EMT Practice Test

1. Question Content...


Question List

Question1: Which of the following is the MOST important objective of regularly presenting the project risk register to the project steering committee?

Question2: An organization plans to migrate sensitive information to a public cloud infrastructure. Which of the following is the GREATEST security risk in this scenario?

Question3: While evaluating control costs, management discovers that the annual cost exceeds the annual loss expectancy (ALE) of the risk. This indicates the:

Question4: The purpose of requiring source code escrow in a contractual agreement is to:

Question5: An organization has implemented a system capable of comprehensive employee monitoring. Which of the following should direct how the system is used?

Question6: Which of the following is the MOST appropriate key risk indicator (KRI) for backup media that is recycled monthly?

Question7: Which of the following is the MOST important consideration when developing an organization's risk taxonomy?

Question8: A risk practitioner has just learned about new done FIRST?

Question9: Who is accountable for risk treatment?

Question10: Which of the following is the FIRST step when developing a business case to drive the adoption of a risk remediation project by senior management?

Question11: Which of the following data would be used when performing a business impact analysis (BIA)?

Question12: Which of the following BEST mitigates the risk of violating privacy laws when transferring personal information lo a supplier?

Question13: When updating a risk register with the results of an IT risk assessment, the risk practitioner should log:

Question14: Which of the following techniques would be used during a risk assessment to demonstrate to stakeholders that all known alternatives were evaluated?

Question15: Which of the following risk management practices BEST facilitates the incorporation of IT risk scenarios into the enterprise-wide risk register?

Question16: Which of the following is MOST important for a risk practitioner to ensure once a risk action plan has been completed?

Question17: Periodically reviewing and updating a risk register with details on identified risk factors PRIMARILY helps to:

Question18: When collecting information to identify IT-related risk, a risk practitioner should FIRST focus on IT:

Question19: Which of the following is MOST effective against external threats to an organizations confidential information?

Question20: Which of the following is MOST important when developing key risk indicators (KRIs)?

Question21: During an internal IT audit, an active network account belonging to a former employee was identified. Which of the following is the BEST way to prevent future occurrences?

Question22: Which of the following is the PRIMARY factor in determining a recovery time objective (RTO)?

Question23: Which of the following should be the HIGHEST priority when developing a risk response?

Question24: Which of the following is the MAIN reason for documenting the performance of controls?

Question25: Which of the following is a KEY responsibility of the second line of defense?

Question26: Which of the following represents a vulnerability?

Question27: Which of the following would be the BEST key performance indicator (KPI) for monitoring the effectiveness of the IT asset management process?

Question28: When of the following provides the MOST tenable evidence that a business process control is effective?

Question29: An audit reveals that several terminated employee accounts maintain access. Which of the following should be the FIRST step to address the risk?

Question30: Which of the following conditions presents the GREATEST risk to an application?

Question31: The PRIMARY reason to have risk owners assigned to entries in the risk register is to ensure:

Question32: To implement the MOST effective monitoring of key risk indicators (KRIs), which of the following needs to be in place?

Question33: Which of the following BEST indicates that an organizations risk management program is effective?

Question34: An organization striving to be on the leading edge in regard to risk monitoring would MOST likely implement:

Question35: Which of the following trends would cause the GREATEST concern regarding the effectiveness of an organization's user access control processes? An increase in the:

Question36: Which of the following is the BEST way to identify changes in the risk profile of an organization?

Question37: An IT organization is replacing the customer relationship management (CRM) system. Who should own the risk associated with customer data leakage caused by insufficient IT security controls for the new system?

Question38: Which of the following will be MOST effective to mitigate the risk associated with the loss of company data stored on personal devices?

Question39: An organization has identified that terminated employee accounts are not disabled or deleted within the time required by corporate policy. Unsure of the reason, the organization has decided to monitor the situation for three months to obtain more information. As a result of this decision, the risk has been:

Question40: The PRIMARY basis for selecting a security control is:

Question41: Which of the following provides the MOST helpful reference point when communicating the results of a risk assessment to stakeholders?

Question42: Which of the following should be done FIRST when information is no longer required to support business objectives?

Question43: Reviewing results from which of the following is the BEST way to identify information systems control deficiencies?

Question44: In an organization dependent on data analytics to drive decision-making, which of the following would BEST help to minimize the risk associated with inaccurate data?

Question45: What is the GREATEST concern with maintaining decentralized risk registers instead of a consolidated risk register?

Question46: A risk practitioner is summarizing the results of a high-profile risk assessment sponsored by senior management. The BEST way to support risk-based decisions by senior management would be to:

Question47: Which of the following is a risk practitioner's BEST course of action upon learning that a control under internal review may no longer be necessary?

Question48: Upon learning that the number of failed back-up attempts continually exceeds the current risk threshold, the risk practitioner should:

Question49: Which of the following requirements is MOST important to include in an outsourcing contract to help ensure sensitive data stored with a service provider is secure?

Question50: The BEST criteria when selecting a risk response is the:

Question51: An organization has decided to implement an emerging technology and incorporate the new capabilities into its strategic business plan. Business operations for the technology will be outsourced. What will be the risk practitioner's PRIMARY role during the change?

Question52: A risk manager has determined there is excessive risk with a particular technology. Who is the BEST person to own the unmitigated risk of the technology?

Question53: Which of the following is the MOST important benefit of key risk indicators (KRIs)'

Question54: A peer review of a risk assessment finds that a relevant threat community was not included. Mitigation of the risk will require substantial changes to a software application. Which of the following is the BEST course of action?

Question55: A monthly payment report is generated from the enterprise resource planning (ERP) software to validate data against the old and new payroll systems. What is the BEST way to mitigate the risk associated with data integrity loss in the new payroll system after data migration?

Question56: An organization is planning to acquire a new financial system. Which of the following stakeholders would provide the MOST relevant information for analyzing the risk associated with the new IT solution?

Question57: Which of the following would be MOST useful to senior management when determining an appropriate risk response?

Question58: Which of the following is MOST helpful in determining the effectiveness of an organization's IT risk mitigation efforts?

Question59: Which of the following is the MOST important topic to cover in a risk awareness training program for all staff?

Question60: Which of the following is the MOST important consideration when determining whether to accept residual risk after security controls have been implemented on a critical system?

Question61: The maturity of an IT risk management program is MOST influenced by:

Question62: A risk practitioner has observed that there is an increasing trend of users sending sensitive information by email without using encryption. Which of the following would be the MOST effective approach to mitigate the risk associated with data loss?

Question63: An organization discovers significant vulnerabilities in a recently purchased commercial off-the-shelf software product which will not be corrected until the next release. Which of the following is the risk manager's BEST course of action?

Question64: Which of the following is MOST likely to be impacted as a result of a new policy which allows staff members to remotely connect to the organization's IT systems via personal or public computers?

Question65: Which of the following will be MOST effective in uniquely identifying the originator of electronic transactions?

Question66: An organization is making significant changes to an application. At what point should the application risk profile be updated?

Question67: Which of the following is the MOST important element of a successful risk awareness training program?

Question68: A risk practitioner is organizing risk awareness training for senior management. Which of the following is the MOST important topic to cover in the training session?

Question69: An IT license audit has revealed that there are several unlicensed copies of co be to:

Question70: The PRIMARY objective of The board of directors periodically reviewing the risk profile is to help ensure:

Question71: An application runs a scheduled job that compiles financial data from multiple business systems and updates the financial reporting system. If this job runs too long, it can delay financial reporting. Which of the following is the risk practitioner's BEST recommendation?

Question72: Risk management strategies are PRIMARILY adopted to:

Question73: Which of the following provides the MOST important information to facilitate a risk response decision?

Question74: Which of the following BEST indicates the effectiveness of anti-malware software?

Question75: Which of the following should be the PRIMARY focus of a risk owner once a decision is made to mitigate a risk?

Question76: Who is PRIMARILY accountable for risk treatment decisions?

Question77: Which of the following would be MOST beneficial as a key risk indicator (KRI)?

Question78: The BEST way to improve a risk register is to ensure the register:

Question79: Which of the following is the BEST way to determine whether new controls mitigate security gaps in a business system?

Question80: While reviewing an organization's monthly change management metrics, a risk practitioner notes that the number of emergency changes has increased substantially Which of the following would be the BEST approach for the risk practitioner to take?

Question81: To help ensure all applicable risk scenarios are incorporated into the risk register, it is MOST important to review the:

Question82: Which of the following is MOST important to ensure when continuously monitoring the performance of a client-facing application?

Question83: Which of the following is the MOST important reason to create risk scenarios?

Question84: Which of the following is the BEST way to assess the effectiveness of an access management process?

Question85: Which of the following BEST indicates whether security awareness training is effective?

Question86: Which of the following would BEST help an enterprise define and communicate its risk appetite?

Question87: Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery plan (DRP)?

Question88: Which of the following is MOST important to enable well-informed cybersecurity risk decisions?

Question89: An organization has implemented a preventive control to lock user accounts after three unsuccessful login attempts. This practice has been proven to be unproductive, and a change in the control threshold value has been recommended. Who should authorize changing this threshold?

Question90: Which of the following is the BEST way to manage the risk associated with malicious activities performed by database administrators (DBAs)?

Question91: To minimize the risk of a potential acquisition being exposed externally, an organization has selected a few key employees to be engaged in the due diligence process. A member of the due diligence team realizes a close acquaintance is a high-ranking IT professional at a subsidiary of the company about to be acquired. What is the BEST course of action for this team member?

Question92: Which of the following is the BEST indicator of the effectiveness of IT risk management processes?

Question93: Which of the following should be the PRIMARY recipient of reports showing the progress of a current IT risk mitigation project?

Question94: Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds?

Question95: An organization has four different projects competing for funding to reduce overall IT risk. Which project should management defer?

Question96: Which of the following is MOST helpful in identifying new risk exposures due to changes in the business environment?

Question97: Which of the following risk register elements is MOST likely to be updated if the attack surface or exposure of an asset is reduced?

Question98: Which of the following is an IT business owner's BEST course of action following an unexpected increase in emergency changes?

Question99: Which of the following is the BEST way to determine the ongoing efficiency of control processes?

Question100: The BEST way to obtain senior management support for investment in a control implementation would be to articulate the reduction in:

Question101: IT management has asked for a consolidated view into the organization's risk profile to enable project prioritization and resource allocation. Which of the following materials would be MOST helpful?

Question102: The design of procedures to prevent fraudulent transactions within an enterprise resource planning (ERP) system should be based on:

Question103: Which of the following resources is MOST helpful when creating a manageable set of IT risk scenarios?

Question104: Of the following, who is accountable for ensuing the effectiveness of a control to mitigate risk?

Question105: Which of the following is MOST important when discussing risk within an organization?

Question106: A deficient control has been identified which could result in great harm to an organization should a low frequency threat event occur. When communicating the associated risk to senior management the risk practitioner should explain:

Question107: Which of the following is the PRIMARY reason to perform ongoing risk assessments?

Question108: The MOST essential content to include in an IT risk awareness program is how to:

Question109: Which of the following BEST measures the impact of business interruptions caused by an IT service outage?

Question110: Which of the following will BEST quantify the risk associated with malicious users in an organization?

Question111: An organization practices the principle of least privilege. To ensure access remains appropriate, application owners should be required to review user access rights on a regular basis by obtaining:

Question112: Which of the following is the MOST important characteristic of an effective risk management program?

Question113: A review of an organization s controls has determined its data loss prevention {DLP) system is currently failing to detect outgoing emails containing credit card data. Which of the following would be MOST impacted?

Question114: Which of the following is the BEST course of action when risk is found to be above the acceptable risk appetite?

Question115: Which of the following provides the BEST measurement of an organization's risk management maturity level?

Question116: An organization has just implemented changes to close an identified vulnerability that impacted a critical business process. What should be the NEXT course of action?

Question117: The PRIMARY reason for tracking the status of risk mitigation plans is to ensure:

Question118: Which of the following is the MOST important input when developing risk scenarios?

Question119: Which of the following is the GREATEST risk associated with the use of data analytics?

Question120: A PRIMARY function of the risk register is to provide supporting information for the development of an organization's risk:

Question121: Which of the following is the MOST effective way to integrate risk and compliance management?

Question122: An organization wants to assess the maturity of its internal control environment. The FIRST step should be to:

Question123: Which of The following should be the FIRST step when a company is made aware of new regulatory requirements impacting IT?

Question124: An internally developed payroll application leverages Platform as a Service (PaaS) infrastructure from the cloud. Who owns the related data confidentiality risk?

Question125: What should a risk practitioner do FIRST upon learning a risk treatment owner has implemented a different control than what was specified in the IT risk action plan?

Question126: A violation of segregation of duties is when the same:

Question127: A trusted third party service provider has determined that the risk of a client's systems being hacked is low. Which of the following would be the client's BEST course of action?

Question128: A service provider is managing a client's servers. During an audit of the service, a noncompliant control is discovered that will not be resolved before the next audit because the client cannot afford the downtime required to correct the issue. The service provider's MOST appropriate action would be to:

Question129: Which of the following is MOST important to the integrity of a security log?

Question130: Which of the following facilitates a completely independent review of test results for evaluating control effectiveness?

Question131: Which of the following is the GREATEST benefit when enterprise risk management (ERM) provides oversight of IT risk management?

Question132: A control owner has completed a year-long project To strengthen existing controls. It is MOST important for the risk practitioner to:

Question133: Which of the following observations would be GREATEST concern to a risk practitioner reviewing the implementation status of management action plans?

Question134: Which of the following is the PRIMARY reason to use key control indicators (KCIs) to evaluate control operating effectiveness?

Question135: When reporting risk assessment results to senior management, which of the following is MOST important to include to enable risk-based decision making?

Question136: Which of the following BEST facilitates the development of effective IT risk scenarios?

Question137: What should be the PRIMARY objective for a risk practitioner performing a post-implementation review of an IT risk mitigation project?

Question138: Which of the following would provide executive management with the BEST information to make risk decisions as a result of a risk assessment?

Question139: Which of the following is the MAIN benefit of involving stakeholders in the selection of key risk indicators (KRIs)?

Question140: It is MOST appropriate for changes to be promoted to production after they are;

Question141: Which of the following is the BEST reason to use qualitative measures to express residual risk levels related to emerging threats?

Question142: Which of the following is MOST important to have in place to ensure the effectiveness of risk and security metrics reporting?

Question143: An organization has outsourced its billing function to an external service provider. Who should own the risk of customer data leakage caused by the service provider?

Question144: Which of the following would be the GREATEST concern related to data privacy when implementing an Internet of Things (loT) solution that collects personally identifiable information (Pll)?

Question145: When reviewing management's IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?

Question146: Which of the following statements BEST illustrates the relationship between key performance indicators (KPIs) and key control indicators (KCIs)?

Question147: What are the MOST important criteria to consider when developing a data classification scheme to facilitate risk assessment and the prioritization of risk mitigation activities?

Question148: The MOST important reason to monitor key risk indicators (KRIs) is to help management:

Question149: It is MOST important to the effectiveness of an IT risk management function that the associated processes are:

Question150: Participants in a risk workshop have become focused on the financial cost to mitigate risk rather than choosing the most appropriate response. Which of the following is the BEST way to address this type of issue in the long term?

Question151: A key risk indicator (KRI) is reported to senior management on a periodic basis as exceeding thresholds, but each time senior management has decided to take no action to reduce the risk. Which of the following is the MOST likely reason for senior management's response?

Question152: The PRIMARY reason for establishing various Threshold levels for a set of key risk indicators (KRIs) is to:

Question153: Mapping open risk issues to an enterprise risk heat map BEST facilitates:

Question154: Which of the following is the BEST source for identifying key control indicators (KCIs)?

Question155: Which of the following is MOST effective in continuous risk management process improvement?

Question156: Which of the following is the PRIMARY benefit of identifying and communicating with stakeholders at the onset of an IT risk assessment?

Question157: Which of the following is MOST important to the successful development of IT risk scenarios?

Question158: Malware has recently affected an organization, The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:

Question159: Which of the following controls BEST helps to ensure that transaction data reaches its destination?

Question160: Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?

Question161: Which of the following is the MOST important responsibility of a risk owner?

Question162: An organization is planning to outsource its payroll function to an external service provider Which of the following should be the MOST important consideration when selecting the provider?

Question163: An organization's financial analysis department uses an in-house forecasting application for business projections. Who is responsible for defining access roles to protect the sensitive data within this application?

Question164: Reviewing which of the following provides the BEST indication of an organizations risk tolerance?

Question165: The BEST way to demonstrate alignment of the risk profile with business objectives is through:

Question166: After the review of a risk record, internal audit questioned why the risk was lowered from medium to low. Which of the following is the BEST course of action in responding to this inquiry?

Question167: Which of the following would BEST help to ensure that suspicious network activity is identified?

Question168: Which of the following is the BEST way for a risk practitioner to verify that management has addressed control issues identified during a previous external audit?

Question169: Which of the following will help ensure the elective decision-making of an IT risk management committee?

Question170: The PRIMARY reason for periodic penetration testing of Internet-facing applications is to:

Question171: When an organization's disaster recovery plan (DRP) has a reciprocal agreement, which of the following risk treatment options is being applied?

Question172: Which of the following is MOST important when developing risk scenarios?

Question173: Which of the following is the BEST indication of an effective risk management program?

Question174: Which of the following is the BEST way to support communication of emerging risk?

Question175: Who should be accountable for ensuring effective cybersecurity controls are established?

Question176: Which of the following is the MOST important reason to link an effective key control indicator (KCI) to relevant key risk indicators (KRIs)?

Question177: Which of the following should be the PRIMARY input when designing IT controls?

Question178: An organizations chief technology officer (CTO) has decided to accept the risk associated with the potential loss from a denial-of-service (DoS) attack. In this situation, the risk practitioner's BEST course of action is to:

Question179: Which of the following is the MOST important technology control to reduce the likelihood of fraudulent payments committed internally?

Question180: An organization is considering adopting artificial intelligence (AI). Which of the following is the risk practitioner's MOST important course of action?

Question181: Which of the following is the MOST important factor when deciding on a control to mitigate risk exposure?

Question182: A large organization needs to report risk at all levels for a new centralized visualization project to reduce cost and improve performance. Which of the following would MOST effectively represent the overall risk of the project to senior management?

Question183: Prudent business practice requires that risk appetite not exceed:

Question184: When presenting risk, the BEST method to ensure that the risk is measurable against the organization's risk appetite is through the use of a:

Question185: Which of the following is MOST important to communicate to senior management during the initial implementation of a risk management program?

Question186: Which of the following is the MOST common concern associated with outsourcing to a service provider?

Question187: Which of The following is the MOST relevant information to include in a risk management strategy?

Question188: Which of the following is MOST helpful to ensure effective security controls for a cloud service provider?

Question189: An organization has recently updated its disaster recovery plan (DRP). Which of the following would be the GREATEST risk if the new plan is not tested?

Question190: An organization has detected unauthorized logins to its client database servers. Which of the following should be of GREATEST concern?

Question191: Which of the following is the MOST important key performance indicator (KPI) to establish in the service level agreement (SLA) for an outsourced data center?

Question192: The BEST indication that risk management is effective is when risk has been reduced to meet:

Question193: Which of the following is the BEST measure of the effectiveness of an employee deprovisioning process?

Question194: An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?

Question195: Which of the following is MOST important to include in a Software as a Service (SaaS) vendor agreement?

Question196: Which of the following is the PRIMARY objective for automating controls?

Question197: Which of the following is the GREATEST advantage of implementing a risk management program?

Question198: Which of the following is MOST essential for an effective change control environment?

Question199: A risk practitioner has identified that the organization's secondary data center does not provide redundancy for a critical application. Who should have the authority to accept the associated risk?

Question200: Which of the following provides The MOST useful information when determining a risk management program's maturity level?

Question201: While conducting an organization-wide risk assessment, it is noted that many of the information security policies have not changed in the past three years. The BEST course of action is to:

Question202: Which of the following is the BEST metric to demonstrate the effectiveness of an organization's change management process?

Question203: Which of the following would require updates to an organization's IT risk register?

Question204: A control owner responsible for the access management process has developed a machine learning model to automatically identify excessive access privileges. What is the risk practitioner's BEST course of action?

Question205: The FIRST task when developing a business continuity plan should be to:

Question206: Which of the following BEST assists in justifying an investment in automated controls?

Question207: A risk assessment has identified that an organization may not be in compliance with industry regulations. The BEST course of action would be to:

Question208: Which of the following is the MOST important objective of embedding risk management practices into the initiation phase of the project management life cycle?

Question209: Which of the following roles would provide the MOST important input when identifying IT risk scenarios?

Question210: Which of the following would be MOST helpful to an information security management team when allocating resources to mitigate exposures?

Question211: Which of the following BEST enables the risk profile to serve as an effective resource to support business objectives?

Question212: An identified high probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy. Which of the following is the BEST risk response?

Question213: The effectiveness of a control has decreased. What is the MOST likely effect on the associated risk?

Question214: Which of the following is the BEST method for identifying vulnerabilities?

Question215: After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment?

Question216: Which of the following is the GREATEST risk associated with an environment that lacks documentation of the architecture?

Question217: An organization recently received an independent security audit report of its cloud service provider that indicates significant control weaknesses. What should be done NEXT in response to this report?

Question218: A bank wants to send a critical payment order via email to one of its offshore branches. Which of the following is the BEST way to ensure the message reaches the intended recipient without alteration?

Question219: Which of the following BEST supports the communication of risk assessment results to stakeholders?

Question220: Which of the following is the MOST useful indicator to measure the efficiency of an identity and access management process?

Question221: Which of the following criteria is MOST important when developing a response to an attack that would compromise data?

Question222: Which of the following would BEST assist in reconstructing the sequence of events following a security incident across multiple IT systems in the organization's network?

Question223: Which of the following would MOST effectively enable a business operations manager to identify events exceeding risk thresholds?

Question224: Which of the following would MOST likely result in updates to an IT risk appetite statement?

Question225: Which of the following is the GREATEST risk associated with the transition of a sensitive data backup solution from on-premise to a cloud service provider?

Question226: The BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability remediation program is the number of:

Question227: A risk practitioner shares the results of a vulnerability assessment for a critical business application with the business manager. Which of the following is the NEXT step?

Question228: Which of the following is MOST important for an organization to have in place when developing a risk management framework?

Question229: Which of the following is the BEST approach to use when creating a comprehensive set of IT risk scenarios?

Question230: Which of the following is MOST critical to the design of relevant risk scenarios?

Question231: Which of the following is the MOST important consideration when selecting key risk indicators (KRIs) to monitor risk trends over time?

Question232: A risk practitioners PRIMARY focus when validating a risk response action plan should be that risk response:

Question233: Which of the following is the MOST important consideration when identifying stakeholders to review risk scenarios developed by a risk analyst? The reviewers are:

Question234: The risk associated with data loss from a website which contains sensitive customer information is BEST owned by:

Question235: The PRIMARY goal of a risk management program is to:

Question236: What is MOST important for the risk practitioner to understand when creating an initial IT risk register?

Question237: A risk practitioner has been asked by executives to explain how existing risk treatment plans would affect risk posture at the end of the year. Which of the following is MOST helpful in responding to this request?

Question238: An organization has opened a subsidiary in a foreign country. Which of the following would be the BEST way to measure the effectiveness of the subsidiary's IT systems controls?

Question239: Which of the following is the PRIMARY reason for a risk practitioner to use global standards related to risk management?

Question240: Which of the following helps ensure compliance with a nonrepudiation policy requirement for electronic transactions?

Question241: An organization has received notification that it is a potential victim of a cybercrime that may have compromised sensitive customer data. What should be The FIRST course of action?

Question242: Which of the following should be done FIRST when developing a data protection management plan?

Question243: Which of The following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system?

Question244: Which of the following should be considered FIRST when assessing risk associated with the adoption of emerging technologies?

Question245: Which of the following attributes of a key risk indicator (KRI) is MOST important?

Question246: Following a significant change to a business process, a risk practitioner believes the associated risk has been reduced. The risk practitioner should advise the risk owner to FIRST

Question247: The PRIMARY objective for selecting risk response options is to:

Question248: Which of the following is the MOST important factor affecting risk management in an organization?

Question249: Which of the following is MOST helpful in aligning IT risk with business objectives?

Question250: Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?

Question251: Which of the following provides the BEST evidence that risk mitigation plans have been implemented effectively?

Question252: Which of the following should be the risk practitioner s PRIMARY focus when determining whether controls are adequate to mitigate risk?

Question253: Which of the following BEST facilities the alignment of IT risk management with enterprise risk management (ERM)?

Question254: Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?

Question255: Employees are repeatedly seen holding the door open for others, so that trailing employees do not have to stop and swipe their own ID badges. This behavior BEST represents:

Question256: Mitigating technology risk to acceptable levels should be based PRIMARILY upon:

Question257: A risk assessment has identified that departments have installed their own WiFi access points on the enterprise network. Which of the following would be MOST important to include in a report to senior management?

Question258: An organization has decided to outsource a web application, and customer data will be stored in the vendor's public cloud. To protect customer data, it is MOST important to ensure which of the following?

Question259: The MOST significant benefit of using a consistent risk ranking methodology across an organization is that it enables:

Question260: A global organization is considering the acquisition of a competitor. Senior management has requested a review of the overall risk profile from the targeted organization. Which of the following components of this review would provide the MOST useful information?

Question261: It is MOST important for a risk practitioner to have an awareness of an organization s processes in order to:

Question262: Which of the following would BEST enable a risk practitioner to embed risk management within the organization?

Question263: Which of the following is MOST helpful to review when identifying risk scenarios associated with the adoption of Internet of Things (loT) technology in an organization?

Question264: Calculation of the recovery time objective (RTO) is necessary to determine the:

Question265: Which of the following methods would BEST contribute to identifying obscure risk scenarios?

Question266: To reduce the risk introduced when conducting penetration tests, the BEST mitigating control would be to:

Question267: Which of the following is the MOST important information to be communicated during security awareness training?

Question268: Who should be accountable for monitoring the control environment to ensure controls are effective?

Question269: Which of the following is the BEST way for an organization to enable risk treatment decisions?

Question270: An organization has granted a vendor access to its data in order to analyze customer behavior. Which of the following would be the MOST effective control to mitigate the risk of customer data leakage?

Question271: Deviation from a mitigation action plan's completion date should be determined by which of the following?

Question272: Which of the following is MOST commonly compared against the risk appetite?

Question273: Which of the following is MOST important to sustainable development of secure IT services?

Question274: Of the following, who should be responsible for determining the inherent risk rating of an application?

Question275: Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation?

Question276: During the initial risk identification process for a business application, it is MOST important to include which of the following stakeholders?

Question277: Which of the following would be MOST helpful to a risk practitioner when ensuring that mitigated risk remains within acceptable limits?

Question278: An organization has outsourced its lease payment process to a service provider who lacks evidence of compliance with a necessary regulatory standard. Which risk treatment was adopted by the organization?

Question279: To minimize risk in a software development project, when is the BEST time to conduct a risk analysis?

Question280: An IT operations team implements disaster recovery controls based on decisions from application owners regarding the level of resiliency needed. Who is the risk owner in this scenario?

Question281: Which of the following will BEST support management repotting on risk?

Question282: When establishing leading indicators for the information security incident response process it is MOST important to consider the percentage of reported incidents:

Question283: Which of the following is MOST helpful in verifying that the implementation of a risk mitigation control has been completed as intended?

Question284: Which of the following is the BEST method to identify unnecessary controls?

Question285: What is the PRIMARY benefit of risk monitoring?

Question286: Which of the following would BEST help to ensure that identified risk is efficiently managed?

Question287: Which of the following is the PRIMARY objective of providing an aggregated view of IT risk to business management?

Question288: Which of the following is the MOST effective control to maintain the integrity of system configuration files?