EMT Practice Test

1. Question Content...


Question List

Question1: The implementation of a risk treatment plan will exceed the resources originally allocated for the risk response. Which of the following should be the risk owner's NEXT action?

Question2: A department has been granted an exception to bypass the existing approval process for purchase orders. The risk practitioner should verify the exception has been approved by which of the following?

Question3: Which of the following BEST indicates effective information security incident management?

Question4: What is the PRIMARY purpose of a business impact analysis (BIA)?

Question5: Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?

Question6: An organization automatically approves exceptions to security policies on a recurring basis. This practice is MOST likely the result of:

Question7: Which of the following is the MOST effective way to mitigate identified risk scenarios?

Question8: Which of the following BEST promotes commitment to controls?

Question9: Which of the following is MOST helpful in aligning IT risk with business objectives?

Question10: Which of the following is the GREATEST risk associated with an environment that lacks documentation of the architecture?

Question11: Which of the following is the BEST way to identify changes to the risk landscape?

Question12: Which of the following is MOST important for a risk practitioner to ensure once a risk action plan has been completed?

Question13: Which of the following BEST contributes to the implementation of an effective risk response action plan?

Question14: Which of the following is the MOST useful indicator to measure the efficiency of an identity and access management process?

Question15: Which of the following is the MOST important key performance indicator (KPI) to establish in the service level agreement (SLA) for an outsourced data center?

Question16: A risk practitioner observes that the fraud detection controls in an online payment system do not perform as expected. Which of the following will MOST likely change as a result?

Question17: Before implementing instant messaging within an organization using a public solution, which of the following should be in place to mitigate data leakage risk?

Question18: Which of the following is MOST important for maintaining the effectiveness of an IT risk register?

Question19: Which of the following is the GREATEST benefit of incorporating IT risk scenarios into the corporate risk register?

Question20: Which of the following is the BEST way to help ensure risk will be managed properly after a business process has been re-engineered?

Question21: An organization has recently been experiencing frequent data corruption incidents. Implementing a file corruption detection tool as a risk response strategy will help to:

Question22: The BEST metric to monitor the risk associated with changes deployed to production is the percentage of:

Question23: The PRIMARY objective for selecting risk response options is to:

Question24: To help identify high-risk situations, an organization should:

Question25: Which of the following statements in an organization's current risk profile report is cause for further action by senior management?

Question26: During a control review, the control owner states that an existing control has deteriorated over time. What is the BEST recommendation to the control owner?

Question27: Management has required information security awareness training to reduce the risk associated with credential compromise. What is the BEST way to assess the effectiveness of the training?

Question28: Which of the following BEST reduces the probability of laptop theft?

Question29: An organization has four different projects competing for funding to reduce overall IT risk. Which project should management defer?

Question30: Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?

Question31: The GREATEST concern when maintaining a risk register is that:

Question32: Which of the following scenarios represents a threat?

Question33: A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?

Question34: Which of the following tools is MOST effective in identifying trends in the IT risk profile?

Question35: Which of the following is the BEST way to validate the results of a vulnerability assessment?

Question36: Which of the following is the BEST course of action when risk is found to be above the acceptable risk appetite?

Question37: Risk mitigation procedures should include:

Question38: Which of the following would be a risk practitioners BEST recommendation for preventing cyber intrusion?

Question39: When developing a new risk register, a risk practitioner should focus on which of the following risk management activities?

Question40: Which of the following would BEST help to ensure that identified risk is efficiently managed?

Question41: Which of the following would BEST help to address the risk associated with malicious outsiders modifying application data?

Question42: An organization is considering adopting artificial intelligence (AI). Which of the following is the risk practitioner's MOST important course of action?

Question43: A PRIMARY advantage of involving business management in evaluating and managing risk is that management:

Question44: Which of the following should be of GREATEST concern lo a risk practitioner reviewing the implementation of an emerging technology?

Question45: Which of the following is the MOST important characteristic of an effective risk management program?

Question46: Which of the following would be a risk practitioner'$ BEST recommendation to help ensure cyber risk is assessed and reflected in the enterprise-level risk profile?

Question47: Which of the following is the BEST key control indicator (KCI) for a vulnerability management program?

Question48: Periodically reviewing and updating a risk register with details on identified risk factors PRIMARILY helps to:

Question49: Which of the following should management consider when selecting a risk mitigation option?

Question50: While conducting an organization-wide risk assessment, it is noted that many of the information security policies have not changed in the past three years. The BEST course of action is to:

Question51: An effective control environment is BEST indicated by controls that:

Question52: The design of procedures to prevent fraudulent transactions within an enterprise resource planning (ERP) system should be based on:

Question53: Which of the following would MOST likely drive the need to review and update key performance indicators (KPIs) for critical IT assets?

Question54: Which of the following BEST indicates the condition of a risk management program?

Question55: A risk practitioner is summarizing the results of a high-profile risk assessment sponsored by senior management. The BEST way to support risk-based decisions by senior management would be to:

Question56: Print jobs containing confidential information are sent to a shared network printer located in a secure room. Which of the following is the BEST control to prevent the inappropriate disclosure of confidential information?

Question57: An organization wants to assess the maturity of its internal control environment. The FIRST step should be to:

Question58: Which of the following is the BEST metric to demonstrate the effectiveness of an organization's change management process?

Question59: Of the following, who should be responsible for determining the inherent risk rating of an application?

Question60: An organization is planning to outsource its payroll function to an external service provider Which of the following should be the MOST important consideration when selecting the provider?

Question61: Which of the following is the MOST effective key performance indicator (KPI) for change management?

Question62: Which of the following provides the MOST helpful information in identifying risk in an organization?

Question63: The PRIMARY basis for selecting a security control is:

Question64: Which of the following should be the PRIMARY objective of promoting a risk-aware culture within an organization?

Question65: Which of the following approaches to bring your own device (BYOD) service delivery provides the BEST protection from data loss?

Question66: Which of the following is the MOST effective control to maintain the integrity of system configuration files?

Question67: The MAIN goal of the risk analysis process is to determine the:

Question68: Following a significant change to a business process, a risk practitioner believes the associated risk has been reduced. The risk practitioner should advise the risk owner to FIRST

Question69: Which of the following would MOST likely result in updates to an IT risk appetite statement?

Question70: Which of the following will BEST help an organization evaluate the control environment of several third-party vendors?

Question71: An employee lost a personal mobile device that may contain sensitive corporate information. What should be the risk practitioner's recommendation?

Question72: Which of the following will BEST ensure that information security risk factors are mitigated when developing in-house applications?

Question73: Which of the following controls will BEST detect unauthorized modification of data by a database administrator?

Question74: Which of the following is the GREATEST risk associated with the use of data analytics?

Question75: To minimize the risk of a potential acquisition being exposed externally, an organization has selected a few key employees to be engaged in the due diligence process. A member of the due diligence team realizes a close acquaintance is a high-ranking IT professional at a subsidiary of the company about to be acquired. What is the BEST course of action for this team member?

Question76: Which of the following will BEST mitigate the risk associated with IT and business misalignment?

Question77: What is the BEST information to present to business control owners when justifying costs related to controls?

Question78: Which of the following is a crucial component of a key risk indicator (KRI) to ensure appropriate action is taken to mitigate risk?

Question79: Which of the following would be MOST useful to senior management when determining an appropriate risk response?

Question80: The PRIMARY objective of a risk identification process is to:

Question81: Which of the following is the MOST important consideration when selecting either a qualitative or quantitative risk analysis?

Question82: Which of the following BEST indicates that an organization has implemented IT performance requirements?

Question83: Reviewing which of the following provides the BEST indication of an organizations risk tolerance?

Question84: Which of the following methods is the BEST way to measure the effectiveness of automated information security controls prior to going live?

Question85: What information is MOST helpful to asset owners when classifying organizational assets for risk assessment?

Question86: Which of the following practices BEST mitigates risk related to enterprise-wide ethical decision making in a multi-national organization?

Question87: Participants in a risk workshop have become focused on the financial cost to mitigate risk rather than choosing the most appropriate response. Which of the following is the BEST way to address this type of issue in the long term?

Question88: The MAIN purpose of having a documented risk profile is to:

Question89: A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?

Question90: Which of the following statements BEST describes risk appetite?

Question91: Which of me following is MOST helpful to mitigate the risk associated with an application under development not meeting business objectives?

Question92: Which of the following BEST enforces access control for an organization that uses multiple cloud technologies?

Question93: Which of the following would be MOST helpful to an information security management team when allocating resources to mitigate exposures?

Question94: Senior management has asked a risk practitioner to develop technical risk scenarios related to a recently developed enterprise resource planning (ERP) system. These scenarios will be owned by the system manager. Which of the following would be the BEST method to use when developing the scenarios?

Question95: The effectiveness of a control has decreased. What is the MOST likely effect on the associated risk?

Question96: The risk appetite for an organization could be derived from which of the following?

Question97: Which of the following is the MAIN reason to continuously monitor IT-related risk?

Question98: When reviewing a business continuity plan (BCP). which of the following would be the MOST significant deficiency?

Question99: Which of the following is MOST important to communicate to senior management during the initial implementation of a risk management program?

Question100: Which of the following is the PRIMARY reason to have the risk management process reviewed by a third party?

Question101: The PRIMARY reason to have risk owners assigned to entries in the risk register is to ensure:

Question102: What are the MOST essential attributes of an effective Key control indicator (KCI)?

Question103: Which of the following should be the risk practitioner's FIRST course of action when an organization plans to adopt a cloud computing strategy?

Question104: An IT risk practitioner has been asked to regularly report on the overall status and effectiveness of the IT risk management program. Which of the following is MOST useful for this purpose?

Question105: Which of the following would be the BEST justification to invest in the development of a governance, risk, and compliance (GRC) solution?

Question106: A business unit is implementing a data analytics platform to enhance its customer relationship management (CRM) system primarily to process data that has been provided by its customers. Which of the following presents the GREATEST risk to the organization's reputation?

Question107: Which of the following will be MOST effective in uniquely identifying the originator of electronic transactions?

Question108: Senior management has asked the risk practitioner for the overall residual risk level for a process that contains numerous risk scenarios. Which of the following should be provided?

Question109: Which of the following facilitates a completely independent review of test results for evaluating control effectiveness?

Question110: Which of the following approaches BEST identifies information systems control deficiencies?

Question111: An external security audit has reported multiple findings related to control noncompliance. Which of the following would be MOST important for the risk practitioner to communicate to senior management?

Question112: A large organization is replacing its enterprise resource planning (ERP) system and has decided not to deploy the payroll module of the new system. Instead, the current payroll system will continue to be used. Of the following, who should own the risk if the ERP and payroll system fail to operate as expected?

Question113: Which of the following BEST enables an organization to determine whether external emerging risk factors will impact the organization's risk profile?

Question114: An organization has procured a managed hosting service and just discovered the location is likely to be flooded every 20 years. Of the following, who should be notified of this new information FIRST.

Question115: Which of the following would provide the MOST objective assessment of the effectiveness of an organization's security controls?

Question116: Which of the following is the MOST important consideration for protecting data assets m a Business application system?

Question117: Which of the following resources is MOST helpful when creating a manageable set of IT risk scenarios?

Question118: Which of the following is the PRIMARY reason to perform ongoing risk assessments?

Question119: Which of the following is the BEST method for assessing control effectiveness against technical vulnerabilities that could be exploited to compromise an information system?

Question120: Which of the following is a KEY outcome of risk ownership?

Question121: Which of the following should be the FIRST consideration when a business unit wants to use personal information for a purpose other than for which it was originally collected?

Question122: The risk associated with an asset after controls are applied can be expressed as:

Question123: Which of the following would BEST help secure online financial transactions from improper users?

Question124: Once a risk owner has decided to implement a control to mitigate risk, it is MOST important to develop:

Question125: Which of the following BEST measures the impact of business interruptions caused by an IT service outage?

Question126: Which of the following is the BEST reason to use qualitative measures to express residual risk levels related to emerging threats?

Question127: When updating the risk register after a risk assessment, which of the following is MOST important to include?

Question128: An organization wants to grant remote access to a system containing sensitive data to an overseas third party. Which of the following should be of GREATEST concern to management?

Question129: After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:

Question130: To implement the MOST effective monitoring of key risk indicators (KRIs), which of the following needs to be in place?

Question131: Which of the following provides the BEST evidence of the effectiveness of an organization's account provisioning process?

Question132: To help ensure all applicable risk scenarios are incorporated into the risk register, it is MOST important to review the:

Question133: Which of the following would be the GREATEST concern related to data privacy when implementing an Internet of Things (loT) solution that collects personally identifiable information (Pll)?

Question134: The head of a business operations department asks to review the entire IT risk register. Which of the following would be the risk manager s BEST approach to this request before sharing the register?

Question135: A risk practitioner has identified that the organization's secondary data center does not provide redundancy for a critical application. Who should have the authority to accept the associated risk?

Question136: Which of the following is the BEST indicator of the effectiveness of a control monitoring program?

Question137: Which of the following is the BEST course of action to reduce risk impact?

Question138: The acceptance of control costs that exceed risk exposure is MOST likely an example of:

Question139: Which of the following is the BEST method for assessing control effectiveness?

Question140: Which of the following would BEST ensure that identified risk scenarios are addressed?

Question141: Which of the following will BEST support management repotting on risk?

Question142: Which of the following is the BEST indicator of an effective IT security awareness program?

Question143: Which of the following BEST supports the communication of risk assessment results to stakeholders?

Question144: Which of the following is the MAIN reason for analyzing risk scenarios?

Question145: Which of the following should be the PRIMARY focus of a risk owner once a decision is made to mitigate a risk?

Question146: Vulnerabilities have been detected on an organization's systems. Applications installed on these systems will not operate if the underlying servers are updated. Which of the following is the risk practitioner's BEST course of action?

Question147: A risk owner has identified a risk with high impact and very low likelihood. The potential loss is covered by insurance. Which of the following should the risk practitioner do NEXT?

Question148: Winch of the following can be concluded by analyzing the latest vulnerability report for the it infrastructure?

Question149: From a business perspective, which of the following is the MOST important objective of a disaster recovery test?

Question150: Which of the following is MOST important to include in a Software as a Service (SaaS) vendor agreement?

Question151: Which of the following is MOST effective in continuous risk management process improvement?

Question152: Which of the following is MOST helpful in identifying gaps between the current and desired state of the IT risk environment?

Question153: Whether the results of risk analyses should be presented in quantitative or qualitative terms should be based PRIMARILY on the:

Question154: An organization striving to be on the leading edge in regard to risk monitoring would MOST likely implement:

Question155: Which of the following risk management practices BEST facilitates the incorporation of IT risk scenarios into the enterprise-wide risk register?

Question156: Which of the following is the BEST source for identifying key control indicators (KCIs)?

Question157: IT stakeholders have asked a risk practitioner for IT risk profile reports associated with specific departments to allocate resources for risk mitigation. The BEST way to address this request would be to use:

Question158: Which of the following will MOST improve stakeholders' understanding of the effect of a potential threat?

Question159: Which of the following trends would cause the GREATEST concern regarding the effectiveness of an organization's user access control processes? An increase in the:

Question160: A business manager wants to leverage an existing approved vendor solution from another area within the organization. Which of the following is the risk practitioner's BEST course of action?

Question161: Which of the following is the PRIMARY reason to establish the root cause of an IT security incident?

Question162: Which of the following is the PRIMARY reason to use key control indicators (KCIs) to evaluate control operating effectiveness?

Question163: Which of the following provides The BEST information when determining whether to accept residual risk of a critical system to be implemented?

Question164: IT disaster recovery point objectives (RPOs) should be based on the:

Question165: Which of the following is a risk practitioner's BEST recommendation to address an organization's need to secure multiple systems with limited IT resources?

Question166: Which of the following would be the BEST recommendation if the level of risk in the IT risk profile has decreased and is now below management's risk appetite?

Question167: Which of the following BEST confirms the existence and operating effectiveness of information systems controls?

Question168: Which of the following is MOST important for a risk practitioner to verify when evaluating the effectiveness of an organization's existing controls?

Question169: An upward trend in which of the following metrics should be of MOST concern?

Question170: Which of the following controls are BEST strengthened by a clear organizational code of ethics?

Question171: Which of the following should a risk practitioner recommend FIRST when an increasing trend of risk events and subsequent losses has been identified?

Question172: An organization must make a choice among multiple options to respond to a risk. The stakeholders cannot agree and decide to postpone the decision. Which of the following risk responses has the organization adopted?

Question173: The MOST important characteristic of an organization s policies is to reflect the organization's:

Question174: Which of the following will provide the BEST measure of compliance with IT policies?

Question175: Which of the following controls would BEST reduce the likelihood of a successful network attack through social engineering?

Question176: Which of the following is MOST important to ensure when continuously monitoring the performance of a client-facing application?

Question177: An audit reveals that several terminated employee accounts maintain access. Which of the following should be the FIRST step to address the risk?

Question178: Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited. Which of the following would be the BEST response to this scenario?

Question179: Which of the following would be considered a vulnerability?

Question180: A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:

Question181: A control owner responsible for the access management process has developed a machine learning model to automatically identify excessive access privileges. What is the risk practitioner's BEST course of action?

Question182: What are the MOST important criteria to consider when developing a data classification scheme to facilitate risk assessment and the prioritization of risk mitigation activities?

Question183: Which element of an organization's risk register is MOST important to update following the commissioning of a new financial reporting system?

Question184: Which of the following would BEST enable a risk practitioner to embed risk management within the organization?

Question185: Which of the following techniques would be used during a risk assessment to demonstrate to stakeholders that all known alternatives were evaluated?

Question186: An organization is planning to acquire a new financial system. Which of the following stakeholders would provide the MOST relevant information for analyzing the risk associated with the new IT solution?

Question187: The FIRST task when developing a business continuity plan should be to:

Question188: Which of the following would present the GREATEST challenge when assigning accountability for control ownership?

Question189: An organization has identified a risk exposure due to weak technical controls in a newly implemented HR system. The risk practitioner is documenting the risk in the risk register. The risk should be owned by the:

Question190: Which of the following is the GREATEST risk associated with the misclassification of data?

Question191: For a large software development project, risk assessments are MOST effective when performed:

Question192: A risk practitioner has discovered a deficiency in a critical system that cannot be patched. Which of the following should be the risk practitioner's FIRST course of action?

Question193: Which of the following would BEST help an enterprise define and communicate its risk appetite?

Question194: An organization plans to migrate sensitive information to a public cloud infrastructure. Which of the following is the GREATEST security risk in this scenario?

Question195: An organization is preparing to transfer a large number of customer service representatives to the sales department. Of the following, who is responsible for mitigating the risk associated with residual system access?

Question196: Which of the following is the MOST important outcome of reviewing the risk management process?

Question197: When reporting risk assessment results to senior management, which of the following is MOST important to include to enable risk-based decision making?

Question198: Which of the following BEST provides an early warning that network access of terminated employees is not being revoked in accordance with the service level agreement (SLA)?

Question199: Which of the following is MOST important for a risk practitioner to consider when evaluating plans for changes to IT services?

Question200: Which of the following is the MOST effective way to help ensure an organization's current risk scenarios are relevant?

Question201: An internally developed payroll application leverages Platform as a Service (PaaS) infrastructure from the cloud. Who owns the related data confidentiality risk?

Question202: Which of the following is the FIRST step when conducting a business impact analysis (BIA)?

Question203: The BEST key performance indicator (KPI) to measure the effectiveness of a vendor risk management program is the percentage of:

Question204: Which of the following is MOST important when developing key risk indicators (KRIs)?

Question205: A service provider is managing a client's servers. During an audit of the service, a noncompliant control is discovered that will not be resolved before the next audit because the client cannot afford the downtime required to correct the issue. The service provider's MOST appropriate action would be to:

Question206: Which of the following is the MAIN benefit of involving stakeholders in the selection of key risk indicators (KRIs)?

Question207: Which of the following should be the risk practitioner s PRIMARY focus when determining whether controls are adequate to mitigate risk?

Question208: Which of the following would be MOST beneficial as a key risk indicator (KRI)?

Question209: A recent audit identified high-risk issues in a business unit though a previous control self-assessment (CSA) had good results. Which of the following is the MOST likely reason for the difference?

Question210: An organization planning to transfer and store its customer data with an offshore cloud service provider should be PRIMARILY concerned with:

Question211: Which of the following will help ensure the elective decision-making of an IT risk management committee?

Question212: Which of the following helps ensure compliance with a nonrepudiation policy requirement for electronic transactions?

Question213: An organization operates in a jurisdiction where heavy fines are imposed for leakage of customer data. Which of the following provides the BEST input to assess the inherent risk impact?

Question214: An organization is considering allowing users to access company data from their personal devices. Which of the following is the MOST important factor when assessing the risk?

Question215: Who should be accountable for ensuring effective cybersecurity controls are established?

Question216: A risk practitioner is reporting on an increasing trend of ransomware attacks in the industry. Which of the following information is MOST important to include to enable an informed response decision by key stakeholders?

Question217: Which of these documents is MOST important to request from a cloud service provider during a vendor risk assessment?

Question218: Which of the following should be management's PRIMARY focus when key risk indicators (KRIs) begin to rapidly approach defined thresholds?

Question219: The PRIMARY reason for periodically monitoring key risk indicators (KRIs) is to:

Question220: Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?

Question221: An IT department has organized training sessions to improve user awareness of organizational information security policies. Which of the following is the BEST key performance indicator (KPI) to reflect effectiveness of the training?

Question222: Which of the following would MOST effectively enable a business operations manager to identify events exceeding risk thresholds?

Question223: Which of the following is a risk practitioner's BEST course of action upon learning that a control under internal review may no longer be necessary?

Question224: Which of the following is MOST essential for an effective change control environment?

Question225: Which of the following is MOST helpful to review when identifying risk scenarios associated with the adoption of Internet of Things (loT) technology in an organization?

Question226: A change management process has recently been updated with new testing procedures. What is the NEXT course of action?

Question227: Which of The following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system?

Question228: Controls should be defined during the design phase of system development because:

Question229: To reduce the risk introduced when conducting penetration tests, the BEST mitigating control would be to:

Question230: When assessing the maturity level of an organization's risk management framework, which of the following deficiencies should be of GREATEST concern to a risk practitioner?

Question231: Which of the following key risk indicators (KRIs) is MOST effective for monitoring risk related to a bring your own device (BYOD) program?

Question232: A bank has outsourced its statement printing function to an external service provider. Which of the following is the MOST critical requirement to include in the contract?

Question233: To communicate the risk associated with IT in business terms, which of the following MUST be defined?

Question234: An organization has outsourced its billing function to an external service provider. Who should own the risk of customer data leakage caused by the service provider?

Question235: Which of the following is the PRIMARY reason for a risk practitioner to use global standards related to risk management?

Question236: Which of the following is MOST helpful to ensure effective security controls for a cloud service provider?

Question237: An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?

Question238: The PRIMARY purpose of using control metrics is to evaluate the:

Question239: Which of the following should be considered when selecting a risk response?

Question240: Legal and regulatory risk associated with business conducted over the Internet is driven by:

Question241: Which of the following would provide executive management with the BEST information to make risk decisions as a result of a risk assessment?

Question242: Which of the following is MOST effective against external threats to an organizations confidential information?

Question243: Which stakeholders are PRIMARILY responsible for determining enterprise IT risk appetite?

Question244: Which of the following should be the GREATEST concern for an organization that uses open source software applications?

Question245: An organization moved its payroll system to a Software as a Service (SaaS) application. A new data privacy regulation stipulates that data can only be processed within the country where it is collected. Which of the following should be done FIRST when addressing this situation?

Question246: Which of the following is the GREATEST concern when using a generic set of IT risk scenarios for risk analysis?

Question247: Which of the following would prompt changes in key risk indicator {KRI) thresholds?

Question248: Which of the following approaches will BEST help to ensure the effectiveness of risk awareness training?

Question249: Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability management process?

Question250: A new regulator/ requirement imposes severe fines for data leakage involving customers' personally identifiable information (Pll). The risk practitioner has recommended avoiding the risk. Which of the following actions would BEST align with this recommendation?

Question251: Reviewing results from which of the following is the BEST way to identify information systems control deficiencies?

Question252: Which of the following is the MOST important component in a risk treatment plan?

Question253: Which of the following should be a risk practitioner s MOST important consideration when developing IT risk scenarios?

Question254: Which of the following is the GREATEST benefit of analyzing logs collected from different systems?

Question255: Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery plan (DRP)?

Question256: When of the following provides the MOST tenable evidence that a business process control is effective?

Question257: Which of the following is the PRIMARY objective of providing an aggregated view of IT risk to business management?

Question258: The PRIMARY reason for prioritizing risk scenarios is to:

Question259: Which of the following elements of a risk register is MOST likely to change as a result of change in management's risk appetite?

Question260: A risk practitioner notices a trend of noncompliance with an IT-related control. Which of the following would BEST assist in making a recommendation to management?

Question261: Reviewing historical risk events is MOST useful for which of the following processes within the risk management life cycle?

Question262: A highly regulated organization acquired a medical technology startup company that processes sensitive personal information with weak data protection controls. Which of the following is the BEST way for the acquiring company to reduce its risk while still enabling the flexibility needed by the startup company?

Question263: After migrating a key financial system to a new provider, it was discovered that a developer could gain access to the production environment. Which of the following is the BEST way to mitigate the risk in this situation?

Question264: A risk manager has determined there is excessive risk with a particular technology. Who is the BEST person to own the unmitigated risk of the technology?

Question265: Which of the following BEST enables a proactive approach to minimizing the potential impact of unauthorized data disclosure?

Question266: When a high-risk security breach occurs, which of the following would be MOST important to the person responsible for managing the incident?

Question267: Which of the following is the MOST appropriate key risk indicator (KRI) for backup media that is recycled monthly?

Question268: Which of the following is the PRIMARY role of a data custodian in the risk management process?

Question269: Which of the following will BEST help ensure that risk factors identified during an information systems review are addressed?

Question270: Which of the following should be the HIGHEST priority when developing a risk response?

Question271: Malware has recently affected an organization, The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:

Question272: Which of the following is the BEST approach when a risk practitioner has been asked by a business unit manager for special consideration during a risk assessment of a system?

Question273: The PRIMARY purpose of using a framework for risk analysis is to:

Question274: A risk owner has accepted a high-impact risk because the control was adversely affecting process efficiency. Before updating the risk register, it is MOST important for the risk practitioner to:

Question275: The MOST important reason to aggregate results from multiple risk assessments on interdependent information systems is to:

Question276: Which of the following is MOST important to the successful development of IT risk scenarios?

Question277: A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:

Question278: Which of the following is MOST critical to the design of relevant risk scenarios?

Question279: A risk practitioner has just learned about new done FIRST?

Question280: Which of the following is MOST influential when management makes risk response decisions?

Question281: Which of the following is the GREATEST concern when an organization uses a managed security service provider as a firewall administrator?

Question282: Which of the following would be- MOST helpful to understand the impact of a new technology system on an organization's current risk profile?

Question283: A risk assessment indicates the residual risk associated with a new bring your own device (BYOD) program is within organizational risk tolerance. Which of the following should the risk practitioner recommend be done NEXT?

Question284: Prudent business practice requires that risk appetite not exceed:

Question285: The PRIMARY objective of testing the effectiveness of a new control before implementation is to:

Question286: To mitigate the risk of using a spreadsheet to analyze financial data, IT has engaged a third-party vendor to deploy a standard application to automate the process. Which of the following parties should own the risk associated with calculation errors?

Question287: An organization has identified that terminated employee accounts are not disabled or deleted within the time required by corporate policy. Unsure of the reason, the organization has decided to monitor the situation for three months to obtain more information. As a result of this decision, the risk has been:

Question288: Which of The following is the MOST relevant information to include in a risk management strategy?

Question289: Which of the following is MOST helpful to management when determining the resources needed to mitigate a risk?

Question290: Which of the following is the FIRST step when developing a business case to drive the adoption of a risk remediation project by senior management?

Question291: Which of the following is the MOST important enabler of effective risk management?

Question292: Which of the following is the BEST indication that an organization's risk management program has not reached the desired maturity level?

Question293: What is the PRIMARY benefit of risk monitoring?

Question294: The MOST effective way to increase the likelihood that risk responses will be implemented is to:

Question295: Which of the following is the MAIN reason for documenting the performance of controls?

Question296: Which of the following is the BEST key performance indicator (KPI) to measure the maturity of an organization's security incident handling process?

Question297: A risk practitioner learns that the organization s industry is experiencing a trend of rising security incidents. Which of the following is the BEST course of action?

Question298: Which of the following should be done FIRST when developing a data protection management plan?

Question299: Which of the following provides The MOST useful information when determining a risk management program's maturity level?

Question300: Mapping open risk issues to an enterprise risk heat map BEST facilitates:

Question301: Which of the following provides the MOST useful information when determining if a specific control should be implemented?

Question302: The BEST key performance indicator (KPI) to measure the effectiveness of a backup process would be the number of:

Question303: Which of the following is the BEST control to detect an advanced persistent threat (APT)?

Question304: Which of the following activities is PRIMARILY the responsibility of senior management?

Question305: An organization has outsourced its backup and recovery procedures to a third-party cloud provider. Which of the following is the risk practitioner s BEST course of action?

Question306: When reviewing a risk response strategy, senior management's PRIMARY focus should be placed on the:

Question307: During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall. Which of the following controls has MOST likely been compromised?

Question308: A newly enacted information privacy law significantly increases financial penalties for breaches of personally identifiable information (Pll). Which of the following will MOST likely outcome for an organization affected by the new law?

Question309: Which of We following is the MOST effective control to address the risk associated with compromising data privacy within the cloud?

Question310: Which of the following is the GREATEST concern associated with redundant data in an organization's inventory system?

Question311: A contract associated with a cloud service provider MUST include:

Question312: Which of the following is the GREATEST concern associated with the transmission of healthcare data across the internet?

Question313: Which of the following is MOST critical when designing controls?