Question # 4

The risk associated with an asset before controls are applied can be expressed as:

A. a function of the likelihood and impact.
B. the magnitude of an impact.
C. a function of the cost and effectiveness of control.
D. the likelihood of a given threat.
Question # 5

Which of the following is the BEST way to identify changes to the risk landscape?

A. Internal audit reports
B. Access reviews
C. Threat modeling
D. Root cause analysis
Question # 6

Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?

A. Risk tolerance is decreased.
B. Residual risk is increased.
C. Inherent risk is increased.
D. Risk appetite is decreased.
Question # 7

Which of the following will BEST mitigate the risk associated with IT and business misalignment?

A. Establishing business key performance indicators (KPIs)
B. Introducing an established framework for IT architecture
C. Establishing key risk indicators (KRIs)
D. Involving the business process owner in IT strategy
Question # 8

It is MOST appropriate for changes to be promoted to production after they are:

A. communicated to business management.
B. tested by business owners.
C. approved by the business owner.
D. initiated by business users.
Question # 9

The MOST important characteristic of an organization's policies is to reflect the organization's:

A. risk assessment methodology.
B. risk appetite.
C. capabilities.
D. asset value.
Question # 10

Which of the following is the MOST important consideration when developing an organization's risk taxonomy?

A. Leading industry frameworks
B. Business context
C. Regulatory requirements
D. IT strategy
Question # 11

Which of the following is MOST critical when designing controls?

A. Involvement of internal audit
B. Involvement of process owner
C. Quantitative impact of the risk
D. Identification of key risk indicators
Question # 12

Reviewing results from which of the following is the BEST way to identify information systems control deficiencies?

A. Vulnerability and threat analysis
B. Control remediation planning
C. User acceptance testing (UAT)
D. Control self-assessment (CSA)
Question # 13

A global organization is considering the acquisition of a competitor. Senior management has requested a review of the overall risk profile from the targeted organization. Which of the following components of this review would provide the MOST useful information?

A. Risk appetite statement
B. Enterprise risk management framework
C. Risk management policies
D. Risk register
Question # 14

Which of the following is MOST helpful to ensure effective security controls for a cloud service provider?

A. A control self-assessment
B. A third-party security assessment report
C. Internal audit reports from the vendor
D. Service level agreement monitoring
Question # 15

Which of the following helps ensure compliance with a nonrepudiation policy requirement for electronic transactions?

A. Digital signatures
B. Encrypted passwords
C. One-time passwords
D. Digital certificates
Question # 16

Which of the following should be the PRIMARY objective of promoting a risk-aware culture within an organization?

A. Better understanding of the risk appetite
B. Improving audit results
C. Enabling risk-based decision making
D. Increasing process control efficiencies
Question # 17

Management has noticed storage costs have increased exponentially over the last 10 years because most users do not delete their emails. Which of the following can BEST alleviate this issue while not sacrificing security?

A. Implementing record retention tools and techniques
B. Establishing e-discovery and data loss prevention (DLP)
C. Sending notifications when near storage quota
D. Implementing a bring your own device (BYOD) policy
Question # 18

Which of the following IT controls is MOST useful in mitigating the risk associated with inaccurate data?

A. Encrypted storage of data
B. Links to source data
C. Audit trails for updates and deletions
D. Check totals on data records and data fields
Question # 19

Which of the following should be the HIGHEST priority when developing a risk response?

A. The risk response addresses the risk with a holistic view.
B. The risk response is based on a cost-benefit analysis.
C. The risk response is accounted for in the budget.
D. The risk response aligns with the organization's risk appetite.
Question # 20

Who should be accountable for ensuring effective cybersecurity controls are established?

A. Risk owner
B. Security management function
C. IT management
D. Enterprise risk function
Question # 21

Which of the following is the MOST important consideration when multiple risk practitioners capture risk scenarios in a single risk register?

A. Aligning risk ownership and control ownership
B. Developing risk escalation and reporting procedures
C. Maintaining up-to-date risk treatment plans
D. Using a consistent method for risk assessment
Question # 22

An effective control environment is BEST indicated by controls that:

A. minimize senior management's risk tolerance.
B. manage risk within the organization's risk appetite.
C. reduce the thresholds of key risk indicators (KRIs).
D. are cost-effective to implement.
Question # 23

In an organization with a mature risk management program, which of the following would provide the BEST evidence that the IT risk profile is up to date?

A. Risk questionnaire
B. Risk register
C. Management assertion
D. Compliance manual
Question # 24

The acceptance of control costs that exceed risk exposure is MOST likely an example of:

A. low risk tolerance.
B. corporate culture misalignment.
C. corporate culture alignment.
D. high risk tolerance.
Question # 25

An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?

A. Invoke the disaster recovery plan during an incident.
B. Prepare a cost-benefit analysis of alternatives available.
C. Implement redundant infrastructure for the application.
D. Reduce the recovery time by strengthening the response team.
Question # 26

Which of the following is the MOST important data source for monitoring key risk indicators (KRIs)?

A. Directives from legal and regulatory authorities
B. Audit reports from internal information systems audits
C. Automated logs collected from different systems
D. Trend analysis of external risk factors
Question # 27

Which of the following would be MOST helpful to understand the impact of a new technology system on an organization's current risk profile?

A. Hire consultants specializing in the new technology.
B. Review existing risk mitigation controls.
C. Conduct a gap analysis.
D. Perform a risk assessment.
Question # 28

Which of the following is the BEST method to ensure a terminated employee's access to IT systems is revoked upon departure from the organization?

A. Login attempts are reconciled to a list of terminated employees.
B. A list of terminated employees is generated for reconciliation against current IT access.
C. A process to remove employee access during the exit interview is implemented.
D. The human resources (HR) system automatically revokes system access.
Question # 29

After a risk has been identified, who is in the BEST position to select the appropriate risk treatment option?

A. The risk practitioner
B. The business process owner
C. The risk owner
D. The control owner
Question # 30

A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable?

A. Business continuity manager (BCM)
B. Human resources manager (HRM)
C. Chief risk officer (CRO)
D. Chief information officer (CIO)
Question # 31

When using a third party to perform penetration testing, which of the following is the MOST important control to minimize operational impact?

A. Perform a background check on the vendor.
B. Require the vendor to sign a nondisclosure agreement.
C. Require the vendor to have liability insurance.
D. Clearly define the project scope.
Question # 32

A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security. Which of the following observations would be MOST relevant to escalate to senior management?

A. An increase in attempted distributed denial of service (DDoS) attacks
B. An increase in attempted website phishing attacks
C. A decrease in achievement of service level agreements (SLAs)
D. A decrease in remediated web security vulnerabilities
Question # 33

Which of the following is the MOST important outcome of reviewing the risk management process?

A. Assuring the risk profile supports the IT objectives
B. Improving the competencies of employees who performed the review
C. Determining what changes should be made to IS policies to reduce risk
D. Determining that procedures used in risk assessment are appropriate
Question # 34

When determining which control deficiencies are most significant, which of the following would provide the MOST useful information?

A. Risk analysis results
B. Exception handling policy
C. Vulnerability assessment results
D. Benchmarking assessments
Question # 35

IT management has asked for a consolidated view into the organization's risk profile to enable project prioritization and resource allocation. Which of the following materials would be MOST helpful?

A. IT risk register
B. List of key risk indicators
C. Internal audit reports
D. List of approved projects
Question # 36

Which of the following would BEST help to ensure that identified risk is efficiently managed?

A. Reviewing the maturity of the control environment
B. Regularly monitoring the project plan
C. Maintaining a key risk indicator for each asset in the risk register
D. Periodically reviewing controls per the risk treatment plan
Question # 37

Which of the following is the BEST indication of an improved risk-aware culture following the implementation of a security awareness training program for all employees?

A. A reduction in the number of help desk calls
B. An increase in the number of identified system flaws
C. A reduction in the number of user access resets
D. An increase in the number of incidents reported
Question # 38

Which of the following tools is MOST effective in identifying trends in the IT risk profile?

A. Risk self-assessment
B. Risk register
C. Risk dashboard
D. Risk map
Question # 39

The analysis of which of the following will BEST help validate whether suspicious network activity is malicious?

A. Logs and system events
B. Intrusion detection system (IDS) rules
C. Vulnerability assessment reports
D. Penetration test reports
Question # 40

A risk practitioner is summarizing the results of a high-profile risk assessment sponsored by senior management. The BEST way to support risk-based decisions by senior management would be to:

A. map findings to objectives.
B. provide a quantified detailed analysis.
C. recommend risk tolerance thresholds.
D. quantify key risk indicators (KRIs).
Question # 41

Which of the following would BEST help to ensure that suspicious network activity is identified?

A. Analyzing intrusion detection system (IDS) logs
B. Analyzing server logs
C. Using a third-party monitoring provider
D. Coordinating events with appropriate agencies
Question # 42

Which of the following is the MOST important characteristic of an effective risk management program?

A. Risk response plans are documented.
B. Controls are mapped to key risk scenarios.
C. Key risk indicators are defined.
D. Risk ownership is assigned.
Question # 43

A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?

A. Document the finding in the risk register.
B. Invoke the incident response plan.
C. Re-evaluate key risk indicators.
D. Modify the design of the control.
Question # 44

A risk assessment has identified that departments have installed their own WiFi access points on the enterprise network. Which of the following would be MOST important to include in a report to senior management?

A. The network security policy
B. Potential business impact
C. The WiFi access point configuration
D. Planned remediation actions
Question # 45

A trusted third-party service provider has determined that the risk of a client's systems being hacked is low. Which of the following would be the client's BEST course of action?

A. Perform their own risk assessment.
B. Implement additional controls to address the risk.
C. Accept the risk based on the third party's risk assessment.
D. Perform an independent audit of the third party.
Question # 46

Which of the following is of GREATEST concern when uncontrolled changes are made to the control environment?

A. A decrease in control layering effectiveness
B. An increase in inherent risk
C. An increase in control vulnerabilities
D. An increase in the level of residual risk
Question # 47

An audit reveals that several terminated employee accounts maintain access. Which of the following should be the FIRST step to address the risk?

A. Perform a risk assessment.
B. Disable user access.
C. Develop an access control policy.
D. Perform root cause analysis.
Question # 48

After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:

A. recommend a program that minimizes the concerns of that production system.
B. inform the development team of the concerns, and together formulate risk reduction measures.
C. inform the process owner of the concerns and propose measures to reduce them.
D. inform the IT manager of the concerns and propose measures to reduce them.
Question # 49

Which of the following would BEST help minimize the risk associated with social engineering threats?

A. Enforcing employee sanctions
B. Conducting phishing exercises
C. Enforcing segregation of duties
D. Reviewing the organization's risk appetite
Question # 50

A risk owner should be the person accountable for:

A. the risk management process.
B. managing controls.
C. implementing actions.
D. the business process.
Question # 51

Which of the following provides the BEST evidence that risk mitigation plans have been implemented effectively?

A. Self-assessments by process owners
B. Mitigation plan progress reports
C. Risk owner attestation
D. Change in the level of residual risk
Question # 52

Which of the following provides the MOST important information to facilitate a risk response decision?

A. Audit findings
B. Risk appetite
C. Key risk indicators
D. Industry best practices
Question # 53

Which of the following should an organization perform to forecast the effects of a disaster?

A. Develop a business impact analysis (BIA).
B. Define recovery time objectives (RTO).
C. Analyze capability maturity model gaps.
D. Simulate a disaster recovery.
Question # 54

During the initial risk identification process for a business application, it is MOST important to include which of the following stakeholders?

A. Business process owners
B. Business process consumers
C. Application architecture team
D. Internal audit
Question # 55

A software developer has administrative access to a production application. Which of the following should be of GREATEST concern to a risk practitioner?

A. The administrative access does not allow for activity log monitoring.
B. The administrative access does not follow password management protocols.
C. The administrative access represents a deviation from corporate policy.
D. The administrative access represents a segregation of duties conflict.
Question # 56

Risk aggregation in a complex organization will be MOST successful when:

A. using the same scales in assessing risk.
B. utilizing industry benchmarks.
C. using reliable qualitative data for risk items.
D. including primarily low level risk factors.
Question # 57

Which of the following is the PRIMARY reason to update a risk register with risk assessment results?

A. To communicate the level and priority of assessed risk to management
B. To provide a comprehensive inventory of risk across the organization
C. To assign a risk owner to manage the risk
D. To enable the creation of action plans to address risk
Question # 58

As part of an overall IT risk management plan, an IT risk register BEST helps management:

A. align IT processes with business objectives.
B. communicate the enterprise risk management policy.
C. stay current with existing control status.
D. understand the organizational risk profile.
Question # 59

A risk practitioner is reviewing a vendor contract and finds there is no clause to control privileged access to the organization's systems by vendor employees. Which of the following is the risk practitioner's BEST course of action?

A. Contact the control owner to determine if a gap in controls exists.
B. Add this concern to the risk register and highlight it for management review.
C. Report this concern to the contracts department for further action.
D. Document this concern as a threat and conduct an impact analysis.
Question # 60

Which of the following is the GREATEST concern associated with business end users developing their own applications on end user spreadsheets and database programs?

A. An IT project manager is not assigned to oversee development.
B. Controls are not applied to the applications.
C. There is a lack of technology recovery options.
D. The applications are not captured in the risk profile.
Question # 61

Which of the following statements BEST describes risk appetite?

A. The amount of risk an organization is willing to accept
B. The effective management of risk and internal control environments
C. Acceptable variation between risk thresholds and business objectives
D. The acceptable variation relative to the achievement of objectives
Question # 62

Which of the following is a detective control?

A. Limit check
B. Periodic access review
C. Access control software
D. Rerun procedures
Question # 63

A bank is experiencing an increasing incidence of customer identity theft. Which of the following is the BEST way to mitigate this risk?

A. Implement monitoring techniques.
B. Implement layered security.
C. Outsource to a local processor.
D. Conduct an awareness campaign.
Question # 64

Which of the following is the GREATEST risk associated with the use of data analytics?

A. Distributed data sources
B. Manual data extraction
C. Incorrect data selection
D. Excessive data volume
Question # 65

Which of the following is the PRIMARY role of the board of directors in corporate risk governance?

A. Approving operational strategies and objectives
B. Monitoring the results of actions taken to mitigate risk
C. Ensuring the effectiveness of the risk management program
D. Ensuring risk scenarios are identified and recorded in the risk register
Question # 66

An organization has outsourced its lease payment process to a service provider who lacks evidence of compliance with a necessary regulatory standard. Which risk treatment was adopted by the organization?

A. Acceptance
B. Transfer
C. Mitigation
D. Avoidance
Question # 67

Which of the following is the BEST way to identify changes in the risk profile of an organization?

A. Monitor key risk indicators (KRIs).
B. Monitor key performance indicators (KPIs).
C. Interview the risk owner.
D. Conduct a gap analysis.
Question # 68

A risk practitioner observes that the fraud detection controls in an online payment system do not perform as expected. Which of the following will MOST likely change as a result?

A. Impact
B. Residual risk
C. Inherent risk
D. Risk appetite
Question # 69

The BEST way to test the operational effectiveness of a data backup procedure is to:

A. conduct an audit of files stored offsite.
B. interview employees to compare actual with expected procedures.
C. inspect a selection of audit trails and backup logs.
D. demonstrate a successful recovery from backup files.
Question # 70

After mapping generic risk scenarios to organizational security policies, the NEXT course of action should be to:

A. record risk scenarios in the risk register for analysis.
B. validate the risk scenarios for business applicability.
C. reduce the number of risk scenarios to a manageable set.
D. perform a risk analysis on the risk scenarios.
Question # 71

IT disaster recovery point objectives (RPOs) should be based on the:

A. maximum tolerable downtime.
B. maximum tolerable loss of data.
C. need of each business unit.
D. type of business.
Question # 72

When reporting risk assessment results to senior management, which of the following is MOST important to include to enable risk-based decision making?

A. Risk action plans and associated owners
B. Recent audit and self-assessment results
C. Potential losses compared to treatment cost
D. A list of assets exposed to the highest risk
Question # 73

Which of the following should be the risk practitioner's FIRST course of action when an organization has decided to expand into new product areas?

A. Identify any new business objectives with stakeholders.
B. Present a business case for new controls to stakeholders.
C. Revise the organization's risk and control policy.
D. Review existing risk scenarios with stakeholders.
Question # 74

A payroll manager discovers that fields in certain payroll reports have been modified without authorization. Which of the following control weaknesses could have contributed MOST to this problem?

A. The user requirements were not documented.
B. Payroll files were not under the control of a librarian.
C. The programmer had access to the production programs.
D. The programmer did not involve the user in testing.
Question # 75

An IT risk practitioner is evaluating an organization's change management controls over the last six months. The GREATEST concern would be an increase in:

A. rolled back changes below management's thresholds.
B. change-related exceptions per month.
C. the average implementation time for changes.
D. number of user stories approved for implementation.
Question # 76

A risk practitioner notices that a particular key risk indicator (KRI) has remained below its established trigger point for an extended period of time. Which of the following should be done FIRST?

A. Recommend a re-evaluation of the current threshold of the KRI.
B. Notify management that KRIs are being effectively managed.
C. Update the risk rating associated with the KRI in the risk register.
D. Update the risk tolerance and risk appetite to better align to the KRI.
Question # 77

When establishing leading indicators for the information security incident response process, it is MOST important to consider the percentage of reported incidents:

A. that result in a full root cause analysis.
B. used for verification within the SLA.
C. that are verified as actual incidents.
D. resolved within the SLA.
Question # 78

Mapping open risk issues to an enterprise risk heat map BEST facilitates:

A. risk response.
B. control monitoring.
C. risk identification.
D. risk ownership.
Question # 79

An organization has recently updated its disaster recovery plan (DRP). Which of the following would be the GREATEST risk if the new plan is not tested?

A. External resources may need to be involved.
B. Data privacy regulations may be violated.
C. Recovery costs may increase significantly.
D. Service interruptions may be longer than anticipated.
Question # 80

Which of the following provides the MOST helpful information in identifying risk in an organization?

A. Risk registers
B. Risk analysis
C. Risk scenarios
D. Risk responses
Question # 81

An organization is planning to acquire a new financial system. Which of the following stakeholders would provide the MOST relevant information for analyzing the risk associated with the new IT solution?

A. Project sponsor
B. Process owner
C. Risk manager
D. Internal auditor
Question # 82

An organization plans to migrate sensitive information to a public cloud infrastructure. Which of the following is the GREATEST security risk in this scenario?

A. Data may be commingled with other tenants' data.
B. System downtime does not meet the organization's thresholds.
C. The infrastructure will be managed by the public cloud administrator.
D. The cloud provider is not independently certified.
Question # 83

Who is PRIMARILY accountable for risk treatment decisions?

A. Risk owner
B. Business manager
C. Data owner
D. Risk manager
Question # 84

Which of the following is MOST helpful in identifying gaps between the current and desired state of the IT risk environment?

A. Analyzing risk appetite and tolerance levels
B. Assessing identified risk and recording results in the risk register
C. Evaluating risk scenarios and assessing current controls
D. Reviewing guidance from industry best practices and standards
Question # 85

Which of the following is the MOST important component of effective security incident response?

A. Network time protocol synchronization
B. Identification of attack sources
C. Early detection of breaches
D. A documented communications plan
Question # 86

Which of the following activities should be performed FIRST when establishing IT risk management processes?

A. Collect data of past incidents and lessons learned.
B. Conduct a high-level risk assessment based on the nature of business.
C. Identify the risk appetite of the organization.
D. Assess the goals and culture of the organization.
Question # 87

An audit reveals that there are changes in the environment that are not reflected in the risk profile. Which of the following is the BEST course of action?

A. Review the risk identification process.
B. Inform the risk scenario owners.
C. Create a risk awareness communication plan.
D. Update the risk register.
Question # 88

An IT license audit has revealed that there are several unlicensed copies of co be to:

A. immediately uninstall the unlicensed software from the laptops.
B. centralize administration rights on laptops so that installations are controlled.
C. report the issue to management so appropriate action can be taken.
D. procure the requisite licenses for the software to minimize business impact.
Question # 89

Which of the following is the FIRST step when developing a business case to drive the adoption of a risk remediation project by senior management?

A. Calculating the cost
B. Analyzing cost-effectiveness
C. Determining the stakeholders
D. Identifying the objectives
Question # 90

Which of the following should be initiated when a high number of noncompliant conditions are observed during review of a control procedure?

A. Disciplinary action
B. A control self-assessment
C. A review of the awareness program
D. Root cause analysis
Question # 91

The risk associated with data loss from a website which contains sensitive customer information is BEST owned by:

A. the third-party website manager.
B. the business process owner.
C. IT security.
D. the compliance manager.
Question # 92

When communicating changes in the IT risk profile, which of the following should be included to BEST enable stakeholder decision making?

A. List of recent incidents affecting industry peers
B. Results of external attacks and related compensating controls
C. Gaps between current and desired states of the control environment
D. Review of leading IT risk management practices within the industry
Question # 93

Which of the following would qualify as a key performance indicator (KPI)?

A. Aggregate risk of the organization
B. Number of identified system vulnerabilities
C. Number of exception requests processed in the past 90 days
D. Number of attacks against the organization's website
Question # 94

Which of the following would prompt changes in key risk indicator (KRI) thresholds?

A. Changes to the risk register
B. Changes in risk appetite or tolerance
C. Modification to risk categories
D. Knowledge of new and emerging threats
Question # 95

Which of the following will BEST ensure that information security risk factors are mitigated when developing in-house applications?

A. Identify information security controls in the requirements analysis.
B. Identify key risk indicators (KRIs) as process output.
C. Design key performance indicators (KPIs) for security in system specifications.
D. Include information security control specifications in business cases.
Question # 96

A newly enacted information privacy law significantly increases financial penalties for breaches of personally identifiable information (PII). Which of the following is the MOST likely outcome for an organization affected by the new law?

A. Increase in compliance breaches
B. Increase in loss event impact
C. Increase in residual risk
D. Increase in customer complaints
Question # 97

An organization has outsourced a critical process involving highly regulated data to a third party with servers located in a foreign country. Who is accountable for the confidentiality of this data?

A. Third-party data custodian
B. Data custodian
C. Regional office executive
D. Data owner
Question # 98

An organization has identified that terminated employee accounts are not disabled or deleted within the time required by corporate policy. Unsure of the reason, the organization has decided to monitor the situation for three months to obtain more information. As a result of this decision, the risk has been:

A. avoided.
B. accepted.
C. mitigated.
D. transferred.
Question # 99

What are the MOST essential attributes of an effective key control indicator (KCI)?

A. Flexibility and adaptability
B. Measurability and consistency
C. Robustness and resilience
D. Optimal cost and benefit
Question # 100

What is the PRIMARY purpose of a business impact analysis (BIA)?

A.

To determine the likelihood and impact of threats to business operations

B.

To identify important business processes in the organization

C.

To estimate resource requirements for related business processes

D.

To evaluate the priority of business operations in case of disruption

Question # 101

Which of the following poses the GREATEST risk to an organization's operations during a major IT transformation?

A.

Lack of robust awareness programs

B.

Infrequent risk assessments of key controls

C.

Rapid changes in IT procedures

D.

Unavailability of critical IT systems

Question # 102

The MAIN purpose of reviewing a control after implementation is to validate that the control:

A.

operates as intended.

B.

is being monitored.

C.

meets regulatory requirements.

D.

operates efficiently.

Question # 103

Which of the following should be an element of the risk appetite of an organization?

A.

The effectiveness of compensating controls

B.

The enterprise's capacity to absorb loss

C.

The residual risk affected by preventive controls

D.

The amount of inherent risk considered appropriate

Question # 104

Which of the following will be the GREATEST concern when assessing the risk profile of an organization?

A.

The risk profile was not updated after a recent incident

B.

The risk profile was developed without using industry standards.

C.

The risk profile was last reviewed two years ago.

D.

The risk profile does not contain historical loss data.

Question # 105

While reviewing the risk register, a risk practitioner notices that different business units have significant variances in inherent risk for the same risk scenario. Which of the following is the BEST course of action?

A.

Update the risk register with the average of residual risk for both business units.

B.

Review the assumptions of both risk scenarios to determine whether the variance is reasonable.

C.

Update the risk register to ensure both risk scenarios have the highest residual risk.

D.

Request that both business units conduct another review of the risk.

Question # 106

From a risk management perspective, the PRIMARY objective of using maturity models is to enable:

A.

solution delivery.

B.

resource utilization.

C.

strategic alignment.

D.

performance evaluation.

Question # 107

Which of the following is the BEST course of action to help reduce the probability of an incident recurring?

A.

Perform a risk assessment.

B.

Perform root cause analysis.

C.

Initiate disciplinary action.

D.

Update the incident response plan.

Question # 108

When developing a risk awareness training program, which of the following training topics would BEST facilitate a thorough understanding of risk scenarios?

A.

Mapping threats to organizational objectives

B.

Reviewing past audits

C.

Analyzing key risk indicators (KRIs)

D.

Identifying potential sources of risk

Question # 109

Which of the following provides the MOST up-to-date information about the effectiveness of an organization's overall IT control environment?

A.

Key performance indicators (KPIs)

B.

Risk heat maps

C.

Internal audit findings

D.

Periodic penetration testing

Question # 110

Which of the following BEST facilitates the alignment of IT risk management with enterprise risk management (ERM)?

A.

Adopting qualitative enterprise risk assessment methods

B.

Linking IT risk scenarios to technology objectives

C.

Linking IT risk scenarios to enterprise strategy

D.

Adopting quantitative enterprise risk assessment methods

Question # 111

Which of the following is PRIMARILY a risk management responsibility of the first line of defense?

A.

Implementing risk treatment plans

B.

Validating the status of risk mitigation efforts

C.

Establishing risk policies and standards

D.

Conducting independent reviews of risk assessment results

Question # 112

When reviewing a report on the performance of control processes, it is MOST important to verify whether the:

A.

business process objectives have been met.

B.

control adheres to regulatory standards.

C.

residual risk objectives have been achieved.

D.

control process is designed effectively.

Question # 113

An information system for a key business operation is being moved from an in-house application to a Software as a Service (SaaS) vendor. Which of the following will have the GREATEST impact on the ability to monitor risk?

A.

Reduced ability to evaluate key risk indicators (KRIs)

B.

Reduced access to internal audit reports

C.

Dependency on the vendor's key performance indicators (KPIs)

D.

Dependency on service level agreements (SLAs)

Question # 114

Which of the following is MOST important to compare against the corporate risk profile?

A.

Industry benchmarks

B.

Risk tolerance

C.

Risk appetite

D.

Regulatory compliance

Question # 115

Which of the following should be management's PRIMARY focus when key risk indicators (KRIs) begin to rapidly approach defined thresholds?

A.

Designing compensating controls

B.

Determining if KRIs have been updated recently

C.

Assessing the effectiveness of the incident response plan

D.

Determining what has changed in the environment

Question # 116

Which of the following is the MOST important responsibility of a risk owner?

A.

Testing control design

B.

Accepting residual risk

C.

Establishing business information criteria

D.

Establishing the risk register

Question # 117

An organization maintains independent departmental risk registers that are not automatically aggregated. Which of the following is the GREATEST concern?

A.

Management may be unable to accurately evaluate the risk profile.

B.

Resources may be inefficiently allocated.

C.

The same risk factor may be identified in multiple areas.

D.

Multiple risk treatment efforts may be initiated to treat a given risk.

Question # 118

A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:

A.

updating the risk register.

B.

documenting the risk scenarios.

C.

validating the risk scenarios.

D.

identifying risk mitigation controls.

Question # 119

Which of the following criteria associated with key risk indicators (KRIs) BEST enables effective risk monitoring?

A.

Approval by senior management

B.

Low cost of development and maintenance

C.

Sensitivity to changes in risk levels

D.

Use of industry risk data sources

Question # 120

Which of the following will BEST support management reporting on risk?

A.

Control self-assessment (CSA)

B.

Risk policy requirements

C.

A risk register

D.

Key performance indicators (KPIs)

Question # 121

The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for:

A.

data logging and monitoring

B.

data mining and analytics

C.

data classification and labeling

D.

data retention and destruction

Question # 122

When an organization’s disaster recovery plan (DRP) has a reciprocal agreement, which of the following risk treatment options is being applied?

A.

Acceptance

B.

Mitigation

C.

Transfer

D.

Avoidance

Question # 123

Which of the following BEST indicates whether security awareness training is effective?

A.

User self-assessment

B.

User behavior after training

C.

Course evaluation

D.

Quality of training materials

Question # 124

Which of the following is the BEST evidence of an effective risk treatment plan?

A.

The inherent risk is below the asset residual risk.

B.

Remediation cost is below the asset business value.

C.

The risk tolerance threshold is above the asset residual risk.

D.

Remediation is completed within the asset recovery time objective (RTO).

Question # 125

An IT control gap has been identified in a key process. Who would be the MOST appropriate owner of the risk associated with this gap?

A.

Key control owner

B.

Operational risk manager

C.

Business process owner

D.

Chief information security officer (CISO)

Question # 126

Which of the following would be the result of a significant increase in the motivation of a malicious threat actor?

A.

Increase in mitigating control costs

B.

Increase in risk event impact

C.

Increase in risk event likelihood

D.

Increase in cybersecurity premium

Question # 127

An organization discovers significant vulnerabilities in a recently purchased commercial off-the-shelf software product which will not be corrected until the next release. Which of the following is the risk manager's BEST course of action?

A.

Review the risk of implementing versus postponing with stakeholders.

B.

Run vulnerability testing tools to independently verify the vulnerabilities.

C.

Review software license to determine the vendor's responsibility regarding vulnerabilities.

D.

Require the vendor to correct significant vulnerabilities prior to installation.

Question # 128

Which of the following is the GREATEST benefit when enterprise risk management (ERM) provides oversight of IT risk management?

A.

Aligning IT with short-term and long-term goals of the organization

B.

Ensuring the IT budget and resources focus on risk management

C.

Ensuring senior management's primary focus is on the impact of identified risk

D.

Prioritizing internal departments that provide service to customers

Question # 129

After the review of a risk record, internal audit questioned why the risk was lowered from medium to low. Which of the following is the BEST course of action in responding to this inquiry?

A.

Obtain industry benchmarks related to the specific risk.

B.

Provide justification for the lower risk rating.

C.

Notify the business at the next risk briefing.

D.

Reopen the risk issue and complete a full assessment.

Question # 130

Which of the following is MOST important to the successful development of IT risk scenarios?

A.

Cost-benefit analysis

B.

Internal and external audit reports

C.

Threat and vulnerability analysis

D.

Control effectiveness assessment

Question # 131

Which of the following BEST informs decision-makers about the value of a notice and consent control for the collection of personal information?

A.

A comparison of the costs of notice and consent control options

B.

Examples of regulatory fines incurred by industry peers for noncompliance

C.

A report of critical controls showing the importance of notice and consent

D.

A cost-benefit analysis of the control versus probable legal action

Question # 132

Which of the following is the MOST effective way to incorporate stakeholder concerns when developing risk scenarios?

A.

Evaluating risk impact

B.

Establishing key performance indicators (KPIs)

C.

Conducting internal audits

D.

Creating quarterly risk reports

Question # 133

Which of the following is the MOST appropriate action when a tolerance threshold is exceeded?

A.

Communicate potential impact to decision makers.

B.

Research the root cause of similar incidents.

C.

Verify the response plan is adequate.

D.

Increase human resources to respond in the interim.

Question # 134

Participants in a risk workshop have become focused on the financial cost to mitigate risk rather than choosing the most appropriate response. Which of the following is the BEST way to address this type of issue in the long term?

A.

Perform a return on investment analysis.

B.

Review the risk register and risk scenarios.

C.

Calculate annualized loss expectancy of risk scenarios.

D.

Raise the maturity of organizational risk management.

Question # 135

The PRIMARY purpose of IT control status reporting is to:

A.

ensure compliance with IT governance strategy.

B.

assist internal audit in evaluating and initiating remediation efforts.

C.

benchmark IT controls with industry standards.

D.

facilitate the comparison of the current and desired states.

Question # 136

Which of the following controls are BEST strengthened by a clear organizational code of ethics?

A.

Detective controls

B.

Administrative controls

C.

Technical controls

D.

Preventive controls

Question # 137

The BEST key performance indicator (KPI) to measure the effectiveness of a backup process would be the number of:

A.

resources to monitor backups

B.

restoration monitoring reports

C.

backup recovery requests

D.

recurring restore failures

Question # 138

An organization learns of a new ransomware attack affecting organizations worldwide. Which of the following should be done FIRST to reduce the likelihood of infection from the attack?

A.

Identify systems that are vulnerable to being exploited by the attack.

B.

Confirm with the antivirus solution vendor whether the next update will detect the attack.

C.

Verify the data backup process and confirm which backups are the most recent ones available.

D.

Obtain approval for funding to purchase a cyber insurance plan.

Question # 139

An employee lost a personal mobile device that may contain sensitive corporate information. What should be the risk practitioner's recommendation?

A.

Conduct a risk analysis.

B.

Initiate a remote data wipe.

C.

Invoke the incident response plan.

D.

Disable the user account.

Question # 140

Which of the following is the BEST indication that key risk indicators (KRIs) should be revised?

A.

A decrease in the number of critical assets covered by risk thresholds

B.

An increase in the number of risk threshold exceptions

C.

An increase in the number of change events pending management review

D.

A decrease in the number of key performance indicators (KPIs)

Question # 141

Which of the following should be done FIRST when information is no longer required to support business objectives?

A.

Archive the information to a backup database.

B.

Protect the information according to the classification policy.

C.

Assess the information against the retention policy.

D.

Securely and permanently erase the information.

Question # 142

Which of the following should be considered when selecting a risk response?

A.

Risk scenarios analysis

B.

Risk response costs

C.

Risk factor awareness

D.

Risk factor identification

Question # 143

Who is BEST suited to provide objective input when updating residual risk to reflect the results of control effectiveness?

A.

Control owner

B.

Risk owner

C.

Internal auditor

D.

Compliance manager

Question # 144

The design of procedures to prevent fraudulent transactions within an enterprise resource planning (ERP) system should be based on:

A.

stakeholder risk tolerance.

B.

benchmarking criteria.

C.

suppliers used by the organization.

D.

the control environment.

Question # 145

Which element of an organization's risk register is MOST important to update following the commissioning of a new financial reporting system?

A.

Key risk indicators (KRIs)

B.

The owner of the financial reporting process

C.

The risk rating of affected financial processes

D.

The list of relevant financial controls
