organizational risk

C.

Relying on key risk indicator (KRI) data

D.

Ensuring relevance to organizational goals

Buy Now
Questions 9

Which of the following is the MOST important component in a risk treatment plan?

Options:

A.

Technical details

B.

Target completion date

C.

Treatment plan ownership

D.

Treatment plan justification

Buy Now
Questions 10

Which of the following is the BEST Key control indicator KCO to monitor the effectiveness of patch management?

Options:

A.

Percentage of legacy servers out of support

B.

Percentage of severs receiving automata patches

C.

Number of unpremeditated vulnerabilities

D.

Number of intrusion attempts

Buy Now
Questions 11

The BEST key performance indicator (KPI) for monitoring adherence to an organization's user accounts provisioning practices is the percentage of:

Options:

A.

accounts without documented approval

B.

user accounts with default passwords

C.

active accounts belonging to former personnel

D.

accounts with dormant activity.

Buy Now
Questions 12

Which of the following provides the MOST up-to-date information about the effectiveness of an organization's overall IT control environment?

Options:

A.

Key performance indicators (KPIs)

B.

Risk heat maps

C.

Internal audit findings

D.

Periodic penetration testing

Buy Now
Questions 13

A change management process has recently been updated with new testing procedures. What is the NEXT course of action?

Options:

A.

Monitor processes to ensure recent updates are being followed.

B.

Communicate to those who test and promote changes.

C.

Conduct a cost-benefit analysis to justify the cost of the control.

D.

Assess the maturity of the change management process.

Buy Now
Questions 14

Which of the following BEST facilitates the mitigation of identified gaps between current and desired risk environment states?

Options:

A.

Develop a risk treatment plan.

B.

Validate organizational risk appetite.

C.

Review results of prior risk assessments.

D.

Include the current and desired states in the risk register.

Buy Now
Questions 15

Which of the following is the PRIMARY risk management responsibility of the second line of defense?

Options:

A.

Monitoring risk responses

B.

Applying risk treatments

C.

Providing assurance of control effectiveness

D.

Implementing internal controls

Buy Now
Questions 16

The MOST important reason for implementing change control procedures is to ensure:

Options:

A.

only approved changes are implemented

B.

timely evaluation of change events

C.

an audit trail exists.

D.

that emergency changes are logged.

Buy Now
Questions 17

Which of the following would BEST indicate to senior management that IT processes are improving?

Options:

A.

Changes in the number of intrusions detected

B.

Changes in the number of security exceptions

C.

Changes in the position in the maturity model

D.

Changes to the structure of the risk register

Buy Now
Questions 18

When an organization is having new software implemented under contract, which of the following is key to controlling escalating costs?

Options:

A.

Risk management

B.

Change management

C.

Problem management

D.

Quality management

Buy Now
Questions 19

Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds?

Options:

A.

Occurrences of specific events

B.

A performance measurement

C.

The risk tolerance level

D.

Risk scenarios

Buy Now
Questions 20

An organization moved its payroll system to a Software as a Service (SaaS) application. A new data privacy regulation stipulates that data can only be processed within the country where it is collected. Which of the following should be done FIRST when addressing this situation?

Options:

A.

Analyze data protection methods.

B.

Understand data flows.

C.

Include a right-to-audit clause.

D.

Implement strong access controls.

Buy Now
Questions 21

Which of the following is the MOST effective way to integrate risk and compliance management?

Options:

A.

Embedding risk management into compliance decision-making

B.

Designing corrective actions to improve risk response capabilities

C.

Embedding risk management into processes that are aligned with business drivers

D.

Conducting regular self-assessments to verify compliance

Buy Now
Questions 22

What should be the PRIMARY driver for periodically reviewing and adjusting key risk indicators (KRIs)?

Options:

A.

Risk impact

B.

Risk likelihood

C.

Risk appropriate

D.

Control self-assessments (CSAs)

Buy Now
Questions 23

When reviewing a report on the performance of control processes, it is MOST important to verify whether the:

Options:

A.

business process objectives have been met.

B.

control adheres to regulatory standards.

C.

residual risk objectives have been achieved.

D.

control process is designed effectively.

Buy Now
Questions 24

Which of the following is the PRIMARY objective of providing an aggregated view of IT risk to business management?

Options:

A.

To enable consistent data on risk to be obtained

B.

To allow for proper review of risk tolerance

C.

To identify dependencies for reporting risk

D.

To provide consistent and clear terminology

Buy Now
Questions 25

The PRIMARY goal of conducting a business impact analysis (BIA) as part of an overall continuity planning process is to:

Options:

A.

obtain the support of executive management.

B.

map the business processes to supporting IT and other corporate resources.

C.

identify critical business processes and the degree of reliance on support services.

D.

document the disaster recovery process.

Buy Now
Questions 26

The MOST important objective of information security controls is to:

Options:

A.

Identify threats and vulnerability

B.

Ensure alignment with industry standards

C.

Provide measurable risk reduction

D.

Enforce strong security solutions

Buy Now
Questions 27

An organization discovers significant vulnerabilities in a recently purchased commercial off-the-shelf software product which will not be corrected until the next release. Which of the following is the risk manager's BEST course of action?

Options:

A.

Review the risk of implementing versus postponing with stakeholders.

B.

Run vulnerability testing tools to independently verify the vulnerabilities.

C.

Review software license to determine the vendor's responsibility regarding vulnerabilities.

D.

Require the vendor to correct significant vulnerabilities prior to installation.

Buy Now
Questions 28

Which of the following is MOST important when developing key risk indicators (KRIs)?

Options:

A.

Alignment with regulatory requirements

B.

Availability of qualitative data

C.

Properly set thresholds

D.

Alignment with industry benchmarks

Buy Now
Questions 29

An IT risk practitioner has been asked to regularly report on the overall status and effectiveness of the IT risk management program. Which of the following is MOST useful for this purpose?

Options:

A.

Balanced scorecard

B.

Capability maturity level

C.

Internal audit plan

D.

Control self-assessment (CSA)

Buy Now
Questions 30

Which of the following is the BEST key control indicator (KCI) for a vulnerability management program?

Options:

A.

Percentage of high-risk vulnerabilities missed

B.

Number of high-risk vulnerabilities outstanding

C.

Defined thresholds for high-risk vulnerabilities

D.

Percentage of high-risk vulnerabilities addressed

Buy Now
Questions 31

Which of the following statements BEST illustrates the relationship between key performance indicators (KPIs) and key control indicators (KCIs)?

Options:

A.

KPIs measure manual controls, while KCIs measure automated controls.

B.

KPIs and KCIs both contribute to understanding of control effectiveness.

C.

A robust KCI program will replace the need to measure KPIs.

D.

KCIs are applied at the operational level while KPIs are at the strategic level.

Buy Now
Questions 32

To reduce costs, an organization is combining the second and third tines of defense in a new department that reports to a recently appointed C-level executive. Which of the following is the GREATEST concern with this situation?

Options:

A.

The risk governance approach of the second and third lines of defense may differ.

B.

The independence of the internal third line of defense may be compromised.

C.

Cost reductions may negatively impact the productivity of other departments.

D.

The new structure is not aligned to the organization's internal control framework.

Buy Now
Questions 33

When reviewing a business continuity plan (BCP). which of the following would be the MOST significant deficiency?

Options:

A.

BCP testing is net in conjunction with the disaster recovery plan (DRP)

B.

Recovery time objectives (RTOs) do not meet business requirements.

C.

BCP is often tested using the walk-through method.

D.

Each business location has separate, inconsistent BCPs.

Buy Now
Questions 34

Legal and regulatory risk associated with business conducted over the Internet is driven by:

Options:

A.

the jurisdiction in which an organization has its principal headquarters

B.

international law and a uniform set of regulations.

C.

the laws and regulations of each individual country

D.

international standard-setting bodies.

Buy Now
Questions 35

From a risk management perspective, the PRIMARY objective of using maturity models is to enable:

Options:

A.

solution delivery.

B.

resource utilization.

C.

strategic alignment.

D.

performance evaluation.

Buy Now
Questions 36

An organization must make a choice among multiple options to respond to a risk. The stakeholders cannot agree and decide to postpone the decision. Which of the following risk responses has the organization adopted?

Options:

A.

Transfer

B.

Mitigation

C.

Avoidance

D.

Acceptance

Buy Now
Questions 37

Several network user accounts were recently created without the required management approvals. Which of the following would be the risk practitioner's BEST recommendation to address this situation?

Options:

A.

Conduct a comprehensive compliance review.

B.

Develop incident response procedures for noncompliance.

C.

Investigate the root cause of noncompliance.

D.

Declare a security breach and Inform management.

Buy Now
Questions 38

The BEST indication that risk management is effective is when risk has been reduced to meet:

Options:

A.

risk levels.

B.

risk budgets.

C.

risk appetite.

D.

risk capacity.

Buy Now
Questions 39

A maturity model is MOST useful to an organization when it:

Options:

A.

benchmarks against other organizations

B.

defines a qualitative measure of risk

C.

provides a reference for progress

D.

provides risk metrics.

Buy Now
Questions 40

An organization has been notified that a disgruntled, terminated IT administrator has tried to break into the corporate network. Which of the following discoveries should be of GREATEST concern to the organization?

Options:

A.

Authentication logs have been disabled.

B.

An external vulnerability scan has been detected.

C.

A brute force attack has been detected.

D.

An increase in support requests has been observed.

Buy Now
Questions 41

While reviewing an organization's monthly change management metrics, a risk practitioner notes that the number of emergency changes has increased substantially Which of the following would be the BEST approach for the risk practitioner to take?

Options:

A.

Temporarily suspend emergency changes.

B.

Document the control deficiency in the risk register.

C.

Conduct a root cause analysis.

D.

Continue monitoring change management metrics.

Buy Now
Questions 42

Determining if organizational risk is tolerable requires:

Options:

A.

mapping residual risk with cost of controls

B.

comparing against regulatory requirements

C.

comparing industry risk appetite with the organizations.

D.

understanding the organization's risk appetite.

Buy Now
Questions 43

During an internal IT audit, an active network account belonging to a former employee was identified. Which of the following is the BEST way to prevent future occurrences?

Options:

A.

Conduct a comprehensive review of access management processes.

B.

Declare a security incident and engage the incident response team.

C.

Conduct a comprehensive awareness session for system administrators.

D.

Evaluate system administrators' technical skills to identify if training is required.

Buy Now
Questions 44

An organization automatically approves exceptions to security policies on a recurring basis. This practice is MOST likely the result of:

Options:

A.

a lack of mitigating actions for identified risk

B.

decreased threat levels

C.

ineffective service delivery

D.

ineffective IT governance

Buy Now
Questions 45

Which of the following provides the BEST measurement of an organization's risk management maturity level?

Options:

A.

Level of residual risk

B.

The results of a gap analysis

C.

IT alignment to business objectives

D.

Key risk indicators (KRIs)

Buy Now
Questions 46

An IT control gap has been identified in a key process. Who would be the MOST appropriate owner of the risk associated with this gap?

Options:

A.

Key control owner

B.

Operational risk manager

C.

Business process owner

D.

Chief information security officer (CISO)

Buy Now
Questions 47

Which of the following issues should be of GREATEST concern when evaluating existing controls during a risk assessment?

Options:

A.

A high number of approved exceptions exist with compensating controls.

B.

Successive assessments have the same recurring vulnerabilities.

C.

Redundant compensating controls are in place.

D.

Asset custodians are responsible for defining controls instead of asset owners.

Buy Now
Questions 48

An IT department has provided a shared drive for personnel to store information to which all employees have access. Which of the following parties is accountable for the risk of potential loss of confidential information?

Options:

A.

Risk manager

B.

Data owner

C.

End user

D.

IT department

Buy Now
Questions 49

The MAIN reason for creating and maintaining a risk register is to:

Options:

A.

assess effectiveness of different projects.

B.

define the risk assessment methodology.

C.

ensure assets have low residual risk.

D.

account for identified key risk factors.

Buy Now
Questions 50

An organization outsources the processing of us payroll data A risk practitioner identifies a control weakness at the third party trial exposes the payroll data. Who should own this risk?

Options:

A.

The third party's IT operations manager

B.

The organization's process owner

C.

The third party's chief risk officer (CRO)

D.

The organization's risk practitioner

Buy Now
Questions 51

Which of the following is necessary to enable an IT risk register to be consolidated with the rest of the organization’s risk register?

Options:

A.

Risk taxonomy

B.

Risk response

C.

Risk appetite

D.

Risk ranking

Buy Now
Questions 52

An organization recently received an independent security audit report of its cloud service provider that indicates significant control weaknesses. What should be done NEXT in response to this report?

Options:

A.

Migrate all data to another compliant service provider.

B.

Analyze the impact of the provider's control weaknesses to the business.

C.

Conduct a follow-up audit to verify the provider's control weaknesses.

D.

Review the contract to determine if penalties should be levied against the provider.

Buy Now
Questions 53

Which of the following BEST indicates the effectiveness of anti-malware software?

Options:

A.

Number of staff hours lost due to malware attacks

B.

Number of downtime hours in business critical servers

C.

Number of patches made to anti-malware software

D.

Number of successful attacks by malicious software

Buy Now
Questions 54

Which of the following controls BEST enables an organization to ensure a complete and accurate IT asset inventory?

Options:

A.

Prohibiting the use of personal devices for business

B.

Performing network scanning for unknown devices

C.

Requesting an asset list from business owners

D.

Documenting asset configuration baselines

Buy Now
Questions 55

Which of the following will BEST support management reporting on risk?

Options:

A.

Control self-assessment (CSA)

B.

Risk policy requirements

C.

A risk register

D.

Key performance indicators (KPIs)

Buy Now
Questions 56

It is MOST important for a risk practitioner to have an awareness of an organization s processes in order to:

Options:

A.

perform a business impact analysis.

B.

identify potential sources of risk.

C.

establish risk guidelines.

D.

understand control design.

Buy Now
Questions 57

Which of the following BEST supports ethical IT risk management practices?

Options:

A.

Robust organizational communication channels

B.

Mapping of key risk indicators (KRIs) to corporate strategy

C.

Capability maturity models integrated with risk management frameworks

D.

Rigorously enforced operational service level agreements (SLAs)

Buy Now
Questions 58

Which of the following is the MOST critical element to maximize the potential for a successful security implementation?

Options:

A.

The organization's knowledge

B.

Ease of implementation

C.

The organization's culture

D.

industry-leading security tools

Buy Now
Questions 59

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery test of critical business processes?

Options:

A.

Percentage of job failures identified and resolved during the recovery process

B.

Percentage of processes recovered within the recovery time and point objectives

C.

Number of current test plans and procedures

D.

Number of issues and action items resolved during the recovery test

Buy Now
Questions 60

Several newly identified risk scenarios are being integrated into an organization's risk register. The MOST appropriate risk owner would be the individual who:

Options:

A.

is in charge of information security.

B.

is responsible for enterprise risk management (ERM)

C.

can implement remediation action plans.

D.

is accountable for loss if the risk materializes.

Buy Now
Questions 61

Prudent business practice requires that risk appetite not exceed:

Options:

A.

inherent risk.

B.

risk tolerance.

C.

risk capacity.

D.

residual risk.

Buy Now
Questions 62

The PRIMARY benefit of using a maturity model is that it helps to evaluate the:

Options:

A.

capability to implement new processes

B.

evolution of process improvements

C.

degree of compliance with policies and procedures

D.

control requirements.

Buy Now
Questions 63

Which of the following is an IT business owner's BEST course of action following an unexpected increase in emergency changes?

Options:

A.

Evaluating the impact to control objectives

B.

Conducting a root cause analysis

C.

Validating the adequacy of current processes

D.

Reconfiguring the IT infrastructure

Buy Now
Questions 64

To reduce the risk introduced when conducting penetration tests, the BEST mitigating control would be to:

Options:

A.

require the vendor to sign a nondisclosure agreement

B.

clearly define the project scope.

C.

perform background checks on the vendor.

D.

notify network administrators before testing

Buy Now
Questions 65

Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?

Options:

A.

Customer database manager

B.

Customer data custodian

C.

Data privacy officer

D.

Audit committee

Buy Now
Questions 66

Which of the following should be an element of the risk appetite of an organization?

Options:

A.

The effectiveness of compensating controls

B.

The enterprise's capacity to absorb loss

C.

The residual risk affected by preventive controls

D.

The amount of inherent risk considered appropriate

Buy Now
Questions 67

Which of the following should be considered FIRST when creating a comprehensive IT risk register?

Options:

A.

Risk management budget

B.

Risk mitigation policies

C.

Risk appetite

D.

Risk analysis techniques

Buy Now
Questions 68

Which of the following is the BEST control to detect an advanced persistent threat (APT)?

Options:

A.

Utilizing antivirus systems and firewalls

B.

Conducting regular penetration tests

C.

Monitoring social media activities

D.

Implementing automated log monitoring

Buy Now
Questions 69

A risk practitioner has discovered a deficiency in a critical system that cannot be patched. Which of the following should be the risk practitioner's FIRST course of action?

Options:

A.

Report the issue to internal audit.

B.

Submit a request to change management.

C.

Conduct a risk assessment.

D.

Review the business impact assessment.

Buy Now
Questions 70

Which of the following is the GREATEST risk associated with an environment that lacks documentation of the architecture?

Options:

A.

Unknown vulnerabilities

B.

Legacy technology systems

C.

Network isolation

D.

Overlapping threats

Buy Now
Questions 71

An organization is conducting a review of emerging risk. Which of the following is the BEST input for this exercise?

Options:

A.

Audit reports

B.

Industry benchmarks

C.

Financial forecasts

D.

Annual threat reports

Buy Now
Questions 72

Which of the following is MOST important when considering risk in an enterprise risk management (ERM) process?

Options:

A.

Financial risk is given a higher priority.

B.

Risk with strategic impact is included.

C.

Security strategy is given a higher priority.

D.

Risk identified by industry benchmarking is included.

Buy Now
Questions 73

A violation of segregation of duties is when the same:

Options:

A.

user requests and tests the change prior to production.

B.

user authorizes and monitors the change post-implementation.

C.

programmer requests and tests the change prior to production.

D.

programmer writes and promotes code into production.

Buy Now
Questions 74

Which of the following is MOST important for a risk practitioner to verify when evaluating the effectiveness of an organization's existing controls?

Options:

A.

Senior management has approved the control design.

B.

Inherent risk has been reduced from original levels.

C.

Residual risk remains within acceptable levels.

D.

Costs for control maintenance are reasonable.

Buy Now
Questions 75

Which of the following BEST indicates the risk appetite and tolerance level (or the risk associated with business interruption caused by IT system failures?

Options:

A.

Mean time to recover (MTTR)

B.

IT system criticality classification

C.

Incident management service level agreement (SLA)

D.

Recovery time objective (RTO)

Buy Now
Questions 76

Which of the following is MOST helpful in preventing risk events from materializing?

Options:

A.

Prioritizing and tracking issues

B.

Establishing key risk indicators (KRIs)

C.

Reviewing and analyzing security incidents

D.

Maintaining the risk register

Buy Now
Questions 77

Which of the following practices BEST mitigates risk related to enterprise-wide ethical decision making in a multi-national organization?

Options:

A.

Customized regional training on local laws and regulations

B.

Policies requiring central reporting of potential procedure exceptions

C.

Ongoing awareness training to support a common risk culture

D.

Zero-tolerance policies for risk taking by middle-level managers

Buy Now
Questions 78

Which of the following scenarios represents a threat?

Options:

A.

Connecting a laptop to a free, open, wireless access point (hotspot)

B.

Visitors not signing in as per policy

C.

Storing corporate data in unencrypted form on a laptop

D.

A virus transmitted on a USB thumb drive

Buy Now
Questions 79

Which of the following is the FIRST step in risk assessment?

Options:

A.

Review risk governance

B.

Asset identification

C.

Identify risk factors

D.

Inherent risk identification

Buy Now
Questions 80

Which of the following is the BEST source for identifying key control indicators (KCIs)?

Options:

A.

Privileged user activity monitoring controls

B.

Controls mapped to organizational risk scenarios

C.

Recent audit findings of control weaknesses

D.

A list of critical security processes

Buy Now
Questions 81

A risk practitioner has been notified of a social engineering attack using artificial intelligence (Al) technology to impersonate senior management personnel. Which of the following would BEST mitigate the impact of such attacks?

Options:

A.

Training and awareness of employees for increased vigilance

B.

Increased monitoring of executive accounts

C.

Subscription to data breach monitoring sites

D.

Suspension and takedown of malicious domains or accounts

Buy Now
Questions 82

Which of the following is PRIMARILY responsible for providing assurance to the board of directors and senior management during the evaluation of a risk management program implementation?

Options:

A.

Risk management

B.

Business units

C.

External audit

D.

Internal audit

Buy Now
Questions 83

A risk manager has determined there is excessive risk with a particular technology. Who is the BEST person to own the unmitigated risk of the technology?

Options:

A.

IT system owner

B.

Chief financial officer

C.

Chief risk officer

D.

Business process owner

Buy Now
Questions 84

Which of the following is the MOST important objective of establishing an enterprise risk management (ERM) function within an organization?

Options:

A.

To have a unified approach to risk management across the organization

B.

To have a standard risk management process for complying with regulations

C.

To optimize risk management resources across the organization

D.

To ensure risk profiles are presented in a consistent format within the organization

Buy Now
Questions 85

Which of the following should be done FIRST when developing a data protection management plan?

Options:

A.

Perform a cost-benefit analysis.

B.

Identify critical data.

C.

Establish a data inventory.

D.

Conduct a risk analysis.

Buy Now
Questions 86

Which of the following is MOST useful for measuring the existing risk management process against a desired state?

Options:

A.

Balanced scorecard

B.

Risk management framework

C.

Capability maturity model

D.

Risk scenario analysis

Buy Now
Questions 87

Which of the following risk management practices BEST facilitates the incorporation of IT risk scenarios into the enterprise-wide risk register?

Options:

A.

Key risk indicators (KRls) are developed for key IT risk scenarios

B.

IT risk scenarios are assessed by the enterprise risk management team

C.

Risk appetites for IT risk scenarios are approved by key business stakeholders.

D.

IT risk scenarios are developed in the context of organizational objectives.

Buy Now
Questions 88

Which of the following would be the BEST key performance indicator (KPI) for monitoring the effectiveness of the IT asset management process?

Options:

A.

Percentage of unpatched IT assets

B.

Percentage of IT assets without ownership

C.

The number of IT assets securely disposed during the past year

D.

The number of IT assets procured during the previous month

Buy Now
Questions 89

Which of the following would provide the MOST useful information to a risk owner when reviewing the progress of risk mitigation?

Options:

A.

Key audit findings

B.

Treatment plan status

C.

Performance indicators

D.

Risk scenario results

Buy Now
Questions 90

Which of me following is MOST helpful to mitigate the risk associated with an application under development not meeting business objectives?

Options:

A.

Identifying tweets that may compromise enterprise architecture (EA)

B.

Including diverse Business scenarios in user acceptance testing (UAT)

C.

Performing risk assessments during the business case development stage

D.

Including key stakeholders in review of user requirements

Buy Now
Questions 91

What are the MOST essential attributes of an effective Key control indicator (KCI)?

Options:

A.

Flexibility and adaptability

B.

Measurability and consistency

C.

Robustness and resilience

D.

Optimal cost and benefit

Buy Now
Questions 92

Which of the following would MOST likely cause a risk practitioner to change the likelihood rating in the risk register?

Options:

A.

Risk appetite

B.

Control cost

C.

Control effectiveness

D.

Risk tolerance

Buy Now
Questions 93

Which of the following is the BEST way to manage the risk associated with malicious activities performed by database administrators (DBAs)?

Options:

A.

Activity logging and monitoring

B.

Periodic access review

C.

Two-factor authentication

D.

Awareness training and background checks

Buy Now
Questions 94

Which of the following would be MOST helpful to a risk practitioner when ensuring that mitigated risk remains within acceptable limits?

Options:

A.

Building an organizational risk profile after updating the risk register

B.

Ensuring risk owners participate in a periodic control testing process

C.

Designing a process for risk owners to periodically review identified risk

D.

Implementing a process for ongoing monitoring of control effectiveness

Buy Now
Questions 95

The BEST way to improve a risk register is to ensure the register:

Options:

A.

is updated based upon significant events.

B.

documents possible countermeasures.

C.

contains the risk assessment completion date.

D.

is regularly audited.

Buy Now
Questions 96

Which of the following is the MOST effective control to ensure user access is maintained on a least-privilege basis?

Options:

A.

User authorization

B.

User recertification

C.

Change log review

D.

Access log monitoring

Buy Now
Questions 97

Which of the following is the BEST indication of a mature organizational risk culture?

Options:

A.

Corporate risk appetite is communicated to staff members.

B.

Risk owners understand and accept accountability for risk.

C.

Risk policy has been published and acknowledged by employees.

D.

Management encourages the reporting of policy breaches.

Buy Now
Questions 98

An organization has detected unauthorized logins to its client database servers. Which of the following should be of GREATEST concern?

Options:

A.

Potential increase in regulatory scrutiny

B.

Potential system downtime

C.

Potential theft of personal information

D.

Potential legal risk

Buy Now
Questions 99

Which of the following is the BEST way to identify changes in the risk profile of an organization?

Options:

A.

Monitor key risk indicators (KRIs).

B.

Monitor key performance indicators (KPIs).

C.

Interview the risk owner.

D.

Conduct a gap analysis

Buy Now
Questions 100

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an anti-virus program?

Options:

A.

Frequency of anti-virus software updates

B.

Number of alerts generated by the anti-virus software

C.

Number of false positives detected over a period of time

D.

Percentage of IT assets with current malware definitions

Buy Now
Questions 101

The risk associated with inadvertent disclosure of database records from a public cloud service provider (CSP) would MOST effectively be reduced by:

Options:

A.

encrypting the data

B.

including a nondisclosure clause in the CSP contract

C.

assessing the data classification scheme

D.

reviewing CSP access privileges

Buy Now
Questions 102

Which of the following activities is PRIMARILY the responsibility of senior management?

Options:

A.

Bottom-up identification of emerging risks

B.

Categorization of risk scenarios against a standard taxonomy

C.

Prioritization of risk scenarios based on severity

D.

Review of external loss data

Buy Now
Questions 103

The PRIMARY reason for establishing various Threshold levels for a set of key risk indicators (KRIs) is to:

Options:

A.

highlight trends of developing risk.

B.

ensure accurate and reliable monitoring.

C.

take appropriate actions in a timely manner.

D.

set different triggers for each stakeholder.

Buy Now
Questions 104

An organization has four different projects competing for funding to reduce overall IT risk. Which project should management defer?

Options:

A.

Project Charlie

B.

Project Bravo

C.

Project Alpha

D.

Project Delta

Buy Now
Questions 105

Which of the following is MOST important for a risk practitioner to ensure once a risk action plan has been completed?

Options:

A.

The risk owner has validated outcomes.

B.

The risk register has been updated.

C.

The control objectives are mapped to risk objectives.

D.

The requirements have been achieved.

Buy Now
Questions 106

An organization has opened a subsidiary in a foreign country. Which of the following would be the BEST way to measure the effectiveness of the subsidiary's IT systems controls?

Options:

A.

Implement IT systems in alignment with business objectives.

B.

Review metrics and key performance indicators (KPIs).

C.

Review design documentation of IT systems.

D.

Evaluate compliance with legal and regulatory requirements.

Buy Now
Questions 107

An organization has outsourced its lease payment process to a service provider who lacks evidence of compliance with a necessary regulatory standard. Which risk treatment was adopted by the organization?

Options:

A.

Acceptance

B.

Transfer

C.

Mitigation

D.

Avoidance

Buy Now
Questions 108

A control owner identifies that the organization's shared drive contains personally identifiable information (Pll) that can be accessed by all personnel. Which of the following is the MOST effective risk response?

Options:

A.

Protect sensitive information with access controls.

B.

Implement a data loss prevention (DLP) solution.

C.

Re-communicate the data protection policy.

D.

Implement a data encryption solution.

Buy Now
Questions 109

Mitigating technology risk to acceptable levels should be based PRIMARILY upon:

Options:

A.

organizational risk appetite.

B.

business sector best practices.

C.

business process requirements.

D.

availability of automated solutions

Buy Now
Questions 110

A risk practitioner has been notified that an employee sent an email in error containing customers' personally identifiable information (Pll). Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Report it to the chief risk officer.

B.

Advise the employee to forward the email to the phishing team.

C.

follow incident reporting procedures.

D.

Advise the employee to permanently delete the email.

Buy Now
Questions 111

Who is accountable for risk treatment?

Options:

A.

Enterprise risk management team

B.

Risk mitigation manager

C.

Business process owner

D.

Risk owner

Buy Now
Questions 112

Following a significant change to a business process, a risk practitioner believes the associated risk has been reduced. The risk practitioner should advise the risk owner to FIRST

Options:

A.

review the key risk indicators.

B.

conduct a risk analysis.

C.

update the risk register

D.

reallocate risk response resources.

Buy Now
Questions 113

A risk practitioner is reviewing the status of an action plan to mitigate an emerging IT risk and finds the risk level has increased. The BEST course of action would be to:

Options:

A.

implement the planned controls and accept the remaining risk.

B.

suspend the current action plan in order to reassess the risk.

C.

revise the action plan to include additional mitigating controls.

D.

evaluate whether selected controls are still appropriate.

Buy Now
Questions 114

The BEST key performance indicator (KPI) to measure the effectiveness of a vendor risk management program is the percentage of:

Options:

A.

vendors providing risk assessments on time.

B.

vendor contracts reviewed in the past year.

C.

vendor risk mitigation action items completed on time.

D.

vendors that have reported control-related incidents.

Buy Now
Questions 115

Which of the following provides the MOST helpful reference point when communicating the results of a risk assessment to stakeholders?

Options:

A.

Risk tolerance

B.

Risk appetite

C.

Risk awareness

D.

Risk policy

Buy Now
Questions 116

It is MOST important to the effectiveness of an IT risk management function that the associated processes are:

Options:

A.

aligned to an industry-accepted framework.

B.

reviewed and approved by senior management.

C.

periodically assessed against regulatory requirements.

D.

updated and monitored on a continuous basis.

Buy Now
Questions 117

Which of the following is the MOST important input when developing risk scenarios?

Options:

A.

Key performance indicators

B.

Business objectives

C.

The organization's risk framework

D.

Risk appetite

Buy Now
Questions 118

Which of the following would be the GREATEST concern related to data privacy when implementing an Internet of Things (loT) solution that collects personally identifiable information (Pll)?

Options:

A.

A privacy impact assessment has not been completed.

B.

Data encryption methods apply to a subset of Pll obtained.

C.

The data privacy officer was not consulted.

D.

Insufficient access controls are used on the loT devices.

Buy Now
Questions 119

An organization has initiated a project to implement an IT risk management program for the first time. The BEST time for the risk practitioner to start populating the risk register is when:

Options:

A.

identifying risk scenarios.

B.

determining the risk strategy.

C.

calculating impact and likelihood.

D.

completing the controls catalog.

Buy Now
Questions 120

Which of the following MUST be assessed before considering risk treatment options for a scenario with significant impact?

Options:

A.

Risk magnitude

B.

Incident probability

C.

Risk appetite

D.

Cost-benefit analysis

Buy Now
Questions 121

A risk practitioner has observed that risk owners have approved a high number of exceptions to the information security policy. Which of the following should be the risk practitioner's GREATEST concern?

Options:

A.

Security policies are being reviewed infrequently.

B.

Controls are not operating efficiently.

C.

Vulnerabilities are not being mitigated

D.

Aggregate risk is approaching the tolerance threshold

Buy Now
Questions 122

Which of the following is the BEST method for identifying vulnerabilities?

Options:

A.

Batch job failure monitoring

B.

Periodic network scanning

C.

Annual penetration testing

D.

Risk assessments

Buy Now
Questions 123

Which of the following provides the BEST evidence that risk mitigation plans have been implemented effectively?

Options:

A.

Self-assessments by process owners

B.

Mitigation plan progress reports

C.

Risk owner attestation

D.

Change in the level of residual risk

Buy Now
Questions 124

The purpose of requiring source code escrow in a contractual agreement is to:

Options:

A.

ensure that the source code is valid and exists.

B.

ensure that the source code is available if the vendor ceases to exist.

C.

review the source code for adequacy of controls.

D.

ensure the source code is available when bugs occur.

Buy Now
Questions 125

Which of the following should be the PRIMARY recipient of reports showing the

progress of a current IT risk mitigation project?

Options:

A.

Senior management

B.

Project manager

C.

Project sponsor

D.

IT risk manager

Buy Now
Questions 126

Which of the following is the GREATEST concern when using a generic set of IT risk scenarios for risk analysis?

Options:

A.

Quantitative analysis might not be possible.

B.

Risk factors might not be relevant to the organization

C.

Implementation costs might increase.

D.

Inherent risk might not be considered.

Buy Now
Questions 127

Who is MOST likely to be responsible for the coordination between the IT risk strategy and the business risk strategy?

Options:

A.

Chief financial officer

B.

Information security director

C.

Internal audit director

D.

Chief information officer

Buy Now
Questions 128

Which of the following would provide executive management with the BEST information to make risk decisions as a result of a risk assessment?

Options:

A.

A companion of risk assessment results to the desired state

B.

A quantitative presentation of risk assessment results

C.

An assessment of organizational maturity levels and readiness

D.

A qualitative presentation of risk assessment results

Buy Now
Questions 129

An organization's financial analysis department uses an in-house forecasting application for business projections. Who is responsible for defining access roles to protect the sensitive data within this application?

Options:

A.

IT risk manager

B.

IT system owner

C.

Information security manager

D.

Business owner

Buy Now
Questions 130

Which of the following is the PRIMARY benefit of identifying and communicating with stakeholders at the onset of an IT risk assessment?

Options:

A.

Obtaining funding support

B.

Defining the risk assessment scope

C.

Selecting the risk assessment framework

D.

Establishing inherent risk

Buy Now
Questions 131

Which of the following BEST helps to balance the costs and benefits of managing IT risk?

Options:

A.

Prioritizing risk responses

B.

Evaluating risk based on frequency and probability

C.

Considering risk factors that can be quantified

D.

Managing the risk by using controls

Buy Now
Questions 132

Which of the following is the BEST way for a risk practitioner to verify that management has addressed control issues identified during a previous external audit?

Options:

A.

Interview control owners.

B.

Observe the control enhancements in operation.

C.

Inspect external audit documentation.

D.

Review management's detailed action plans.

Buy Now
Questions 133

A risk practitioner notices a trend of noncompliance with an IT-related control. Which of the following would BEST assist in making a recommendation to management?

Options:

A.

Assessing the degree to which the control hinders business objectives

B.

Reviewing the IT policy with the risk owner

C.

Reviewing the roles and responsibilities of control process owners

D.

Assessing noncompliance with control best practices

Buy Now
Questions 134

During a risk assessment, the risk practitioner finds a new risk scenario without controls has been entered into the risk register. Which of the following is the MOST appropriate action?

Options:

A.

Include the new risk scenario in the current risk assessment.

B.

Postpone the risk assessment until controls are identified.

C.

Request the risk scenario be removed from the register.

D.

Exclude the new risk scenario from the current risk assessment

Buy Now
Questions 135

When presenting risk, the BEST method to ensure that the risk is measurable against the organization's risk appetite is through the use of a:

Options:

A.

risk map

B.

cause-and-effect diagram

C.

maturity model

D.

technology strategy plan.

Buy Now
Questions 136

Which of the following is MOST important for an organization to have in place when developing a risk management framework?

Options:

A.

A strategic approach to risk including an established risk appetite

B.

A risk-based internal audit plan for the organization

C.

A control function within the risk management team

D.

An organization-wide risk awareness training program

Buy Now
Questions 137

When testing the security of an IT system, il is MOST important to ensure that;

Options:

A.

tests are conducted after business hours.

B.

operators are unaware of the test.

C.

external experts execute the test.

D.

agreement is obtained from stakeholders.

Buy Now
Questions 138

Which of the following provides the MOST important information to facilitate a risk response decision?

Options:

A.

Audit findings

B.

Risk appetite

C.

Key risk indicators

D.

Industry best practices

Buy Now
Questions 139

Which of the following is MOST important for developing effective key risk indicators (KRIs)?

Options:

A.

Engaging sponsorship by senior management

B.

Utilizing data and resources internal to the organization

C.

Including input from risk and business unit management

D.

Developing in collaboration with internal audit

Buy Now
Questions 140

Which of the following is the GREATEST risk associated with the transition of a sensitive data backup solution from on-premise to a cloud service provider?

Options:

A.

More complex test restores

B.

Inadequate service level agreement (SLA) with the provider

C.

More complex incident response procedures

D.

Inadequate data encryption

Buy Now
Questions 141

Business areas within an organization have engaged various cloud service providers directly without assistance from the IT department. What should the risk practitioner do?

Options:

A.

Recommend the IT department remove access to the cloud services.

B.

Engage with the business area managers to review controls applied.

C.

Escalate to the risk committee.

D.

Recommend a risk assessment be conducted.

Buy Now
Questions 142

The PRIMARY objective of the board of directors periodically reviewing the risk profile is to help ensure:

Options:

A.

the risk strategy is appropriate

B.

KRIs and KPIs are aligned

C.

performance of controls is adequate

D.

the risk monitoring process has been established

Buy Now
Questions 143

An identified high probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy. Which of the following is the BEST risk response?

Options:

A.

Mitigate

B.

Accept

C.

Transfer

D.

Avoid

Buy Now
Questions 144

The MAIN purpose of a risk register is to:

Options:

A.

document the risk universe of the organization.

B.

promote an understanding of risk across the organization.

C.

enable well-informed risk management decisions.

D.

identify stakeholders associated with risk scenarios.

Buy Now
Questions 145

The BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability remediation program is the number of:

Options:

A.

vulnerability scans.

B.

recurring vulnerabilities.

C.

vulnerabilities remediated,

D.

new vulnerabilities identified.

Buy Now
Questions 146

The implementation of a risk treatment plan will exceed the resources originally allocated for the risk response. Which of the following should be the risk owner's NEXT action?

Options:

A.

Perform a risk assessment.

B.

Accept the risk of not implementing.

C.

Escalate to senior management.

D.

Update the implementation plan.

Buy Now
Questions 147

When collecting information to identify IT-related risk, a risk practitioner should FIRST focus on IT:

Options:

A.

risk appetite.

B.

security policies

C.

process maps.

D.

risk tolerance level

Buy Now
Questions 148

A bank wants to send a critical payment order via email to one of its offshore branches. Which of the following is the BEST way to ensure the message reaches the intended recipient without alteration?

Options:

A.

Add a digital certificate

B.

Apply multi-factor authentication

C.

Add a hash to the message

D.

Add a secret key

Buy Now
Questions 149

Which of the following should management consider when selecting a risk mitigation option?

Options:

A.

Maturity of the enterprise architecture

B.

Cost of control implementation

C.

Reliability of key performance indicators (KPIs)

D.

Reliability of key risk indicators (KPIs)

Buy Now
Questions 150

To minimize risk in a software development project, when is the BEST time to conduct a risk analysis?

Options:

A.

During the business requirement definitions phase

B.

Before periodic steering committee meetings

C.

At each stage of the development life cycle

D.

During the business case development

Buy Now
Questions 151

Within the three lines of defense model, the accountability for the system of internal control resides with:

Options:

A.

the chief information officer (CIO).

B.

the board of directors

C.

enterprise risk management

D.

the risk practitioner

Buy Now
Questions 152

A risk practitioner has just learned about new done FIRST?

Options:

A.

Notify executive management.

B.

Analyze the impact to the organization.

C.

Update the IT risk register.

D.

Design IT risk mitigation plans.

Buy Now
Questions 153

Which of the following BEST helps to identify significant events that could impact an organization?

Vulnerability analysis

Options:

A.

Control analysis

B.

Scenario analysis

C.

Heat map analysis

Buy Now
Questions 154

An organization has received notification that it is a potential victim of a cybercrime that may have compromised sensitive customer data. What should be The FIRST course of action?

Options:

A.

Invoke the incident response plan.

B.

Determine the business impact.

C.

Conduct a forensic investigation.

D.

Invoke the business continuity plan (BCP).

Buy Now
Questions 155

Which of the following is MOST helpful in verifying that the implementation of a risk mitigation control has been completed as intended?

Options:

A.

An updated risk register

B.

Risk assessment results

C.

Technical control validation

D.

Control testing results

Buy Now
Questions 156

Controls should be defined during the design phase of system development because:

Options:

A.

it is more cost-effective to determine controls in the early design phase.

B.

structured analysis techniques exclude identification of controls.

C.

structured programming techniques require that controls be designed before coding begins.

D.

technical specifications are defined during this phase.

Buy Now
Questions 157

An organization has implemented a system capable of comprehensive employee monitoring. Which of the following should direct how the system is used?

Options:

A.

Organizational strategy

B.

Employee code of conduct

C.

Industry best practices

D.

Organizational policy

Buy Now
Questions 158

An organization is considering allowing users to access company data from their personal devices. Which of the following is the MOST important factor when assessing the risk?

Options:

A.

Classification of the data

B.

Type of device

C.

Remote management capabilities

D.

Volume of data

Buy Now
Questions 159

A risk owner has identified a risk with high impact and very low likelihood. The potential loss is covered by insurance. Which of the following should the risk practitioner do NEXT?

Options:

A.

Recommend avoiding the risk.

B.

Validate the risk response with internal audit.

C.

Update the risk register.

D.

Evaluate outsourcing the process.

Buy Now
Questions 160

Prior to selecting key performance indicators (KPIs), itis MOST important to ensure:

Options:

A.

trending data is available.

B.

process flowcharts are current.

C.

measurement objectives are defined.

D.

data collection technology is available.

Buy Now
Questions 161

What should a risk practitioner do FIRST when vulnerability assessment results identify a weakness in an application?

Options:

A.

Review regular control testing results.

B.

Recommend a penetration test.

C.

Assess the risk to determine mitigation needed.

D.

Analyze key performance indicators (KPIs).

Buy Now
Questions 162

What is the GREATEST concern with maintaining decentralized risk registers instead of a consolidated risk register?

Options:

A.

Aggregated risk may exceed the enterprise's risk appetite and tolerance.

B.

Duplicate resources may be used to manage risk registers.

C.

Standardization of risk management practices may be difficult to enforce.

D.

Risk analysis may be inconsistent due to non-uniform impact and likelihood scales.

Buy Now
Questions 163

A newly enacted information privacy law significantly increases financial penalties for breaches of personally identifiable information (Pll). Which of the following will MOST likely outcome for an organization affected by the new law?

Options:

A.

Increase in compliance breaches

B.

Increase in loss event impact

C.

Increase in residual risk

D.

Increase in customer complaints

Buy Now
Questions 164

An organization's internal audit department is considering the implementation of robotics process automation (RPA) to automate certain continuous auditing tasks. Who would own the risk associated with ineffective design of the software bots?

Options:

A.

Lead auditor

B.

Project manager

C.

Chief audit executive (CAE)

D.

Chief information officer (CIO)

Buy Now
Questions 165

Which of the following would BEST help secure online financial transactions from improper users?

Options:

A.

Review of log-in attempts

B.

multi-level authorization

C.

Periodic review of audit trails

D.

multi-factor authentication

Buy Now
Questions 166

To help ensure all applicable risk scenarios are incorporated into the risk register, it is MOST important to review the:

Options:

A.

risk mitigation approach

B.

cost-benefit analysis.

C.

risk assessment results.

D.

vulnerability assessment results

Buy Now
Questions 167

An organization is increasingly concerned about loss of sensitive data and asks the risk practitioner to assess the current risk level. Which of the following should the risk practitioner do FIRST?

Options:

A.

Identify staff members who have access to the organization's sensitive data.

B.

Identify locations where the organization's sensitive data is stored.

C.

Identify risk scenarios and owners associated with possible data loss vectors.

D.

Identify existing data loss controls and their levels of effectiveness.

Buy Now
Questions 168

Of the following, who should be responsible for determining the inherent risk rating of an application?

Options:

A.

Application owner

B.

Senior management

C.

Risk practitioner

D.

Business process owner

Buy Now
Questions 169

Which of the following is the BEST way to promote adherence to the risk tolerance level set by management?

Options:

A.

Defining expectations in the enterprise risk policy

B.

Increasing organizational resources to mitigate risks

C.

Communicating external audit results

D.

Avoiding risks that could materialize into substantial losses

Buy Now
Questions 170

Which of the following is a KEY responsibility of the second line of defense?

Options:

A.

Implementing control activities

B.

Monitoring control effectiveness

C.

Conducting control self-assessments

D.

Owning risk scenarios

Buy Now
Questions 171

A recent audit identified high-risk issues in a business unit though a previous control self-assessment (CSA) had good results. Which of the following is the MOST likely reason for the difference?

Options:

A.

The audit had a broader scope than the CSA.

B.

The CSA was not sample-based.

C.

The CSA did not test control effectiveness.

D.

The CSA was compliance-based, while the audit was risk-based.

Buy Now
Questions 172

Which of the following is the BEST course of action when risk is found to be above the acceptable risk appetite?

Options:

A.

Review risk tolerance levels

B.

Maintain the current controls.

C.

Analyze the effectiveness of controls.

D.

Execute the risk response plan

Buy Now
Questions 173

Which of the following is the MOST relevant information to include in a risk management strategy?

Options:

A.

Quantified risk triggers

B.

Cost of controls

C.

Regulatory requirements

D.

Organizational goals

Buy Now
Questions 174

Which of the following BEST facilitates the development of effective IT risk scenarios?

Options:

A.

Utilization of a cross-functional team

B.

Participation by IT subject matter experts

C.

Integration of contingency planning

D.

Validation by senior management

Buy Now
Questions 175

Which of the following is the PRIMARY reason for an organization to ensure the risk register is updated regularly?

Options:

A.

Risk assessment results are accessible to senior management and stakeholders.

B.

Risk mitigation activities are managed and coordinated.

C.

Key risk indicators (KRIs) are evaluated to validate they are still within the risk threshold.

D.

Risk information is available to enable risk-based decisions.

Buy Now
Questions 176

A monthly payment report is generated from the enterprise resource planning (ERP) software to validate data against the old and new payroll systems. What is the BEST way to mitigate the risk associated with data integrity loss in the new payroll system after data migration?

Options:

A.

Compare new system reports with functional requirements.

B.

Compare encrypted data with checksums.

C.

Compare results of user acceptance testing (UAT) with the testing criteria.

D.

Compare processing output from both systems using the previous month's data.

Buy Now
Questions 177

An organization has raised the risk appetite for technology risk. The MOST likely result would be:

Options:

A.

increased inherent risk.

B.

higher risk management cost

C.

decreased residual risk.

D.

lower risk management cost.

Buy Now
Questions 178

A risk practitioner is reviewing a vendor contract and finds there is no clause to control privileged access to the organization's systems by vendor employees. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Contact the control owner to determine if a gap in controls exists.

B.

Add this concern to the risk register and highlight it for management review.

C.

Report this concern to the contracts department for further action.

D.

Document this concern as a threat and conduct an impact analysis.

Buy Now
Questions 179

Which of the following is a crucial component of a key risk indicator (KRI) to ensure appropriate action is taken to mitigate risk?

Options:

A.

Management intervention

B.

Risk appetite

C.

Board commentary

D.

Escalation triggers

Buy Now
Questions 180

A risk practitioner is reporting on an increasing trend of ransomware attacks in the industry. Which of the following information is MOST important to include to enable an informed response decision by key stakeholders?

Options:

A.

Methods of attack progression

B.

Losses incurred by industry peers

C.

Most recent antivirus scan reports

D.

Potential impact of events

Buy Now
Questions 181

IT disaster recovery point objectives (RPOs) should be based on the:

Options:

A.

maximum tolerable downtime.

B.

maximum tolerable loss of data.

C.

need of each business unit.

D.

type of business.

Buy Now
Questions 182

Which of the following is the BEST way to determine software license compliance?

Options:

A.

List non-compliant systems in the risk register.

B.

Conduct periodic compliance reviews.

C.

Review whistleblower reports of noncompliance.

D.

Monitor user software download activity.

Buy Now
Questions 183

Which of the following is MOST important to sustainable development of secure IT services?

Options:

A.

Security training for systems development staff

B.

\Well-documented business cases

C.

Security architecture principles

D.

Secure coding practices

Buy Now
Questions 184

The BEST way to test the operational effectiveness of a data backup procedure is to:

Options:

A.

conduct an audit of files stored offsite.

B.

interview employees to compare actual with expected procedures.

C.

inspect a selection of audit trails and backup logs.

D.

demonstrate a successful recovery from backup files.

Buy Now
Questions 185

Which of the following is the MOST important consideration when identifying stakeholders to review risk scenarios developed by a risk analyst? The reviewers are:

Options:

A.

accountable for the affected processes.

B.

members of senior management.

C.

authorized to select risk mitigation options.

D.

independent from the business operations.

Buy Now
Questions 186

Which of the following is MOST important to ensure when continuously monitoring the performance of a client-facing application?

Options:

A.

Objectives are confirmed with the business owner.

B.

Control owners approve control changes.

C.

End-user acceptance testing has been conducted.

D.

Performance information in the log is encrypted.

Buy Now
Questions 187

Which of the following will be MOST effective to mitigate the risk associated with the loss of company data stored on personal devices?

Options:

A.

An acceptable use policy for personal devices

B.

Required user log-on before synchronizing data

C.

Enforced authentication and data encryption

D.

Security awareness training and testing

Buy Now
Questions 188

Deviation from a mitigation action plan's completion date should be determined by which of the following?

Options:

A.

Change management as determined by a change control board

B.

Benchmarking analysis with similar completed projects

C.

Project governance criteria as determined by the project office

D.

The risk owner as determined by risk management processes

Buy Now
Questions 189

Which of the following BEST enables a proactive approach to minimizing the potential impact of unauthorized data disclosure?

Options:

A.

Key risk indicators (KRIs)

B.

Data backups

C.

Incident response plan

D.

Cyber insurance

Buy Now
Questions 190

Which of the following is the PRIMARY purpose of creating and documenting control procedures?

Options:

A.

To facilitate ongoing audit and control testing

B.

To help manage risk to acceptable tolerance levels

C.

To establish and maintain a control inventory

D.

To increase the likelihood of effective control operation

Buy Now
Questions 191

Which of the following sources is MOST relevant to reference when updating security awareness training materials?

Options:

A.

Risk management framework

B.

Risk register

C.

Global security standards

D.

Recent security incidents reported by competitors

Buy Now
Questions 192

An organization recently configured a new business division Which of the following is MOST likely to be affected?

Options:

A.

Risk profile

B.

Risk culture

C.

Risk appetite

D.

Risk tolerance

Buy Now
Questions 193

Which of the following is the PRIMARY reason for sharing risk assessment reports with senior stakeholders?

Options:

A.

To support decision-making for risk response

B.

To hold risk owners accountable for risk action plans

C.

To secure resourcing for risk treatment efforts

D.

To enable senior management to compile a risk profile

Buy Now
Questions 194

Which of the following is a risk practitioner's MOST important responsibility in managing risk acceptance that exceeds risk tolerance?

Options:

A.

Verify authorization by senior management.

B.

Increase the risk appetite to align with the current risk level

C.

Ensure the acceptance is set to expire over lime

D.

Update the risk response in the risk register.

Buy Now
Questions 195

Which of the following would BEST enable a risk-based decision when considering the use of an emerging technology for data processing?

Options:

A.

Gap analysis

B.

Threat assessment

C.

Resource skills matrix

D.

Data quality assurance plan

Buy Now
Questions 196

The following is the snapshot of a recently approved IT risk register maintained by an organization's information security department.

After implementing countermeasures listed in ‘’Risk Response Descriptions’’ for each of the Risk IDs, which of the following component of the register MUST change?

Options:

A.

Risk Impact Rating

B.

Risk Owner

C.

Risk Likelihood Rating

D.

Risk Exposure

Buy Now
Questions 197

Which of the following would BEST mitigate an identified risk scenario?

Options:

A.

Conducting awareness training

B.

Executing a risk response plan

C.

Establishing an organization's risk tolerance

D.

Performing periodic audits

Buy Now
Questions 198

An organization control environment is MOST effective when:

Options:

A.

control designs are reviewed periodically

B.

controls perform as intended.

C.

controls are implemented consistently.

D.

controls operate efficiently

Buy Now
Questions 199

Which of the following stakeholders are typically included as part of a line of defense within the three lines of defense model?

Options:

A.

Board of directors

B.

Vendors

C.

Regulators

D.

Legal team

Buy Now
Questions 200

The BEST indicator of the risk appetite of an organization is the

Options:

A.

regulatory environment of the organization

B.

risk management capability of the organization

C.

board of directors' response to identified risk factors

D.

importance assigned to IT in meeting strategic goals

Buy Now
Questions 201

Which of the following is the MAIN benefit to an organization using key risk indicators (KRIs)?

Options:

A.

KRIs assist in the preparation of the organization's risk profile.

B.

KRIs signal that a change in the control environment has occurred.

C.

KRIs provide a basis to set the risk appetite for an organization

D.

KRIs provide an early warning that a risk threshold is about to be reached.

Buy Now
Questions 202

An organization has used generic risk scenarios to populate its risk register. Which of the following presents the GREATEST challenge to assigning of the associated risk entries?

Options:

A.

The volume of risk scenarios is too large

B.

Risk aggregation has not been completed

C.

Risk scenarios are not applicable

D.

The risk analysts for each scenario is incomplete

Buy Now
Questions 203

Before assigning sensitivity levels to information it is MOST important to:

Options:

A.

define recovery time objectives (RTOs).

B.

define the information classification policy

C.

conduct a sensitivity analyse

D.

Identify information custodians

Buy Now
Questions 204

Which of the following is the MOST important consideration when developing risk strategies?

Options:

A.

Organization's industry sector

B.

Long-term organizational goals

C.

Concerns of the business process owners

D.

History of risk events

Buy Now
Questions 205

Which of the following is MOST important when conducting a post-implementation review as part of the system development life cycle (SDLC)?

Options:

A.

Verifying that project objectives are met

B.

Identifying project cost overruns

C.

Leveraging an independent review team

D.

Reviewing the project initiation risk matrix

Buy Now
Questions 206

Which of the following is the BEST course of action when an organization wants to reduce likelihood in order to reduce a risk level?

Options:

A.

Monitor risk controls.

B.

Implement preventive measures.

C.

Implement detective controls.

D.

Transfer the risk.

Buy Now
Questions 207

In order to determining a risk is under-controlled the risk practitioner will need to

Options:

A.

understand the risk tolerance

B.

monitor and evaluate IT performance

C.

identify risk management best practices

D.

determine the sufficiency of the IT risk budget

Buy Now
Questions 208

Which of the following BEST enables effective IT control implementation?

Options:

A.

Key risk indicators (KRIs)

B.

Documented procedures

C.

Information security policies

D.

Information security standards

Buy Now
Questions 209

A MAJOR advantage of using key risk indicators (KRis) is that (hey

Options:

A.

identify when risk exceeds defined thresholds

B.

assess risk scenarios that exceed defined thresholds

C.

identify scenarios that exceed defined risk appetite

D.

help with internal control assessments concerning risk appellate

Buy Now
Questions 210

When of the following standard operating procedure (SOP) statements BEST illustrates appropriate risk register maintenance?

Options:

A.

Remove risk that has been mitigated by third-party transfer

B.

Remove risk that management has decided to accept

C.

Remove risk only following a significant change in the risk environment

D.

Remove risk when mitigation results in residual risk within tolerance levels

Buy Now
Questions 211

Risk appetite should be PRIMARILY driven by which of the following?

Options:

A.

Enterprise security architecture roadmap

B.

Stakeholder requirements

C.

Legal and regulatory requirements

D.

Business impact analysis (BIA)

Buy Now
Questions 212

An organization's business gap analysis reveals the need for a robust IT risk strategy. Which of the following should be the risk practitioner's PRIMARY consideration when participating in development of the new strategy?

Options:

A.

Scale of technology

B.

Risk indicators

C.

Risk culture

D.

Proposed risk budget

Buy Now
Questions 213

The PRIMARY objective of collecting information and reviewing documentation when performing periodic risk analysis should be to:

Options:

A.

Identify new or emerging risk issues.

B.

Satisfy audit requirements.

C.

Survey and analyze historical risk data.

D.

Understand internal and external threat agents.

Buy Now
Questions 214

Which of the following is the PRIMARY benefit of stakeholder involvement in risk scenario development?

Options:

A.

Ability to determine business impact

B.

Up-to-date knowledge on risk responses

C.

Decision-making authority for risk treatment

D.

Awareness of emerging business threats

Buy Now
Questions 215

Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities?

Options:

A.

Temporarily mitigate the OS vulnerabilities

B.

Document and implement a patching process

C.

Evaluate permanent fixes such as patches and upgrades

D.

Identify the vulnerabilities and applicable OS patches

Buy Now
Questions 216

Which of the following is MOST important to determine when assessing the potential risk exposure of a loss event involving personal data?

Options:

A.

The cost associated with incident response activities

The composition and number of records in the information asset

B.

The maximum levels of applicable regulatory fines

C.

The length of time between identification and containment of the incident

Buy Now
Questions 217

When defining thresholds for control key performance indicators (KPIs). it is MOST helpful to align:

Options:

A.

information risk assessments with enterprise risk assessments.

B.

key risk indicators (KRIs) with risk appetite of the business.

C.

the control key performance indicators (KPIs) with audit findings.

D.

control performance with risk tolerance of business owners.

Buy Now
Questions 218

A root because analysis indicates a major service disruption due to a lack of competency of newly hired IT system administrators Who should be accountable for resolving the situation?

Options:

A.

HR training director

B.

Business process owner

C.

HR recruitment manager

D.

Chief information officer (CIO)

Buy Now
Questions 219

As pan of business continuity planning, which of the following is MOST important to include m a business impact analysis (BlA)?

Options:

A.

An assessment of threats to the organization

B.

An assessment of recovery scenarios

C.

industry standard framework

D.

Documentation of testing procedures

Buy Now
Questions 220

Which of the following should be the PRIMARY basis for prioritizing risk responses?

Options:

A.

The impact of the risk

B.

The replacement cost of the business asset

C.

The cost of risk mitigation controls

D.

The classification of the business asset

Buy Now
Questions 221

Which of the following is the MOST important consideration when communicating the risk associated with technology end-of-life to business owners?

Options:

A.

Cost and benefit

B.

Security and availability

C.

Maintainability and reliability

D.

Performance and productivity

Buy Now
Questions 222

An organization is implementing robotic process automation (RPA) to streamline business processes. Given that implementation of this technology is expected to impact existing controls, which of the following is the risk practitioner's BEST course of action?

Options:

A.

Reassess whether mitigating controls address the known risk in the processes.

B.

Update processes to address the new technology.

C.

Update the data governance policy to address the new technology.

D.

Perform a gap analysis of the impacted processes.

Buy Now
Questions 223

Which of the following is the GREATEST concern when establishing key risk indicators (KRIs)?

Options:

A.

High percentage of lagging indicators

B.

Nonexistent benchmark analysis

C.

Incomplete documentation for KRI monitoring

D.

Ineffective methods to assess risk

Buy Now
Questions 224

Which of the following is the MOST effective way 10 identify an application backdoor prior to implementation'?

Options:

A.

User acceptance testing (UAT)

B.

Database activity monitoring

C.

Source code review

D.

Vulnerability analysis

Buy Now
Questions 225

Which organization is implementing a project to automate the purchasing process, including the modification of approval controls. Which of the following tasks is lie responsibility of the risk practitioner*?

Options:

A.

Verify that existing controls continue to properly mitigate defined risk

B.

Test approval process controls once the project is completed

C.

Update the existing controls for changes in approval processes from this project

D.

Perform a gap analysis of the impacted control processes

Buy Now
Questions 226

Which of the following is the MAIN purpose of monitoring risk?

Options:

A.

Communication

B.

Risk analysis

C.

Decision support

D.

Benchmarking

Buy Now
Questions 227

Which of the following is MOST important to promoting a risk-aware culture?

Options:

A.

Regular testing of risk controls

B.

Communication of audit findings

C.

Procedures for security monitoring

D.

Open communication of risk reporting

Buy Now
Questions 228

The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for.

Options:

A.

data logging and monitoring

B.

data mining and analytics

C.

data classification and labeling

D.

data retention and destruction

Buy Now
Questions 229

Which of the following is PRIMARILY a risk management responsibly of the first line of defense?

Options:

A.

Implementing risk treatment plans

B.

Validating the status of risk mitigation efforts

C.

Establishing risk policies and standards

D.

Conducting independent reviews of risk assessment results

Buy Now
Questions 230

A risk practitioner recently discovered that personal information from the production environment is required for testing purposes in non-production environments. Which of the following is the BEST recommendation to address this situation?

Options:

A.

Enable data encryption in the test environment.

B.

Prevent the use of production data in the test environment

C.

De-identify data before being transferred to the test environment.

D.

Enforce multi-factor authentication within the test environment.

Buy Now
Questions 231

The BEST metric to demonstrate that servers are configured securely is the total number of servers:

Options:

A.

exceeding availability thresholds

B.

experiencing hardware failures

C.

exceeding current patching standards.

D.

meeting the baseline for hardening.

Buy Now
Questions 232

To define the risk management strategy which of the following MUST be set by the board of directors?

Options:

A.

Operational strategies

B.

Risk governance

C.

Annualized loss expectancy (ALE)

D.

Risk appetite

Buy Now
Questions 233

Which of the following is the BEST indication that key risk indicators (KRls) should be revised?

Options:

A.

A decrease in the number of critical assets covered by risk thresholds

B.

An Increase In the number of risk threshold exceptions

C.

An increase in the number of change events pending management review

D.

A decrease In the number of key performance indicators (KPls)

Buy Now
Questions 234

Which risk response strategy could management apply to both positive and negative risk that has been identified?

Options:

A.

Transfer

B.

Accept

C.

Exploit

D.

Mitigate

Buy Now
Questions 235

Which of the following BEST helps to identify significant events that could impact an organization?

Options:

A.

Control analysis

B.

Vulnerability analysis

C.

Scenario analysis

D.

Heat map analysis

Buy Now
Questions 236

An organization has experienced a cyber-attack that exposed customer personally identifiable information (Pll) and caused extended outages of network services. Which of the following stakeholders are MOST important to include in the cyber response team to determine response actions?

Options:

A.

Security control owners based on control failures

B.

Cyber risk remediation plan owners

C.

Risk owners based on risk impact

D.

Enterprise risk management (ERM) team

Buy Now
Questions 237

Which of the following would BEST facilitate the implementation of data classification requirements?

Options:

A.

Implementing a data toss prevention (DLP) solution

B.

Assigning a data owner

C.

Scheduling periodic audits

D.

Implementing technical controls over the assets

Buy Now
Questions 238

During an acquisition, which of the following would provide the MOST useful input to the parent company's risk practitioner when developing risk scenarios for the post-acquisition phase?

Options:

A.

Risk management framework adopted by each company

B.

Risk registers of both companies

C.

IT balanced scorecard of each company

D.

Most recent internal audit findings from both companies

Buy Now
Questions 239

Which of the following is the GREATEST benefit of centralizing IT systems?

Options:

A.

Risk reporting

B.

Risk classification

C.

Risk monitoring

D.

Risk identification

Buy Now
Questions 240

Which of the following would be the GREATEST concern for an IT risk practitioner when an employees.....

Options:

A.

The organization's structure has not been updated

B.

Unnecessary access permissions have not been removed.

C.

Company equipment has not been retained by IT

D.

Job knowledge was not transferred to employees m the former department

Buy Now
Questions 241

Which of the following provides the BEST assurance of the effectiveness of vendor security controls?

Options:

A.

Review vendor control self-assessments (CSA).

B.

Review vendor service level agreement (SLA) metrics.

C.

Require independent control assessments.

D.

Obtain vendor references from existing customers.

Buy Now
Questions 242

Which of the following is the PRIMARY objective of establishing an organization's risk tolerance and appetite?

Options:

A.

To align with board reporting requirements

B.

To assist management in decision making

C.

To create organization-wide risk awareness

D.

To minimize risk mitigation efforts

Buy Now
Questions 243

Which of the following BEST facilitates the identification of appropriate key performance indicators (KPIs) for a risk management program?

Options:

A.

Reviewing control objectives

B.

Aligning with industry best practices

C.

Consulting risk owners

D.

Evaluating KPIs in accordance with risk appetite

Buy Now
Questions 244

Which of the following is the BEST approach for selecting controls to minimize risk?

Options:

A.

Industry best practice review

B.

Risk assessment

C.

Cost-benefit analysis

D.

Control-effectiveness evaluation

Buy Now
Questions 245

Which of the following is the MOST effective way for a large and diversified organization to minimize risk associated with unauthorized software on company devices?

Options:

A.

Scan end points for applications not included in the asset inventory.

B.

Prohibit the use of cloud-based virtual desktop software.

C.

Conduct frequent reviews of software licenses.

D.

Perform frequent internal audits of enterprise IT infrastructure.

Buy Now
Questions 246

Which of the following resources is MOST helpful to a risk practitioner when updating the likelihood rating in the risk register?

Options:

A.

Risk control assessment

B.

Audit reports with risk ratings

C.

Penetration test results

D.

Business impact analysis (BIA)

Buy Now
Questions 247

Following an acquisition, the acquiring company's risk practitioner has been asked to update the organization's IT risk profile What is the MOST important information to review from the acquired company to facilitate this task?

Options:

A.

Internal and external audit reports

B.

Risk disclosures in financial statements

C.

Risk assessment and risk register

D.

Business objectives and strategies

Buy Now
Questions 248

Which of the following will BEST help to ensure implementation of corrective action plans?

Options:

A.

Establishing employee awareness training

B.

Assigning accountability to risk owners

C.

Selling target dates to complete actions

D.

Contracting to third parties

Buy Now
Questions 249

Which of the following would be of GREATEST concern regarding an organization's asset management?

Options:

A.

Lack of a mature records management program

B.

Lack of a dedicated asset management team

C.

Decentralized asset lists

D.

Incomplete asset inventory

Buy Now
Questions 250

Which of the following is the GREATEST benefit of identifying appropriate risk owners?

Options:

A.

Accountability is established for risk treatment decisions

B.

Stakeholders are consulted about risk treatment options

C.

Risk owners are informed of risk treatment options

D.

Responsibility is established for risk treatment decisions.

Buy Now
Questions 251

Which of the following is MOST important for senior management to review during an acquisition?

Options:

A.

Risk appetite and tolerance

B.

Risk framework and methodology

C.

Key risk indicator (KRI) thresholds

D.

Risk communication plan

Buy Now
Questions 252

A segregation of duties control was found to be ineffective because it did not account for all applicable functions when evaluating access. Who is responsible for ensuring the control is designed to effectively address risk?

Options:

A.

Risk manager

B.

Control owner

C.

Control tester

D.

Risk owner

Buy Now
Questions 253

What should be the PRIMARY consideration related to data privacy protection when there are plans for a business initiative to make use of personal information?

Options:

A.

Do not collect or retain data that is not needed.

B.

Redact data where possible.

C.

Limit access to the personal data.

D.

Ensure all data is encrypted at rest and during transit.

Buy Now
Questions 254

Which of the following is the MOST important benefit of reporting risk assessment results to senior management?

Options:

A.

Promotion of a risk-aware culture

B.

Compilation of a comprehensive risk register

C.

Alignment of business activities

D.

Facilitation of risk-aware decision making

Buy Now
Questions 255

Which of the following would provide the MOST reliable evidence of the effectiveness of security controls implemented for a web application?

Options:

A.

Penetration testing

B.

IT general controls audit

C.

Vulnerability assessment

D.

Fault tree analysis

Buy Now
Questions 256

Which of the following presents the GREATEST challenge to managing an organization's end-user devices?

Options:

A.

Incomplete end-user device inventory

B.

Unsupported end-user applications

C.

Incompatible end-user devices

D.

Multiple end-user device models

Buy Now
Questions 257

An organization's chief information officer (CIO) has proposed investing in a new. untested technology to take advantage of being first to market Senior management has concerns about the success of the project and has set a limit for expenditures before final approval. This conditional approval indicates the organization's risk:

Options:

A.

capacity.

B.

appetite.

C.

management capability.

D.

treatment strategy.

Buy Now
Questions 258

Which of the following is a risk practitioner's BEST recommendation upon learning that an employee inadvertently disclosed sensitive data to a vendor?

Options:

A.

Enroll the employee in additional security training.

B.

Invoke the incident response plan.

C.

Conduct an internal audit.

D.

Instruct the vendor to delete the data.

Buy Now
Questions 259

An organization has experienced several incidents of extended network outages that have exceeded tolerance. Which of the following should be the risk practitioner's FIRST step to address this situation?

Options:

A.

Recommend additional controls to address the risk.

B.

Update the risk tolerance level to acceptable thresholds.

C.

Update the incident-related risk trend in the risk register.

D.

Recommend a root cause analysis of the incidents.

Buy Now
Questions 260

A risk practitioner has collaborated with subject matter experts from the IT department to develop a large list of potential key risk indicators (KRIs) for all IT operations within the organization of the following, who should review the completed list and select the appropriate KRIs for implementation?

Options:

A.

IT security managers

B.

IT control owners

C.

IT auditors

D.

IT risk owners

Buy Now
Questions 261

Recovery the objectives (RTOs) should be based on

Options:

A.

minimum tolerable downtime

B.

minimum tolerable loss of data.

C.

maximum tolerable downtime.

D.

maximum tolerable loss of data

Buy Now
Questions 262

Which of the following s MOST likely to deter an employee from engaging in inappropriate use of company owned IT systems?

Options:

A.

A centralized computer security response team

B.

Regular performance reviews and management check-ins

C.

Code of ethics training for all employees

D.

Communication of employee activity monitoring

Buy Now
Questions 263

A bank recently incorporated Blockchain technology with the potential to impact known risk within the organization. Which of the following is the risk practitioner’s BEST course of action?

Options:

A.

Determine whether risk responses are still adequate.

B.

Analyze and update control assessments with the new processes.

C.

Analyze the risk and update the risk register as needed.

D.

Conduct testing of the control that mitigate the existing risk.

Buy Now
Questions 264

Which of the following is the MOST useful information for a risk practitioner when planning response activities after risk identification?

Options:

A.

Risk register

B.

Risk appetite

C.

Risk priorities

D.

Risk heat maps

Buy Now
Questions 265

An organization wants to launch a campaign to advertise a new product Using data analytics, the campaign can be targeted to reach potential customers. Which of the following should be of GREATEST concern to the risk practitioner?

Options:

A.

Data minimization

B.

Accountability

C.

Accuracy

D.

Purpose limitation

Buy Now
Questions 266

Which of the following is the BEST way for a risk practitioner to present an annual risk management update to the board''

Options:

A.

A summary of risk response plans with validation results

B.

A report with control environment assessment results

C.

A dashboard summarizing key risk indicators (KRIs)

D.

A summary of IT risk scenarios with business cases

Buy Now
Questions 267

Which of the following is the PRIMARY objective of maintaining an information asset inventory?

Options:

A.

To provide input to business impact analyses (BIAs)

B.

To protect information assets

C.

To facilitate risk assessments

D.

To manage information asset licensing

Buy Now
Questions 268

An organization's recovery team is attempting to recover critical data backups following a major flood in its data center. However, key team members do not know exactly what steps should be taken to address this crisis. Which of the following is the MOST likely cause of this situation?

Options:

A.

Failure to test the disaster recovery plan (DRP)

B.

Lack of well-documented business impact analysis (BIA)

C.

Lack of annual updates to the disaster recovery plan (DRP)

D.

Significant changes in management personnel

Buy Now
Questions 269

Which of the following is the MOST effective way to reduce potential losses due to ongoing expense fraud?

Options:

A.

Implement user access controls

B.

Perform regular internal audits

C.

Develop and communicate fraud prevention policies

D.

Conduct fraud prevention awareness training.

Buy Now
Questions 270

Which of the following would be a risk practitioner's GREATEST concern with the use of a vulnerability scanning tool?

Options:

A.

Increased time to remediate vulnerabilities

B.

Inaccurate reporting of results

C.

Increased number of vulnerabilities

D.

Network performance degradation

Buy Now
Questions 271

Which of the following is the BEST way to help ensure risk will be managed properly after a business process has been re-engineered?

Options:

A.

Reassessing control effectiveness of the process

B.

Conducting a post-implementation review to determine lessons learned

C.

Reporting key performance indicators (KPIs) for core processes

D.

Establishing escalation procedures for anomaly events

Buy Now
Questions 272

Which of the following is the BEST way to ensure adequate resources will be allocated to manage identified risk?

Options:

A.

Prioritizing risk within each business unit

B.

Reviewing risk ranking methodology

C.

Promoting an organizational culture of risk awareness

D.

Assigning risk ownership to appropriate roles

Buy Now
Questions 273

Which of the following findings of a security awareness program assessment would cause the GREATEST concern to a risk practitioner?

Options:

A.

The program has not decreased threat counts.

B.

The program has not considered business impact.

C.

The program has been significantly revised

D.

The program uses non-customized training modules.

Buy Now
Questions 274

Which of the following is the BEST way to ensure data is properly sanitized while in cloud storage?

Options:

A.

Deleting the data from the file system

B.

Cryptographically scrambling the data

C.

Formatting the cloud storage at the block level

D.

Degaussing the cloud storage media

Buy Now
Questions 275

A company has recently acquired a customer relationship management (CRM) application from a certified software vendor. Which of the following will BE ST help lo prevent technical vulnerabilities from being exploded?

Options:

A.

implement code reviews and Quality assurance on a regular basis

B.

Verity me software agreement indemnifies the company from losses

C.

Review the source coda and error reporting of the application

D.

Update the software with the latest patches and updates

Buy Now
Questions 276

Which of the following situations presents the GREATEST challenge to creating a comprehensive IT risk profile of an organization?

Options:

A.

Manual vulnerability scanning processes

B.

Organizational reliance on third-party service providers

C.

Inaccurate documentation of enterprise architecture (EA)

D.

Risk-averse organizational risk appetite

Buy Now
Questions 277

Which of the following would be a risk practitioner’s BEST recommendation upon learning of an updated cybersecurity regulation that could impact the organization?

Options:

A.

Perform a gap analysis

B.

Conduct system testing

C.

Implement compensating controls

D.

Update security policies

Buy Now
Questions 278

Which of the following is MOST important information to review when developing plans for using emerging technologies?

Options:

A.

Existing IT environment

B.

IT strategic plan

C.

Risk register

D.

Organizational strategic plan

Buy Now
Questions 279

After the implementation of internal of Things (IoT) devices, new risk scenarios were identified. What is the PRIMARY reason to report this information to risk owners?

Options:

A.

To reevaluate continued use to IoT devices

B.

The add new controls to mitigate the risk

C.

The recommend changes to the IoT policy

D.

To confirm the impact to the risk profile

Buy Now
Questions 280

Using key risk indicators (KRIs) to illustrate changes in the risk profile PRIMARILY helps to:

Options:

A.

communicate risk trends to stakeholders.

B.

assign ownership of emerging risk scenarios.

C.

highlight noncompliance with the risk policy

D.

identify threats to emerging technologies.

Buy Now
Questions 281

Which of the following BEST reduces the risk associated with the theft of a laptop containing sensitive information?

Options:

A.

Cable lock

B.

Data encryption

C.

Periodic backup

D.

Biometrics access control

Buy Now
Questions 282

When creating a separate IT risk register for a large organization, which of the following is MOST important to consider with regard to the existing corporate risk 'register?

Options:

A.

Leveraging business risk professionals

B.

Relying on generic IT risk scenarios

C.

Describing IT risk in business terms

D.

Using a common risk taxonomy

Buy Now
Questions 283

Which of the following is the BEST way to reduce the likelihood of an individual performing a potentially harmful action as the result of unnecessary entitlement?

Options:

A.

Application monitoring

B.

Separation of duty

C.

Least privilege

D.

Nonrepudiation

Buy Now
Questions 284

The MAIN reason for prioritizing IT risk responses is to enable an organization to:

Options:

A.

determine the risk appetite.

B.

determine the budget.

C.

define key performance indicators (KPIs).

D.

optimize resource utilization.

Buy Now
Questions 285

When outsourcing a business process to a cloud service provider, it is MOST important to understand that:

Options:

A.

insurance could be acquired for the risk associated with the outsourced process.

B.

service accountability remains with the cloud service provider.

C.

a risk owner must be designated within the cloud service provider.

D.

accountability for the risk will remain with the organization.

Buy Now
Questions 286

The BEST way to validate that a risk treatment plan has been implemented effectively is by reviewing:

Options:

A.

results of a business impact analysis (BIA).

B.

the original risk response plan.

C.

training program and user awareness documentation.

D.

a post-implementation risk and control self-assessment (RCSA).

Buy Now
Questions 287

Which of the following is the BEST recommendation when a key risk indicator (KRI) is generating an excessive volume of events?

Options:

A.

Reevaluate the design of the KRIs.

B.

Develop a corresponding key performance indicator (KPI).

C.

Monitor KRIs within a specific timeframe.

D.

Activate the incident response plan.

Buy Now
Questions 288

Which of the following is MOST important to ensure when reviewing an organization's risk register?

Options:

A.

Risk ownership is recorded.

B.

Vulnerabilities have separate entries.

C.

Control ownership is recorded.

D.

Residual risk is less than inherent risk.

Buy Now
Questions 289

Which of the following is MOST important to review when an organization needs to transition the majority of its employees to remote work during a crisis?

Options:

A.

Customer notification plans

B.

Capacity management

C.

Access management

D.

Impacts on IT project delivery

Buy Now
Questions 290

When a risk practitioner is building a key risk indicator (KRI) from aggregated data, it is CRITICAL that the data is derived from:

Options:

A.

business process owners.

B.

representative data sets.

C.

industry benchmark data.

D.

data automation systems.

Buy Now
Questions 291

An organization's capability to implement a risk management framework is PRIMARILY influenced by the:

Options:

A.

guidance of the risk practitioner.

B.

competence of the staff involved.

C.

approval of senior management.

D.

maturity of its risk culture.

Buy Now
Questions 292

An organization's decision to remain noncompliant with certain laws or regulations is MOST likely influenced by:

Options:

A.

The region in which the organization operates.

B.

Established business culture.

C.

Risk appetite set by senior management.

D.

Identified business process controls.

Buy Now
Questions 293

An organization has updated its acceptable use policy to mitigate the risk of employees disclosing confidential information. Which of the following is the BEST way to reinforce the effectiveness of this policy?

Options:

A.

Communicate sanctions for policy violations to all staff.

B.

Obtain signed acceptance of the new policy from employees.

C.

Train all staff on relevant information security best practices.

D.

Implement data loss prevention (DLP) within the corporate network.

Buy Now
Questions 294

A MAJOR advantage of using key risk indicators (KRIs) is that they:

Options:

A.

Identify scenarios that exceed defined risk appetite.

B.

Help with internal control assessments concerning risk appetite.

C.

Assess risk scenarios that exceed defined thresholds.

D.

Identify when risk exceeds defined thresholds.

Buy Now
Questions 295

The results of a risk assessment reveal risk scenarios with high impact and low likelihood of occurrence. Which of the following would be the BEST action to address these scenarios?

Options:

A.

Assemble an incident response team.

B.

Create a disaster recovery plan (DRP).

C.

Develop a risk response plan.

D.

Initiate a business impact analysis (BIA).

Buy Now
Questions 296

Which of the following is the MOST important for an organization to have in place to ensure IT asset protection?

Options:

A.

Procedures for risk assessments on IT assets

B.

An IT asset management checklist

C.

An IT asset inventory populated by an automated scanning tool

D.

A plan that includes processes for the recovery of IT assets

Buy Now
Questions 297

A large organization recently restructured the IT department and has decided to outsource certain functions. What action should the control owners in the IT department take?

Options:

A.

Conduct risk classification for associated IT controls.

B.

Determine whether risk responses still effectively address risk.

C.

Perform vulnerability and threat assessments.

D.

Analyze and update IT control assessments.

Buy Now
Questions 298

Which of the following is the GREATEST concern if user acceptance testing (UAT) is not conducted when implementing a new application?

Options:

A.

The probability of application defects will increase

B.

Data confidentiality could be compromised

C.

Increase in the use of redundant processes

D.

The application could fail to meet defined business requirements

Buy Now
Questions 299

A risk practitioner has established that a particular control is working as desired, but the annual cost of maintenance has increased and now exceeds the expected annual loss exposure. The result is that the control is:

Options:

A.

mature

B.

ineffective.

C.

optimized.

D.

inefficient.

Buy Now
Questions 300

Which of the following is MOST important to determine as a result of a risk assessment?

Options:

A.

Risk appetite statement

B.

Risk response options

C.

Risk tolerance levels

D.

Process ownership

Buy Now
Questions 301

Which process is MOST effective to determine relevance of threats for risk scenarios?

Options:

A.

Vulnerability assessment

B.

Business impact analysis (BIA)

C.

Penetration testing

D.

Root cause analysis

Buy Now
Questions 302

An application development team has a backlog of user requirements for a new system that will process insurance claim payments for customers. Which of the following should be the MOST important consideration for a risk-based review of the user requirements?

Options:

A.

Number of claims affected by the user requirements

B.

Number of customers impacted

C.

Impact to the accuracy of claim calculation

D.

Level of resources required to implement the user requirements

Buy Now
Questions 303

Which of the following process controls BEST mitigates the risk of an employee issuing fraudulent payments to a vendor?

Options:

A.

Performing credit verification of third-party vendors prior to payment

B.

Conducting system access reviews to ensure least privilege and appropriate access

C.

Performing regular reconciliation of payments to the check registers

D.

Enforcing segregation of duties between the vendor master file and invoicing

Buy Now
Questions 304

During a recent security framework review, it was discovered that the marketing department implemented a non-fungible token asset program. This was done without following established risk procedures. Which of the following should the risk practitioner do FIRST?

Options:

A.

Report the infraction.

B.

Perform a risk assessment.

C.

Conduct risk awareness training.

D.

Discontinue the process.

Buy Now
Questions 305

Who should be responsible for approving the cost of controls to be implemented for mitigating risk?

Options:

A.

Risk practitioner

B.

Risk owner

C.

Control owner

D.

Control implementer

Buy Now
Questions 306

A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner s NEXT step? r

Options:

A.

Prepare a business case for the response options.

B.

Identify resources for implementing responses.

C.

Develop a mechanism for monitoring residual risk.

D.

Update the risk register with the results.

Buy Now
Questions 307

A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:

Options:

A.

updating the risk register.

B.

validating the risk scenarios.

C.

documenting the risk scenarios.

D.

identifying risk mitigation controls.

Buy Now
Questions 308

Which of the following is the GREATEST benefit of having a mature enterprise architecture (EA) in place?

Options:

A.

Standards-based policies

B.

Audit readiness

C.

Efficient operations

D.

Regulatory compliance

Buy Now
Questions 309

Which of the following is the BEST way to protect sensitive data from administrators within a public cloud?

Options:

A.

Use an encrypted tunnel lo connect to the cloud.

B.

Encrypt the data in the cloud database.

C.

Encrypt physical hard drives within the cloud.

D.

Encrypt data before it leaves the organization.

Buy Now
Questions 310

An organizational policy requires critical security patches to be deployed in production within three weeks of patch availability. Which of the following is the BEST metric to verify adherence to the policy?

Options:

A.

Maximum time gap between patch availability and deployment

B.

Percentage of critical patches deployed within three weeks

C.

Minimum time gap between patch availability and deployment

D.

Number of critical patches deployed within three weeks

Buy Now
Questions 311

Which of the following is the PRIMARY reason for an organization to include an acceptable use banner when users log in?

Options:

A.

To reduce the likelihood of insider threat

B.

To eliminate the possibility of insider threat

C.

To enable rapid discovery of insider threat

D.

To reduce the impact of insider threat

Buy Now
Questions 312

Which of the following BEST enables detection of ethical violations committed by employees?

Options:

A.

Transaction log monitoring

B.

Access control attestation

C.

Periodic job rotation

D.

Whistleblower program

Buy Now
Questions 313

An organization allows programmers to change production systems in emergency situations. Which of the following is the BEST control?

Options:

A.

Implementing an emergency change authorization process

B.

Periodically reviewing operator logs

C.

Limiting the number of super users

D.

Reviewing the programmers' emergency change reports

Buy Now
Questions 314

A risk practitioner has been notified of a social engineering attack using artificial intelligence (AI) technology to impersonate senior management personnel. Which of the following would BEST mitigate the impact of such attacks?

Options:

A.

Subscription to data breach monitoring sites

B.

Suspension and takedown of malicious domains or accounts

C.

Increased monitoring of executive accounts

D.

Training and awareness of employees for increased vigilance

Buy Now
Questions 315

Which of the following is the MOST important consideration when prioritizing risk response?

Options:

A.

Requirements for regulatory obligations

B.

Cost of control implementation

C.

Effectiveness of risk treatment

D.

Number of risk response options

Buy Now
Questions 316

Reviewing which of the following would provide the MOST useful information when preparing to evaluate the effectiveness of existing controls?

Options:

A.

Previous audit reports

B.

Control objectives

C.

Risk responses in the risk register

D.

Changes in risk profiles

Buy Now
Questions 317

Which of the following is MOST helpful when prioritizing action plans for identified risk?

Options:

A.

Comparing risk rating against appetite

B.

Obtaining input from business units

C.

Determining cost of controls to mitigate risk

D.

Ranking the risk based on likelihood of occurrence

Buy Now
Questions 318

Which of the following is the result of a realized risk scenario?

Options:

A.

Threat event

B.

Vulnerability event

C.

Technical event

D.

Loss event

Buy Now
Questions 319

Which of the following is the BEST response when a potential IT control deficiency has been identified?

Options:

A.

Remediate and report the deficiency to the enterprise risk committee.

B.

Verify the deficiency and then notify the business process owner.

C.

Verify the deficiency and then notify internal audit.

D.

Remediate and report the deficiency to senior executive management.

Buy Now
Questions 320

Which of the following would BEST facilitate the maintenance of data classification requirements?

Options:

A.

Scheduling periodic audits

B.

Assigning a data custodian

C.

Implementing technical controls over the assets

D.

Establishing a data loss prevention (DLP) solution

Buy Now
Questions 321

An organization is outsourcing a key database to be hosted by an external service provider. Who is BEST suited to assess the impact of potential data loss?

Options:

A.

Database manager

B.

Public relations manager

C.

Data privacy manager

D.

Business manager

Buy Now
Questions 322

Which of the following is MOST likely to introduce risk for financial institutions that use blockchain?

Options:

A.

Cost of implementation

B.

Implementation of unproven applications

C.

Disruption to business processes

D.

Increase in attack surface area

Buy Now
Questions 323

Which of the following is the MOST important reason for a risk practitioner to continuously monitor a critical security transformation program?

Options:

A.

To validate the quality of defined deliverables for the program

B.

To detect increases in program costs

C.

To ensure program risk events are mitigated in a timely manner

D.

To provide timely reporting to the governance steering committee

Buy Now
Questions 324

A penetration testing team discovered an ineffectively designed access control. Who is responsible for ensuring the control design gap is remediated?

Options:

A.

Control owner

B.

Risk owner

C.

IT security manager

D.

Control operator

Buy Now
Questions 325

Which of the following is MOST useful input when developing risk scenarios?

Options:

A.

Common attacks in other industries.

B.

Identification of risk events.

C.

Impact on critical assets.

D.

Probability of disruptive risk events.

Buy Now
Questions 326

The PRIMARY focus of an ongoing risk awareness program should be to:

Options:

A.

enable better risk-based decisions.

B.

define appropriate controls to mitigate risk.

C.

determine impact of risk scenarios.

D.

expand understanding of risk indicators.

Buy Now
Questions 327

Which of the following is the PRIMARY benefit of integrating risk and security requirements in an organization's enterprise architecture (EA)?

Options:

A.

Adherence to legal and compliance requirements

B.

Reduction in the number of test cases in the acceptance phase

C.

Establishment of digital forensic architectures

D.

Consistent management of information assets

Buy Now
Questions 328

Which of the following BEST enables an organization to address risk associated with technical complexity?

Options:

A.

Documenting system hardening requirements

B.

Minimizing dependency on technology

C.

Aligning with a security architecture

D.

Establishing configuration guidelines

Buy Now
Questions 329

An organization requires a third party for processing customer personal data. Which of the following is the BEST approach when sharing data over a public network?

Options:

A.

Include a nondisclosure agreement (NDA) for personal data in the contract.

B.

Implement a digital rights protection tool to monitor data.

C.

Use a virtual private network (VPN) to communicate data.

D.

Transfer a read-only version of the data.

Buy Now
Questions 330

An organization retains footage from its data center security camera for 30 days when the policy requires 90-day retention The business owner challenges whether the situation is worth remediating Which of the following is the risk manager s BEST response'

Options:

A.

Identify the regulatory bodies that may highlight this gap

B.

Highlight news articles about data breaches

C.

Evaluate the risk as a measure of probable loss

D.

Verify if competitors comply with a similar policy

Buy Now
Questions 331

Recent penetration testing of an organization's software has identified many different types of security risks. Which of the following is the MOST likely root cause for the identified risk?

Options:

A.

SIEM software is producing faulty alerts.

B.

Threat modeling was not utilized in the software design process.

C.

The configuration management process is not applied consistently during development.

D.

An identity and access management (IAM) tool has not been properly integrated into the software.

Buy Now
Questions 332

Which of the following provides the BEST evidence that risk responses are effective?

Options:

A.

Residual risk is within risk tolerance.

B.

Risk with low impact is accepted.

C.

Risk ownership is identified and assigned.

D.

Compliance breaches are addressed in a timely manner.

Buy Now
Questions 333

A risk practitioner has been asked to evaluate the adoption of a third-party blockchain integration platform based on the value added by the platform and the organization's risk appetite. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Conduct a risk assessment with stakeholders.

B.

Conduct third-party resilience tests.

C.

Update the risk register with the process changes.

D.

Review risk related to standards and regulations.

Buy Now
Questions 334

An organization plans to implement a new Software as a Service (SaaS) speech-to-text solution Which of the following is MOST important to mitigate risk associated with data privacy?

Options:

A.

Secure encryption protocols are utilized.

B.

Multi-factor authentication is set up for users.

C.

The solution architecture is approved by IT.

D.

A risk transfer clause is included in the contact

Buy Now
Questions 335

Which of the following is the BEST indicator of the effectiveness of a control?

Options:

A.

Scope of the control coverage

B.

The number of exceptions granted

C.

Number of steps necessary to operate process

D.

Number of control deviations detected

Buy Now
Questions 336

Which of the following is the MOST useful input when developing risk scenarios?

Options:

A.

Common attacks in other industries.

B.

Identification of risk events.

C.

Impact on critical assets.

D.

Probability of disruptive risk events.

Buy Now
Questions 337

The percentage of unpatched systems is a:

Options:

A.

threat vector.

B.

critical success factor (CSF).

C.

key performance indicator (KPI).

D.

key risk indicator (KRI).

Buy Now
Questions 338

Which of the following information is MOST useful to a risk practitioner for developing IT risk scenarios?

Options:

A.

Published vulnerabilities relevant to the business

B.

Threat actors that can trigger events

C.

Events that could potentially impact the business

D.

IT assets requiring the greatest investment

Buy Now
Questions 339

An organization's stakeholders are unable to agree on appropriate risk responses. Which of the following would be the BEST course of action?

Options:

A.

Escalate to senior management.

B.

Identify a risk transfer option.

C.

Reassess risk scenarios.

D.

Benchmark with similar industries.

Buy Now
Questions 340

Which of the following is the PRIMARY reason to engage business unit managers in risk management processes'?

Options:

A.

Improved alignment will technical risk

B.

Better-informed business decisions

C.

Enhanced understanding of enterprise architecture (EA)

D.

Improved business operations efficiency

Buy Now
Questions 341

A risk practitioner learns that a risk owner has been accepting gifts from a supplier of IT products. Some of these IT products are used to implement controls and to mitigate risk to acceptable levels. Which of the following should the risk practitioner do FIRST?

Options:

A.

Initiate disciplinary action against the risk owner.

B.

Reassess the risk and review the underlying controls.

C.

Review organizational ethics policies.

D.

Report the activity to the supervisor.

Buy Now
Questions 342

An organization has established a single enterprise-wide risk register that records high-level risk scenarios. The IT risk department has created its own register to record more granular scenarios applicable to IT. Which of the following is the BEST way to ensure alignment between these two registers?

Options:

A.

Map the granular risk scenarios to the high-level risk register items.

B.

List application and server vulnerabilities in the IT risk register.

C.

Identify overlapping risk scenarios between the two registers.

D.

Maintain both high-level and granular risk scenarios in a single register.

Buy Now
Questions 343

Who is ULTIMATELY accountable for risk treatment?

Options:

A.

Risk owner

B.

Enterprise risk management (ERM)

C.

Risk practitioner

D.

Control owner

Buy Now
Questions 344

Which of the following is MOST important for management to consider when deciding whether to invest in an IT initiative that exceeds management's risk appetite?

Options:

A.

Risk management budget

B.

Risk management industry trends

C.

Risk tolerance

D.

Risk capacity

Buy Now
Questions 345

Which of the following will BEST help to improve an organization's risk culture?

Options:

A.

Maintaining a documented risk register

B.

Establishing a risk awareness program

C.

Rewarding employees for reporting security incidents

D.

Allocating resources for risk remediation

Buy Now
Questions 346

Zero Trust architecture is designed and deployed with adherence to which of the following basic tenets?

Options:

A.

Incoming traffic must be inspected before connection is established.

B.

Security frameworks and libraries should be leveraged.

C.

Digital identities should be implemented.

D.

All communication is secured regardless of network location.

Buy Now
Questions 347

An organization is concerned that a change in its market situation may impact the current level of acceptable risk for senior management. As a result, which of the following is MOST important to reevaluate?

Options:

A.

Risk classification

B.

Risk policy

C.

Risk strategy

D.

Risk appetite

Buy Now
Questions 348

Which of the following roles should be assigned accountability for monitoring risk levels?

Options:

A.

Risk practitioner

B.

Business manager

C.

Risk owner

D.

Control owner

Buy Now
Questions 349

Which of the following is MOST important when identifying an organization's risk exposure associated with Internet of Things (loT) devices?

Options:

A.

Defined remediation plans

B.

Management sign-off on the scope

C.

Manual testing of device vulnerabilities

D.

Visibility into all networked devices

Buy Now
Questions 350

Of the following, whose input is ESSENTIAL when developing risk scenarios for the implementation of a third-party mobile application that stores customer data?

Options:

A.

Information security manager

B.

IT vendor manager

C.

Business process owner

D.

IT compliance manager

Buy Now
Questions 351

Which of the following is MOST important when determining risk appetite?

Options:

A.

Assessing regulatory requirements

B.

Benchmarking against industry standards

C.

Gaining management consensus

D.

Identifying risk tolerance

Buy Now
Questions 352

Which of the following is the GREATEST impact of implementing a risk mitigation strategy?

Options:

A.

Improved alignment with business goals.

B.

Reduction of residual risk.

C.

Increased costs due to control implementation.

D.

Decreased overall risk appetite.

Buy Now
Questions 353

Which of the following is the ULTIMATE objective of utilizing key control indicators (KCIs) in the risk management process?

Options:

A.

To provide insight into the effectiveness of the internal control environment

B.

To provide a basis for determining the criticality of risk mitigation controls

C.

To provide benchmarks for assessing control design effectiveness against industry peers

D.

To provide early warning signs of a potential change in risk level

Buy Now
Questions 354

Which of the following is the BEST way to mitigate the risk associated with fraudulent use of an enterprise's brand on Internet sites?

Options:

A.

Utilizing data loss prevention (DLP) technology

B.

Monitoring the enterprise's use of the Internet

C.

Scanning the Internet to search for unauthorized usage

D.

Developing training and awareness campaigns

Buy Now
Questions 355

Which of the following is the MOST useful input when developing risk scenarios?

Options:

A.

Common attacks in other industries

B.

Identification of risk events

C.

Impact on critical assets

D.

Probability of disruptive risk events

Buy Now
Questions 356

After undertaking a risk assessment of a production system, the MOST appropriate action is fcr the risk manager to

Options:

A.

recommend a program that minimizes the concerns of that production system.

B.

inform the process owner of the concerns and propose measures to reduce them.

C.

inform the IT manager of the concerns and propose measures to reduce them.

D.

inform the development team of the concerns and together formulate risk reduction measures.

Buy Now
Questions 357

An organization has an internal control that requires all access for employees be removed within 15 days of their termination date. Which of the following should the risk practitioner use to monitor

adherence to the 15-day threshold?

Options:

A.

Operation level agreement (OLA)

B.

Service level agreement (SLA)

C.

Key performance indicator (KPI)

D.

Key risk indicator (KRI)

Buy Now
Questions 358

Which of the following techniques is MOST helpful when quantifying the potential loss impact of cyber risk?

Options:

A.

Cost-benefit analysis

B.

Penetration testing

C.

Business impact analysis (BIA)

D.

Security assessment

Buy Now
Questions 359

An organization recently implemented a machine learning-based solution to monitor IT usage and analyze user behavior in an effort to detect internal fraud. Which of the following is MOST likely to be reassessed as a result of this initiative?

Options:

A.

Risk likelihood

B.

Risk culture

C.

Risk appetite

D.

Risk capacity

Buy Now
Questions 360

An organization needs to send files to a business partner to perform a quality control audit on the organization’s record-keeping processes. The files include personal information on the organization's customers. Which of the following is the BEST recommendation to mitigate privacy risk?

Options:

A.

Obfuscate the customers’ personal information.

B.

Require the business partner to delete personal information following the audit.

C.

Use a secure channel to transmit the files.

D.

Ensure the contract includes provisions for sharing personal information.

Buy Now
Questions 361

Which of the following offers the SIMPLEST overview of changes in an organization's risk profile?

Options:

A.

A risk roadmap

B.

A balanced scorecard

C.

A heat map

D.

The risk register

Buy Now
Questions 362

Who is accountable for authorizing application access in a cloud Software as a Service (SaaS) solution?

Options:

A.

Cloud service provider

B.

IT department

C.

Senior management

D.

Business unit owner

Buy Now
Questions 363

If concurrent update transactions to an account are not processed properly, which of the following will MOST likely be affected?

Options:

A.

Confidentiality

B.

Accountability

C.

Availability

D.

Integrity

Buy Now
Questions 364

Which of the following would BEST indicate to senior management that IT processes are improving?

Options:

A.

Changes in the number of security exceptions

B.

Changes to the structure of the risk register

C.

Changes in the number of intrusions detected

D.

Changes in the position in the maturity model

Buy Now
Questions 365

A global organization has implemented an application that does not address all privacy requirements across multiple jurisdictions. Which of the following risk responses has the organization adopted with regard to privacy requirements?

Options:

A.

Risk avoidance

B.

Risk transfer

C.

Risk mitigation

D.

Risk acceptance

Buy Now
Questions 366

Which of the following BEST enables the timely detection of changes in the security control environment?

Options:

A.

Control self-assessment (CSA)

B.

Log analysis

C.

Security control reviews

D.

Random sampling checks

Buy Now
Questions 367

An organization's Internet-facing server was successfully attacked because the server did not have the latest security patches. The risk associated with poor patch management had been documented in the risk register and accepted. Who should be accountable for any related losses to the organization?

Options:

A.

Risk owner

B.

IT risk manager

C.

Server administrator

D.

Risk practitioner

Buy Now
Questions 368

Which of the following BEST enables the development of a successful IT strategy focused on business risk mitigation?

Options:

A.

Providing risk awareness training for business units

B.

Obtaining input from business management

C.

Understanding the business controls currently in place

D.

Conducting a business impact analysis (BIA)

Buy Now
Questions 369

Which of the following is the MOST useful information for prioritizing risk mitigation?

Options:

A.

Cost of risk mitigation

B.

Asset criticality

C.

Acceptable risk level

D.

Business impact assessment

Buy Now
Questions 370

Which of the following is MOST useful input when developing risk scenarios?

Options:

A.

Common attacks in other industries

B.

Identification of risk events

C.

Impact on critical assets

D.

Probability of disruptive risk events

Buy Now
Questions 371

The MOST important measure of the effectiveness of risk management in project implementation is the percentage of projects:

Options:

A.

introduced into production without high-risk issues.

B.

having the risk register updated regularly.

C.

having key risk indicators (KRIs) established to measure risk.

D.

having an action plan to remediate overdue issues.

Buy Now
Questions 372

An assessment of information security controls has identified ineffective controls. Which of the following should be the risk practitioner's FIRST course of action?

Options:

A.

Determine whether the impact is outside the risk appetite.

B.

Report the ineffective control for inclusion in the next audit report.

C.

Request a formal acceptance of risk from senior management.

D.

Deploy a compensating control to address the identified deficiencies.

Buy Now
Questions 373

Which of the following should be a risk practitioner's GREATEST concern upon learning of failures in a data migration activity?

Options:

A.

Availability of test data

B.

Integrity of data

C.

Cost overruns

D.

System performance

Buy Now
Questions 374

An organization has outsourced its IT security operations to a third party. Who is ULTIMATELY accountable for the risk associated with the outsourced operations?

Options:

A.

The third party s management

B.

The organization's management

C.

The control operators at the third party

D.

The organization's vendor management office

Buy Now
Questions 375

A trusted third-party service provider has determined that the risk of a client's systems being hacked is low. Which of the following would be the client's BEST course of action?

Options:

A.

Perform their own risk assessment

B.

Implement additional controls to address the risk.

C.

Accept the risk based on the third party's risk assessment

D.

Perform an independent audit of the third party.

Buy Now
Questions 376

Which of the following situations reflects residual risk?

Options:

A.

Risk that is present before risk acceptance has been finalized

B.

Risk that is removed after a risk acceptance has been finalized

C.

Risk that is present before mitigation controls have been applied

D.

Risk that remains after mitigation controls have been applied

Buy Now
Questions 377

IT management has asked for a consolidated view into the organization's risk profile to enable project prioritization and resource allocation. Which of the following materials would

be MOST helpful?

Options:

A.

IT risk register

B.

List of key risk indicators

C.

Internal audit reports

D.

List of approved projects

Buy Now
Questions 378

A contract associated with a cloud service provider MUST include:

Options:

A.

ownership of responsibilities.

B.

a business recovery plan.

C.

provision for source code escrow.

D.

the providers financial statements.

Buy Now
Questions 379

A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable?

Options:

A.

Business continuity manager (BCM)

B.

Human resources manager (HRM)

C.

Chief risk officer (CRO)

D.

Chief information officer (CIO)

Buy Now
Questions 380

An organization wants to assess the maturity of its internal control environment. The FIRST step should be to:

Options:

A.

validate control process execution.

B.

determine if controls are effective.

C.

identify key process owners.

D.

conduct a baseline assessment.

Buy Now
Questions 381

A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?

Options:

A.

Document the finding in the risk register.

B.

Invoke the incident response plan.

C.

Re-evaluate key risk indicators.

D.

Modify the design of the control.

Buy Now
Questions 382

The MAIN purpose of conducting a control self-assessment (CSA) is to:

Options:

A.

gain a better understanding of the control effectiveness in the organization

B.

gain a better understanding of the risk in the organization

C.

adjust the controls prior to an external audit

D.

reduce the dependency on external audits

Buy Now
Questions 383

Which of the following is the MAIN reason for documenting the performance of controls?

Options:

A.

Obtaining management sign-off

B.

Demonstrating effective risk mitigation

C.

Justifying return on investment

D.

Providing accurate risk reporting

Buy Now
Questions 384

Which of the following roles would provide the MOST important input when identifying IT risk scenarios?

Options:

A.

Information security managers

B.

Internal auditors

C.

Business process owners

D.

Operational risk managers

Buy Now
Questions 385

Which of the following is the MOST effective key performance indicator (KPI) for change management?

Options:

A.

Percentage of changes with a fallback plan

B.

Number of changes implemented

C.

Percentage of successful changes

D.

Average time required to implement a change

Buy Now
Questions 386

The PRIMARY reason for a risk practitioner to review business processes is to:

Options:

A.

Benchmark against peer organizations.

B.

Identify appropriate controls within business processes.

C.

Assess compliance with global standards.

D.

Identify risk owners related to business processes.

Buy Now
Questions 387

Which of the following is the MOST important factor affecting risk management in an organization?

Options:

A.

The risk manager's expertise

B.

Regulatory requirements

C.

Board of directors' expertise

D.

The organization's culture

Buy Now
Questions 388

During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT. Which of the following is the BEST way for the risk practitioner to address these concerns?

Options:

A.

Describe IT risk scenarios in terms of business risk.

B.

Recommend the formation of an executive risk council to oversee IT risk.

C.

Provide an estimate of IT system downtime if IT risk materializes.

D.

Educate business executives on IT risk concepts.

Buy Now