CRISC Exam Prep Free – 50 Practice Questions to Get You Ready for Exam Day
Getting ready for the CRISC certification? Our CRISC Exam Prep Free resource includes 50 exam-style questions designed to help you practice effectively and feel confident on test day.
Effective, free CRISC exam prep is key to success. With these free practice questions, you can:
- Get familiar with exam format and question style
- Identify which topics you’ve mastered—and which need more review
- Boost your confidence and reduce exam anxiety
Below you will find 50 realistic CRISC practice questions covering key exam topics. They are designed to reflect the structure and difficulty level of the actual exam, making them a good fit for your study routine.
An organization wants to leverage artificial intelligence (AI) to help identify and analyze root causes of data breaches involving multiple systems. Which of the following is BEST suited for this purpose?
A. Intrusion detection and prevention systems
B. Security information and event management (SIEM) system
C. Application event logging system
D. Database activity monitoring system
Thomas is a key stakeholder in your project. Thomas has requested several changes to the project scope for the project you are managing. Upon review of the proposed changes, you have discovered that these new requirements are laden with risks and you recommend to the change control board that the changes be excluded from the project scope. The change control board agrees with you. What component of the change control system communicates the approval or denial of a proposed change request?
A. Configuration management system
B. Integrated change control
C. Change log
D. Scope change control system
A core data center went offline abruptly for several hours, affecting many transactions across multiple locations. Which of the following would provide the MOST useful information to determine mitigating controls?
A. Root cause analysis
B. Risk assessment
C. Business impact analysis (BIA)
D. Forensic analysis
Which of the following would be the BEST input when evaluating the risk associated with a proposed adoption of robotic process automation (RPA) of a business service?
A. Control objectives
B. Cost-benefit analysis results
C. Code review results
D. Business continuity plan (BCP)
What should a risk practitioner do NEXT if an ineffective key control is identified on a critical system?
A. Revalidate the risk assessment.
B. Escalate to senior management.
C. Propose acceptance of the risk.
D. Conduct a gap analysis.
Who should be responsible for evaluating the residual risk after a compensating control has been applied?
A. Risk practitioner
B. Compliance manager
C. Risk owner
D. Control owner
Which of the following methods involves the use of predictive or diagnostic analytical tools for exposing risk factors?
A. Scenario analysis
B. Sensitivity analysis
C. Fault tree analysis
D. Cause and effect analysis
Which of the following is the MOST appropriate key performance indicator (KPI) to measure change management performance?
A. Percentage of rejected change requests
B. Percentage of changes implemented successfully
C. Number of after-hours emergency changes
D. Number of change control requests
Which of the following is a detective control?
A. Limit check
B. Access control software
C. Periodic access review
D. Rerun procedures
What should be the PRIMARY consideration related to data privacy protection when there are plans for a business initiative to make use of personal information?
A. Limit access to the personal data.
B. Do not collect or retain data that is not needed.
C. Redact data where possible.
D. Ensure all data is encrypted at rest and during transit.
Which of the following is the MOST important reason for a risk practitioner to identify stakeholders for each IT risk scenario?
A. To ensure enterprise-wide risk management
B. To identify key risk indicators (KRIs)
C. To enable a comprehensive view of risk
D. To establish control ownership
What is the PRIMARY reason to periodically review key performance indicators (KPIs)?
A. Identify trends
B. Optimize resources needed for controls
C. Ensure compliance
D. Promote a risk-aware culture
You work as a Project Manager for www.company.com Inc. You have to measure the probability, impact, and risk exposure. Then, you have to measure how the selected risk response can affect the probability and impact of the selected risk event. Which of the following tools will help you to accomplish the task?
A. Project network diagrams
B. Delphi technique
C. Decision tree analysis
D. Cause-and-effect diagrams
Which of the following is the BEST way to validate the results of a vulnerability assessment?
A. Perform a penetration test
B. Perform a root cause analysis
C. Conduct a threat analysis
D. Review security logs
An information security audit identified a risk resulting from the failure of an automated control. Who is responsible for ensuring the risk register is updated accordingly?
A. The control owner
B. The audit manager
C. The risk practitioner
D. The risk owner
What are the requirements of effectively communicating risk analysis results to the relevant stakeholders? Each correct answer represents a part of the solution. (Choose three.)
A. The results should be reported in terms and formats that are useful to support business decisions
B. Communicate only the negative risk impacts of events in order to drive response decisions
C. Communicate the risk-return context clearly
D. Provide decision makers with an understanding of worst-case and most probable scenarios
Which of the following is the BEST way to reduce the likelihood of an individual performing a potentially harmful action as the result of unnecessary entitlement?
A. Least privilege
B. Application monitoring
C. Separation of duties
D. Nonrepudiation
A recently purchased IT application does not meet project requirements. Of the following, who is accountable for the potential impact?
A. Business analyst
B. IT project team
C. IT project management office
D. Project sponsor
You are the project manager of the NGQQ Project for your company. To help you communicate project status to your stakeholders, you are going to create a stakeholder register. All of the following information should be included in the stakeholder register except for which one?
A. Stakeholder management strategy
B. Assessment information of the stakeholders’ major requirements, expectations, and potential influence
C. Identification information for each stakeholder
D. Stakeholder classification of their role in the project
The BEST way to test the operational effectiveness of a data backup procedure is to:
A. inspect a selection of audit trails and backup logs
B. conduct an audit of files stored offsite
C. demonstrate a successful recovery from backup files
D. interview employees to compare actual with expected procedures
Which of the following is the MOST critical factor to consider when determining an organization's risk appetite?
A. Budget for implementing security
B. Business maturity
C. Fiscal management practices
D. Management culture
Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data?
A. Reviewing logs for unauthorized data transfers
B. Configuring the DLP control to block credit card numbers
C. Testing the transmission of credit card numbers
D. Testing the DLP rule change control process
An organization's risk profile indicates that residual risk levels have fallen significantly below management's risk appetite. Which of the following is the BEST course of action?
A. Add more risk scenarios to the risk register.
B. Decrease monitoring of residual risk levels.
C. Optimize controls.
D. Increase risk appetite.
Which of the following tasks should be completed prior to creating a disaster recovery plan (DRP)?
A. Procuring a recovery site
B. Conducting a business impact analysis (BIA)
C. Assigning sensitivity levels to data
D. Identifying the recovery response team
Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited. Which of the following would be the BEST response to this scenario?
A. Assess the vulnerability management process
B. Conduct a control self-assessment
C. Reassess the inherent risk of the target
D. Conduct a vulnerability assessment
An IT department has organized training sessions to improve user awareness of organizational information security policies. Which of the following is the BEST key performance indicator (KPI) to reflect effectiveness of the training?
A. Number of training sessions completed
B. Percentage of staff members who complete the training with a passing score
C. Percentage of attendees versus total staff
D. Percentage of staff members who attend the training with positive feedback
Which of the following is the PRIMARY objective of the risk identification process?
A. To expand organizational awareness and knowledge of identified risk scenarios
B. To reduce risk faced by the organization to an acceptable level
C. To ensure control objectives align with business objectives
D. To determine possible risk events that could jeopardize business objectives
When evaluating a number of potential controls for treating risk, it is MOST important to consider:
A. risk tolerance and control complexity
B. inherent risk and control effectiveness
C. risk appetite and control efficiency
D. residual risk and cost of control
Which of the following is the BEST way to mitigate the risk associated with fraudulent use of an enterprise's brand on Internet sites?
A. Utilizing data loss prevention technology
B. Scanning the Internet to search for unauthorized usage
C. Monitoring the enterprise’s use of the Internet
D. Developing training and awareness campaigns
Which of the following information MUST be included in a business impact analysis (BIA) to facilitate risk assessments related to business continuity?
A. Critical business processes with their dependent resources
B. List of threats impacting critical business processes
C. Vulnerabilities identified within critical business processes
D. Business continuity and disaster recovery testing requirements
As part of an overall IT risk management plan, an IT risk register BEST helps management:
A. stay current with existing control status
B. align IT processes with business objectives
C. understand the organizational risk profile
D. communicate the enterprise risk management policy
Which of the following is MOST helpful in defining an early-warning threshold associated with insufficient network bandwidth?
A. Bandwidth used during business hours
B. Average bandwidth usage
C. Total bandwidth usage
D. Peak bandwidth usage
Who should be accountable for authorizing information system access to internal users?
A. Information security manager
B. Information owner
C. Information custodian
D. Information security officer
Beth is a project team member on the JHG Project. Beth has added extra features to the project and this has introduced new risks to the project work. The project manager of the JHG project elects to remove the features Beth has added. The process of removing the extra features to remove the risks is called what?
A. Detective control
B. Preventive control
C. Corrective control
D. Scope creep
Which of the following is a risk practitioner’s BEST course of action upon learning that regulatory authorities have concerns with an emerging technology the organization is considering?
A. Update risk responses.
B. Perform a threat assessment.
C. Redesign key risk indicators (KRIs).
D. Conduct a SWOT analysis.
The BEST control to mitigate the risk associated with project scope creep is to:
A. consult with senior management on a regular basis
B. apply change management procedures
C. ensure extensive user involvement
D. deploy CASE tools in software development
Which of the following is MOST important to consider before determining a response to a vulnerability?
A. Monetary value of the asset
B. Lack of data to measure threat events
C. The cost to implement the risk response
D. The likelihood and impact of threat events
Several newly identified risk scenarios are being integrated into an organization's risk register. The MOST appropriate risk owner would be the individual who:
A. is accountable for loss if the risk materializes.
B. is in charge of information security.
C. is responsible for enterprise risk management (ERM).
D. can implement remediation action plans.
Which of the following is the BEST way to identify changes to the risk landscape?
A. Access reviews
B. Root cause analysis
C. Internal audit reports
D. Threat modeling
Which of the following practices MOST effectively safeguards the processing of personal data?
A. Personal data attributed to a specific data subject is tokenized.
B. Data protection impact assessments are performed on a regular basis.
C. Personal data certifications are performed to prevent excessive data collection.
D. Data retention guidelines are documented, established, and enforced.
Which of the following will have the GREATEST influence when determining an organization’s risk appetite?
A. Risk culture
B. Risk management budget
C. Organizational structure
D. Industry benchmarks
You work as a project manager for BlueWell Inc. Your project is using a new material to construct a large warehouse in your city. This new material is cheaper than traditional building materials, but it takes some time to learn how to use the material properly. You have communicated to the project stakeholders that you will be able to save costs by using the new material, but you will need a few extra weeks to complete training to use the materials. This risk response of learning how to use the new materials can also be known as what term?
A. Benchmarking
B. Cost-benefit analysis
C. Cost of conformance to quality
D. Team development
You are the project manager of the HJK Project for your organization. You and the project team have created risk responses for many of the risk events in the project. Where should you document the proposed responses and the current status of all identified risks?
A. Stakeholder management strategy
B. Lessons learned documentation
C. Risk register
D. Risk management plan
Which of the following is the BEST way to manage the risk associated with malicious activities performed by database administrators (DBAs)?
A. Activity logging and monitoring
B. Awareness training and background checks
C. Two-factor authentication
D. Periodic access review
Which of the following indicators BEST demonstrates the effectiveness of a disaster recovery management (DRM) program?
A. Percentage of applications that have met disaster recovery test requirements
B. Number of audit findings related to disaster recovery
C. Number of disaster recovery tests completed on time
D. Percentage of applications with a defined recovery time objective (RTO)
Which of the following situations would create the GREATEST need to review the organization's risk appetite?
A. Increased adoption of personal devices for business use
B. Increasing business reliance on legacy infrastructure
C. Recent acquisition of a large business partner
D. New privacy laws affecting the organization’s processing of personal data
After entering a large number of low-risk scenarios into the risk register, it is MOST important for the risk practitioner to:
A. reconfirm risk tolerance levels.
B. analyze changes to aggregate risk.
C. prepare a follow-up risk assessment.
D. recommend acceptance of the risk scenarios.
An organization has experienced a cyber attack that exposed customer personally identifiable information (PII) and caused extended outages of network services. Which of the following stakeholders are MOST important to include in the cyber response team to determine response actions?
A. Cyber risk remediation plan owners
B. Enterprise risk management (ERM) team
C. Security control owners based on control failures
D. Risk owners based on risk impact
What should a risk practitioner do FIRST when an assessment reveals a control is not operating as intended?
A. Determine the root cause of the control issue.
B. Recommend updates to the control procedures.
C. Discuss the status with the control owner.
D. Recommend compensating controls.
Which of the following BEST promotes alignment between IT risk management and enterprise risk management?
A. Using the same risk ranking methodology across IT and the business
B. Obtaining senior management approval for IT policies and procedures
C. Including IT risk scenarios in the organization’s risk register
D. Expressing risk treatment initiatives in financial terms
Access Full CRISC Exam Prep Free
Want to go beyond these 50 questions? Unlock the full set of free CRISC exam prep questions covering every domain tested on the exam.
We continuously update our content so that you have the most current and effective prep materials.
Good luck with your CRISC certification journey!