CRISC Practice Questions Free – 50 Exam-Style Questions to Sharpen Your Skills
Are you preparing for the CRISC certification exam? Kickstart your success with our CRISC Practice Questions Free – a carefully selected set of 50 real exam-style questions to help you test your knowledge and identify areas for improvement.
Practicing with free CRISC questions gives you an edge by allowing you to:
- Understand the exam structure and question formats
- Discover your strong and weak areas
- Build the confidence you need for test day success
Below you will find 50 free CRISC practice questions designed to match the real exam in both difficulty and topic coverage. They are ideal for self-assessment or final review.
Which of the following is the BEST way to ensure that outsourced service providers comply with the enterprise's information security policy?
A. Penetration testing
B. Service level monitoring
C. Security awareness training
D. Periodic audits
Which of the following provides the MOST useful information to trace the impact of aggregated risk across an organization's technical environment?
A. Business case documentation
B. Organizational risk appetite statement
C. Enterprise architecture (EA) documentation
D. Organizational hierarchy
Which of the following aspects are included in the Internal Environment Framework of COSO ERM? Each correct answer represents a complete solution. (Choose three.)
A. Enterprise’s integrity and ethical values
B. Enterprise’s working environment
C. Enterprise’s human resource standards
D. Enterprise’s risk appetite
The MOST significant benefit of using a consistent risk ranking methodology across an organization is that it enables:
A. assignment of risk to the appropriate owners.
B. allocation of available resources.
C. risk to be expressed in quantifiable terms.
D. clear understanding of risk levels.
Which of the following is the BEST way to quantify the likelihood of risk materialization?
A. Balanced scorecard
B. Business impact analysis (BIA)
C. Threat and vulnerability assessment
D. Compliance assessments
An organization has just implemented changes to close an identified vulnerability that impacted a critical business process. What should be the NEXT course of action?
A. Update the risk register
B. Review the risk tolerance
C. Perform a business impact analysis (BIA)
D. Redesign the heat map.
Which of the following is MOST important to the integrity of a security log?
A. Least privilege access
B. Encryption
C. Inability to edit
D. Ability to overwrite
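The log-integrity question turns on tamper evidence: once an event is written, nobody on the generating host should be able to edit it unnoticed. The following Python is an added example, not part of the question bank: each entry carries an HMAC over the previous entry's digest and its own content, so an in-place edit, or an edit followed by recomputing the chain without the collector's key, is detected. The collector key, the entry format and the sample events are constructed assumptions.

```python
"""Tamper-evident security log: chaining keyed digests over entries.

Added example for the log-integrity question above; it is not part of
the question bank. The collector key, log format and sample events are
all constructed assumptions.
"""
import hashlib
import hmac
import json
from typing import Dict, List

# Assumption: the key is held by the log collector, not by the host that
# generates the events, so an intruder who can edit the file cannot
# recompute valid digests.
COLLECTOR_KEY = b"collector-secret-key"
GENESIS = "0" * 64

# Constructed sample events.
SAMPLE_RECORDS = [
    {"ts": "2024-05-01T10:00:00Z", "user": "alice", "event": "login", "result": "success"},
    {"ts": "2024-05-01T10:02:13Z", "user": "bob", "event": "sudo", "result": "failure"},
    {"ts": "2024-05-01T10:05:40Z", "user": "bob", "event": "login", "result": "failure"},
]


def _digest(key: bytes, prev_hash: str, record: Dict) -> str:
    """HMAC-SHA256 over the previous digest and a canonical encoding of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_hash + "\n" + canonical).encode(), hashlib.sha256).hexdigest()


def append(log: List[Dict], record: Dict, key: bytes = COLLECTOR_KEY) -> Dict:
    """Append-only write: each entry commits to the digest of the one before it."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"prev": prev, "record": dict(record), "hash": _digest(key, prev, record)}
    log.append(entry)
    return entry


def verify(log: List[Dict], key: bytes = COLLECTOR_KEY) -> int:
    """Return the index of the first entry that breaks the chain, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = _digest(key, prev, entry["record"])
        if entry["prev"] != prev or not hmac.compare_digest(entry["hash"], expected):
            return i
        prev = entry["hash"]
    return -1


def build_sample_log() -> List[Dict]:
    log: List[Dict] = []
    for record in SAMPLE_RECORDS:
        append(log, record)
    return log


def tampered_log() -> List[Dict]:
    """An edit in place: the failed sudo is rewritten as a success."""
    log = build_sample_log()
    log[1]["record"]["result"] = "success"
    return log


def rechained_log() -> List[Dict]:
    """Same edit, but the intruder also recomputes every later digest without the collector key."""
    log = tampered_log()
    prev = log[0]["hash"]
    for entry in log[1:]:
        entry["prev"] = prev
        entry["hash"] = _digest(b"guessed-key", prev, entry["record"])
        prev = entry["hash"]
    return log


if __name__ == "__main__":
    print("intact log:    first bad index =", verify(build_sample_log()))
    print("edited log:    first bad index =", verify(tampered_log()))
    print("rechained log: first bad index =", verify(rechained_log()))
```

Two caveats a practitioner should keep in mind: the chain does not detect truncation (deleting the newest entries leaves a valid shorter chain), so the latest digest must be anchored somewhere the writer cannot reach, such as the collector or a WORM store; and whoever holds the collector key can rewrite history, which is why the key must not live on the monitored host.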
A hospital's Internet of Things (IoT) bio-medical devices were recently hacked. Which of the following methods would BEST assist in identifying the control deficiencies?
A. SWOT analysis
B. Countermeasure analysis
C. Business impact analysis (BIA)
D. Gap analysis
Which of the following is MOST useful for measuring the existing risk management process against a desired state?
A. Capability maturity model
B. Risk scenario analysis
C. Risk management framework
D. Balanced scorecard
Which of the following is the BEST approach for obtaining management buy-in to implement additional IT controls?
A. Present new key risk indicators (KRIs) based on industry benchmarks.
B. Provide information on new governance, risk, and compliance (GRC) platform functionalities.
C. Describe IT risk impact on organizational processes in monetary terms.
D. List requirements based on a commonly accepted IT risk management framework.
Which of the following is the GREATEST advantage of implementing a risk management program?
A. Promoting a risk-aware culture
B. Improving security governance
C. Enabling risk-aware decisions
D. Reducing residual risk
A penetration test reveals several vulnerabilities in a web-facing application. Which of the following should be the FIRST step in selecting a risk response?
A. Assess the level of risk associated with the vulnerabilities.
B. Communicate the vulnerabilities to the risk owner.
C. Correct the vulnerabilities to mitigate potential risk exposure.
D. Develop a risk response action plan with key stakeholders.
Which of the following is MOST important for an organization to consider when developing its IT strategy?
A. The organization’s risk appetite statement
B. Legal and regulatory requirements
C. IT goals and objectives
D. Organizational goals and objectives
Which of the following is the BEST approach for an organization in a heavily regulated industry to comprehensively test application functionality?
A. Use production data in a non-production environment.
B. Use anonymized data in a non-production environment.
C. Use test data in a production environment.
D. Use masked data in a non-production environment.
An organization recently completed a major restructuring project to reduce overhead costs by streamlining the approval hierarchy. Which of the following should be done FIRST by the control owner?
A. Evaluate effectiveness of risk responses.
B. Revise risk classifications.
C. Execute control test plans.
D. Analyze the control assessments.
Which of the following is the GREATEST benefit of a three lines of defense structure?
A. Clear accountability for risk management processes
B. An effective risk culture that empowers employees to report risk
C. Improved effectiveness and efficiency of business operations
D. Effective segregation of duties to prevent internal fraud
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an organization’s patch management process?
A. Percentage of systems with the latest patches
B. Average time to implement system patches
C. Number of updates to the patch management policy
D. Number of systems subject to regular vulnerability scans
A separation of duties control can no longer be sustained due to resource reductions at an organization. Who is BEST suited to decide if additional compensating controls are needed?
A. Risk owner
B. Compliance manager
C. Control owner
D. Risk practitioner
You are the project manager of the HGT project, which has recently finished its final compilation process. The project customer has signed off on project completion, and you have a few administrative closure activities left. During the project there were several large risks that could have wrecked it, but you and your project team found new methods to resolve them without affecting project cost or the completion date. What should you do with the risk responses you identified during the project's monitoring and controlling process?
A. Include the responses in the project management plan.
B. Include the risk responses in the risk management plan.
C. Include the risk responses in the organization’s lessons learned database.
D. Nothing. The risk responses are included in the project’s risk register already.
Key control indicators (KCIs) help to assess the effectiveness of the internal control environment PRIMARILY by:
A. enabling senior leadership to better understand the level of risk the organization is facing.
B. ensuring controls are operating efficiently and facilitating productivity.
C. monitoring changes in the likelihood of adverse events due to ineffective controls.
D. providing information on the degree to which controls are meeting intended objectives.
Which of the following situations presents the GREATEST challenge to creating a comprehensive IT risk profile of an organization?
A. Manual vulnerability scanning processes
B. Inaccurate documentation of enterprise architecture (EA)
C. Organizational reliance on third-party service providers
D. Risk-averse organizational risk appetite
Which of the following would MOST effectively mitigate the risk of data loss when production data is being used in a testing environment?
A. Data obfuscation
B. Database encryption
C. Access management
D. Data cleansing and normalization
Which of the following is the BEST key performance indicator (KPI) to measure the maturity of an organization's security incident handling process?
A. The number of resolved security incidents
B. The number of security incidents escalated to senior management
C. The number of newly identified security incidents
D. The number of recurring security incidents
Which of the following BEST assists in justifying an investment in automated controls?
A. Alignment of investment with risk appetite
B. Reduction in personnel costs
C. Elimination of compensating controls
D. Cost-benefit analysis
You are the project manager in your enterprise. You have identified the occurrence of a risk event for which you had pre-planned risk responses, and you have monitored the risks that occurred. What is the immediate step that follows this monitoring when responding to risk events?
A. Initiate incident response
B. Update the risk register
C. Eliminate the risk completely
D. Communicate lessons learned from risk events
You work as a project manager for BlueWell Inc. You are preparing for the risk identification process. You will need to involve several of the project's key stakeholders to help you identify and communicate the identified risk events. You will also need several documents to help you and the stakeholders identify the risk events. Which one of the following is NOT a document that will help you identify and communicate risks within the project?
A. Stakeholder registers
B. Activity duration estimates
C. Activity cost estimates
D. Risk register
Which of the following IT key risk indicators (KRIs) provides management with the BEST feedback on IT capacity?
A. Trends in IT resource usage
B. Increased resource availability
C. Trends in IT maintenance costs
D. Increased number of incidents
Which of the following is the BEST indication of a potential threat?
A. Excessive activity in system logs
B. Increase in identified system vulnerabilities
C. Excessive policy and standard exceptions
D. Ineffective risk treatment plans
Which of the following is the BEST indicator of the effectiveness of a control action plan's implementation?
A. Increased risk appetite
B. Increased number of controls
C. Reduced risk level
D. Stakeholder commitment
A program manager has completed an unsuccessful disaster recovery test. Which of the following should the risk practitioner recommend as the NEXT course of action?
A. Identify what additional controls are needed
B. Update the business impact analysis (BIA)
C. Prioritize issues noted during the testing window
D. Communicate test results to management
To drive effective risk management, it is MOST important that an organization’s policy framework is:
A. mapped to an industry-standard framework.
B. aligned to the functional business structure.
C. approved by relevant stakeholders.
D. included in employee onboarding materials.
A recently purchased IT application does not meet project requirements. Of the following, who is accountable for the potential impact?
A. Business analyst
B. IT project team
C. IT project management office
D. Project sponsor
When formulating a social media policy to address information leakage, which of the following is the MOST important concern to address?
A. Using social media to maintain contact with business associates
B. Using social media for personal purposes during working hours
C. Sharing company information on social media
D. Sharing personal information on social media
Which of the following would be the result of a significant increase in the motivation of a malicious threat actor?
A. Increase in risk event likelihood
B. Increase in mitigating control costs
C. Increase in risk event impact
D. Increase in cybersecurity premiums
Which of the following is the MOST important criteria for selecting key risk indicators (KRIs)?
A. Historical data availability
B. Sensitivity and reliability
C. Ability to display trends
D. Implementation and reporting effort
Which of the following has the GREATEST positive impact on ethical compliance within the risk management process?
A. An independent ethics investigation team has been established
B. The risk practitioner is required to consult with the ethics committee.
C. Senior management demonstrates ethics in their day-to-day decision making.
D. Employees are required to complete ethics training courses annually.
You are the project manager of the GHY Project for your company. You need to complete a project management process that will be on the lookout for new risks, changing risks, and risks that are now outdated. Which project management process is responsible for these actions?
A. Risk planning
B. Risk monitoring and controlling
C. Risk identification
D. Risk analysis
Harry is the project manager of HDW project. He has identified a risk that could injure project team members. He does not want to accept any risk where someone could become injured on this project so he hires a professional vendor to complete this portion of the project work. What type of risk response is Harry implementing?
A. Transference
B. Mitigation
C. Acceptance
D. Avoidance
To effectively support business decisions, an IT risk register MUST:
A. reflect the results of risk assessments.
B. effectively support a business maturity model.
C. be available to operational risk groups.
D. be reviewed by the IT steering committee.
Which of the following is the MOST important characteristic of a key risk indicator (KRI) to enable decision-making?
A. Listing alternative causes for risk events
B. Setting minimum sample sizes to ensure accuracy
C. Monitoring the risk until exposure is reduced
D. Illustrating changes in risk trends
Which process is MOST effective to determine relevance of threats for risk scenarios?
A. Penetration testing
B. Vulnerability assessment
C. Root cause analysis
D. Business impact analysis (BIA)
Which of the following processes addresses risks by their priorities and inserts resources and activities into the budget, schedule, and project management plan as required?
A. Monitor and Control Risk
B. Plan risk response
C. Identify Risks
D. Qualitative Risk Analysis
Which of the following is the MOST effective way to promote organization-wide awareness of data security in response to an increase in regulatory penalties for data leakage?
A. Enforce sanctions for noncompliance with security procedures.
B. Require regular testing of the data breach response plan.
C. Conduct organization-wide phishing simulations.
D. Require training on the data handling policy.
Which of the following should be the risk practitioner's FIRST course of action when an organization has decided to expand into new product areas?
A. Review existing risk scenarios with stakeholders.
B. Present a business case for new controls to stakeholders.
C. Revise the organization’s risk and control policy.
D. Identify any new business objectives with stakeholders.
An organization is participating in an industry benchmarking study that involves providing customer transaction records for analysis. Which of the following is the MOST important control to ensure the privacy of customer information?
A. Data anonymization
B. Data cleansing
C. Data encryption
D. Nondisclosure agreements (NDAs)
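Three questions above share one technique: using masked data in a non-production environment, obfuscating production data for testing, and anonymizing customer records before sharing them for a benchmarking study. The following Python is an added example, not part of the question bank, showing what a masking pass looks like in practice: keyed pseudonyms keep referential integrity across tables, card numbers are truncated, dates of birth are generalized, and analytic values are left intact. The masking key, field names and sample records are constructed assumptions.

```python
"""Masking production data for non-production use and for sharing.

Added example for the questions above on testing with masked data, on
data obfuscation for test environments, and on anonymizing records for a
benchmarking study; it is not part of the question bank. The key, field
names and sample records are constructed assumptions.
"""
import hashlib
import hmac
import re
from typing import Dict, List

# Assumption: the masking key stays with the data owner; the masked copy
# and the key never travel together.
MASKING_KEY = b"masking-key-held-by-data-owner"

# Constructed production-like records (one customer appears twice).
PRODUCTION_RECORDS = [
    {"customer_id": "C-1001", "email": "jane.doe@example.com",
     "card": "4111 1111 1111 1111", "dob": "1984-03-09", "amount": 120.50, "merchant": "M-77"},
    {"customer_id": "C-1002", "email": "sam@example.org",
     "card": "5500 0000 0000 0004", "dob": "1990-11-21", "amount": 19.99, "merchant": "M-12"},
    {"customer_id": "C-1001", "email": "jane.doe@example.com",
     "card": "4111 1111 1111 1111", "dob": "1984-03-09", "amount": 75.00, "merchant": "M-12"},
]


def pseudonymize(value: str, field: str) -> str:
    """Keyed, deterministic token: the same input always maps to the same
    token, so joins across tables still work, but the value cannot be
    recovered without the key (a plain hash falls to a dictionary attack)."""
    mac = hmac.new(MASKING_KEY, f"{field}:{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def mask_card(pan: str) -> str:
    """Keep only the last four digits; the length is preserved for test cases."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(email: str) -> str:
    """Replace the whole address with a token on a reserved test domain."""
    return pseudonymize(email.lower(), "email") + "@example.invalid"


def mask_record(record: Dict) -> Dict:
    return {
        "customer_id": pseudonymize(record["customer_id"], "customer_id"),
        "email": mask_email(record["email"]),
        "card": mask_card(record["card"]),
        "dob": record["dob"][:4],          # generalize to birth year only
        "amount": record["amount"],        # analytic values are kept
        "merchant": record["merchant"],
    }


def mask_dataset(records: List[Dict]) -> List[Dict]:
    return [mask_record(r) for r in records]


def leaks_identifiers(masked: List[Dict], originals: List[Dict]) -> bool:
    """Check that no original direct identifier survives in the masked copy."""
    blob = repr(masked)
    for r in originals:
        if (r["customer_id"] in blob or r["email"] in blob
                or re.sub(r"\D", "", r["card"]) in blob):
            return True
    return False


if __name__ == "__main__":
    masked = mask_dataset(PRODUCTION_RECORDS)
    for row in masked:
        print(row)
    print("leaks identifiers:", leaks_identifiers(masked, PRODUCTION_RECORDS))
```

Note the difference the benchmarking question relies on: keyed pseudonymization is reversible by whoever holds the key, so it is masking, not anonymization. Sharing records outside the organization also requires generalizing quasi-identifiers (birth year, merchant, amount) enough that combinations no longer single out a person, or sharing aggregates instead of rows.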
Which of the following statements is true of an enterprise's risk management capability maturity level 3?
A. Workflow tools are used to accelerate risk issues and track decisions
B. The business knows how IT fits in the enterprise risk universe and the risk portfolio view
C. The enterprise formally requires continuous improvement of risk management skills, based on clearly defined personal and enterprise goals
D. Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are recognized
What is the PRIMARY reason to periodically review key performance indicators (KPIs)?
A. Identify trends
B. Optimize resources needed for controls
C. Ensure compliance
D. Promote a risk-aware culture
You are the risk official at Bluewell Inc. Several risks pose a threat to your enterprise. You are measuring the exposure from each risk factor, to find the one with the highest potential, by examining the extent to which the uncertainty of each element affects the object under consideration when all other uncertain elements are held at their baseline values. Which type of analysis are you performing?
A. Sensitivity analysis
B. Fault tree analysis
C. Cause-and-effect analysis
D. Scenario analysis
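The method described in the question, varying one element while every other element stays at its baseline, is one-at-a-time sensitivity analysis. The following Python is an added example, not part of the question bank: it runs that procedure over an assumed annualized-loss model and ranks the factors by how much the exposure moves, which is the tornado-chart view a risk practitioner uses to decide where better data or a control would pay off most. The model and baseline values are constructed assumptions.

```python
"""One-at-a-time sensitivity analysis of a risk exposure model.

Added example for the sensitivity-analysis question above; it is not
part of the question bank. The exposure model and the baseline values
are constructed assumptions chosen to illustrate the method.
"""
from typing import Callable, Dict, List, Tuple

# Constructed baseline for one risk scenario.
BASELINE: Dict[str, float] = {
    "threat_event_frequency": 4.0,    # attempts per year
    "vulnerability": 0.25,            # probability an attempt succeeds
    "primary_loss": 50_000.0,         # direct cost per successful event
    "p_disclosure": 0.2,              # probability a success becomes a notifiable breach
    "secondary_loss": 500_000.0,      # fines and customer loss per notifiable breach
}


def exposure(f: Dict[str, float]) -> float:
    """Annualized loss expectancy for the scenario (assumed model)."""
    loss_per_event = f["primary_loss"] + f["p_disclosure"] * f["secondary_loss"]
    return f["threat_event_frequency"] * f["vulnerability"] * loss_per_event


def sensitivity(model: Callable[[Dict[str, float]], float],
                baseline: Dict[str, float],
                delta: float = 0.10) -> List[Tuple[str, float, float, float]]:
    """Vary each factor by -delta and +delta while all others stay at baseline.

    Returns (factor, low_result, high_result, swing) sorted by swing, largest
    first. Swings are rounded for the sort so that equal swings keep the
    baseline's factor order instead of flipping on float noise."""
    rows = []
    for name, value in baseline.items():
        low = dict(baseline, **{name: value * (1 - delta)})
        high = dict(baseline, **{name: value * (1 + delta)})
        lo, hi = model(low), model(high)
        rows.append((name, lo, hi, abs(hi - lo)))
    return sorted(rows, key=lambda r: round(r[3], 6), reverse=True)


def tornado(model: Callable[[Dict[str, float]], float],
            baseline: Dict[str, float], delta: float = 0.10) -> str:
    """Text tornado chart: factors whose uncertainty moves the result most come first."""
    lines = [f"baseline exposure: {model(baseline):,.0f}"]
    for name, lo, hi, swing in sensitivity(model, baseline, delta):
        lines.append(f"{name:<24} {lo:>12,.0f} .. {hi:>12,.0f}   swing {swing:>10,.0f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(tornado(exposure, BASELINE))
```

With these assumed values a 10% change in attempt frequency or in the probability of success moves the exposure by 30,000, while the same change in primary loss moves it by only 10,000, so the frequency and vulnerability estimates deserve the most scrutiny. The one-at-a-time approach deliberately ignores interactions between factors; scenario analysis or Monte Carlo simulation is the tool when those matter.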
Which of the following MUST be updated to maintain an IT risk register?
A. Risk appetite
B. Risk tolerance
C. Expected frequency and potential impact
D. Enterprise-wide IT risk assessment
After mapping generic risk scenarios to organizational security policies, the NEXT course of action should be to:
A. record risk scenarios in the risk register for analysis
B. validate the risk scenarios for business applicability
C. reduce the number of risk scenarios to a manageable set
D. perform a risk analysis on the risk scenarios
Full CRISC Practice Question Bank
Want more hands-on practice? The full bank of free CRISC practice questions covers all exam objectives and will reinforce your understanding of each one.
We update our question sets regularly, so check back often for new and relevant content.
Good luck with your CRISC certification journey!