CRISC Practice Exam Free – 50 Questions to Simulate the Real Exam
Are you getting ready for the CRISC certification? Take your preparation to the next level with our CRISC Practice Exam Free – a carefully designed set of 50 realistic exam-style questions to help you evaluate your knowledge and boost your confidence.
Using a free CRISC practice exam is one of the best ways to:
- Experience the format and difficulty of the real exam
- Identify your strengths and focus on weak areas
- Improve your test-taking speed and accuracy
Below, you will find 50 realistic free CRISC practice exam questions covering key exam topics. Each question reflects the structure and challenge of the actual exam.
During a risk assessment, a key external technology supplier refuses to provide control design and effectiveness information, citing confidentiality concerns. What should the risk practitioner do NEXT?
A. Escalate the non-cooperation to management
B. Exclude applicable controls from the assessment
C. Review the supplier’s contractual obligations
D. Request risk acceptance from the business process owner
Which of the following provides the BEST evidence that robust risk management practices are in place within an organization?
A. A management-approved risk dashboard
B. A current control framework
C. A regularly updated risk register
D. Regularly updated risk management procedures
Which of the following is the MOST important concern when assigning multiple risk owners for an identified risk?
A. Risk ratings may be inconsistently applied.
B. Accountability may not be clearly defined.
C. Different risk taxonomies may be used.
D. Mitigation efforts may be duplicated.
You are the project manager for the TTP project. You are in the Identify Risks process and have to create the risk register. Which of the following are included in the risk register? Each correct answer represents a complete solution. (Choose two.)
A. List of potential responses
B. List of key stakeholders
C. List of mitigation techniques
D. List of identified risks
Which of the following is the BEST key performance indicator (KPI) for a server patch management process?
A. The number of servers with local credentials to install patches
B. The number of servers running the software patching service
C. The percentage of servers patched within required service level agreements
D. The percentage of servers with allowed patching exceptions
The BEST key performance indicator (KPI) for monitoring adherence to an organization's user accounts provisioning practices is the percentage of:
A. active accounts belonging to former personnel.
B. accounts with dormant activity.
C. accounts without documented approval.
D. user accounts with default passwords.
The MAIN reason for prioritizing IT risk responses is to enable an organization to:
A. determine the risk appetite.
B. determine the budget.
C. define key performance indicators (KPIs).
D. optimize resource utilization.
Which of the following would be MOST useful to management when allocating resources to mitigate risk to the organization?
A. Risk-based audits
B. Control self-assessments (CSAs)
C. Risk assessments
D. Vulnerability analysis
Which of the following would be MOST helpful to understand the impact of a new technology system on an organization's current risk profile?
A. Conduct a gap analysis
B. Review existing risk mitigation controls
C. Perform a risk assessment
D. Hire consultants specializing in the new technology
Which of the following is the GREATEST risk associated with an environment that lacks documentation of the architecture?
A. Network isolation
B. Overlapping threats
C. Unknown vulnerabilities
D. Legacy technology systems
Which of the following is a risk practitioner's BEST recommendation to help ensure cyber risk is assessed and reflected in the enterprise-level risk profile?
A. Conduct cyber risk awareness training tailored specifically for senior management
B. Implement a cyber risk program based on industry best practices
C. Manage cyber risk according to the organization’s risk management framework
D. Define cyber roles and responsibilities across the organization
A recent change in accounting policy has the potential to impact a known risk related to an organization's financial software. Which of the following should the risk practitioner do FIRST?
A. Analyze and update the risk register as needed.
B. Conduct software testing for required code updates.
C. Analyze and update associated control assessments.
D. Determine whether the risk response is still adequate.
A hospital's Internet of Things (IoT) bio-medical devices were recently hacked. Which of the following methods would BEST assist in identifying the control deficiencies?
A. SWOT analysis
B. Countermeasure analysis
C. Business impact analysis (BIA)
D. Gap analysis
Mary is the project manager for the BLB project. She has instructed the project team to assemble to review the risks. She has included the schedule management plan as an input for the quantitative risk analysis process. Why is the schedule management plan needed for quantitative risk analysis?
A. Mary will schedule when the identified risks are likely to happen and affect the project schedule.
B. Mary will utilize the schedule controls and the nature of the schedule for the quantitative analysis of the schedule.
C. Mary will use the schedule management plan to schedule the risk identification meetings throughout the remaining project.
D. Mary will utilize the schedule controls to determine how risks may be allowed to change the project schedule.
An organization practices the principle of least privilege. To ensure access remains appropriate, application owners should be required to review user access rights on a regular basis by obtaining:
A. security logs to determine the cause of invalid login attempts.
B. documentation indicating the intended users of the application.
C. an access control matrix and approval from the user’s manager.
D. business purpose documentation and software license counts.
Which of the following is MOST important to promoting a risk-aware culture?
A. Communication of audit findings
B. Open communication of risk reporting
C. Procedures for security monitoring
D. Regular testing of risk controls
When formulating a social media policy to address information leakage, which of the following is the MOST important concern to address?
A. Using social media to maintain contact with business associates
B. Using social media for personal purposes during working hours
C. Sharing company information on social media
D. Sharing personal information on social media
Which of the following is the MOST important action for a risk practitioner when a recovery test indicates control gaps?
A. Verify test specifications.
B. Review the recovery test report.
C. Perform a root cause analysis.
D. Develop an action plan.
You are the project manager of the GHT project. You want to perform a post-project review of your project. What is the BEST time for you and your project development team to perform the post-project review to assess the effectiveness of the project?
A. Project is completed and the system has been in production for a sufficient time period
B. During the project
C. Immediately after the completion of the project
D. Project is about to complete
To define the risk management strategy, which of the following MUST be set by the board of directors?
A. Risk governance
B. Annualized loss expectancy (ALE)
C. Risk appetite
D. Operational strategies
Which of the following is the MOST important course of action to foster an ethical, risk-aware culture?
A. Establish an enterprise-wide ethics training and awareness program.
B. Ensure the alignment of the organization’s policies and standards to the defined risk appetite.
C. Implement a fraud detection and prevention framework.
D. Perform a comprehensive review of all applicable legislative frameworks and requirements.
A risk practitioner discovers that a data center's air conditioning system cannot provide sufficient cooling. What else is MOST important to consider when predicting the probability of adverse business impact from this issue?
A. Maintenance history
B. Compensating controls
C. Replacement cost
D. Applicable threats
Which of the following is a technique that provides a systematic description of the combination of unwanted occurrences in a system?
A. Sensitivity analysis
B. Scenario analysis
C. Fault tree analysis
D. Cause and effect analysis
A risk practitioner notices a risk scenario associated with data loss at the organization's cloud provider is assigned to the provider. Who should the risk scenario be reassigned to?
A. Chief risk officer
B. Vendor manager
C. Data owner
D. Senior management
Which of the following is MOST likely to introduce risk for financial institutions that use blockchain?
A. Disruption to business processes
B. Cost of implementation
C. Implementation of unproven applications
D. Increase in attack surface area
Who should be PRIMARILY responsible for establishing an organization's IT risk culture?
A. Risk management
B. IT management
C. Business process owner
D. Executive management
Which of the following business requirements MOST relates to the need for resilient business and information systems processes?
A. Confidentiality
B. Effectiveness
C. Integrity
D. Availability
Which of the following is MOST important for senior management to review during an acquisition?
A. Key risk indicator (KRI) thresholds
B. Risk framework and methodology
C. Risk communication plan
D. Risk appetite and tolerance
Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:
A. a vulnerability assessment.
B. a root cause analysis.
C. an impact assessment.
D. a gap analysis.
Which of the following is the BEST metric to demonstrate the effectiveness of an organization’s patch management process?
A. Number of patches tested prior to deployment
B. Average time to implement patches after vendor release
C. Percent of patches implemented within established timeframe
D. Increase in the frequency of patches deployed into production
An organization has established a policy prohibiting ransom payments if subjected to a ransomware attack. Which of the following is the MOST effective control to support this policy?
A. Implementing continuous intrusion detection monitoring
B. Creating immutable backups
C. Conducting periodic vulnerability scanning
D. Performing required patching
An organization implements a risk avoidance approach to collecting personal information. Which of the following is the BEST way for a risk practitioner to validate the risk response?
A. Verify security baselines are implemented for databases.
B. Perform a scan for personal information.
C. Confirm that personal information is encrypted.
D. Review the privacy policy to confirm it is up to date.
Establishing an organizational code of conduct is an example of which type of control?
A. Directive
B. Preventive
C. Detective
D. Compensating
Which of the following are parts of SWOT Analysis? Each correct answer represents a complete solution. (Choose four.)
A. Weaknesses
B. Tools
C. Threats
D. Opportunities
E. Strengths
As part of software development projects, risk assessments are MOST effective when performed:
A. throughout the system development life cycle (SDLC).
B. before the decision is made to develop or acquire the software.
C. during system deployment and maintenance.
D. before developing the project charter for the software.
An organization recently experienced a cyber attack that resulted in the loss of confidential customer data. Which of the following is the risk practitioner’s BEST recommendation after recovery steps have been completed?
A. Review the incident response plan
B. Perform a root cause analysis
C. Develop new key risk indicators (KRIs)
D. Recommend the purchase of cyber insurance
You are the project manager of the NNN Project. Stakeholders in the two-year project have requested that status reports be sent to them via email every week. You have agreed and send reports every Thursday. Six months into the project, the stakeholders are pleased with the project progress and would like you to reduce the status reports to every two weeks. What process will examine the change to this project process and implement it in the project?
A. Configuration management
B. Communications management
C. Perform integrated change control process
D. Project change control process
You are the project manager for the NHH project. You are working with your project team to examine the project from four different defined perspectives to increase the breadth of identified risks by including internally generated risks. What risk identification approach are you using in this example?
A. Root cause analysis
B. Influence diagramming techniques
C. SWOT analysis
D. Assumptions analysis
A risk practitioner is assisting with the preparation of a report on the organization's disaster recovery (DR) capabilities. Which information would have the MOST impact on the overall recovery profile?
A. The percentage of systems meeting recovery target times has increased
B. The number of systems requiring a recovery plan has increased
C. The number of systems tested in the last year has increased
D. The percentage of systems with long recovery target times has decreased
Which of the following approaches would BEST help to identify relevant risk scenarios?
A. Engage line management in risk assessment workshops
B. Escalate the situation to risk leadership
C. Engage internal audit for risk assessment workshops
D. Review system and process documentation
Which of the following is the responsibility of the second line of defense?
A. Auditing compliance with corporate risk policies and standards
B. Approving enterprise risk appetite thresholds
C. Providing oversight of the organization’s financial statements
D. Monitoring the result of actions taken to mitigate risk
Which of the following would be the BEST way to proactively identify changes in organizational risk levels?
A. Develop risk scenarios
B. Conduct compliance reviews
C. Monitor key risk indicators (KRIs)
D. Perform business impact analyses
Which of the following is a risk practitioner’s BEST recommendation upon learning that an employee inadvertently disclosed sensitive data to a vendor?
A. Enroll the employee in additional security training.
B. Invoke the incident response plan.
C. Conduct an internal audit.
D. Instruct the vendor to delete the data.
You are the project manager of the NHH Project. You are working with the project team to create a plan that documents the procedures for managing risks throughout the project. This document will define how risks will be identified and quantified. It will also define how contingency plans will be implemented by the project team. What document are you and your team creating in this scenario?
A. Project plan
B. Resource management plan
C. Project management plan
D. Risk management plan
Which of the following is the MOST effective control to ensure user access is maintained on a least-privilege basis?
A. Change log review
B. User recertification
C. Access log monitoring
D. User authorization
Which of the following is a detective control?
A. Limit check
B. Access control software
C. Periodic access review
D. Rerun procedures
The MOST important reason for implementing change control procedures is to ensure:
A. an audit trail exists.
B. timely evaluation of change events.
C. that emergency changes are logged.
D. only approved changes are implemented.
Continuous monitoring of key risk indicators (KRIs) will:
A. ensure that risk tolerance and risk appetite are aligned.
B. provide an early warning so that proactive action can be taken.
C. ensure that risk will not exceed the defined risk appetite of the organization.
D. provide a snapshot of the risk profile.
Sammy is the project manager for her organization. She would like to rate each risk based on its probability and effect on time, cost, and scope. Harry, a project team member, has never done this before and thinks Sammy is wrong to attempt this approach. Harry says that a cumulative risk score should be created, not three separate risk scores. Who is correct in this scenario?
A. Sammy is correct, because she is the project manager.
B. Sammy is correct, because organizations can create risk scores for each objective of the project.
C. Harry is correct, the risk probability and impact matrix is the only approach to risk assessment.
D. Harry is correct, because the risk probability and impact considers all objectives of the project.
Which of the following is MOST critical to the design of relevant risk scenarios?
A. The scenarios are linked to probable organizational situations.
B. The scenarios are based on past incidents.
C. The scenarios are aligned with risk management capabilities.
D. The scenarios are mapped to incident management capabilities.
Free Access Full CRISC Practice Exam Free
Looking for additional practice? Click here to access a full set of free CRISC practice exam questions and continue building your skills across all exam domains.
Our question sets are updated regularly to ensure they stay aligned with the latest exam objectives—so be sure to visit often!
Good luck with your CRISC certification journey!