An organization has allowed its cyber risk insurance to lapse while seeking a new insurance provider. The risk practitioner should report to management that the risk has been:
A risk practitioners PRIMARY focus when validating a risk response action plan should be that risk response:
An organization has determined a risk scenario is outside the defined risk tolerance level. What should be the NEXT course of action?
A risk practitioner is organizing risk awareness training for senior management. Which of the following is the MOST important topic to cover in the training session?
Which of the following should be the risk practitioner s PRIMARY focus when determining whether controls are adequate to mitigate risk?
Which of the following is the BEST metric to demonstrate the effectiveness of an organization's change management process?
A risk practitioner is assisting with the preparation of a report on the organization s disaster recovery (DR) capabilities. Which information would have the MOST impact on the overall recovery profile?
Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?
During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall. Which of the following controls has MOST likely been compromised?
Which of the following would be MOST useful when measuring the progress of a risk response action plan?
The PRIMARY advantage of implementing an IT risk management framework is the:
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery plan (DRP)?
The PRIMARY benefit of maintaining an up-to-date risk register is that it helps to:
Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data?
Whether the results of risk analyses should be presented in quantitative or qualitative terms should be based PRIMARILY on the:
Who should be accountable for ensuring effective cybersecurity controls are established?
A risk practitioner has observed that there is an increasing trend of users sending sensitive information by email without using encryption. Which of the following would be the MOST effective approach to mitigate the risk associated with data loss?
During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:
Periodically reviewing and updating a risk register with details on identified risk factors PRIMARILY helps to:
Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?
A risk practitioner observes that hardware failure incidents have been increasing over the last few months. However, due to built-in redundancy and fault-tolerant architecture, there have been no interruptions to business operations. The risk practitioner should conclude that:
Which of the following elements of a risk register is MOST likely to change as a result of change in management's risk appetite?
A risk practitioner discovers several key documents detailing the design of a product currently in development have been posted on the Internet. What should be the risk practitioner's FIRST course of action?
Which of the following is MOST effective against external threats to an organizations confidential information?
Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?
Which of the following roles would provide the MOST important input when identifying IT risk scenarios?
Which of the following controls will BEST detect unauthorized modification of data by a database administrator?
IT risk assessments can BEST be used by management:
It is MOST appropriate for changes to be promoted to production after they are;
Which of the following helps ensure compliance with a nonrepudiation policy requirement for electronic transactions?
Which of the following activities would BEST contribute to promoting an organization-wide risk-aware culture?
Which of the following is the MOST cost-effective way to test a business continuity plan?
In addition to the risk register, what should a risk practitioner review to develop an understanding of the organization's risk profile?
Management has noticed storage costs have increased exponentially over the last 10 years because most users do not delete their emails. Which of the following can BEST alleviate this issue while not sacrificing security?
An effective control environment is BEST indicated by controls that:
Risk management strategies are PRIMARILY adopted to:
From a business perspective, which of the following is the MOST important objective of a disaster recovery test?
When determining which control deficiencies are most significant, which of the following would provide the MOST useful information?
A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security. Which of the following observations would be MOST relevant to escalate to senior management?
Which of the following is the GREATEST benefit of incorporating IT risk scenarios into the corporate risk register?
Which of the following is the MOST important key performance indicator (KPI) to establish in the service level agreement (SLA) for an outsourced data center?
A risk assessment has identified that departments have installed their own WiFi access points on the enterprise network. Which of the following would be MOST important to include in a report to senior management?
The BEST way to justify the risk mitigation actions recommended in a risk assessment would be to:
Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?
A risk practitioner is reviewing a vendor contract and finds there is no clause to control privileged access to the organization's systems by vendor employees. Which of the following is the risk practitioner's BEST course of action?
A control owner responsible for the access management process has developed a machine learning model to automatically identify excessive access privileges. What is the risk practitioner's BEST course of action?
Which of the following BEST enables the risk profile to serve as an effective resource to support business objectives?
What should a risk practitioner do FIRST when vulnerability assessment results identify a weakness in an application?
An organization is increasingly concerned about loss of sensitive data and asks the risk practitioner to assess the current risk level. Which of the following should the risk practitioner do FIRST?
A recent internal risk review reveals the majority of core IT application recovery time objectives (RTOs) have exceeded the maximum time defined by the business application owners. Which of the following is MOST likely to change as a result?
Quantifying the value of a single asset helps the organization to understand the:
Which of The following is the PRIMARY consideration when establishing an organization's risk management methodology?
Which of the following should be the PRIMARY focus of an independent review of a risk management process?
A risk practitioner is reporting on an increasing trend of ransomware attacks in the industry. Which of the following information is MOST important to include to enable an informed response decision by key stakeholders?
Which of the following provides The MOST useful information when determining a risk management program's maturity level?
Which of the following provides the MOST helpful reference point when communicating the results of a risk assessment to stakeholders?
Which of the following is MOST important to sustainable development of secure IT services?
To minimize risk in a software development project, when is the BEST time to conduct a risk analysis?
Which of the following should an organization perform to forecast the effects of a disaster?
Which of the following will be MOST effective to mitigate the risk associated with the loss of company data stored on personal devices?
Which of the following should be included in a risk assessment report to BEST facilitate senior management's understanding of the results?
The BEST way to test the operational effectiveness of a data backup procedure is to:
Which of the following is the BEST method for identifying vulnerabilities?
Which of the following should be a risk practitionerâ€™s MOST important consideration when developing IT risk scenarios?
Which of the following is the BEST key performance indicator (KPI) for determining how well an IT policy is aligned to business requirements?
An organization is making significant changes to an application. At what point should the application risk profile be updated?
The MOST significant benefit of using a consistent risk ranking methodology across an organization is that it enables:
Before implementing instant messaging within an organization using a public solution, which of the following should be in place to mitigate data leakage risk?
Which of the following provides The BEST information when determining whether to accept residual risk of a critical system to be implemented?
An organization has decided to outsource a web application, and customer data will be stored in the vendor's public cloud. To protect customer data, it is MOST important to ensure which of the following?
Which of the following is MOST important for an organization that wants to reduce IT operational risk?
Who should be responsible for implementing and maintaining security controls?
A business manager wants to leverage an existing approved vendor solution from another area within the organization. Which of the following is the risk practitioner's BEST course of action?
A risk practitioner shares the results of a vulnerability assessment for a critical business application with the business manager. Which of the following is the NEXT step?
Which of the following is the MOST important input when developing risk scenarios?
Who is responsible for IT security controls that are outsourced to an external service provider?
An organization striving to be on the leading edge in regard to risk monitoring would MOST likely implement:
An organization is measuring the effectiveness of its change management program to reduce the number of unplanned production changes. Which of the following would be the BEST metric to determine if the program is performing as expected?
During a risk assessment, the risk practitioner finds a new risk scenario without controls has been entered into the risk register. Which of the following is the MOST appropriate action?
Performing a background check on a new employee candidate before hiring is an example of what type of control?
Which of the following would be MOST relevant to stakeholders regarding ineffective control implementation?
Sensitive data has been lost after an employee inadvertently removed a file from the premises, in violation of organizational policy. Which of the following controls MOST likely failed?
The PRIMARY purpose of a maturity model is to compare the:
Which of these documents is MOST important to request from a cloud service
provider during a vendor risk assessment?
Which of the following is the MOST important reason to create risk scenarios?
Which of the following will BEST help to ensure that information system controls are effective?
Which of the following is the MAIN reason for analyzing risk scenarios?
After migrating a key financial system to a new provider, it was discovered that a developer could gain access to the production environment. Which of the following is the BEST way to mitigate the risk in this situation?
Which of the following would be the BEST justification to invest in the development of a governance, risk, and compliance (GRC) solution?
Which of the following is the BEST way to identify changes in the risk profile of an organization?
Risk aggregation in a complex organization will be MOST successful when:
Which of the following is the BEST control to detect an advanced persistent threat (APT)?
Which of the following is the BEST evidence that a user account has been properly authorized?
A risk practitioner has received an updated enterprise risk management (ERM) report showing that residual risk is now within the organization's defined appetite and tolerance levels. Which of the following is the risk practitioner's BEST course of action?
Which of the following should be an element of the risk appetite of an organization?
Which of the following would BEST mitigate the risk associated with reputational damage from inappropriate use of social media sites by employees?
Before assigning sensitivity levels to information it is MOST important to:
Which of the following would be MOST helpful to an information security management team when allocating resources to mitigate exposures?
Which of the following is the BEST source for identifying key control indicators (KCIs)?
What are the MOST essential attributes of an effective Key control indicator (KCI)?
An employee lost a personal mobile device that may contain sensitive corporate information. What should be the risk practitioner's recommendation?
Which of the following should be implemented to BEST mitigate the risk associated with infrastructure updates?
An organization uses a vendor to destroy hard drives. Which of the following would BEST reduce the risk of data leakage?
Which of the following statements describes the relationship between key risk indicators (KRIs) and key control indicators (KCIs)?
Who is BEST suited to provide objective input when updating residual risk to reflect the results of control effectiveness?
Which of the following BEST indicates that additional or improved controls ate needed m the environment?
Which of the following approaches would BEST help to identify relevant risk scenarios?
Legal and regulatory risk associated with business conducted over the Internet is driven by:
When of the following provides the MOST tenable evidence that a business process control is effective?
Which of the following BEST indicates how well a web infrastructure protects critical information from an attacker?
When developing a risk awareness training program, which of the following training topics would BEST facilitate a thorough understanding of risk scenarios?
Which of the following is the MOST important consideration for protecting data assets m a Business application system?
Recovery the objectives (RTOs) should be based on
Which of the following is the MOST effective way to integrate risk and compliance management?
Which of the following is MOST helpful in aligning IT risk with business objectives?
Which of the following is the PRIMARY reason to have the risk management process reviewed by a third party?
An organization has initiated a project to launch an IT-based service to customers and take advantage of being the first to market. Which of the following should be of GREATEST concern to senior management?
An organization operates in an environment where reduced time-to-market for new software products is a top business priority. Which of the following should be the risk practitioner's GREATEST concern?
A deficient control has been identified which could result in great harm to an organization should a low frequency threat event occur. When communicating the associated risk to senior management the risk practitioner should explain:
Which of the following should be the MOST important consideration for senior management when developing a risk response strategy?
Which of The following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system?
Which of the following would present the MOST significant risk to an organization when updating the incident response plan?
After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment?
Which of the following is the GREATEST benefit when enterprise risk management (ERM) provides oversight of IT risk management?
Which of the following is MOST important when developing risk scenarios?
Which of the following is the MOST effective control to ensure user access is maintained on a least-privilege basis?
Which of the following BEST enables an organization to determine whether external emerging risk factors will impact the organization's risk profile?
Which of the following BEST facilitates the mitigation of identified gaps between current and desired risk environment states?
Which of the following BEST indicates the efficiency of a process for granting access privileges?
Management has required information security awareness training to reduce the risk associated with credential compromise. What is the BEST way to assess the effectiveness of the training?
Which of the following is the BEST way to determine the potential organizational impact of emerging privacy regulations?
A financial institution has identified high risk of fraud in several business applications. Which of the following controls will BEST help reduce the risk of fraudulent internal transactions?
Which of the following provides the MOST up-to-date information about the effectiveness of an organization's overall IT control environment?
Prudent business practice requires that risk appetite not exceed:
Accountability for a particular risk is BEST represented in a:
When reviewing the business continuity plan (BCP) of an online sales order system, a risk practitioner notices that the recovery time objective (RTO) has a shorter lime than what is defined in the disaster recovery plan (DRP). Which of the following is the BEST way for the risk practitioner to address this concern?
A risk practitioner has been asked to advise management on developing a log collection and correlation strategy. Which of the following should be the MOST important consideration when developing this strategy?