CRISC Dump Free – 50 Practice Questions to Sharpen Your Exam Readiness.
Looking for a reliable way to prepare for your CRISC certification? Our CRISC Dump Free includes 50 exam-style practice questions designed to reflect real test scenarios—helping you study smarter and pass with confidence.
Using a CRISC dump free set of questions can give you an edge in your exam prep by helping you:
- Understand the format and types of questions you’ll face
- Pinpoint weak areas and focus your study efforts
- Boost your confidence with realistic question practice
Below, you will find 50 free questions from our CRISC Dump Free collection. These cover key topics and are structured to simulate the difficulty level of the real exam, making them a valuable tool for review or final prep.
Which of the following is the BEST metric to demonstrate the effectiveness of an organization's change management process?
A. Average time to complete changes
B. Increase in the number of emergency changes
C. Percent of unauthorized changes
D. Increase in the frequency of changes
Which of the following techniques would be used during a risk assessment to demonstrate to stakeholders that all known alternatives were evaluated?
A. Control chart
B. Trend analysis
C. Sensitivity analysis
D. Decision tree
A risk practitioner has become aware of production data being used in a test environment. Which of the following should be the practitioner's PRIMARY concern?
A. Security of the test environment.
B. Readability of test data.
C. Sensitivity of the data.
D. Availability of data to authorized staff.
A control owner has decided to implement a compensating control instead of the control selected in the risk action plan. Which of the following is the risk practitioner's MOST important action after reassessing the risk?
A. Notify senior management of the control owner’s decision.
B. Seek approval of the change from the risk owner.
C. Update control ownership in the risk register.
D. Update policies relevant to the risk.
A vulnerability assessment of a vendor-supplied solution has revealed that the software is susceptible to cross-site scripting and SQL injection attacks. Which of the following will BEST mitigate this issue?
A. Require the software vendor to remediate the vulnerabilities.
B. Approve exception to allow the software to continue operating.
C. Monitor the databases for abnormal activity.
D. Accept the risk and let the vendor run the software as is.
Which of the following controls detects a problem before it can occur?
A. Deterrent control
B. Detective control
C. Compensating control
D. Preventative control
Which of the following is the MOST useful indicator to measure the efficiency of an identity and access management process?
A. Average time to provision user accounts
B. Password reset volume per month
C. Number of tickets for provisioning new accounts
D. Average account lockout time
An organization striving to be on the leading edge in regard to risk monitoring would MOST likely implement:
A. a tool for monitoring critical activities and controls
B. procedures to monitor the operation of controls
C. real-time monitoring of risk events and control exceptions
D. monitoring activities for all critical assets.
Reviewing historical risk events is MOST useful for which of the following processes within the risk management life cycle?
A. Risk mitigation
B. Risk assessment
C. Risk monitoring
D. Risk aggregation
The BEST key performance indicator (KPI) to measure the ongoing effectiveness of a risk awareness training program is the percentage of staff members who have:
A. passed subsequent random testing.
B. passed the training session test.
C. attended annual training.
D. accessed online training materials.
Which of the following is the MOST important outcome of reviewing the risk management process?
A. Improving the competencies of employees who performed the review
B. Assuring the risk profile supports the IT objectives
C. Determining what changes should be made to IS policies to reduce risk
D. Determining that procedures used in risk assessment are appropriate
The MOST effective approach to prioritize risk scenarios is by:
A. assessing impact to the strategic plan
B. soliciting input from risk management experts
C. aligning with industry best practices
D. evaluating the cost of risk response
Which of the following is MOST important to review when determining whether a potential IT service provider's control environment is effective?
A. Control self-assessment (CSA)
B. Service level agreements (SLAs)
C. Key performance indicators (KPIs)
D. Independent audit report
You work as the project manager for Bluewell Inc. Your project has several risks that will affect several stakeholder requirements. Which project management plan will define who will be available to share information on the project risks?
A. Risk Management Plan
B. Stakeholder management strategy
C. Communications Management Plan
D. Resource Management Plan
Which of the following is the MOST important reason to test new controls?
A. To verify controls work as intended.
B. To justify the cost of control investment.
C. To identify exceptions that elevate risk.
D. To ensure an accurate and up-to-date controls register.
Which of the following is the BEST key performance indicator (KPI) to measure the ability to deliver uninterrupted IT services?
A. Mean time to recover (MTTR)
B. Mean time between failures (MTBF)
C. Planned downtime
D. Unplanned downtime
The PRIMARY purpose of IT control status reporting is to:
A. assist internal audit in evaluating and initiating remediation efforts.
B. ensure compliance with IT governance strategy.
C. facilitate the comparison of the current and desired states.
D. benchmark IT controls with industry standards.
You are the project manager of the GFT project. Your project involves the use of an electrical motor. Its specification states that if its temperature increases to 500 degrees Fahrenheit, the machine will overheat and have to be shut down for 48 hours. If the machine overheats even once, it will delay the project's delivery date. To prevent this, while creating the response you have decided that if the temperature of the machine reaches 450 degrees, the machine will be paused for at least an hour so that its temperature can normalize. What is this temperature of 450 degrees referred to as?
A. Risk identification
B. Risk trigger
C. Risk event
D. Risk response
You are the project manager of the NHH Project. You are working with the project team to create a plan that documents the procedures for managing risks throughout the project. This document will define how risks will be identified and quantified. It will also define how contingency plans will be implemented by the project team. What document are you and your team creating in this scenario?
A. Project plan
B. Resource management plan
C. Project management plan
D. Risk management plan
Thomas is a key stakeholder in your project. Thomas has requested several changes to the project scope for the project you are managing. Upon review of the proposed changes, you have discovered that these new requirements are laden with risks and you recommend to the change control board that the changes be excluded from the project scope. The change control board agrees with you. What component of the change control system communicates the approval or denial of a proposed change request?
A. Configuration management system
B. Integrated change control
C. Change log
D. Scope change control system
Which of the following is the BEST approach for an organization in a heavily regulated industry to comprehensively test application functionality?
A. Use production data in a non-production environment.
B. Use anonymized data in a non-production environment.
C. Use test data in a production environment.
D. Use masked data in a non-production environment.
A risk practitioner notices a risk scenario associated with data loss at the organization's cloud provider is assigned to the provider. Who should the risk scenario be reassigned to?
A. Chief risk officer
B. Vendor manager
C. Data owner
D. Senior management
Which of the following is the GREATEST concern when using a generic set of IT risk scenarios for risk analysis?
A. Inherent risk might not be considered
B. Implementation costs might increase
C. Risk factors might not be relevant to the organization
D. Quantitative analysis might not be possible
When assembling IT risk scenarios, it is MOST important that the scenarios:
A. describe worst-case situations and the inherent likelihood of risk.
B. are linked to relevant business risk and corresponding information classification.
C. can be used for efficient risk identification and subsequent risk analysis.
D. consider the information criteria efficiency, effectiveness, and availability.
An organization will be impacted by a new data privacy regulation due to the location of its production facilities. What action should the risk practitioner take when evaluating the new regulation?
A. Perform an analysis of the new regulation to ensure current risk is identified.
B. Evaluate if the existing risk responses to the previous regulation are still adequate.
C. Assess the validity and perform update testing on data privacy controls.
D. Develop internal control assessments over data privacy for the new regulation.
Which of the following attributes of data provided to an automated log analysis tool is MOST important for effective risk monitoring?
A. Retention
B. Confidentiality
C. Relevancy
D. Scalability
The PRIMARY reason to use a bottom-up approach to analyze risk scenarios is to:
A. identify the relationship to enterprise risk.
B. identify key stakeholders.
C. ensure risk details are appropriately gathered.
D. determine positional risk ranking.
Which component of a software inventory BEST enables the identification and mitigation of known vulnerabilities?
A. Software licensing information
B. Software version
C. Software support contract expiration
D. Assigned software manager
What is the PRIMARY purpose of a business impact analysis (BIA)?
A. To determine the likelihood and impact of threats to business operations
B. To evaluate the priority of business operations in case of disruption
C. To estimate resource requirements for related business processes
D. To identify important business processes in the organization
Due to budget constraints, an organization cannot implement encryption on all databases. Which of the following is the MOST useful information to identify high-risk databases where encryption should be applied?
A. Business impact assessment (BIA)
B. Unsupported database list
C. Penetration test results
D. Data classification scheme
You are the project manager of the GHT project. You have implemented an automated tool to analyze and report on access control logs based on severity. This tool generates an excessively large number of results. You perform a risk assessment and decide to configure the monitoring tool to report only when the alerts are marked "critical". What should you do in order to accomplish this?
A. Apply risk response
B. Optimize Key Risk Indicator
C. Update risk register
D. Perform quantitative risk analysis
Which of the following MOST effectively limits the impact of a ransomware attack?
A. End user training
B. Cyber insurance
C. Data backups
D. Cryptocurrency reserve
You are the project manager of the AFD project for your company. You are working with the project team to reassess existing risk events and to identify risk events that have not happened and whose relevancy to the project has passed. What should you do with these events that have not happened and would not happen now in the project?
A. Add the risk to the issues log
B. Close the outdated risks
C. Add the risks to the risk register
D. Add the risks to a low-priority watch-list
Mike is the project manager of the NNP Project for his organization. He is working with his project team to plan the risk responses for the NNP Project. Mike would like the project team to work together on establishing risk thresholds in the project. What is the purpose of establishing risk thresholds?
A. It is a study of the organization’s risk tolerance.
B. It is a warning sign that a risk event is going to happen.
C. It is a limit of the funds that can be assigned to risk events.
D. It helps to identify those risks for which specific responses are needed.
An organization has outsourced its lease payment process to a service provider who lacks evidence of compliance with a necessary regulatory standard. Which risk treatment was adopted by the organization?
A. Acceptance
B. Transfer
C. Mitigation
D. Avoidance
A risk practitioner is advising management on how to update the IT policy framework to account for the organization's cloud usage. Which of the following should be the FIRST step in this process?
A. Evaluate adherence to existing IT policies and standards.
B. Determine gaps between the current state and target framework
C. Consult with industry peers regarding cloud best practices.
D. Adopt an industry-leading cloud computing framework
An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?
A. Invoke the disaster recovery plan (DRP) during an incident
B. Reduce the recovery time by strengthening the response team
C. Prepare a cost-benefit analysis of alternatives available
D. Implement redundant infrastructure for the application
Which of the following would BEST help identify the owner for each risk scenario in a risk register?
A. Allocating responsibility for risk factors equally to asset owners.
B. Determining resource dependency of assets.
C. Mapping identified risk factors to specific business processes.
D. Determining which departments contribute most to risk.
You and your project team have identified a few risk events in the project and recorded the events in the risk register. Part of the recording of the events includes the identification of a risk owner. Who is a risk owner?
A. A risk owner is the party that will monitor the risk events.
B. A risk owner is the party that will pay for the cost of the risk event if it becomes an issue.
C. A risk owner is the party that has caused the risk event.
D. A risk owner is the party authorized to respond to the risk event.
You are the program manager for your organization and you are working with Alice, a project manager in your program. Alice calls you and insists that you add a change to the program scope. You agree to the change. What must Alice do to move forward with her change request?
A. Add the change to the program scope herself, as she is a project manager
B. Create a change request charter justifying the change request
C. Document the change request in a change request form.
D. Add the change request to the scope and complete integrated change control
Which of the following would be MOST helpful to review when prioritizing the implementation of multiple IT-related initiatives?
A. Risk policy
B. Risk profile
C. Risk assessment results
D. Risk awareness program objectives
Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?
A. Develop risk awareness training
B. Monitor employee usage
C. Identify the potential risk
D. Assess the potential risk
An organization expects to continually deal with severe distributed denial of service (DDoS) attacks from hacktivist groups. Which of the following is the BEST recommendation to help address this threat?
A. Implement Internet service provider (ISP) redundancy.
B. Implement an intrusion prevention system (IPS).
C. Develop an incident response plan.
D. Plan data center redundancy.
A change management process has recently been updated with new testing procedures. The NEXT course of action is to:
A. communicate to those who test and promote changes
B. assess the maturity of the change management process
C. conduct a cost-benefit analysis to justify the cost of the control
D. monitor processes to ensure recent updates are being followed
A multinational company needs to implement a new centralized security system. The risk practitioner has identified a conflict between the organization's data-handling policy and local privacy regulations. Which of the following would be the BEST recommendation?
A. Request a policy exception from senior management.
B. Request an exception from the local regulatory agency.
C. Comply with the organizational policy.
D. Report the noncompliance to the local regulatory agency.
External auditors have found that management has not effectively monitored key security technologies that support regulatory objectives. Which type of indicator would BEST enable the organization to identify and correct this situation?
A. Key management indicator (KMI)
B. Key control indicator (KCI)
C. Key performance indicator (KPI)
D. Key risk indicator (KRI)
The PRIMARY objective for requiring an independent review of an organization's IT risk management process should be to:
A. ensure IT risk management is focused on mitigating potential risk.
B. confirm that IT risk assessment results are expressed as business impact.
C. assess gaps in IT risk management operations and strategic focus.
D. verify implemented controls to reduce the likelihood of threat materialization.
A rule-based data loss prevention (DLP) tool has recently been implemented to reduce the risk of sensitive data leakage. Which of the following is MOST likely to change as a result of this implementation?
A. Risk velocity
B. Risk impact
C. Risk likelihood
D. Risk appetite
An organization is planning to outsource its payroll function to an external service provider. Which of the following should be the MOST important consideration when selecting the provider?
A. Transparency of key performance indicators (KPIs)
B. Right to audit the provider
C. Disaster recovery plan (DRP) of the system
D. Internal controls to ensure data privacy
You are working in an enterprise. Your project deals with important files that are stored on the computer. You have identified the risk of the failure of operations. To address this risk of failure, you have directed the system administrator to sign off on the daily backup. This scenario is an example of which of the following?
A. Risk avoidance
B. Risk transference
C. Risk acceptance
D. Risk mitigation
Access Full CRISC Dump Free
Looking for even more practice questions? Click here to access the complete CRISC Dump Free collection, offering hundreds of questions across all exam objectives.
We regularly update our content to ensure accuracy and relevance—so be sure to check back for new material.
Begin your certification journey today with our CRISC dump free questions — and get one step closer to exam success!