CRISC Practice Test Free – 50 Real Exam Questions to Boost Your Confidence
Preparing for the CRISC exam? Start with our CRISC Practice Test Free – a set of 50 high-quality, exam-style questions crafted to help you assess your knowledge and improve your chances of passing on the first try.
Taking a CRISC practice test free is one of the smartest ways to:
- Get familiar with the real exam format and question types
- Evaluate your strengths and spot knowledge gaps
- Gain the confidence you need to succeed on exam day
Below, you will find 50 free CRISC practice questions to help you prepare for the exam. These questions are designed to reflect the real exam structure and difficulty level.
Reviewing results from which of the following is the BEST way to identify information systems control deficiencies?
A. Control self-assessment (CSA)
B. Vulnerability and threat analysis
C. User acceptance testing (UAT)
D. Control remediation planning
Which of the following BEST reduces the likelihood of employees unintentionally disclosing sensitive information to outside parties?
A. Regular employee security awareness training
B. Anti-malware controls on endpoint devices
C. Sensitive information classification and handling policies
D. An egress intrusion detection system (IDS)
Which of the following would MOST effectively reduce risk associated with an increased volume of online transactions on a retailer website?
A. Transaction limits
B. Scalable infrastructure
C. A hot backup site
D. Website activity monitoring
A recent internal risk review reveals the majority of core IT application recovery time objectives (RTOs) have exceeded the maximum time defined by the business application owners. Which of the following is MOST likely to change as a result?
A. Risk tolerance
B. Risk likelihood
C. Risk appetite
D. Risk forecasting
Which of the following aspects of a monitoring tool ensures that the tool has the ability to keep up with the growth of an enterprise?
A. Scalability
B. Customizability
C. Sustainability
D. Impact on performance
An organization has made a decision to purchase a new IT system. During which phase of the system development life cycle (SDLC) will identified risk MOST likely lead to architecture and design trade-offs?
A. Acquisition
B. Implementation
C. Initiation
D. Operation and maintenance
Which of the following is the GREATEST benefit of having a mature enterprise architecture (EA) in place?
A. Standards-based policies
B. Efficient operations
C. Regulatory compliance
D. Audit readiness
Which of the following is the MOST important objective of embedding risk management practices into the initiation phase of the project management life cycle?
A. To deliver projects on time and on budget
B. To assess inherent risk
C. To assess risk throughout the project
D. To include project risk in the enterprise-wide IT risk profile
What is a risk practitioner's BEST approach to monitor and measure how quickly an exposure to a specific risk can affect the organization?
A. Create key performance indicators (KPIs).
B. Create key risk indicators (KRIs).
C. Create a risk volatility report.
D. Create an asset valuation report.
Who should be accountable for ensuring effective cybersecurity controls are established?
A. Security management function
B. Enterprise risk function
C. Risk owner
D. IT management
Which of the following is a PRIMARY responsibility of a control owner?
A. Assessing levels of risk
B. Identifying trends in the risk profile
C. Selecting controls to mitigate risk
D. Monitoring status of risk response
An unauthorized individual has socially engineered entry into an organization's secured physical premises. Which of the following is the BEST way to prevent future occurrences?
A. Require security access badges
B. Employ security guards
C. Install security cameras
D. Conduct security awareness training
Which of the following is the MOST important reason to maintain a risk register?
A. To help develop IT risk management strategies
B. To help develop accurate risk scenarios
C. To support risk-aware decision making
D. To track current risk scenarios
You are the project manager of the HGT project. You have identified project risks and applied an appropriate response to mitigate them. You notice that a new risk has been generated as a result of applying the response. What is this resulting risk known as?
A. Pure risk
B. Secondary risk
C. Response risk
D. High risk
Which of the following should be the PRIMARY area of focus when reporting changes to an organization’s risk profile to executive management?
A. Risk tolerance
B. Risk management resources
C. Risk trends
D. Cyberattack threats
You are the project manager of the QPS project. You and your project team have identified a pure risk. You along with the key stakeholders, decided to remove the pure risk from the project by changing the project plan altogether. What is a pure risk?
A. It is a risk event that only has a negative side and not any positive result.
B. It is a risk event that is created by the application of risk response.
C. It is a risk event that is generated due to errors or omission in the project work.
D. It is a risk event that cannot be avoided because of the order of the work.
Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?
A. Customer database manager
B. Audit committee
C. Data privacy officer
D. Customer data custodian
Which of the following should be the PRIMARY basis for the development of an IT risk scenario?
A. IT risk registers
B. IT objectives
C. IT risk owner input
D. IT threats and vulnerabilities
Which of the following findings of a security awareness program assessment would cause the GREATEST concern to a risk practitioner?
A. The program has not decreased threat counts.
B. The program uses non-customized training modules.
C. The program has not considered business impact.
D. The program has been significantly revised.
Which of the following BEST enables a risk practitioner to understand management's approach to organizational risk?
A. Industry best practices for risk management
B. Risk appetite and risk tolerance
C. Prior year’s risk assessment results
D. Organizational structure and job descriptions
Which of the following is the MOST important consideration when selecting key risk indicators (KRIs) to monitor risk trends over time?
A. Ability to predict trends
B. Ongoing availability of data
C. Availability of automated reporting systems
D. Ability to aggregate data
Which of the following is the MOST important benefit of reporting risk assessment results to senior management?
A. Facilitation of risk-aware decision making
B. Alignment of business activities
C. Compilation of a comprehensive risk register
D. Promotion of a risk-aware culture
Which of the following should be management's PRIMARY consideration when approving risk response action plans?
A. Prioritization for implementing the action plans
B. Ability of the action plans to address multiple risk scenarios
C. Ease of implementing the risk treatment solution
D. Changes in residual risk after implementing the plans
Which of the following individuals is responsible for identifying process requirements, approving process design and managing process performance?
A. Business process owner
B. Risk owner
C. Chief financial officer
D. Chief information officer
In an organization with a mature risk management program, which of the following would provide the BEST evidence that the IT risk profile is up to date?
A. Risk questionnaire
B. Risk register
C. Compliance manual
D. Management assertion
Which of the following processes is MOST helpful in proactively identifying non-compliant baseline images prior to implementing IT systems?
A. Configuration management
B. Change management
C. Patch management
D. Vulnerability management
To which level should risk be reduced to accomplish the objective of risk management?
A. To a level where ALE is lower than SLE
B. To a level where ARO equals SLE
C. To a level that an organization can accept
D. To a level that an organization can mitigate
Which of the following is MOST important to the successful development of IT risk scenarios?
A. Control effectiveness assessment
B. Threat and vulnerability analysis
C. Internal and external audit reports
D. Cost-benefit analysis
Which of the following would be a risk practitioner's BEST recommendation upon learning of an updated cybersecurity regulation that could impact the organization?
A. Update security policies
B. Conduct system testing
C. Implement compensating controls
D. Perform a gap analysis
An organization has modified its disaster recovery plan (DRP) to reflect recent changes in its IT environment. Which of the following is the PRIMARY reason to test the new plan?
A. To ensure all assets have been identified
B. To ensure the risk assessment is validated
C. To ensure the plan is comprehensive
D. To ensure staff is sufficiently trained on the plan
A new international data privacy regulation requires personal data to be disposed of after a specified retention period, which differs from the local regulatory requirement. Which of the following is the risk practitioner's BEST recommendation to resolve the disparity?
A. Adopt the international standard.
B. Adopt the standard determined by legal counsel.
C. Adopt the local standard.
D. Adopt the least stringent standard determined by the risk committee.
Which of the following BEST provides an early warning that network access of terminated employees is not being revoked in accordance with the service level agreement (SLA)?
A. Monitoring key access control performance indicators
B. Updating multi-factor authentication
C. Analyzing access control logs for suspicious activity
D. Revising the service level agreement (SLA)
Which of the following is MOST important to communicate to senior management during the initial implementation of a risk management program?
A. Risk ownership
B. Best practices
C. Desired risk level
D. Regulatory compliance
The IT risk profile is PRIMARILY a communication tool for:
A. external stakeholders.
B. senior management.
C. internal audit.
D. regulators.
Which of the following is MOST important for a risk practitioner to confirm when reviewing the disaster recovery plan (DRP)?
A. The DRP covers relevant scenarios.
B. The business continuity plan (BCP) has been documented.
C. Senior management has approved the DRP.
D. The DRP has been tested by an independent third party.
Which of the following is the MOST important course of action to foster an ethical, risk-aware culture?
A. Establish an enterprise-wide ethics training and awareness program.
B. Ensure the alignment of the organization’s policies and standards to the defined risk appetite.
C. Implement a fraud detection and prevention framework.
D. Perform a comprehensive review of all applicable legislative frameworks and requirements.
You are the project manager of the GHT project. You have implemented an automated tool to analyze and report on access control logs based on severity. This tool generates an excessively large volume of results. You perform a risk assessment and decide to configure the monitoring tool to report only alerts marked "critical". What should you do to accomplish this?
A. Apply risk response
B. Optimize Key Risk Indicator
C. Update risk register
D. Perform quantitative risk analysis
Which of the following is the BEST method to mitigate the risk of an unauthorized employee viewing confidential data in a database?
A. Implement a data masking process.
B. Include sanctions in nondisclosure agreements (NDAs).
C. Implement role-based access control.
D. Install a data loss prevention (DLP) tool.
Which of the following would be MOST helpful to a risk practitioner when ensuring that mitigated risk remains within acceptable limits?
A. Implementing a process for ongoing monitoring of control effectiveness.
B. Designing a process for risk owners to periodically review identified risk.
C. Ensuring risk owners participate in a periodic control testing process.
D. Building an organizational risk profile after updating the risk register.
Which of the following is the MOST essential factor for managing risk in a highly dynamic environment?
A. Obtaining support from senior leadership
B. Ongoing sharing of information among industry peers
C. Adhering to industry-recognized risk management standards
D. Implementing detection and response measures
Which of the following is MOST helpful to ensure effective security controls for a cloud service provider?
A. Internal audit reports from the vendor
B. A control self-assessment
C. A third-party security assessment report
D. Service level agreement monitoring
From a risk management perspective, the PRIMARY objective of using maturity models is to enable:
A. solution delivery.
B. strategic alignment.
C. resource utilization.
D. performance evaluation.
While reviewing an organization's monthly change management metrics, a risk practitioner notes that the number of emergency changes has increased substantially. Which of the following would be the BEST approach for the risk practitioner to take?
A. Temporarily suspend emergency changes.
B. Continue monitoring change management metrics.
C. Conduct a root cause analysis.
D. Document the control deficiency in the risk register.
Which of the following is MOST likely to result in a major change to the overall risk profile of the organization?
A. Changes in internal and external auditors
B. Changes in vulnerability assessment and penetration testing
C. Changes in risk appetite and risk tolerance
D. Changes in internal and external risk factors
You are the project manager for the TTP project. You are in the Identify Risks process and have to create the risk register. Which of the following are included in the risk register? Each correct answer represents a complete solution. (Choose two.)
A. List of potential responses
B. List of key stakeholders
C. List of mitigation techniques
D. List of identified risks
Which of the following is the BEST way for a risk practitioner to verify that management has addressed control issues identified during a previous external audit?
A. Inspect external audit documentation.
B. Review management’s detailed action plans.
C. Observe the control enhancements in operation.
D. Interview control owners.
Which of the following statements is true for an enterprise's risk management capability maturity level 3?
A. Workflow tools are used to accelerate risk issues and track decisions
B. The business knows how IT fits in the enterprise risk universe and the risk portfolio view
C. The enterprise formally requires continuous improvement of risk management skills, based on clearly defined personal and enterprise goals
D. Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are recognized
The PRIMARY benefit of conducting a risk workshop using a top-down approach instead of a bottom-up approach is the ability to:
A. incorporate subject matter expertise.
B. identify specific project risk.
C. understand risk associated with complex processes.
D. obtain a holistic view of IT strategy risk.
Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities?
A. Document and implement a patching process
B. Identify the vulnerabilities and applicable OS patches
C. Temporarily mitigate the OS vulnerabilities
D. Evaluate permanent fixes such as patches and upgrades
To effectively support business decisions, an IT risk register MUST:
A. reflect the results of risk assessments.
B. effectively support a business maturity model.
C. be available to operational risk groups.
D. be reviewed by the IT steering committee.
We regularly update this page with new practice questions, so be sure to check back frequently.
Good luck with your CRISC certification journey!