EMT Practice Test

1. Question Content...


Question List

Question1: Which of the following is the PRIMARY reason for monitoring activities performed in a production database environment?

Question2: A risk practitioner is reviewing a vendor contract and finds there is no clause to control privileged access to the organization's systems by vendor employees. Which of the following is the risk practitioner's BEST course of action?

Question3: A monthly payment report is generated from the enterprise resource planning (ERP) software to validate data against the old and new payroll systems. What is the BEST way to mitigate the risk associated with data integrity loss in the new payroll system after data migration?

Question4: During a control review, the control owner states that an existing control has deteriorated over time. What is the BEST recommendation to the control owner?

Question5: Which of the following is the GREATEST risk associated with the misclassification of data?

Question6: A risk practitioner has received an updated enterprise risk management (ERM) report showing that residual risk is now within the organization's defined appetite and tolerance levels. Which of the following is the risk practitioner's BEST course of action?

Question7: Which of the following is the BEST source for identifying key control indicators (KCIs)?

Question8: Which of the following BEST indicates that additional or improved controls ate needed m the environment?

Question9: Upon learning that the number of failed back-up attempts continually exceeds the current risk threshold, the risk practitioner should:

Question10: The BEST indication that risk management is effective is when risk has been reduced to meet:

Question11: Which of the following would BEST help an enterprise define and communicate its risk appetite?

Question12: Which of the following would be MOST useful to senior management when determining an appropriate risk response?

Question13: Which of the following presents the GREATEST challenge for an IT risk practitioner who wants to report on trends in historical IT risk levels?

Question14: The implementation of a risk treatment plan will exceed the resources originally allocated for the risk response. Which of the following should be the risk owner's NEXT action?

Question15: An organization has completed a project to implement encryption on all databases that host customer dat a. Which of the following elements of the risk register should be updated the reflect this change?

Question16: Which of the following is MOST helpful in verifying that the implementation of a risk mitigation control has been completed as intended?

Question17: An organization has used generic risk scenarios to populate its risk register. Which of the following presents the GREATEST challenge to assigning of the associated risk entries?

Question18: An organization recently received an independent security audit report of its cloud service provider that indicates significant control weaknesses. What should be done NEXT in response to this report?

Question19: What is the MOST important consideration when aligning IT risk management with the enterprise risk management (ERM) framework?

Question20: A risk practitioner has just learned about new done FIRST?

Question21: Determining if organizational risk is tolerable requires:

Question22: A bank is experiencing an increasing incidence of customer identity theft. Which of the following is the BEST way to mitigate this risk?

Question23: Which of the following is MOST likely to be impacted as a result of a new policy which allows staff members to remotely connect to the organization's IT systems via personal or public computers?

Question24: Which of the following IT controls is MOST useful in mitigating the risk associated with inaccurate data?

Question25: Malware has recently affected an organization, The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:

Question26: Performing a background check on a new employee candidate before hiring is an example of what type of control?

Question27: An organization is considering outsourcing user administration controls tor a critical system. The potential vendor has offered to perform quarterly sett-audits of its controls instead of having annual independent audits. Which of the following should be of GREATEST concern to me risk practitioner?

Question28: The PRIMARY basis for selecting a security control is:

Question29: Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?

Question30: It is MOST important to the effectiveness of an IT risk management function that the associated processes are:

Question31: A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security. Which of the following observations would be MOST relevant to escalate to senior management?

Question32: Which of the following is a crucial component of a key risk indicator (KRI) to ensure appropriate action is taken to mitigate risk?

Question33: Who should be responsible for strategic decisions on risk management?

Question34: The BEST way to test the operational effectiveness of a data backup procedure is to:

Question35: Which of the following is the MOST important characteristic of an effective risk management program?

Question36: Which of the following is the MOST cost-effective way to test a business continuity plan?

Question37: Which of the following should be included in a risk assessment report to BEST facilitate senior management's understanding of the results?

Question38: An organization has outsourced its lease payment process to a service provider who lacks evidence of compliance with a necessary regulatory standard. Which risk treatment was adopted by the organization?

Question39: A management team is on an aggressive mission to launch a new product to penetrate new markets and overlooks IT risk factors, threats, and vulnerabilities. This scenario BEST demonstrates an organization's risk:

Question40: Which of the following indicates an organization follows IT risk management best practice?

Question41: Which of the following would be the BEST recommendation if the level of risk in the IT risk profile has decreased and is now below management's risk appetite?

Question42: Which of the following should be the MAIN consideration when validating an organization's risk appetite?

Question43: Which of the following is the GREATEST risk associated with the transition of a sensitive data backup solution from on-premise to a cloud service provider?

Question44: An organization is preparing to transfer a large number of customer service representatives to the sales department. Of the following, who is responsible for mitigating the risk associated with residual system access?

Question45: A risk practitioner is organizing a training session lo communicate risk assessment methodologies to ensure a consistent risk view within the organization Which of the following i< the MOST important topic to cover in this training?

Question46: Which of the following is MOST important to enable well-informed cybersecurity risk decisions?

Question47: An information system for a key business operation is being moved from an in-house application to a Software as a Service (SaaS) vendor. Which of the following will have the GREATEST impact on the ability to monitor risk?

Question48: Which of these documents is MOST important to request from a cloud service provider during a vendor risk assessment?

Question49: A bank wants to send a critical payment order via email to one of its offshore branches. Which of the following is the BEST way to ensure the message reaches the intended recipient without alteration?

Question50: An organization has procured a managed hosting service and just discovered the location is likely to be flooded every 20 years. Of the following, who should be notified of this new information FIRST.

Question51: The BEST key performance indicator (KPI) for monitoring adherence to an organization's user accounts provisioning practices is the percentage of:

Question52: Which type of indicators should be developed to measure the effectiveness of an organization's firewall rule set?

Question53: Which of the following is the MOST important responsibility of a risk owner?

Question54: An audit reveals that several terminated employee accounts maintain access. Which of the following should be the FIRST step to address the risk?

Question55: Which of the following is the BEST approach to use when creating a comprehensive set of IT risk scenarios?

Question56: it was determined that replication of a critical database used by two business units failed. Which of the following should be of GREATEST concern1?

Question57: Which of the following BEST indicates how well a web infrastructure protects critical information from an attacker?

Question58: Which of the following provides the MOST up-to-date information about the effectiveness of an organization's overall IT control environment?

Question59: During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall. Which of the following controls has MOST likely been compromised?

Question60: Which of the following is the PRIMARY benefit of stakeholder involvement in risk scenario development?

Question61: Which of The following should be the FIRST step when a company is made aware of new regulatory requirements impacting IT?

Question62: Which of the following would be of GREATEST concern to a risk practitioner reviewing current key risk indicators (KRIs)?

Question63: A risk practitioner has been asked by executives to explain how existing risk treatment plans would affect risk posture at the end of the year. Which of the following is MOST helpful in responding to this request?

Question64: Which of the following is the MOST effective way to integrate risk and compliance management?

Question65: When reporting risk assessment results to senior management, which of the following is MOST important to include to enable risk-based decision making?

Question66: Who is the MOST appropriate owner for newly identified IT risk?

Question67: A service provider is managing a client's servers. During an audit of the service, a noncompliant control is discovered that will not be resolved before the next audit because the client cannot afford the downtime required to correct the issue. The service provider's MOST appropriate action would be to:

Question68: Which of the following is MOST important to the effectiveness of key performance indicators (KPIs)?

Question69: Which of the following provides the BEST measurement of an organization's risk management maturity level?

Question70: Which of the following is MOST important to understand when determining an appropriate risk assessment approach?

Question71: The PRIMARY reason for periodically monitoring key risk indicators (KRIs) is to:

Question72: Which of the following is the BEST way to identify changes to the risk landscape?

Question73: Which of the following is MOST important to review when determining whether a potential IT service provider s control environment is effective?

Question74: Which of the following is the GREATEST advantage of implementing a risk management program?

Question75: The MOST essential content to include in an IT risk awareness program is how to:

Question76: Which of the following is the GREATEST concern associated with the transmission of healthcare data across the internet?

Question77: Which of the following should be the risk practitioner s FIRST course of action when an organization has decided to expand into new product areas?

Question78: What should be the PRIMARY objective for a risk practitioner performing a post-implementation review of an IT risk mitigation project?

Question79: Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds?

Question80: A key risk indicator (KRI) is reported to senior management on a periodic basis as exceeding thresholds, but each time senior management has decided to take no action to reduce the risk. Which of the following is the MOST likely reason for senior management's response?

Question81: To minimize risk in a software development project, when is the BEST time to conduct a risk analysis?

Question82: Which of The following is the MOST comprehensive input to the risk assessment process specific to the effects of system downtime?

Question83: Who is MOST likely to be responsible for the coordination between the IT risk strategy and the business risk strategy?

Question84: Which of the following BEST indicates the effectiveness of anti-malware software?

Question85: Which of the following BEST enables the risk profile to serve as an effective resource to support business objectives?

Question86: Which of the following would be the GREATEST challenge when implementing a corporate risk framework for a global organization?

Question87: An organization is increasingly concerned about loss of sensitive data and asks the risk practitioner to assess the current risk level. Which of the following should the risk practitioner do FIRST?

Question88: An organization has recently updated its disaster recovery plan (DRP). Which of the following would be the GREATEST risk if the new plan is not tested?

Question89: An effective control environment is BEST indicated by controls that:

Question90: A newly enacted information privacy law significantly increases financial penalties for breaches of personally identifiable information (Pll). Which of the following will MOST likely outcome for an organization affected by the new law?

Question91: Once a risk owner has decided to implement a control to mitigate risk, it is MOST important to develop:

Question92: When updating the risk register after a risk assessment, which of the following is MOST important to include?

Question93: Which of the following should be of GREATEST concern to a risk practitioner when determining the effectiveness of IT controls?

Question94: Which of the following scenarios presents the GREATEST risk for a global organization when implementing a data classification policy?

Question95: Which of the following will BEST help to ensure the continued effectiveness of the IT risk management function within an organization experiencing high employee turnover?

Question96: Which of the following is the MOST important benefit of key risk indicators (KRIs)'

Question97: Which of the following is the BEST course of action to reduce risk impact?

Question98: During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:

Question99: Which of the following aspects of an IT risk and control self-assessment would be MOST important to include in a report to senior management?

Question100: For a large software development project, risk assessments are MOST effective when performed:

Question101: Which of the following would BEST mitigate the risk associated with reputational damage from inappropriate use of social media sites by employees?

Question102: A risk practitioner has identified that the organization's secondary data center does not provide redundancy for a critical application. Who should have the authority to accept the associated risk?

Question103: Which of the following is the MOST important topic to cover in a risk awareness training program for all staff?

Question104: Which of the following BEST indicates that an organization has implemented IT performance requirements?

Question105: Which of the following BEST protects an organization against breaches when using a software as a service (SaaS) application?

Question106: Which of The following would offer the MOST insight with regard to an organization's risk culture?

Question107: Which of the following is the BEST indicator of the effectiveness of IT risk management processes?

Question108: The purpose of requiring source code escrow in a contractual agreement is to:

Question109: Which of the following should a risk practitioner recommend FIRST when an increasing trend of risk events and subsequent losses has been identified?

Question110: Which of the following is the BEST way to manage the risk associated with malicious activities performed by database administrators (DBAs)?

Question111: Which of the following is the BEST method for identifying vulnerabilities?

Question112: In an organization with a mature risk management program, which of the following would provide the BEST evidence that the IT risk profile is up to date?

Question113: Which of the following would BEST help to ensure that identified risk is efficiently managed?

Question114: The PRIMARY reason to have risk owners assigned to entries in the risk register is to ensure:

Question115: A department allows multiple users to perform maintenance on a system using a single set of credentials. A risk practitioner determined this practice to be high-risk. Which of the following is the MOST effective way to mitigate this risk?

Question116: Which of the following is MOST critical when designing controls?

Question117: Which of the following controls BEST enables an organization to ensure a complete and accurate IT asset inventory?

Question118: The annualized loss expectancy (ALE) method of risk analysis:

Question119: Which of the following will BEST help an organization evaluate the control environment of several third-party vendors?

Question120: Implementing which of the following will BEST help ensure that systems comply with an established baseline before deployment?

Question121: Which of the following is the BEST way to quantify the likelihood of risk materialization?

Question122: The PRIMARY purpose of using a framework for risk analysis is to:

Question123: Which of the following provides The BEST information when determining whether to accept residual risk of a critical system to be implemented?

Question124: Winch of the following can be concluded by analyzing the latest vulnerability report for the it infrastructure?

Question125: Which of the following would MOST likely cause a risk practitioner to reassess risk scenarios?

Question126: A maturity model will BEST indicate:

Question127: The PRIMARY advantage of implementing an IT risk management framework is the:

Question128: Which of The following should be of GREATEST concern for an organization considering the adoption of a bring your own device (BYOD) initiative?

Question129: Which of the following is the BEST way to determine the potential organizational impact of emerging privacy regulations?

Question130: Which of the following should be the HIGHEST priority when developing a risk response?

Question131: Risk mitigation procedures should include:

Question132: A key risk indicator (KRI) indicates a reduction in the percentage of appropriately patched servers. Which of the following is the risk practitioner's BEST course of action?

Question133: Which of the following would MOST likely result in updates to an IT risk appetite statement?

Question134: Which of the following BEST facilitates the mitigation of identified gaps between current and desired risk environment states?

Question135: Which of the following activities should be performed FIRST when establishing IT risk management processes?

Question136: During a risk treatment plan review, a risk practitioner finds the approved risk action plan has not been completed However, there were other risk mitigation actions implemented. Which of the fallowing is the BEST course of action?

Question137: Which of the following is the MOST effective way to mitigate identified risk scenarios?

Question138: Which of the following controls BEST helps to ensure that transaction data reaches its destination?

Question139: A PRIMARY advantage of involving business management in evaluating and managing risk is that management:

Question140: The BEST way to demonstrate alignment of the risk profile with business objectives is through:

Question141: To reduce costs, an organization is combining the second and third tines of defense in a new department that reports to a recently appointed C-level executive. Which of the following is the GREATEST concern with this situation?

Question142: Which of the following will BEST mitigate the risk associated with IT and business misalignment?

Question143: Which of the following would MOST likely cause a risk practitioner to change the likelihood rating in the risk register?

Question144: The BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability remediation program is the number of:

Question145: A risk practitioner shares the results of a vulnerability assessment for a critical business application with the business manager. Which of the following is the NEXT step?

Question146: Which of the following is the BEST key performance indicator (KPI) to measure the maturity of an organization's security incident handling process?

Question147: Which of the following is the BEST control to detect an advanced persistent threat (APT)?

Question148: Which of the following is the BEST evidence that risk management is driving business decisions in an organization?

Question149: Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?

Question150: Which of the following is the BEST way for a risk practitioner to verify that management has addressed control issues identified during a previous external audit?

Question151: Which of the following is the MOST important requirement for monitoring key risk indicators (KRls) using log analysis?

Question152: From a risk management perspective, which of the following is the PRIMARY benefit of using automated system configuration validation tools?

Question153: Which of the following is the BEST indicator of an effective IT security awareness program?

Question154: Before implementing instant messaging within an organization using a public solution, which of the following should be in place to mitigate data leakage risk?

Question155: Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?

Question156: Calculation of the recovery time objective (RTO) is necessary to determine the:

Question157: Which of the following is MOST helpful in identifying gaps between the current and desired state of the IT risk environment?

Question158: Which of the following is the MOST important enabler of effective risk management?

Question159: The risk associated with an asset before controls are applied can be expressed as:

Question160: An organization has outsourced its backup and recovery procedures to a third-party cloud provider. Which of the following is the risk practitioner s BEST course of action?

Question161: A control owner responsible for the access management process has developed a machine learning model to automatically identify excessive access privileges. What is the risk practitioner's BEST course of action?

Question162: Which of the following criteria associated with key risk indicators (KRIs) BEST enables effective risk monitoring?

Question163: Which of the following is the MOST important consideration when developing risk strategies?

Question164: Which of the following should be a risk practitioner s MOST important consideration when developing IT risk scenarios?

Question165: When developing risk treatment alternatives for a Business case, it is MOST helpful to show risk reduction based on:

Question166: A risk owner has identified a risk with high impact and very low likelihood. The potential loss is covered by insurance. Which of the following should the risk practitioner do NEXT?

Question167: What is the PRIMARY reason to periodically review key performance indicators (KPIs)?

Question168: A chief information officer (CIO) has identified risk associated with shadow systems being maintained by business units to address specific functionality gaps in the organization's enterprise resource planning (ERP) system. What is the BEST way to reduce this risk going forward?

Question169: An organization is planning to outsource its payroll function to an external service provider Which of the following should be the MOST important consideration when selecting the provider?

Question170: The PRIMARY goal of a risk management program is to:

Question171: Risk aggregation in a complex organization will be MOST successful when:

Question172: Which of the following would be a risk practitioners BEST recommendation for preventing cyber intrusion?

Question173: Which of the following is the BEST method to ensure a terminated employee's access to IT systems is revoked upon departure from the organization?

Question174: Which of the following BEST enforces access control for an organization that uses multiple cloud technologies?

Question175: Which of the following is the MOST important reason to revisit a previously accepted risk?

Question176: The BEST metric to monitor the risk associated with changes deployed to production is the percentage of:

Question177: An organization practices the principle of least privilege. To ensure access remains appropriate, application owners should be required to review user access rights on a regular basis by obtaining:

Question178: Which of the following would be MOST beneficial as a key risk indicator (KRI)?

Question179: Which of the following is MOST helpful in defining an early-warning threshold associated with insufficient network bandwidth''

Question180: Which type of cloud computing deployment provides the consumer the GREATEST degree of control over the environment?

Question181: Which of the following should be the PRIMARY focus of a risk owner once a decision is made to mitigate a risk?

Question182: An external security audit has reported multiple findings related to control noncompliance. Which of the following would be MOST important for the risk practitioner to communicate to senior management?

Question183: While reviewing a contract of a cloud services vendor, it was discovered that the vendor refuses to accept liability for a sensitive data breach. Which of the following controls will BES reduce the risk associated with such a data breach?

Question184: Which of the following is the GREATEST benefit when enterprise risk management (ERM) provides oversight of IT risk management?

Question185: Which of the following is the PRIMARY reason to adopt key control indicators (KCIs) in the risk monitoring and reporting process?

Question186: Which of the following should be the PRIMARY focus of an IT risk awareness program?

Question187: When of the following is the MOST significant exposure when an application uses individual user accounts to access the underlying database?

Question188: An IT risk practitioner has determined that mitigation activities differ from an approved risk action plan. Which of the following is the risk practitioner's BEST course of action?

Question189: Which of the following elements of a risk register is MOST likely to change as a result of change in management's risk appetite?

Question190: Which of the following is the MOST important consideration when determining whether to accept residual risk after security controls have been implemented on a critical system?

Question191: What is the PRIMARY purpose of a business impact analysis (BIA)?

Question192: An organization has identified that terminated employee accounts are not disabled or deleted within the time required by corporate policy. Unsure of the reason, the organization has decided to monitor the situation for three months to obtain more information. As a result of this decision, the risk has been:

Question193: IT stakeholders have asked a risk practitioner for IT risk profile reports associated with specific departments to allocate resources for risk mitigation. The BEST way to address this request would be to use:

Question194: What information is MOST helpful to asset owners when classifying organizational assets for risk assessment?

Question195: What is MOST important for the risk practitioner to understand when creating an initial IT risk register?

Question196: Which of the following is the MOST important consideration when performing a risk assessment of a fire suppression system within a data center?

Question197: Which of the following controls are BEST strengthened by a clear organizational code of ethics?

Question198: Which of the following practices MOST effectively safeguards the processing of personal data?

Question199: A risk practitioner has learned that an effort to implement a risk mitigation action plan has stalled due to lack of funding. The risk practitioner should report that the associated risk has been:

Question200: Which of the following is the BEST course of action to help reduce the probability of an incident recurring?

Question201: Which of the following techniques would be used during a risk assessment to demonstrate to stakeholders that all known alternatives were evaluated?

Question202: Which of the following requirements is MOST important to include in an outsourcing contract to help ensure sensitive data stored with a service provider is secure?

Question203: Which of the following would BEST assist in reconstructing the sequence of events following a security incident across multiple IT systems in the organization's network?

Question204: Which of the following would be considered a vulnerability?

Question205: An organization has decided to implement an emerging technology and incorporate the new capabilities into its strategic business plan. Business operations for the technology will be outsourced. What will be the risk practitioner's PRIMARY role during the change?

Question206: A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?

Question207: A vulnerability assessment of a vendor-supplied solution has revealed that the software is susceptible to cross-site scripting and SQL injection attacks. Which of the following will BEST mitigate this issue?

Question208: Which of the following criteria is MOST important when developing a response to an attack that would compromise data?

Question209: An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:

Question210: Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery plan (DRP)?

Question211: Which of the following would be a weakness in procedures for controlling the migration of changes to production libraries?

Question212: Which of the following is the GREATEST benefit to an organization when updates to the risk register are made promptly after the completion of a risk assessment?

Question213: A risk owner has accepted a high-impact risk because the control was adversely affecting process efficiency. Before updating the risk register, it is MOST important for the risk practitioner to:

Question214: When developing a risk awareness training program, which of the following training topics would BEST facilitate a thorough understanding of risk scenarios?

Question215: Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability management process?

Question216: Which of the following is the MOST common concern associated with outsourcing to a service provider?

Question217: Which of the following resources is MOST helpful when creating a manageable set of IT risk scenarios?

Question218: Who is accountable for risk treatment?

Question219: Which of the following risk register updates is MOST important for senior management to review?

Question220: Which of the following would BEST indicate to senior management that IT processes are improving?

Question221: Which of the following is the BEST approach for performing a business impact analysis (BIA) of a supply-chain management application?

Question222: Which of the following BEST contributes to the implementation of an effective risk response action plan?

Question223: The BEST reason to classify IT assets during a risk assessment is to determine the:

Question224: During a risk assessment, the risk practitioner finds a new risk scenario without controls has been entered into the risk register. Which of the following is the MOST appropriate action?

Question225: Which of the following is MOST important to understand when developing key risk indicators (KRIs)?

Question226: Which of the following is the PRIMARY responsibility of the first line of defense related to computer-enabled fraud?

Question227: When an organization's disaster recovery plan (DRP) has a reciprocal agreement, which of the following risk treatment options is being applied?

Question228: A multinational organization is considering implementing standard background checks to' all new employees A KEY concern regarding this approach

Question229: Which of tie following is We MOST important consideration when implementing ethical remote work monitoring?

Question230: Which of the following BEST enables a proactive approach to minimizing the potential impact of unauthorized data disclosure?

Question231: Several network user accounts were recently created without the required management approvals. Which of the following would be the risk practitioner's BEST recommendation to address this situation?

Question232: Which element of an organization's risk register is MOST important to update following the commissioning of a new financial reporting system?

Question233: Which of the following is the PRIMARY objective for automating controls?

Question234: Which of the following IT key risk indicators (KRIs) provides management with the BEST feedback on IT capacity?

Question235: Which of the following will BEST support management reporting on risk?

Question236: Which of the following approaches would BEST help to identify relevant risk scenarios?

Question237: When performing a risk assessment of a new service to support a ewe Business process. which of the following should be done FRST10 ensure continuity of operations?

Question238: Which of the following is a KEY responsibility of the second line of defense?

Question239: An organization is measuring the effectiveness of its change management program to reduce the number of unplanned production changes. Which of the following would be the BEST metric to determine if the program is performing as expected?

Question240: Which of the following is the MOST important factor affecting risk management in an organization?

Question241: An organization has recently been experiencing frequent data corruption incidents. Implementing a file corruption detection tool as a risk response strategy will help to:

Question242: Which of the following is the MOST important consideration when developing an organization's risk taxonomy?

Question243: Which of the following statements describes the relationship between key risk indicators (KRIs) and key control indicators (KCIs)?

Question244: Which of The following is the PRIMARY consideration when establishing an organization's risk management methodology?

Question245: An IT organization is replacing the customer relationship management (CRM) system. Who should own the risk associated with customer data leakage caused by insufficient IT security controls for the new system?

Question246: To communicate the risk associated with IT in business terms, which of the following MUST be defined?

Question247: Which of the following should be management's PRIMARY consideration when approving risk response action plans?

Question248: A company has recently acquired a customer relationship management (CRM) application from a certified software vendor. Which of the following will BE ST help lo prevent technical vulnerabilities from being exploded?

Question249: The PRIMARY benefit of maintaining an up-to-date risk register is that it helps to:

Question250: The MOST effective way to increase the likelihood that risk responses will be implemented is to:

Question251: Reviewing which of the following provides the BEST indication of an organizations risk tolerance?

Question252: Which of the following BEST represents a critical threshold value for a key control indicator (KCI)?

Question253: Which of the following is MOST important to ensure when continuously monitoring the performance of a client-facing application?

Question254: An organization's risk tolerance should be defined and approved by which of the following?

Question255: Which of the following is MOST important for a risk practitioner to verify when evaluating the effectiveness of an organization's existing controls?

Question256: The risk associated with inadvertent disclosure of database records from a public cloud service provider (CSP) would MOST effectively be reduced by:

Question257: Which of the following is the PRIMARY reason for an organization to ensure the risk register is updated regularly?

Question258: Which of the following should be the risk practitioner s PRIMARY focus when determining whether controls are adequate to mitigate risk?

Question259: Due to a change in business processes, an identified risk scenario no longer requires mitigation. Which of the following is the MOST important reason the risk should remain in the risk register?

Question260: Which of the following is the MOST important objective of embedding risk management practices into the initiation phase of the project management life cycle?

Question261: Which of the following is the BEST way to detect zero-day malware on an end user's workstation?

Question262: The PRIMARY reason for establishing various Threshold levels for a set of key risk indicators (KRIs) is to:

Question263: Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?

Question264: Which of the following activities is PRIMARILY the responsibility of senior management?

Question265: During testing, a risk practitioner finds the IT department's recovery time objective (RTO) for a key system does not align with the enterprise's business continuity plan (BCP). Which of the following should be done NEXT?

Question266: A risk assessment has identified that departments have installed their own WiFi access points on the enterprise network. Which of the following would be MOST important to include in a report to senior management?

Question267: Which of the following is the BEST approach for determining whether a risk action plan is effective?

Question268: The MOST effective approach to prioritize risk scenarios is by:

Question269: A risk practitioner is preparing a report to communicate changes in the risk and control environment. The BEST way to engage stakeholder attention is to:

Question270: Which of the following would be MOST helpful when communicating roles associated with the IT risk management process?

Question271: Which of the following is MOST important information to review when developing plans for using emerging technologies?

Question272: Which of The following is the MOST relevant information to include in a risk management strategy?

Question273: After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:

Question274: A risk practitioners PRIMARY focus when validating a risk response action plan should be that risk response:

Question275: Which of the following would be of GREATEST assistance when justifying investment in risk response strategies?

Question276: Which of the following BEST measures the impact of business interruptions caused by an IT service outage?

Question277: Risk management strategies are PRIMARILY adopted to:

Question278: Which of the following would provide the MOST objective assessment of the effectiveness of an organization's security controls?

Question279: Which of the following BEST indicates the condition of a risk management program?

Question280: Which of the following would be MOST relevant to stakeholders regarding ineffective control implementation?

Question281: IT risk assessments can BEST be used by management:

Question282: A risk practitioner notices a trend of noncompliance with an IT-related control. Which of the following would BEST assist in making a recommendation to management?

Question283: Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data?

Question284: A highly regulated organization acquired a medical technology startup company that processes sensitive personal information with weak data protection controls. Which of the following is the BEST way for the acquiring company to reduce its risk while still enabling the flexibility needed by the startup company?

Question285: An organization's financial analysis department uses an in-house forecasting application for business projections. Who is responsible for defining access roles to protect the sensitive data within this application?

Question286: Which of the following is a KEY outcome of risk ownership?

Question287: Which of the following would be MOST helpful to a risk practitioner when ensuring that mitigated risk remains within acceptable limits?

Question288: Which of the following should be the PRIMARY objective of promoting a risk-aware culture within an organization?

Question289: A key risk indicator (KRI) threshold has reached the alert level, indicating data leakage incidents are highly probable. What should be the risk practitioner's FIRST course of action?

Question290: A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:

Question291: The MOST effective approach to prioritize risk scenarios is by:

Question292: The risk appetite for an organization could be derived from which of the following?

Question293: In an organization that allows employee use of social media accounts for work purposes, which of the following is the BEST way to protect company sensitive information from being exposed?

Question294: Which of the following would be MOST helpful when estimating the likelihood of negative events?

Question295: When communicating changes in the IT risk profile, which of the following should be included to BEST enable stakeholder decision making?

Question296: Which of the following would present the GREATEST challenge when assigning accountability for control ownership?

Question297: An organization has raised the risk appetite for technology risk. The MOST likely result would be:

Question298: Which of the following is the BEST course of action when risk is found to be above the acceptable risk appetite?

Question299: In which of the following system development life cycle (SDLC) phases should controls be incorporated into system specifications?

Question300: Which of the following is MOST important when developing risk scenarios?

Question301: Which of the following tasks should be completed prior to creating a disaster recovery plan (DRP)?

Question302: Which of the following is MOST helpful to management when determining the resources needed to mitigate a risk?

Question303: An IT risk practitioner is evaluating an organization's change management controls over the last six months. The GREATEST concern would be an increase in:

Question304: A risk practitioner is reviewing the status of an action plan to mitigate an emerging IT risk and finds the risk level has increased. The BEST course of action would be to:

Question305: An organization outsources the processing of us payroll data A risk practitioner identifies a control weakness at the third party trial exposes the payroll dat a. Who should own this risk?

Question306: It is MOST important for a risk practitioner to have an awareness of an organization s processes in order to:

Question307: In an organization dependent on data analytics to drive decision-making, which of the following would BEST help to minimize the risk associated with inaccurate data?

Question308: Which of the following is the PRIMARY role of the board of directors in corporate risk governance?

Question309: The PRIMARY objective for selecting risk response options is to:

Question310: The PRIMARY advantage of involving end users in continuity planning is that they:

Question311: Which of the following would prompt changes in key risk indicator {KRI) thresholds?

Question312: Which of the following is MOST effective against external threats to an organizations confidential information?

Question313: When assessing the maturity level of an organization's risk management framework, which of the following deficiencies should be of GREATEST concern to a risk practitioner?

Question314: Which of the following is a risk practitioner's BEST course of action upon learning that a control under internal review may no longer be necessary?

Question315: An organization has outsourced a critical process involving highly regulated data to a third party with servers located in a foreign country. Who is accountable for the confidentiality of this data?

Question316: Which of the following MOST effectively limits the impact of a ransomware attack?

Question317: Which of the following is MOST helpful in determining the effectiveness of an organization's IT risk mitigation efforts?

Question318: The PRIMARY purpose of using control metrics is to evaluate the:

Question319: Which of the following controls will BEST detect unauthorized modification of data by a database administrator?

Question320: A risk practitioner has discovered a deficiency in a critical system that cannot be patched. Which of the following should be the risk practitioner's FIRST course of action?

Question321: Which of the following should be done FIRST when developing a data protection management plan?

Question322: A risk practitioner has observed that risk owners have approved a high number of exceptions to the information security policy. Which of the following should be the risk practitioner's GREATEST concern?

Question323: When formulating a social media policy lo address information leakage, which of the following is the MOST important concern to address?

Question324: An organization learns of a new ransomware attack affecting organizations worldwide. Which of the following should be done FIRST to reduce the likelihood of infection from the attack?

Question325: An upward trend in which of the following metrics should be of MOST concern?