Vulnerabilities have been detected on an organization's systems. Applications installed on these systems will not operate if the underlying servers are updated. Which of the following is the risk practitioner's BEST course of action?
A business unit is implementing a data analytics platform to enhance its customer relationship management (CRM) system primarily to process data that has been provided by its customers. Which of the following presents the GREATEST risk to the organization's reputation?
Which of the following is the MOST appropriate action when a tolerance threshold is exceeded?
Which of the following is the PRIMARY reason to use key control indicators (KCIs) to evaluate control operating effectiveness?
Which of the following is the MOST important consideration when sharing risk management updates with executive management?
Which of the following is the MOST important component in a risk treatment plan?
Which of the following is the BEST Key control indicator KCO to monitor the effectiveness of patch management?
The BEST key performance indicator (KPI) for monitoring adherence to an organization's user accounts provisioning practices is the percentage of:
Which of the following provides the MOST up-to-date information about the effectiveness of an organization's overall IT control environment?
A change management process has recently been updated with new testing procedures. What is the NEXT course of action?
Which of the following BEST facilitates the mitigation of identified gaps between current and desired risk environment states?
Which of the following is the PRIMARY risk management responsibility of the second line of defense?
The MOST important reason for implementing change control procedures is to ensure:
Which of the following would BEST indicate to senior management that IT processes are improving?
When an organization is having new software implemented under contract, which of the following is key to controlling escalating costs?
Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds?
An organization moved its payroll system to a Software as a Service (SaaS) application. A new data privacy regulation stipulates that data can only be processed within the country where it is collected. Which of the following should be done FIRST when addressing this situation?
Which of the following is the MOST effective way to integrate risk and compliance management?
What should be the PRIMARY driver for periodically reviewing and adjusting key risk indicators (KRIs)?
When reviewing a report on the performance of control processes, it is MOST important to verify whether the:
Which of the following is the PRIMARY objective of providing an aggregated view of IT risk to business management?
The PRIMARY goal of conducting a business impact analysis (BIA) as part of an overall continuity planning process is to:
An organization discovers significant vulnerabilities in a recently purchased commercial off-the-shelf software product which will not be corrected until the next release. Which of the following is the risk manager's BEST course of action?
Which of the following is MOST important when developing key risk indicators (KRIs)?
An IT risk practitioner has been asked to regularly report on the overall status and effectiveness of the IT risk management program. Which of the following is MOST useful for this purpose?
Which of the following is the BEST key control indicator (KCI) for a vulnerability management program?
Which of the following statements BEST illustrates the relationship between key performance indicators (KPIs) and key control indicators (KCIs)?
To reduce costs, an organization is combining the second and third tines of defense in a new department that reports to a recently appointed C-level executive. Which of the following is the GREATEST concern with this situation?
When reviewing a business continuity plan (BCP). which of the following would be the MOST significant deficiency?
Legal and regulatory risk associated with business conducted over the Internet is driven by:
From a risk management perspective, the PRIMARY objective of using maturity models is to enable:
An organization must make a choice among multiple options to respond to a risk. The stakeholders cannot agree and decide to postpone the decision. Which of the following risk responses has the organization adopted?
Several network user accounts were recently created without the required management approvals. Which of the following would be the risk practitioner's BEST recommendation to address this situation?
The BEST indication that risk management is effective is when risk has been reduced to meet:
An organization has been notified that a disgruntled, terminated IT administrator has tried to break into the corporate network. Which of the following discoveries should be of GREATEST concern to the organization?
While reviewing an organization's monthly change management metrics, a risk practitioner notes that the number of emergency changes has increased substantially Which of the following would be the BEST approach for the risk practitioner to take?
During an internal IT audit, an active network account belonging to a former employee was identified. Which of the following is the BEST way to prevent future occurrences?
An organization automatically approves exceptions to security policies on a recurring basis. This practice is MOST likely the result of:
Which of the following provides the BEST measurement of an organization's risk management maturity level?
An IT control gap has been identified in a key process. Who would be the MOST appropriate owner of the risk associated with this gap?
Which of the following issues should be of GREATEST concern when evaluating existing controls during a risk assessment?
An IT department has provided a shared drive for personnel to store information to which all employees have access. Which of the following parties is accountable for the risk of potential loss of confidential information?
An organization outsources the processing of us payroll data A risk practitioner identifies a control weakness at the third party trial exposes the payroll data. Who should own this risk?
Which of the following is necessary to enable an IT risk register to be consolidated with the rest of the organization’s risk register?
An organization recently received an independent security audit report of its cloud service provider that indicates significant control weaknesses. What should be done NEXT in response to this report?
Which of the following BEST indicates the effectiveness of anti-malware software?
Which of the following controls BEST enables an organization to ensure a complete and accurate IT asset inventory?
It is MOST important for a risk practitioner to have an awareness of an organization s processes in order to:
Which of the following is the MOST critical element to maximize the potential for a successful security implementation?
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery test of critical business processes?
Several newly identified risk scenarios are being integrated into an organization's risk register. The MOST appropriate risk owner would be the individual who:
The PRIMARY benefit of using a maturity model is that it helps to evaluate the:
Which of the following is an IT business owner's BEST course of action following an unexpected increase in emergency changes?
To reduce the risk introduced when conducting penetration tests, the BEST mitigating control would be to:
Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?
Which of the following should be an element of the risk appetite of an organization?
Which of the following should be considered FIRST when creating a comprehensive IT risk register?
Which of the following is the BEST control to detect an advanced persistent threat (APT)?
A risk practitioner has discovered a deficiency in a critical system that cannot be patched. Which of the following should be the risk practitioner's FIRST course of action?
Which of the following is the GREATEST risk associated with an environment that lacks documentation of the architecture?
An organization is conducting a review of emerging risk. Which of the following is the BEST input for this exercise?
Which of the following is MOST important when considering risk in an enterprise risk management (ERM) process?
Which of the following is MOST important for a risk practitioner to verify when evaluating the effectiveness of an organization's existing controls?
Which of the following BEST indicates the risk appetite and tolerance level (or the risk associated with business interruption caused by IT system failures?
Which of the following is MOST helpful in preventing risk events from materializing?
Which of the following practices BEST mitigates risk related to enterprise-wide ethical decision making in a multi-national organization?
Which of the following is the BEST source for identifying key control indicators (KCIs)?
A risk practitioner has been notified of a social engineering attack using artificial intelligence (Al) technology to impersonate senior management personnel. Which of the following would BEST mitigate the impact of such attacks?
Which of the following is PRIMARILY responsible for providing assurance to the board of directors and senior management during the evaluation of a risk management program implementation?
A risk manager has determined there is excessive risk with a particular technology. Who is the BEST person to own the unmitigated risk of the technology?
Which of the following is the MOST important objective of establishing an enterprise risk management (ERM) function within an organization?
Which of the following should be done FIRST when developing a data protection management plan?
Which of the following is MOST useful for measuring the existing risk management process against a desired state?
Which of the following risk management practices BEST facilitates the incorporation of IT risk scenarios into the enterprise-wide risk register?
Which of the following would be the BEST key performance indicator (KPI) for monitoring the effectiveness of the IT asset management process?
Which of the following would provide the MOST useful information to a risk owner when reviewing the progress of risk mitigation?
Which of me following is MOST helpful to mitigate the risk associated with an application under development not meeting business objectives?
What are the MOST essential attributes of an effective Key control indicator (KCI)?
Which of the following would MOST likely cause a risk practitioner to change the likelihood rating in the risk register?
Which of the following is the BEST way to manage the risk associated with malicious activities performed by database administrators (DBAs)?
Which of the following would be MOST helpful to a risk practitioner when ensuring that mitigated risk remains within acceptable limits?
Which of the following is the MOST effective control to ensure user access is maintained on a least-privilege basis?
Which of the following is the BEST indication of a mature organizational risk culture?
An organization has detected unauthorized logins to its client database servers. Which of the following should be of GREATEST concern?
Which of the following is the BEST way to identify changes in the risk profile of an organization?
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an anti-virus program?
The risk associated with inadvertent disclosure of database records from a public cloud service provider (CSP) would MOST effectively be reduced by:
Which of the following activities is PRIMARILY the responsibility of senior management?
The PRIMARY reason for establishing various Threshold levels for a set of key risk indicators (KRIs) is to:
An organization has four different projects competing for funding to reduce overall IT risk. Which project should management defer?
Which of the following is MOST important for a risk practitioner to ensure once a risk action plan has been completed?
An organization has opened a subsidiary in a foreign country. Which of the following would be the BEST way to measure the effectiveness of the subsidiary's IT systems controls?
An organization has outsourced its lease payment process to a service provider who lacks evidence of compliance with a necessary regulatory standard. Which risk treatment was adopted by the organization?
A control owner identifies that the organization's shared drive contains personally identifiable information (Pll) that can be accessed by all personnel. Which of the following is the MOST effective risk response?
Mitigating technology risk to acceptable levels should be based PRIMARILY upon:
A risk practitioner has been notified that an employee sent an email in error containing customers' personally identifiable information (Pll). Which of the following is the risk practitioner's BEST course of action?
Following a significant change to a business process, a risk practitioner believes the associated risk has been reduced. The risk practitioner should advise the risk owner to FIRST
A risk practitioner is reviewing the status of an action plan to mitigate an emerging IT risk and finds the risk level has increased. The BEST course of action would be to:
The BEST key performance indicator (KPI) to measure the effectiveness of a vendor risk management program is the percentage of:
Which of the following provides the MOST helpful reference point when communicating the results of a risk assessment to stakeholders?
It is MOST important to the effectiveness of an IT risk management function that the associated processes are:
Which of the following is the MOST important input when developing risk scenarios?
Which of the following would be the GREATEST concern related to data privacy when implementing an Internet of Things (loT) solution that collects personally identifiable information (Pll)?
An organization has initiated a project to implement an IT risk management program for the first time. The BEST time for the risk practitioner to start populating the risk register is when:
Which of the following MUST be assessed before considering risk treatment options for a scenario with significant impact?
A risk practitioner has observed that risk owners have approved a high number of exceptions to the information security policy. Which of the following should be the risk practitioner's GREATEST concern?
Which of the following provides the BEST evidence that risk mitigation plans have been implemented effectively?
Which of the following should be the PRIMARY recipient of reports showing the
progress of a current IT risk mitigation project?
Which of the following is the GREATEST concern when using a generic set of IT risk scenarios for risk analysis?
Who is MOST likely to be responsible for the coordination between the IT risk strategy and the business risk strategy?
Which of the following would provide executive management with the BEST information to make risk decisions as a result of a risk assessment?
An organization's financial analysis department uses an in-house forecasting application for business projections. Who is responsible for defining access roles to protect the sensitive data within this application?
Which of the following is the PRIMARY benefit of identifying and communicating with stakeholders at the onset of an IT risk assessment?
Which of the following BEST helps to balance the costs and benefits of managing IT risk?
Which of the following is the BEST way for a risk practitioner to verify that management has addressed control issues identified during a previous external audit?
A risk practitioner notices a trend of noncompliance with an IT-related control. Which of the following would BEST assist in making a recommendation to management?
During a risk assessment, the risk practitioner finds a new risk scenario without controls has been entered into the risk register. Which of the following is the MOST appropriate action?
When presenting risk, the BEST method to ensure that the risk is measurable against the organization's risk appetite is through the use of a:
Which of the following is MOST important for an organization to have in place when developing a risk management framework?
When testing the security of an IT system, il is MOST important to ensure that;
Which of the following provides the MOST important information to facilitate a risk response decision?
Which of the following is MOST important for developing effective key risk indicators (KRIs)?
Which of the following is the GREATEST risk associated with the transition of a sensitive data backup solution from on-premise to a cloud service provider?
Business areas within an organization have engaged various cloud service providers directly without assistance from the IT department. What should the risk practitioner do?
The PRIMARY objective of the board of directors periodically reviewing the risk profile is to help ensure:
An identified high probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy. Which of the following is the BEST risk response?
The BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability remediation program is the number of:
The implementation of a risk treatment plan will exceed the resources originally allocated for the risk response. Which of the following should be the risk owner's NEXT action?
When collecting information to identify IT-related risk, a risk practitioner should FIRST focus on IT:
A bank wants to send a critical payment order via email to one of its offshore branches. Which of the following is the BEST way to ensure the message reaches the intended recipient without alteration?
Which of the following should management consider when selecting a risk mitigation option?
To minimize risk in a software development project, when is the BEST time to conduct a risk analysis?
Within the three lines of defense model, the accountability for the system of internal control resides with:
Which of the following BEST helps to identify significant events that could impact an organization?
Vulnerability analysis
An organization has received notification that it is a potential victim of a cybercrime that may have compromised sensitive customer data. What should be The FIRST course of action?
Which of the following is MOST helpful in verifying that the implementation of a risk mitigation control has been completed as intended?
Controls should be defined during the design phase of system development because:
An organization has implemented a system capable of comprehensive employee monitoring. Which of the following should direct how the system is used?
An organization is considering allowing users to access company data from their personal devices. Which of the following is the MOST important factor when assessing the risk?
A risk owner has identified a risk with high impact and very low likelihood. The potential loss is covered by insurance. Which of the following should the risk practitioner do NEXT?
Prior to selecting key performance indicators (KPIs), itis MOST important to ensure:
What should a risk practitioner do FIRST when vulnerability assessment results identify a weakness in an application?
What is the GREATEST concern with maintaining decentralized risk registers instead of a consolidated risk register?
A newly enacted information privacy law significantly increases financial penalties for breaches of personally identifiable information (Pll). Which of the following will MOST likely outcome for an organization affected by the new law?
An organization's internal audit department is considering the implementation of robotics process automation (RPA) to automate certain continuous auditing tasks. Who would own the risk associated with ineffective design of the software bots?
Which of the following would BEST help secure online financial transactions from improper users?
To help ensure all applicable risk scenarios are incorporated into the risk register, it is MOST important to review the:
An organization is increasingly concerned about loss of sensitive data and asks the risk practitioner to assess the current risk level. Which of the following should the risk practitioner do FIRST?
Of the following, who should be responsible for determining the inherent risk rating of an application?
Which of the following is the BEST way to promote adherence to the risk tolerance level set by management?
A recent audit identified high-risk issues in a business unit though a previous control self-assessment (CSA) had good results. Which of the following is the MOST likely reason for the difference?
Which of the following is the BEST course of action when risk is found to be above the acceptable risk appetite?
Which of the following is the MOST relevant information to include in a risk management strategy?
Which of the following BEST facilitates the development of effective IT risk scenarios?
Which of the following is the PRIMARY reason for an organization to ensure the risk register is updated regularly?
A monthly payment report is generated from the enterprise resource planning (ERP) software to validate data against the old and new payroll systems. What is the BEST way to mitigate the risk associated with data integrity loss in the new payroll system after data migration?
An organization has raised the risk appetite for technology risk. The MOST likely result would be:
A risk practitioner is reviewing a vendor contract and finds there is no clause to control privileged access to the organization's systems by vendor employees. Which of the following is the risk practitioner's BEST course of action?
Which of the following is a crucial component of a key risk indicator (KRI) to ensure appropriate action is taken to mitigate risk?
A risk practitioner is reporting on an increasing trend of ransomware attacks in the industry. Which of the following information is MOST important to include to enable an informed response decision by key stakeholders?
Which of the following is the BEST way to determine software license compliance?
Which of the following is MOST important to sustainable development of secure IT services?
The BEST way to test the operational effectiveness of a data backup procedure is to:
Which of the following is the MOST important consideration when identifying stakeholders to review risk scenarios developed by a risk analyst? The reviewers are:
Which of the following is MOST important to ensure when continuously monitoring the performance of a client-facing application?
Which of the following will be MOST effective to mitigate the risk associated with the loss of company data stored on personal devices?
Deviation from a mitigation action plan's completion date should be determined by which of the following?
Which of the following BEST enables a proactive approach to minimizing the potential impact of unauthorized data disclosure?
Which of the following is the PRIMARY purpose of creating and documenting control procedures?
Which of the following sources is MOST relevant to reference when updating security awareness training materials?
An organization recently configured a new business division Which of the following is MOST likely to be affected?
Which of the following is the PRIMARY reason for sharing risk assessment reports with senior stakeholders?
Which of the following is a risk practitioner's MOST important responsibility in managing risk acceptance that exceeds risk tolerance?
Which of the following would BEST enable a risk-based decision when considering the use of an emerging technology for data processing?
The following is the snapshot of a recently approved IT risk register maintained by an organization's information security department.
After implementing countermeasures listed in ‘’Risk Response Descriptions’’ for each of the Risk IDs, which of the following component of the register MUST change?
Which of the following stakeholders are typically included as part of a line of defense within the three lines of defense model?
Which of the following is the MAIN benefit to an organization using key risk indicators (KRIs)?
An organization has used generic risk scenarios to populate its risk register. Which of the following presents the GREATEST challenge to assigning of the associated risk entries?
Which of the following is the MOST important consideration when developing risk strategies?
Which of the following is MOST important when conducting a post-implementation review as part of the system development life cycle (SDLC)?
Which of the following is the BEST course of action when an organization wants to reduce likelihood in order to reduce a risk level?
In order to determining a risk is under-controlled the risk practitioner will need to
When of the following standard operating procedure (SOP) statements BEST illustrates appropriate risk register maintenance?
An organization's business gap analysis reveals the need for a robust IT risk strategy. Which of the following should be the risk practitioner's PRIMARY consideration when participating in development of the new strategy?
The PRIMARY objective of collecting information and reviewing documentation when performing periodic risk analysis should be to:
Which of the following is the PRIMARY benefit of stakeholder involvement in risk scenario development?
Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities?
Which of the following is MOST important to determine when assessing the potential risk exposure of a loss event involving personal data?
When defining thresholds for control key performance indicators (KPIs). it is MOST helpful to align:
A root because analysis indicates a major service disruption due to a lack of competency of newly hired IT system administrators Who should be accountable for resolving the situation?
As pan of business continuity planning, which of the following is MOST important to include m a business impact analysis (BlA)?
Which of the following should be the PRIMARY basis for prioritizing risk responses?
Which of the following is the MOST important consideration when communicating the risk associated with technology end-of-life to business owners?
An organization is implementing robotic process automation (RPA) to streamline business processes. Given that implementation of this technology is expected to impact existing controls, which of the following is the risk practitioner's BEST course of action?
Which of the following is the GREATEST concern when establishing key risk indicators (KRIs)?
Which of the following is the MOST effective way 10 identify an application backdoor prior to implementation'?
Which organization is implementing a project to automate the purchasing process, including the modification of approval controls. Which of the following tasks is lie responsibility of the risk practitioner*?
The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for.
Which of the following is PRIMARILY a risk management responsibly of the first line of defense?
A risk practitioner recently discovered that personal information from the production environment is required for testing purposes in non-production environments. Which of the following is the BEST recommendation to address this situation?
The BEST metric to demonstrate that servers are configured securely is the total number of servers:
To define the risk management strategy which of the following MUST be set by the board of directors?
Which of the following is the BEST indication that key risk indicators (KRls) should be revised?
Which risk response strategy could management apply to both positive and negative risk that has been identified?
Which of the following BEST helps to identify significant events that could impact an organization?
An organization has experienced a cyber-attack that exposed customer personally identifiable information (Pll) and caused extended outages of network services. Which of the following stakeholders are MOST important to include in the cyber response team to determine response actions?
Which of the following would BEST facilitate the implementation of data classification requirements?
During an acquisition, which of the following would provide the MOST useful input to the parent company's risk practitioner when developing risk scenarios for the post-acquisition phase?
Which of the following would be the GREATEST concern for an IT risk practitioner when an employees.....
Which of the following provides the BEST assurance of the effectiveness of vendor security controls?
Which of the following is the PRIMARY objective of establishing an organization's risk tolerance and appetite?
Which of the following BEST facilitates the identification of appropriate key performance indicators (KPIs) for a risk management program?
Which of the following is the BEST approach for selecting controls to minimize risk?
Which of the following is the MOST effective way for a large and diversified organization to minimize risk associated with unauthorized software on company devices?
Which of the following resources is MOST helpful to a risk practitioner when updating the likelihood rating in the risk register?
Following an acquisition, the acquiring company's risk practitioner has been asked to update the organization's IT risk profile What is the MOST important information to review from the acquired company to facilitate this task?
Which of the following will BEST help to ensure implementation of corrective action plans?
Which of the following would be of GREATEST concern regarding an organization's asset management?
Which of the following is the GREATEST benefit of identifying appropriate risk owners?
Which of the following is MOST important for senior management to review during an acquisition?
A segregation of duties control was found to be ineffective because it did not account for all applicable functions when evaluating access. Who is responsible for ensuring the control is designed to effectively address risk?
What should be the PRIMARY consideration related to data privacy protection when there are plans for a business initiative to make use of personal information?
Which of the following is the MOST important benefit of reporting risk assessment results to senior management?
Which of the following would provide the MOST reliable evidence of the effectiveness of security controls implemented for a web application?
Which of the following presents the GREATEST challenge to managing an organization's end-user devices?
An organization's chief information officer (CIO) has proposed investing in a new. untested technology to take advantage of being first to market Senior management has concerns about the success of the project and has set a limit for expenditures before final approval. This conditional approval indicates the organization's risk:
Which of the following is a risk practitioner's BEST recommendation upon learning that an employee inadvertently disclosed sensitive data to a vendor?
An organization has experienced several incidents of extended network outages that have exceeded tolerance. Which of the following should be the risk practitioner's FIRST step to address this situation?
A risk practitioner has collaborated with subject matter experts from the IT department to develop a large list of potential key risk indicators (KRIs) for all IT operations within the organization of the following, who should review the completed list and select the appropriate KRIs for implementation?
Which of the following s MOST likely to deter an employee from engaging in inappropriate use of company owned IT systems?
A bank recently incorporated Blockchain technology with the potential to impact known risk within the organization. Which of the following is the risk practitioner’s BEST course of action?
Which of the following is the MOST useful information for a risk practitioner when planning response activities after risk identification?
An organization wants to launch a campaign to advertise a new product Using data analytics, the campaign can be targeted to reach potential customers. Which of the following should be of GREATEST concern to the risk practitioner?
Which of the following is the BEST way for a risk practitioner to present an annual risk management update to the board''
Which of the following is the PRIMARY objective of maintaining an information asset inventory?
An organization's recovery team is attempting to recover critical data backups following a major flood in its data center. However, key team members do not know exactly what steps should be taken to address this crisis. Which of the following is the MOST likely cause of this situation?
Which of the following is the MOST effective way to reduce potential losses due to ongoing expense fraud?
Which of the following would be a risk practitioner's GREATEST concern with the use of a vulnerability scanning tool?
Which of the following is the BEST way to help ensure risk will be managed properly after a business process has been re-engineered?
Which of the following is the BEST way to ensure adequate resources will be allocated to manage identified risk?
Which of the following findings of a security awareness program assessment would cause the GREATEST concern to a risk practitioner?
Which of the following is the BEST way to ensure data is properly sanitized while in cloud storage?
A company has recently acquired a customer relationship management (CRM) application from a certified software vendor. Which of the following will BE ST help lo prevent technical vulnerabilities from being exploded?
Which of the following situations presents the GREATEST challenge to creating a comprehensive IT risk profile of an organization?
Which of the following would be a risk practitioner’s BEST recommendation upon learning of an updated cybersecurity regulation that could impact the organization?
Which of the following is MOST important information to review when developing plans for using emerging technologies?
After the implementation of internal of Things (IoT) devices, new risk scenarios were identified. What is the PRIMARY reason to report this information to risk owners?
Using key risk indicators (KRIs) to illustrate changes in the risk profile PRIMARILY helps to:
Which of the following BEST reduces the risk associated with the theft of a laptop containing sensitive information?
When creating a separate IT risk register for a large organization, which of the following is MOST important to consider with regard to the existing corporate risk 'register?
Which of the following is the BEST way to reduce the likelihood of an individual performing a potentially harmful action as the result of unnecessary entitlement?
The MAIN reason for prioritizing IT risk responses is to enable an organization to:
When outsourcing a business process to a cloud service provider, it is MOST important to understand that:
The BEST way to validate that a risk treatment plan has been implemented effectively is by reviewing:
Which of the following is the BEST recommendation when a key risk indicator (KRI) is generating an excessive volume of events?
Which of the following is MOST important to ensure when reviewing an organization's risk register?
Which of the following is MOST important to review when an organization needs to transition the majority of its employees to remote work during a crisis?
When a risk practitioner is building a key risk indicator (KRI) from aggregated data, it is CRITICAL that the data is derived from:
An organization's capability to implement a risk management framework is PRIMARILY influenced by the:
An organization's decision to remain noncompliant with certain laws or regulations is MOST likely influenced by:
An organization has updated its acceptable use policy to mitigate the risk of employees disclosing confidential information. Which of the following is the BEST way to reinforce the effectiveness of this policy?
The results of a risk assessment reveal risk scenarios with high impact and low likelihood of occurrence. Which of the following would be the BEST action to address these scenarios?
Which of the following is the MOST important for an organization to have in place to ensure IT asset protection?
A large organization recently restructured the IT department and has decided to outsource certain functions. What action should the control owners in the IT department take?
Which of the following is the GREATEST concern if user acceptance testing (UAT) is not conducted when implementing a new application?
A risk practitioner has established that a particular control is working as desired, but the annual cost of maintenance has increased and now exceeds the expected annual loss exposure. The result is that the control is:
Which of the following is MOST important to determine as a result of a risk assessment?
Which process is MOST effective to determine relevance of threats for risk scenarios?
An application development team has a backlog of user requirements for a new system that will process insurance claim payments for customers. Which of the following should be the MOST important consideration for a risk-based review of the user requirements?
Which of the following process controls BEST mitigates the risk of an employee issuing fraudulent payments to a vendor?
During a recent security framework review, it was discovered that the marketing department implemented a non-fungible token asset program. This was done without following established risk procedures. Which of the following should the risk practitioner do FIRST?
Who should be responsible for approving the cost of controls to be implemented for mitigating risk?
A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner s NEXT step? r
A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:
Which of the following is the GREATEST benefit of having a mature enterprise architecture (EA) in place?
Which of the following is the BEST way to protect sensitive data from administrators within a public cloud?
An organizational policy requires critical security patches to be deployed in production within three weeks of patch availability. Which of the following is the BEST metric to verify adherence to the policy?
Which of the following is the PRIMARY reason for an organization to include an acceptable use banner when users log in?
Which of the following BEST enables detection of ethical violations committed by employees?
An organization allows programmers to change production systems in emergency situations. Which of the following is the BEST control?
A risk practitioner has been notified of a social engineering attack using artificial intelligence (AI) technology to impersonate senior management personnel. Which of the following would BEST mitigate the impact of such attacks?
Which of the following is the MOST important consideration when prioritizing risk response?
Reviewing which of the following would provide the MOST useful information when preparing to evaluate the effectiveness of existing controls?
Which of the following is MOST helpful when prioritizing action plans for identified risk?
Which of the following is the BEST response when a potential IT control deficiency has been identified?
Which of the following would BEST facilitate the maintenance of data classification requirements?
An organization is outsourcing a key database to be hosted by an external service provider. Who is BEST suited to assess the impact of potential data loss?
Which of the following is MOST likely to introduce risk for financial institutions that use blockchain?
Which of the following is the MOST important reason for a risk practitioner to continuously monitor a critical security transformation program?
A penetration testing team discovered an ineffectively designed access control. Who is responsible for ensuring the control design gap is remediated?
Which of the following is the PRIMARY benefit of integrating risk and security requirements in an organization's enterprise architecture (EA)?
Which of the following BEST enables an organization to address risk associated with technical complexity?
An organization requires a third party for processing customer personal data. Which of the following is the BEST approach when sharing data over a public network?
An organization retains footage from its data center security camera for 30 days when the policy requires 90-day retention The business owner challenges whether the situation is worth remediating Which of the following is the risk manager s BEST response'
Recent penetration testing of an organization's software has identified many different types of security risks. Which of the following is the MOST likely root cause for the identified risk?
Which of the following provides the BEST evidence that risk responses are effective?
A risk practitioner has been asked to evaluate the adoption of a third-party blockchain integration platform based on the value added by the platform and the organization's risk appetite. Which of the following is the risk practitioner's BEST course of action?
An organization plans to implement a new Software as a Service (SaaS) speech-to-text solution Which of the following is MOST important to mitigate risk associated with data privacy?
Which of the following is the BEST indicator of the effectiveness of a control?
Which of the following is the MOST useful input when developing risk scenarios?
Which of the following information is MOST useful to a risk practitioner for developing IT risk scenarios?
An organization's stakeholders are unable to agree on appropriate risk responses. Which of the following would be the BEST course of action?
Which of the following is the PRIMARY reason to engage business unit managers in risk management processes'?
A risk practitioner learns that a risk owner has been accepting gifts from a supplier of IT products. Some of these IT products are used to implement controls and to mitigate risk to acceptable levels. Which of the following should the risk practitioner do FIRST?
An organization has established a single enterprise-wide risk register that records high-level risk scenarios. The IT risk department has created its own register to record more granular scenarios applicable to IT. Which of the following is the BEST way to ensure alignment between these two registers?
Which of the following is MOST important for management to consider when deciding whether to invest in an IT initiative that exceeds management's risk appetite?
Which of the following will BEST help to improve an organization's risk culture?
Zero Trust architecture is designed and deployed with adherence to which of the following basic tenets?
An organization is concerned that a change in its market situation may impact the current level of acceptable risk for senior management. As a result, which of the following is MOST important to reevaluate?
Which of the following roles should be assigned accountability for monitoring risk levels?
Which of the following is MOST important when identifying an organization's risk exposure associated with Internet of Things (loT) devices?
Of the following, whose input is ESSENTIAL when developing risk scenarios for the implementation of a third-party mobile application that stores customer data?
Which of the following is the GREATEST impact of implementing a risk mitigation strategy?
Which of the following is the ULTIMATE objective of utilizing key control indicators (KCIs) in the risk management process?
Which of the following is the BEST way to mitigate the risk associated with fraudulent use of an enterprise's brand on Internet sites?
Which of the following is the MOST useful input when developing risk scenarios?
After undertaking a risk assessment of a production system, the MOST appropriate action is fcr the risk manager to
An organization has an internal control that requires all access for employees be removed within 15 days of their termination date. Which of the following should the risk practitioner use to monitor
adherence to the 15-day threshold?
Which of the following techniques is MOST helpful when quantifying the potential loss impact of cyber risk?
An organization recently implemented a machine learning-based solution to monitor IT usage and analyze user behavior in an effort to detect internal fraud. Which of the following is MOST likely to be reassessed as a result of this initiative?
An organization needs to send files to a business partner to perform a quality control audit on the organization’s record-keeping processes. The files include personal information on the organization's customers. Which of the following is the BEST recommendation to mitigate privacy risk?
Which of the following offers the SIMPLEST overview of changes in an organization's risk profile?
Who is accountable for authorizing application access in a cloud Software as a Service (SaaS) solution?
If concurrent update transactions to an account are not processed properly, which of the following will MOST likely be affected?
Which of the following would BEST indicate to senior management that IT processes are improving?
A global organization has implemented an application that does not address all privacy requirements across multiple jurisdictions. Which of the following risk responses has the organization adopted with regard to privacy requirements?
Which of the following BEST enables the timely detection of changes in the security control environment?
An organization's Internet-facing server was successfully attacked because the server did not have the latest security patches. The risk associated with poor patch management had been documented in the risk register and accepted. Who should be accountable for any related losses to the organization?
Which of the following BEST enables the development of a successful IT strategy focused on business risk mitigation?
Which of the following is the MOST useful information for prioritizing risk mitigation?
The MOST important measure of the effectiveness of risk management in project implementation is the percentage of projects:
An assessment of information security controls has identified ineffective controls. Which of the following should be the risk practitioner's FIRST course of action?
Which of the following should be a risk practitioner's GREATEST concern upon learning of failures in a data migration activity?
An organization has outsourced its IT security operations to a third party. Who is ULTIMATELY accountable for the risk associated with the outsourced operations?
A trusted third-party service provider has determined that the risk of a client's systems being hacked is low. Which of the following would be the client's BEST course of action?
IT management has asked for a consolidated view into the organization's risk profile to enable project prioritization and resource allocation. Which of the following materials would
be MOST helpful?
A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable?
An organization wants to assess the maturity of its internal control environment. The FIRST step should be to:
A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?
Which of the following is the MAIN reason for documenting the performance of controls?
Which of the following roles would provide the MOST important input when identifying IT risk scenarios?
Which of the following is the MOST effective key performance indicator (KPI) for change management?
The PRIMARY reason for a risk practitioner to review business processes is to:
Which of the following is the MOST important factor affecting risk management in an organization?
During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT. Which of the following is the BEST way for the risk practitioner to address these concerns?