CRISC Mock Test Free – 50 Realistic Questions to Prepare with Confidence.
Getting ready for your CRISC certification exam? Start your preparation the smart way with our CRISC Mock Test Free – a carefully crafted set of 50 realistic, exam-style questions to help you practice effectively and boost your confidence.
Using a free mock test for the CRISC exam is one of the best ways to:
- Familiarize yourself with the actual exam format and question style
- Identify areas where you need more review
- Strengthen your time management and test-taking strategy
Below, you will find 50 free questions from our CRISC Mock Test Free resource. These questions are structured to reflect the real exam’s difficulty and content areas, helping you assess your readiness accurately.
Which of the following is the STRONGEST indication an organization has ethics management issues?
A. Employees face sanctions for not signing the organization’s acceptable use policy.
B. The organization has only two lines of defense.
C. Internal IT auditors report to the chief information security officer (CISO).
D. Employees do not report IT risk issues for fear of consequences.
To communicate the risk associated with IT in business terms, which of the following MUST be defined?
A. Risk appetite of the organization
B. Compliance objectives
C. Organizational objectives
D. Inherent and residual risk
Which of the following is the MOST important success factor when introducing risk management in an organization?
A. Establishing executive management support
B. Implementing a risk register
C. Assigning risk ownership
D. Defining a risk mitigation strategy and plan
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an organization's cybersecurity program?
A. Percentage of systems being monitored
B. Average time to contain security incidents
C. Number of false positives reported
D. Number of personnel dedicated to security monitoring
Which of the following is the PRIMARY objective of maintaining an information asset inventory?
A. To facilitate risk assessments
B. To protect information assets
C. To provide input to business impact analyses (BIAs)
D. To manage information asset licensing
Which of the following is MOST important to identify when developing top-down risk scenarios?
A. Hypothetical scenarios
B. Key procedure control gaps
C. Senior management’s risk appetite
D. Business objectives
Which of these documents is MOST important to request from a cloud service provider during a vendor risk assessment?
A. Business impact analysis (BIA)
B. Service level agreement (SLA)
C. Independent audit report
D. Nondisclosure agreement (NDA)
Which of the following stakeholders define risk tolerance for an enterprise?
A. The board and executive management
B. IT compliance and IT audit
C. Regulators and shareholders
D. Enterprise risk management (ERM)
A risk practitioner has been hired to establish risk management practices to be embedded across an organization. Which of the following should be the FIRST course of action?
A. Integrate risk management into operational procedures.
B. Engage key stakeholders in risk identification.
C. Implement risk management controls throughout the organization.
D. Establish an organization-wide risk taxonomy.
You are the project manager of the GHT project. You identified a risk of noncompliance with regulations due to the absence of a number of relatively simple procedures. The response requires creating the missing procedures and implementing them. Under which of the following risk response prioritization categories should this case be placed?
A. Business case to be made
B. Quick win
C. Risk avoidance
D. Deferrals
After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:
A. inform the IT manager of the concerns and propose measures to reduce them
B. inform the process owner of the concerns and propose measures to reduce them
C. inform the development team of the concerns, and together formulate risk reduction measures
D. recommend a program that minimizes the concerns of that production system
Which of the following would BEST provide early warning of a high-risk condition?
A. Risk assessment
B. Key risk indicator (KRI)
C. Risk register
D. Key performance indicator (KPI)
Which of the following provides the BEST assurance of the effectiveness of internal controls?
A. Balanced scorecard review
B. Control self-assessments (CSAs)
C. Compliance training metrics
D. Continuous monitoring
Which of the following will be the GREATEST concern when assessing the risk profile of an organization?
A. The risk profile does not contain historical loss data.
B. The risk profile was last reviewed two years ago.
C. The risk profile was not updated after a recent incident.
D. The risk profile was developed without using industry standards.
Which of the following BEST ensures that a firewall is configured in compliance with an enterprise's security policy?
A. Interview the firewall administrator.
B. Review the actual procedures.
C. Review the device’s log file for recent attacks.
D. Review the parameter settings.
Which of the following is the MOST effective way for a large and diversified organization to minimize risk associated with unauthorized software on company devices?
A. Perform frequent internal audits of enterprise IT infrastructure.
B. Scan end points for applications not included in the asset inventory.
C. Conduct frequent reviews of software licenses.
D. Prohibit the use of cloud-based virtual desktop software.
A process maturity model is MOST useful to the risk management process because it helps:
A. reduce audit and regulatory findings
B. determine the cost of control improvements
C. benchmark maturity against industry standards
D. determine the gap between actual and desired state
Your project is an agriculture-based project that deals with plant irrigation systems. You have discovered a byproduct in your project that your organization could use to make a profit. If your organization seizes this opportunity, it would be an example of what risk response?
A. Enhancing
B. Positive
C. Opportunistic
D. Exploiting
The design of procedures to prevent fraudulent transactions within an enterprise resource planning (ERP) system should be based on:
A. benchmarking criteria.
B. stakeholder risk tolerance.
C. the control environment.
D. suppliers used by the organization.
Which of the following is MOST important for a risk practitioner to confirm when reviewing the disaster recovery plan (DRP)?
A. The DRP covers relevant scenarios.
B. The business continuity plan (BCP) has been documented.
C. Senior management has approved the DRP.
D. The DRP has been tested by an independent third party.
In response to recent security incidents, the IT risk management team is promoting a global security plan that defines controls to be implemented in multiple regions. Which of the following BEST enables the successful deployment of this plan?
A. Obtain the approval of each regional head.
B. Engage an external auditor in each region before deployment.
C. Provide each region with adequate funding.
D. Allow each region to adapt the plan to its local requirements
What is the BEST recommendation to reduce the risk associated with potential system compromise when a vendor stops releasing security patches and updates for a business-critical legacy system?
A. Ensure regular backups take place.
B. Install antivirus software on the system.
C. Virtualize the system in the cloud.
D. Segment the system on its own network.
You are completing the qualitative risk analysis process with your project team and are relying on the risk management plan to help you determine the budget, the schedule for risk management, and the risk categories. You discover that the risk categories have not been created. When should the risk categories have been created?
A. Define scope process
B. Risk identification process
C. Plan risk management process
D. Create work breakdown structure process
Which of the following is the MOST important requirement for monitoring key risk indicators (KRIs) using log analysis?
A. Collecting logs from the entire set of IT systems
B. Providing accurate logs in a timely manner
C. Implementing an automated log analysis tool
D. Obtaining logs in an easily readable format
Which of the following provides the MOST reliable information to ensure a newly acquired company has appropriate IT controls in place?
A. Vulnerability assessment
B. Information system audit
C. Penetration testing
D. IT risk assessment
Which of the following is the MOST crucial part of the risk management process?
A. Risk communication
B. Auditing
C. Risk monitoring
D. Risk mitigation
The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for:
A. data classification and labeling.
B. data mining and analytics.
C. data retention and destruction.
D. data logging and monitoring.
Which of the following is true for Cost Performance Index (CPI)?
A. If the CPI > 1, it indicates better-than-expected project performance
B. CPI = Earned Value (EV) * Actual Cost (AC)
C. It is used to measure performance of schedule
D. If the CPI = 1, it indicates poor project performance
Which of the following BEST facilitates the mitigation of identified gaps between current and desired risk environment states?
A. Develop a risk treatment plan.
B. Include the current and desired states in the risk register.
C. Review results of prior risk assessments.
D. Validate organizational risk appetite.
To effectively support business decisions, an IT risk register MUST:
A. reflect the results of risk assessments.
B. effectively support a business maturity model.
C. be available to operational risk groups.
D. be reviewed by the IT steering committee.
Which of the following is the PRIMARY consideration when establishing an organization's risk management methodology?
A. Risk tolerance level
B. Benchmarking information
C. Resource requirements
D. Business context
Which of the following should be a risk practitioner's PRIMARY consideration when evaluating the possible impact of an adverse event affecting corporate information assets?
A. Authentication and authorization requirements for personnel accessing the assets
B. Potential regulatory fines as a result of the adverse event
C. The amount of data processed by the assets
D. Criticality classification of the assets needed for normal business operations
Which of the following attributes of a key risk indicator (KRI) is MOST important?
A. Repeatable
B. Qualitative
C. Automated
D. Quantitative
An organization moved one of its applications to a public cloud, but after migration decided to move it back on-premises after an issue caused the application to be down for one day. What does this scenario indicate?
A. The organization has high risk tolerance.
B. The organization has low risk tolerance.
C. The organization has high risk appetite.
D. The organization has low risk appetite.
Which of the following would be a risk practitioner's GREATEST concern with the use of a vulnerability scanning tool?
A. Increased time to remediate vulnerabilities
B. Inaccurate reporting of results
C. Increased number of vulnerabilities
D. Network performance degradation
Which of the following is true for Single loss expectancy (SLE), Annual rate of occurrence (ARO), and Annual loss expectancy (ALE)?
A. ALE = ARO / SLE
B. ARO = SLE / ALE
C. ARO = ALE * SLE
D. ALE = ARO * SLE
What are the PRIMARY requirements for developing risk scenarios? Each correct answer represents a part of the solution. (Choose two.)
A. Potential threats and vulnerabilities that could lead to loss events
B. Determination of the value of an asset at risk
C. Determination of actors that have the potential to generate risk
D. Determination of threat type
An organization has an internal control that requires that all access for employees be removed within 15 days of their termination date. Which of the following should the risk practitioner use to monitor adherence to the 15-day threshold?
A. Service level agreement (SLA)
B. Operation level agreement (OLA)
C. Key performance indicator (KPI)
D. Key risk indicator (KRI)
Which of the following is the MOST important information for determining inherent risk?
A. The effectiveness of controls in place to prevent the risk
B. Loss the risk has historically caused
C. The IT risk manager’s view of emerging risk
D. The maturity of the control environment
Which of the following is the MOST important objective of information system controls?
A. Business objectives are achieved and undesired risk events are detected and corrected
B. Ensuring effective and efficient operations
C. Developing business continuity and disaster recovery plans
D. Safeguarding assets
Which of the following BEST protects organizational data within a production cloud environment?
A. Right to audit
B. Data encryption
C. Data obfuscation
D. Continuous log monitoring
A risk practitioner notes that the number of unauthorized disclosures of confidential data has been increasing. Which of the following is MOST important to examine for determining the root cause?
A. The volume of data loss prevention (DLP) alerts
B. Completeness of data classification schema
C. Scope of security awareness training
D. Updated regulations related to data protection
During a risk assessment, a risk practitioner learns that an IT risk factor is adequately mitigated by compensating controls in an associated business process. Which of the following would enable the MOST effective management of the residual risk?
A. Recommend additional IT controls to further reduce residual risk.
B. Request that ownership of the compensating controls is reassigned to IT.
C. Schedule periodic reviews of the compensating controls’ effectiveness.
D. Report the use of compensating controls to senior management.
When developing a response plan to address security incidents regarding sensitive data loss, it is MOST important to:
A. revalidate existing risk scenarios.
B. revalidate current key risk indicators (KRIs).
C. review the data classification policy.
D. revise risk management procedures.
An organization has detected unauthorized logins to its client database servers. Which of the following should be of GREATEST concern?
A. Potential increase in regulatory scrutiny
B. Potential theft of personal information
C. Potential legal risk
D. Potential system downtime
Which of the following BEST mitigates the risk associated with sensitive data loss due to theft of an organization's removable media?
A. Data encryption
B. Asset management policy
C. Code of conduct policy
D. Data loss prevention (DLP) system
A risk practitioner is reviewing accountability assignments for data risk in the risk register. Which of the following would pose the GREATEST concern?
A. The risk owner is a staff member rather than a department manager.
B. The risk owner is in a business unit and does not report through the IT department.
C. The risk owner is not the control owner for associated data controls.
D. The risk owner is listed as the department responsible for decision making.
An organization is analyzing the risk of shadow IT usage. Which of the following is the MOST important input into the assessment?
A. Application-related expenses
B. Classification of the data
C. Business benefits of shadow IT
D. Volume of data
A third-party vendor has offered to perform user access provisioning and termination. Which of the following control accountabilities is BEST retained within the organization?
A. Reviewing access control lists
B. Performing user access recertification
C. Authorizing user access requests
D. Terminating inactive user access
Which of the following provides the MOST up-to-date information about the effectiveness of an organization's overall IT control environment?
A. Periodic penetration testing.
B. Key performance indicators (KPIs).
C. Internal audit findings.
D. Risk heat maps.
Access Full CRISC Mock Test Free
Want a full-length mock test experience? Click here to unlock the complete CRISC Mock Test Free set and get access to hundreds of additional practice questions covering all key topics.
We regularly update our question sets to stay aligned with the latest exam objectives—so check back often for fresh content!
Start practicing with our CRISC mock test free today—and take a major step toward exam success!