An organization has decided to postpone the assessment and treatment of several risk scenarios because stakeholders are unavailable. As a result of this decision, the risk associated with these new entries has been;
Which of the following is the MOST cost-effective way to test a business continuity plan?
Which of the following is the BEST way to ensure adequate resources will be allocated to manage identified risk?
An organization has used generic risk scenarios to populate its risk register. Which of the following presents the GREATEST challenge to assigning of the associated risk entries?
Which of the following is the BEST key performance indicator (KPI) to measure how effectively risk management practices are embedded in the project management office (PMO)?
The BEST key performance indicator (KPI) to measure the effectiveness of the security patching process is the percentage of patches installed:
The PRIMARY objective of collecting information and reviewing documentation when performing periodic risk analysis should be to:
Which of the following BEST mitigates the risk of sensitive personal data leakage from a software development environment?
A deficient control has been identified which could result in great harm to an organization should a low frequency threat event occur. When communicating the associated risk to senior management the risk practitioner should explain:
Days before the realization of an acquisition, a data breach is discovered at the company to be acquired. For the accruing organization, this situation represents which of the following?
Which of The following is the MOST comprehensive input to the risk assessment process specific to the effects of system downtime?
An organization has implemented a preventive control to lock user accounts after three unsuccessful login attempts. This practice has been proven to be unproductive, and a change in the control threshold value has been recommended. Who should authorize changing this threshold?
A risk manager has determined there is excessive risk with a particular technology. Who is the BEST person to own the unmitigated risk of the technology?
Which of the following is the GREATEST risk associated with an environment that lacks documentation of the architecture?
Which of the following would be MOST useful to senior management when determining an appropriate risk response?
What is the PRIMARY reason to periodically review key performance indicators (KPIs)?
An organization discovers significant vulnerabilities in a recently purchased commercial off-the-shelf software product which will not be corrected until the next release. Which of the following is the risk manager's BEST course of action?
During implementation of an intrusion detection system (IDS) to monitor network traffic, a high number of alerts is reported. The risk practitioner should recommend to:
Reviewing historical risk events is MOST useful for which of the following processes within the risk management life cycle?
An IT risk practitioner is evaluating an organization's change management controls over the last six months. The GREATEST concern would be an increase in:
Which of the following is the PRIMARY benefit of using an entry in the risk register to track the aggregate risk associated with server failure?
When developing risk treatment alternatives for a Business case, it is MOST helpful to show risk reduction based on:
Which of the following BEST facilitates the mitigation of identified gaps between current and desired risk environment states?
Which of the following provides the MOST up-to-date information about the effectiveness of an organization's overall IT control environment?
Which of the following controls BEST enables an organization to ensure a complete and accurate IT asset inventory?
Which of the following is the BEST course of action to help reduce the probability of an incident recurring?
Which of the following is the MOST appropriate action when a tolerance threshold is exceeded?
Which of the following is the BEST method for assessing control effectiveness against technical vulnerabilities that could be exploited to compromise an information system?
After the review of a risk record, internal audit questioned why the risk was lowered from medium to low. Which of the following is the BEST course of action in responding to this inquiry?
Of the following, who is responsible for approval when a change in an application system is ready for release to production?
Information security officer
B. IT risk manager
C. Business owner
D. Chief risk officer (CRO)
While conducting an organization-wide risk assessment, it is noted that many of the information security policies have not changed in the past three years. The BEST course of action is to:
An organization outsources the processing of us payroll data A risk practitioner identifies a control weakness at the third party trial exposes the payroll data. Who should own this risk?
An IT department has organized training sessions to improve user awareness of organizational information security policies. Which of the following is the BEST key performance indicator (KPI) to reflect effectiveness of the training?
Who is BEST suited to determine whether a new control properly mitigates data loss risk within a system?
An organization is preparing to transfer a large number of customer service representatives to the sales department. Of the following, who is responsible for mitigating the risk associated with residual system access?
When reporting on the performance of an organization's control environment including which of the following would BEST inform stakeholders risk decision-making?
An organization learns of a new ransomware attack affecting organizations worldwide. Which of the following should be done FIRST to reduce the likelihood of infection from the attack?
Which of the following BEST assists in justifying an investment in automated controls?
During an internal IT audit, an active network account belonging to a former employee was identified. Which of the following is the BEST way to prevent future occurrences?
Which of tie following is We MOST important consideration when implementing ethical remote work monitoring?
The BEST way to obtain senior management support for investment in a control implementation would be to articulate the reduction in:
Which of the following tasks should be completed prior to creating a disaster recovery plan (DRP)?
Which of the following provides the BEST evidence that a selected risk treatment plan is effective?
A risk practitioner is preparing a report to communicate changes in the risk and control environment. The BEST way to engage stakeholder attention is to:
The BEST reason to classify IT assets during a risk assessment is to determine the:
A highly regulated organization acquired a medical technology startup company that processes sensitive personal information with weak data protection controls. Which of the following is the BEST way for the acquiring company to reduce its risk while still enabling the flexibility needed by the startup company?
The PRIMARY benefit of using a maturity model is that it helps to evaluate the:
Which of the following is the MOST important technology control to reduce the likelihood of fraudulent payments committed internally?
During a risk treatment plan review, a risk practitioner finds the approved risk action plan has not been completed However, there were other risk mitigation actions implemented. Which of the fallowing is the BEST course of action?
Which of the following would MOST likely cause a risk practitioner to change the likelihood rating in the risk register?
Which of the following would be MOST important for a risk practitioner to provide to the internal audit department during the audit planning process?
Which of the following controls will BEST detect unauthorized modification of data by a database administrator?
A global organization is considering the acquisition of a competitor. Senior management has requested a review of the overall risk profile from the targeted organization. Which of the following components of this review would provide the MOST useful information?
An organization has outsourced its IT security operations to a third party. Who is ULTIMATELY accountable for the risk associated with the outsourced operations?
Which of the following is MOST helpful to ensure effective security controls for a cloud service provider?
The head of a business operations department asks to review the entire IT risk register. Which of the following would be the risk manager s BEST approach to this request before sharing the register?
Which of the following will BEST mitigate the risk associated with IT and business misalignment?
A risk practitioners PRIMARY focus when validating a risk response action plan should be that risk response:
Which of the following is of GREATEST concern when uncontrolled changes are made to the control environment?
Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited. Which of the following would be the BEST response to this scenario?
Which of the following would BEST help an enterprise prioritize risk scenarios?
Which of the following is the BEST method to ensure a terminated employee's access to IT systems is revoked upon departure from the organization?
When reviewing management's IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?
Establishing and organizational code of conduct is an example of which type of control?
Which of the following elements of a risk register is MOST likely to change as a result of change in management's risk appetite?
An audit reveals that several terminated employee accounts maintain access. Which of the following should be the FIRST step to address the risk?
A risk practitioner is summarizing the results of a high-profile risk assessment sponsored by senior management. The BEST way to support risk-based decisions by senior management would be to:
Which of the following is MOST helpful in defining an early-warning threshold associated with insufficient network bandwidth''
A key risk indicator (KRI) is reported to senior management on a periodic basis as exceeding thresholds, but each time senior management has decided to take no action to reduce the risk. Which of the following is the MOST likely reason for senior management's response?
Periodically reviewing and updating a risk register with details on identified risk factors PRIMARILY helps to:
A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?
Which of the following is MOST important to understand when determining an appropriate risk assessment approach?
Which of the following risk register updates is MOST important for senior management to review?
Which of the following is the BEST metric to demonstrate the effectiveness of an organization's change management process?
Which of the following is the PRIMARY reason to perform ongoing risk assessments?
An unauthorized individual has socially engineered entry into an organization's secured physical premises. Which of the following is the BEST way to prevent future occurrences?
Which of the following is the MOST important consideration when developing an organization's risk taxonomy?
When using a third party to perform penetration testing, which of the following is the MOST important control to minimize operational impact?
A risk practitioner has identified that the organization's secondary data center does not provide redundancy for a critical application. Who should have the authority to accept the associated risk?
Which of the following is the BEST approach to use when creating a comprehensive set of IT risk scenarios?
Improvements in the design and implementation of a control will MOST likely result in an update to:
An organization has procured a managed hosting service and just discovered the location is likely to be flooded every 20 years. Of the following, who should be notified of this new information FIRST.
Which of the following attributes of a key risk indicator (KRI) is MOST important?
An organization is planning to engage a cloud-based service provider for some of its data-intensive business processes. Which of the following is MOST important to help define the IT risk associated with this outsourcing activity?
To implement the MOST effective monitoring of key risk indicators (KRIs), which of the following needs to be in place?
Management has noticed storage costs have increased exponentially over the last 10 years because most users do not delete their emails. Which of the following can BEST alleviate this issue while not sacrificing security?
Which of the following IT controls is MOST useful in mitigating the risk associated with inaccurate data?
During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT. Which of the following is the BEST way for the risk practitioner to address these concerns?
Which of the following is the PRIMARY factor in determining a recovery time objective (RTO)?
Which of the following should be the PRIMARY input when designing IT controls?
Which of the following is the BEST way to identify changes to the risk landscape?
Which of the following provides the BEST evidence that risk mitigation plans have been implemented effectively?
Which of the following would be the BEST justification to invest in the development of a governance, risk, and compliance (GRC) solution?
Which of the following is the BEST way to support communication of emerging risk?
Which of the following is MOST influential when management makes risk response decisions?
An organization has decided to implement an emerging technology and incorporate the new capabilities into its strategic business plan. Business operations for the technology will be outsourced. What will be the risk practitioner's PRIMARY role during the change?
After mapping generic risk scenarios to organizational security policies, the NEXT course of action should be to:
Reviewing results from which of the following is the BEST way to identify information systems control deficiencies?
Which of the following is the BEST approach for determining whether a risk action plan is effective?
Which of the following is MOST important to understand when developing key risk indicators (KRIs)?
An organization's risk tolerance should be defined and approved by which of the following?
Which of the following is MOST important for an organization that wants to reduce IT operational risk?
Which of the following would be MOST relevant to stakeholders regarding ineffective control implementation?
Which of the following is the BEST way to assess the effectiveness of an access management process?
An organization has granted a vendor access to its data in order to analyze customer behavior. Which of the following would be the MOST effective control to mitigate the risk of customer data leakage?
Which of the following observations would be GREATEST concern to a risk practitioner reviewing the implementation status of management action plans?
An organization is considering adopting artificial intelligence (AI). Which of the
following is the risk practitioner's MOST important course of action?
An organization is considering allowing users to access company data from their personal devices. Which of the following is the MOST important factor when assessing the risk?
The risk associated with a high-risk vulnerability in an application is owned by the:
Mitigating technology risk to acceptable levels should be based PRIMARILY upon:
Who is responsible for IT security controls that are outsourced to an external service provider?
Which of the following MOST effectively limits the impact of a ransomware attack?
Which of the following is the PRIMARY responsibility of the first line of defense related to computer-enabled fraud?
Which of the following is the MOST important consideration when identifying stakeholders to review risk scenarios developed by a risk analyst? The reviewers are:
Which of the following is the BEST indication that an organization's risk management program has not reached the desired maturity level?
An organization is measuring the effectiveness of its change management program to reduce the number of unplanned production changes. Which of the following would be the BEST metric to determine if the program is performing as expected?
The BEST way to test the operational effectiveness of a data backup procedure is to:
Which of the following is MOST helpful in verifying that the implementation of a risk mitigation control has been completed as intended?
A business unit has decided to accept the risk of implementing an off-the-shelf, commercial software package that uses weak password controls. The BEST course of action would be to:
Which of the following BEST supports the communication of risk assessment results to stakeholders?
To mitigate the risk of using a spreadsheet to analyze financial data, IT has engaged a third-party vendor to deploy a standard application to automate the process. Which of the following parties should own the risk associated with calculation errors?
The risk associated with data loss from a website which contains sensitive customer information is BEST owned by:
Which of the following should be the PRIMARY recipient of reports showing the
progress of a current IT risk mitigation project?
A bank has outsourced its statement printing function to an external service provider. Which of the following is the MOST critical requirement to include in the contract?
An organization's financial analysis department uses an in-house forecasting application for business projections. Who is responsible for defining access roles to protect the sensitive data within this application?
A risk practitioner notices that a particular key risk indicator (KRI) has remained below its established trigger point for an extended period of time. Which of the following should be done FIRST?
Which of the following is MOST important to the effective monitoring of key risk indicators (KRIS)?
A department has been granted an exception to bypass the existing approval process for purchase orders. The risk practitioner should verify the exception has been approved by which of the following?
A PRIMARY function of the risk register is to provide supporting information for the development of an organization's risk:
The purpose of requiring source code escrow in a contractual agreement is to:
Which of the following would MOST likely result in updates to an IT risk appetite statement?
A control owner responsible for the access management process has developed a machine learning model to automatically identify excessive access privileges. What is the risk practitioner's BEST course of action?
The risk appetite for an organization could be derived from which of the following?
After undertaking a risk assessment of a production system, the MOST appropriate action is fcr the risk manager to
An organization has made a decision to purchase a new IT system. During when phase of the system development life cycle (SDLC) will identified risk MOST likely lead to architecture and design trade-offs?
Which of the following provides the MOST useful information for developing key risk indicators (KRIs)?
After an annual risk assessment is completed, which of the following would be MOST important to communicate to stakeholders?
Which of the following is MOST important to determine as a result of a risk assessment?
Which of the following is a risk practitioner's BEST course of action after identifying risk scenarios related to noncompliance with new industry regulations?
Which of the following is the MOST important outcome of a business impact analysis (BIA)?
An organization's chief information officer (CIO) has proposed investing in a new. untested technology to take advantage of being first to market Senior management has concerns about the success of the project and has set a limit for expenditures before final approval. This conditional approval indicates the organization's risk:
A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner s NEXT step? r
Which of the following is the BEST way to determine whether system settings are in alignment with control baselines?
Which of the following is MOST important to ensure when reviewing an organization's risk register?
Which of the following would BEST enable a risk-based decision when considering the use of an emerging technology for data processing?
One of an organization's key IT systems cannot be patched because the patches interfere with critical business application functionalities. Which of the following would be the risk practitioner's BEST recommendation?
Which of the following, who should be PRIMARILY responsible for performing user entitlement reviews?
Which of the following should be of GREATEST concern when reviewing the results of an independent control assessment to determine the effectiveness of a vendor's control environment?
Which of the following should be the FIRST consideration when establishing a new risk governance program?
Which of the following is a risk practitioner's MOST important responsibility in managing risk acceptance that exceeds risk tolerance?
An organization wants to grant remote access to a system containing sensitive data to an overseas third party. Which of the following should be of GREATEST concern to management?
An organization has recently hired a large number of part-time employees. During the annual audit, it was discovered that many user IDs and passwords were documented in procedure manuals for use by the part-time employees. Which of the following BEST describes this situation?
Business management is seeking assurance from the CIO that IT has a plan in place for early identification of potential issues that could impact the delivery of a new application Which of the following is the BEST way to increase the chances of a successful delivery'?
A bank recently incorporated Blockchain technology with the potential to impact known risk within the organization. Which of the following is the risk practitioner’s BEST course of action?
An organization plans to implement a new Software as a Service (SaaS) speech-to-text solution Which of the following is MOST important to mitigate risk associated with data privacy?
Which of the following is the GREATEST benefit of using IT risk scenarios?
When developing risk scenario using a list of generic scenarios based on industry best practices, it is MOST imported to:
When developing a response plan to address security incidents regarding sensitive data loss, it is MOST important
An organization has decided to commit to a business activity with the knowledge that the risk exposure is higher than the risk appetite. Which of the following is the risk practitioner's MOST important action related to this decision?
Which of the following would be of GREATEST concern regarding an organization's asset management?
Which of the following BEST reduces the risk associated with the theft of a laptop containing sensitive information?
Which of the following is the MOST important benefit of reporting risk assessment results to senior management?
Which of the following is MOST important for successful incident response?
The MAIN reason for prioritizing IT risk responses is to enable an organization to: