EMT Practice Test

1. Question Content...


Question List

Question1: A global organization is considering the acquisition of a competitor. Senior management has requested a review of the overall risk profile from the targeted organization.
Which of the following components of this review would provide the MOST useful information?

Question2: What is the PRIMARY objective difference between an internal and an external risk management assessment reviewer?

Question3: The design of procedures to prevent fraudulent transactions within an enterprise resource planning (ERP) system should be based on:

Question4: Which of the following is the MOST important data source for monitoring key risk indicators (KRIs)?

Question5: Which among the following is the MOST crucial part of risk management process?

Question6: A recent audit identified high-risk issues in a business unit though a previous control self-assessment (CSA) had good results. Which of the following is the MOST likely reason for the difference?

Question7: The analysis of which of the following will BEST help validate whether suspicious network activity is malicious?

Question8: You are the project manager of GHT project. A risk event has occurred in your project and you have identified it. Which of the following tasks you would do in reaction to risk event occurrence? Each correct answer represents a part of the solution. Choose three.

Question9: An organization has outsourced its IT security management function to an external service provider. The BEST party to own the IT security controls under this arrangement is the:

Question10: Which of the following is the final step in the policy development process?

Question11: You are elected as the project manager of GHT project. You have to initiate the project. Your Project request document has been approved, and now you have to start working on the project. What is the FIRST step you should take to initialize the project?

Question12: An organization has been notified that a dis grunted, terminated IT administrator has tried to break into the corporate network. Which of the following discoveries should be of GREATEST concern to the organization?

Question13: Which of the following should be the MOST important consideration when determining controls necessary for a highly critical information system?

Question14: A department has been granted an exception to bypass the existing approval process for purchase orders. The risk practitioner should verify the exception has been approved by which of the following?

Question15: A risk practitioner has identified that the organization's secondary data center does not provide redundancy for a critical application. Who should have the authority to accept the associated risk?

Question16: Which of the following is the MOST important consideration when performing a risk assessment of a fire suppression system within a data center?

Question17: Jane, the Director of Sales, contacts you and demands that you add a new feature to the software your project team is creating for the organization. In the meeting she tells you how important the scope change would be.
You explain to her that the software is almost finished and adding a change now could cause the deliverable to be late, cost additional funds, and would probably introduce new risks to the project. Jane stands up and says to you, "I am the Director of Sales and this change will happen in the project." And then she leaves the room.
What should you do with this verbal demand for a change in the project?

Question18: The MOST important characteristic of an organization's policies is to reflect the organization's:

Question19: Which of the following controls BEST enables an organization to ensure a complete and accurate IT asset inventory?

Question20: You are the risk professional of your enterprise. Your enterprise has introduced new systems in many departments. The business requirements that were to be addressed by the new system are still unfulfilled, and the process has been a waste of resources. Even if the system is implemented, it will most likely be underutilized and not maintained making it obsolete in a short period of time. What kind of risk is it?

Question21: Which of the following is a risk practitioner's MOST important responsibility in managing risk acceptance that exceeds risk tolerance?

Question22: In which of the following risk management capability maturity levels does the enterprise takes major business decisions considering the probability of loss and the probability of reward? Each correct answer represents a complete solution. Choose two.

Question23: You are the risk control professional of your enterprise. You have implemented a tool that correlates information from multiple sources. To which of the following do this monitoring tool focuses?

Question24: Judy has identified a risk event in her project that will have a high probability and a high impact. Based on the requirements of the project, Judy has asked to change the project scope to remove the associated requirement and the associated risk. What type of risk response is this?

Question25: Which of the following is the BEST method for assessing control effectiveness against technical vulnerabilities that could be exploited to compromise an information system?

Question26: Which of The following should be of GREATEST concern for an organization considering the adoption of a bring your own device (BYOD) initiative?

Question27: Which of the following BEST enables a risk practitioner to enhance understanding of risk among stakeholders?

Question28: You are the project manager of the HJK Project for your organization. You and the project team have created risk responses for many of the risk events in the project. Where should you document the proposed responses and the current status of all identified risks?

Question29: Which of the following is the MOST important objective of establishing an enterprise risk management (ERM) function within an organization?

Question30: Suppose you are working in Techmart Inc. which sells various products through its website. Due to some recent losses, you are trying to identify the most important risks to the Website. Based on feedback from several experts, you have come up with a list. You now want to prioritize these risks. Now in which category you would put the risk concerning the modification of the Website by unauthorized parties.

Question31: Which of the following is the greatest risk to reporting?

Question32: You are the project manager of HGT project. You are in the first phase of the risk response process and are doing following tasks :
Communicating risk analysis results
Reporting risk management activities and the state of compliance
Interpreting independent risk assessment findings
Identifying business opportunities
Which of the following process are you performing?

Question33: When does the Identify Risks process take place in a project?

Question34: The PRIMARY benefit associated with key risk indicators (KRIs) is that they:

Question35: Who is MOST likely to be responsible for the coordination between the IT risk strategy and the business risk strategy?

Question36: During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT. Which of the following is the BEST way for the risk practitioner to address these concerns?

Question37: An interruption in business productivity is considered as which of the following risks?

Question38: Which of the following is the MOST important consideration when sharing risk management updates with executive management?

Question39: Which of the following BEST describes the utility of a risk?

Question40: Which of the following is NOT true for effective risk communication?

Question41: Which of the following parameters are considered for the selection of risk indicators?
Each correct answer represents a part of the solution. Choose three.

Question42: Which of the following are the security plans adopted by the organization?
Each correct answer represents a complete solution. (Choose three.)

Question43: An application runs a scheduled job that compiles financial data from multiple business systems and updates the financial reporting system. If this job runs too long, it can delay financial reporting. Which of the following is the risk practitioner's BEST recommendation?

Question44: Which of the following roles is BEST suited to help a risk practitioner understand the impact of IT-related events on business objectives?

Question45: After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment?

Question46: Which of the following is the PRIMARY purpose of periodically reviewing an organization's risk profile?

Question47: An IT department has organized training sessions to improve user awareness of organizational information security policies. Which of the following is the BEST key performance indicator (KPI) to reflect effectiveness of the training?

Question48: You are the risk professional of your enterprise. You need to calculate potential revenue loss if a certain risks occurs. Your enterprise has an electronic (e-commerce) web site that is producing US $1 million of revenue each day, then if a denial of service (DoS) attack occurs that lasts half a day creates how much loss?

Question49: Which of the following would BEST help to ensure that suspicious network activity is identified?

Question50: Which of The following is the MOST comprehensive input to the risk assessment process specific to the effects of system downtime?

Question51: Which of the following considerations should be taken into account while selecting risk indicators that ensures greater buy-in and ownership?

Question52: Which of the following is the priority of data owners when establishing risk mitigation method?

Question53: Which of the following baselines identifies the specifications required by the resource that meet the approved requirements?

Question54: A project team member has just identified a new project risk. The risk event is determined to have significant impact but a low probability in the project. Should the risk event happen it'll cause the project to be delayed by three weeks, which will cause new risk in the project. What should the project manager do with the risk event?

Question55: Which of the following would be a risk practitioner's BEST recommendation to help ensure cyber risk is assessed and reflected in the enterprise-level risk profile?

Question56: The best way to test the operational effectiveness of a data backup procedure is to:

Question57: You are the project manager for the NHH project. You are working with your project team to examine the project from four different defined perspectives to increase the breadth of identified risks by including internally generated risks. What risk identification approach are you using in this example?

Question58: From a risk management perspective, which of the following is the PRIMARY benefit of using automated system configuration validation tools?

Question59: An organization has used generic risk scenarios to populate its risk register. Which of the following presents the GREATEST challenge to assigning of the associated risk entries?

Question60: Which of the following would provide the MOST useful information to a risk owner when reviewing the progress of risk mitigation?

Question61: A teaming agreement is an example of what type of risk response?

Question62: Which of the following is MOST important to understand when determining an appropriate risk assessment approach?

Question63: Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an anti-virus program?

Question64: Which of the following BEST indicates that an organization has implemented IT performance requirements?

Question65: Which of the following is MOST commonly compared against the risk appetite?

Question66: Which of the following is MOST appropriate method to evaluate the potential impact of legal, regulatory, and contractual requirements on business objectives?

Question67: Thomas is a key stakeholder in your project. Thomas has requested several changes to the project scope for the project you are managing.
Upon review of the proposed changes, you have discovered that these new requirements are laden with risks and you recommend to the change control board that the changes be excluded from the project scope. The change control board agrees with you. What component of the change control system communicates the approval or denial of a proposed change request?

Question68: A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?

Question69: Which of the following control detects problem before it can occur?

Question70: Which of the following should be the FIRST consideration when a business unit wants to use personal information for a purpose other than for which it was originally collected?

Question71: Implementing which of the following will BEST help ensure that systems comply with an established baseline before deployment?

Question72: You are working in an enterprise. You enterprise is willing to accept a certain amount of risk. What is this risk called?

Question73: While developing obscure risk scenarios, what are the requirements of the enterprise?
Each correct answer represents a part of the solution. Choose two.

Question74: Which of the following is MOST useful when communicating risk to management?

Question75: Which of the following is the BEST way to ensure ongoing control effectiveness?

Question76: A risk assessment has identified increased losses associated with an IT risk scenario. It is MOST important for the risk practitioner to:

Question77: An organization is unable to implement a multi-factor authentication requirement until the next fiscal year due to budget constraints. Consequently, a policy exception must be submitted. Which of the following is MOST important to include in the analysis of the exception?

Question78: Which of the following provides the MOST up-to-date information about the effectiveness of an organization's overall IT control environment?

Question79: Your project is an agricultural-based project that deals with plant irrigation systems. You have discovered a byproduct in your project that your organization could use to make a profit. If your organization seizes this opportunity, it would be an example of what risk response?

Question80: An organization's risk practitioner learns a new third-party system on the corporate network has introduced vulnerabilities that could compromise corporate IT systems. What should the risk practitioner do FIRST?

Question81: Which of the following BEST indicates the condition of a risk management program?

Question82: After identifying new risk events during a project, the project manager s NEXT step should be to:

Question83: Which of the following BEST contributes to the implementation of an effective risk response action plan?

Question84: You are the project manager of HJT project. Important confidential files of your project are stored on a computer. Keeping the unauthorized access of this computer in mind, you have placed a hidden CCTV in the room, even on having protection password. Which kind of control CCTV is?

Question85: An organization uses a vendor to destroy hard drives. Which of the following would BEST reduce the risk of data leakage?

Question86: The following is the snapshot of a recently approved IT risk register maintained by an organization's information security department.

After implementing countermeasures listed in ''Risk Response Descriptions'' for each of the Risk IDs, which of the following component of the register MUST change?

Question87: Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?

Question88: A new international data privacy regulation requires personal data to be disposed after the specified retention period, which is different from the local regulatory requirement. Which of the following is the risk practitioner's BEST recommendation to resolve the disparity?

Question89: Which of the following is MOST critical to the design of relevant risk scenarios?

Question90: Who should be responsible for implementing and maintaining security controls?

Question91: Risk mitigation procedures should include:

Question92: When reviewing a report on the performance of control processes, it is MOST important to verify whether the:

Question93: Implementing which of the following controls would BEST reduce the impact of a vulnerability that has been exploited?

Question94: Using which of the following one can produce comprehensive result while performing qualitative risk analysis?

Question95: During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:

Question96: Senior management has asked a risk practitioner to develop technical risk scenarios related to a recently developed enterprise resource planning (ERP) system. These scenarios will be owned by the system manager.
Which of the following would be the BEST method to use when developing the scenarios?

Question97: Which of the following is true for Single loss expectancy (SLE), Annual rate of occurrence (ARO), and Annual loss expectancy (ALE)?

Question98: Which of the following is the PRIMARY objective of providing an aggregated view of IT risk to business management?

Question99: While reviewing a contract of a cloud services vendor, it was discovered that the vendor refuses to accept liability for a sensitive data breach. Which of the following controls will BEST reduce the risk associated with such a data breach?

Question100: Which of the following is a risk practitioner's BEST course of action upon learning that a control under internal review may no longer be necessary?

Question101: An organization is preparing to transfer a large number of customer service representatives to the sales department. Of the following, who is responsible for mitigating the risk associated with residual system access?

Question102: The PRIMARY purpose of using control metrics is to evaluate the:

Question103: Which of the following is the STRONGEST indication an organization has ethics management issues?

Question104: Who should have the authority to approve an exception to a control?

Question105: Which of the following BEST indicates that an organization has implemented IT performance requirements?

Question106: You and your project team are identifying the risks that may exist within your project. Some of the risks are small risks that won't affect your project much if they happen. What should you do with these identified risk events?

Question107: During a risk treatment plan review, a risk practitioner finds the approved risk action plan has not been completed However, there were other risk mitigation actions implemented. Which of the fallowing is the BEST course of action?

Question108: The PRIMARY objective of The board of directors periodically reviewing the risk profile is to help ensure:

Question109: Which of the following should an organization perform to forecast the effects of a disaster?

Question110: In an organization that allows employee use of social media accounts for work purposes, which of the following is the BEST way to protect company sensitive information from being exposed?

Question111: Which of the following is the BEST way to promote adherence to the risk tolerance level set by management?

Question112: Which of the following is MOST important to ensure when continuously monitoring the performance of a client-facing application?

Question113: You are the project manager of GFT project. Your project involves the use of electrical motor. It was stated in its specification that if its temperature would increase to 500 degree Fahrenheit the machine will overheat and have to be shut down for 48 hours. If the machine overheats even once it will delay the project's arrival date.
So to prevent this you have decided while creating response that if the temperature of the machine reach 450, the machine will be paused for at least an hour so as to normalize its temperature. This temperature of 450 degrees is referred to as?

Question114: You are the project manager of GHT project. You are performing cost and benefit analysis of control. You come across the result that costs of specific controls exceed the benefits of mitigating a given risk. What is the BEST action would you choose in this scenario?

Question115: An organization is planning to acquire a new financial system. Which of the following stakeholders would provide the MOST relevant information for analyzing the risk associated with the new IT solution?

Question116: An organization has recently hired a large number of part-time employees. During the annual audit, it was discovered that many user IDs and passwords were documented in procedure manuals for use by the part- time employees. This situation would be considered:

Question117: An organization maintains independent departmental risk registers that are not automatically aggregated. Which of the following is the GREATEST concern?

Question118: Which of the following is the MOST important use of KRIs?

Question119: Which of the following provides the BEST evidence that a selected risk treatment plan is effective?

Question120: You are the project manager of a large networking project. During the execution phase the customer requests for a change in the existing project plan. What will be your immediate action?

Question121: Which of the following techniques examines the degree to which organizational strengths offset threats and opportunities that may serve to overcome weaknesses?

Question122: Which of the following BEST protects an organization against breaches when using a software as a service (SaaS) application?

Question123: Which of the following is MOST important for developing effective key risk indicators (KRIs)?

Question124: You are the project manager of HGT project. You have identified project risks and applied appropriate response for its mitigation. You noticed a risk generated as a result of applying response. What this resulting risk is known as?

Question125: You are the project manager of RFT project. You have identified a risk that the enterprise's IT system and application landscape is so complex that, within a few years, extending capacity will become difficult and maintaining software will become very expensive. To overcome this risk the response adopted is re- architecture of the existing system and purchase of new integrated system. In which of the following risk prioritization options would this case be categorized?

Question126: When reviewing a business continuity plan (BCP), which of the following would be the MOST significant deficiency?

Question127: Which of the following BEST illustrates the relationship of actual risk exposure to appetite?

Question128: Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?

Question129: A peer review of a risk assessment finds that a relevant threat community was not included. Mitigation of the risk will require substantial changes to a software application. Which of the following is the BEST course of action?

Question130: You work as the project manager for Company Inc. The project on which you are working has several risks that will affect several stakeholder requirements. Which project management plan will define who will be available to share information on the project risks?

Question131: Which of the following approaches will BEST help to ensure the effectiveness of risk awareness training?

Question132: Which of the following will significantly affect the standard information security governance model?

Question133: To effectively support business decisions, an IT risk register MUST:

Question134: Which of following is NOT used for measurement of Critical Success Factors of the project?

Question135: Participants in a risk workshop have become focused on the financial cost to mitigate risk rather than choosing the most appropriate response. Which of the following is the BEST way to address this type of issue in the long term?

Question136: A risk owner has accepted a high-impact risk because the control was adversely affecting process efficiency. Before updating the risk register, it is MOST important for the risk practitioner to:

Question137: All business units within an organization have the same risk response plan for creating local disaster recovery plans. In an effort to achieve cost effectiveness., the BEST course of action would be to:

Question138: Which of the following control detects problem before it can occur?

Question139: Mary is a project manager in her organization. On her current project she is working with her project team and other key stakeholders to identify the risks within the project. She is currently aiming to create a comprehensive list of project risks so she is using a facilitator to help generate ideas about project risks. What risk identification method is Mary likely using?

Question140: Which of the following are risk components of the COSO ERM framework?
Each correct answer represents a complete solution. Choose three.

Question141: Which of the following steps ensure effective communication of the risk analysis results to relevant stakeholders? Each correct answer represents a complete solution. Choose three.

Question142: You work as a Project Manager for Company Inc. You have to conduct the risk management activities for a project. Which of the following inputs will you use in the plan risk management process?
Each correct answer represents a complete solution. (Choose three.)

Question143: Fred is the project manager of a large project in his organization. Fred needs to begin planning the risk management plan with the project team and key stakeholders. Which plan risk management process tool and technique should Fred use to plan risk management?

Question144: You are elected as the project manager of GHT project. You are in project initialization phase and are busy in defining requirements for your project. While defining requirements you are describing how users will interact with a system. Which of the following requirements are you defining here?

Question145: Which of the following processes is described in the statement below?
"It is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project."

Question146: An organization moved its payroll system to a Software as a Service (SaaS) application. A new data privacy regulation stipulates that data can only be processed within the country where it is collected. Which of the following should be done FIRST when addressing this situation?

Question147: What type of policy would an organization use to forbid its employees from using organizational e-mail for personal use?

Question148: What are the PRIMARY objectives of a control?

Question149: Which of the following is the MAIN benefit of involving stakeholders in the selection of key risk indicators (KRIs)?

Question150: Your project is an agricultural-based project that deals with plant irrigation systems. You have discovered a byproduct in your project that your organization could use to make a profit. If your organization seizes this opportunity it would be an example of what risk response?

Question151: Which of the following is the MOST cost-effective way to test a business continuity plan?

Question152: Which of the following is the GREATEST benefit of incorporating IT risk scenarios into the corporate risk register?

Question153: Which of the following is MOST important to understand when determining an appropriate risk assessment approach?

Question154: Which of the following would provide the MOST objective assessment of the effectiveness of an organization's security controls?

Question155: You work as a Project Manager for Company Inc. You are incorporating a risk response owner to take the job for each agreed-to and funded risk response. On which of the following processes are you working?

Question156: You work as a project manager for TechSoft Inc. You are working with the project stakeholders on the qualitative risk analysis process in your project. You have used all the tools to the qualitative risk analysis process in your project. Which of the following techniques is NOT used as a tool in qualitative risk analysis process?

Question157: Which of the following conditions presents the GREATEST risk to an application?

Question158: Within the three lines of defense model, the accountability for the system of internal control resides with:

Question159: Which of the following is the MOST effective method for indicating that the risk level is approaching a high or unacceptable level of risk?

Question160: Walter is the project manager of a large construction project. He'll be working with several vendors on the project. Vendors will be providing materials and labor for several parts of the project. Some of the works in the project are very dangerous so Walter has implemented safety requirements for all of the vendors and his own project team. Stakeholders for the project have added new requirements, which have caused new risks in the project. A vendor has identified a new risk that could affect the project if it comes into fruition. Walter agrees with the vendor and has updated the risk register and created potential risk responses to mitigate the risk.
What should Walter also update in this scenario considering the risk event?

Question161: Print jobs containing confidential information are sent to a shared network printer located in a secure room. Which of the following is the BEST control to prevent the inappropriate disclosure of confidential information?

Question162: Ben works as a project manager for the MJH Project. In this project, Ben is preparing to identify stakeholders so he can communicate project requirements, status, and risks. Ben has elected to use a salience model as part of his stakeholder identification process. Which of the following activities best describes a salience model?

Question163: What is the PRIMARY purpose of a business impact analysis (BIA)?

Question164: An organization is planning to acquire a new financial system. Which of the following stakeholders would provide the MOST relevant information for analyzing the risk associated with the new IT solution?

Question165: What is the process for selecting and implementing measures to impact risk called?

Question166: You are the project manager of GHT project. During the data extraction process, you evaluated the total number of transactions per year by multiplying the monthly average by twelve. This process of evaluating total number of transactions is known as?

Question167: Which of the following would be the BEST recommendation if the level of risk in the IT risk profile has decreased and is now below management's risk appetite?

Question168: Which of the following controls focuses on operational efficiency in a functional area sticking to management policies?

Question169: Which of the following should be the PRIMARY focus of an independent review of a risk management process?

Question170: A program manager has completed an unsuccessful disaster recovery test. Which of the following should the risk practitioner recommend as the NEXT course of action?

Question171: Which of the following should be a risk practitioner's NEXT action after identifying a high probability of data loss in a system?

Question172: Which of the following is MOST appropriate method to evaluate the potential impact of legal, regulatory, and contractual requirements on business objectives?

Question173: You are the project manager of the NHQ project in Bluewell Inc. The project has an asset valued at
$200,000 and is subjected to an exposure factor of 45 percent. If the annual rate of occurrence of loss in this project is once a month, then what will be the Annual Loss Expectancy (ALE) of the project?

Question174: What is the PRIMARY reason to periodically review key performance indicators (KPIs)?

Question175: A WiFi access points on the enterprise network. Which of the following would be MOST important to include in a report to senior management?

Question176: Which of the following would prompt changes in key risk indicator (KRI) thresholds?

Question177: Which of the following should be the PRIMARY consideration when assessing the automation of control monitoring?

Question178: When reviewing a report on the performance of control processes, it is MOST important to verify whether the:

Question179: An enterprise has identified risk events in a project. While responding to these identified risk events, which among the following stakeholders is MOST important for reviewing risk response options to an IT risk.

Question180: An organization has introduced risk ownership to establish clear accountability for each process. To ensure effective risk ownership, it is MOST important that:

Question181: Reviewing results from which of the following is the BEST way to identify information systems control deficiencies?

Question182: An organization has just implemented changes to close an identified vulnerability that impacted a critical business process. What should be the NEXT course of action?

Question183: A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:

Question184: Which of the following vulnerability assessment software can check for weak passwords on the network?

Question185: Which of the following should be the PRIMARY consideration when implementing controls for monitoring user activity logs?

Question186: Which of the following BEST measures the efficiency of an incident response process?

Question187: Which of the following is the BEST way to detect zero-day malware on an end user's workstation?

Question188: Which of the following should be the PRIMARY input when designing IT controls?

Question189: Which of the following is the BEST indicator of the effectiveness of IT risk management processes?

Question190: Which of the following is the MOST important consideration when developing an organization's risk taxonomy?

Question191: Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation?

Question192: The BEST way to justify the risk mitigation actions recommended in a risk assessment would be to:

Question193: One of the risk events you've identified is classified as force majeure. What risk response is likely to be used?

Question194: Quantifying the value of a single asset helps the organization to understand the:

Question195: David is the project manager of the HRC Project. He has identified a risk in the project, which could cause the delay in the project. David does not want this risk event to happen so he takes few actions to ensure that the risk event will not happen. These extra steps, however, cost the project an additional $10,000.
What type of risk response has David adopted?

Question196: Which of the following is the MOST important component in a risk treatment plan?

Question197: According to the Section-302 of the Sarbanes-Oxley Act of 2002, what does certification of reports implies? Each correct answer represents a complete solution. Choose three.

Question198: How are the potential choices of risk based decisions are represented in decision tree analysis?

Question199: For which of the following risk management capability maturity levels do the statement given below is true?
"Real-time monitoring of risk events and control exceptions exists, as does automation of policy management"

Question200: You are working in an enterprise. Assuming that your enterprise periodically compares finished goods inventory levels to the perpetual inventories in its ERP system. What kind of information is being provided by the lack of any significant differences between perpetual levels and actual levels?

Question201: Which of the following methods would BEST contribute to identifying obscure risk scenarios?

Question202: You are the project manager of a large construction project. This project will last for 18 months and will cost $750,000 to complete. You are working with your project team, experts, and stakeholders to identify risks within the project before the project work begins. Management wants to know why you have scheduled so many risk identification meetings throughout the project rather than just initially during the project planning. What is the best reason for the duplicate risk identification sessions?

Question203: Which of the following is the STRONGEST indication that controls implemented as part of a risk action plan are not effective?

Question204: Which of the following is the BEST indication of an effective risk management program?

Question205: Which of the following would be a risk practitioner's BEST recommendation upon learning of an updated cybersecurity regulation that could impact the organization?

Question206: Which of the following will significantly affect the standard information security governance model?

Question207: Which of the following would be MOST relevant to stakeholders regarding ineffective control implementation?

Question208: An IT control gap has been identified in a key process. Who would be the MOST appropriate owner of the risk associated with this gap?

Question209: In response to the threat of ransomware, an organization has implemented cybersecurity awareness activities.
The risk practitioner's BEST recommendation to further reduce the impact of ransomware attacks would be to implement:

Question210: Which of the following is the GREATEST concern when an organization uses a managed security service provider as a firewall administrator?

Question211: Which of the following phases is involved in the Data Extraction, Validation, Aggregation and Analysis?

Question212: What are the responsibilities of the CRO?
Each correct answer represents a complete solution. Choose three.

Question213: An IT department originally planned to outsource the hosting of its data center at an overseas location to reduce operational expenses. After a risk assessment, the department has decided to keep the data center in-house. How should the risk treatment response be reflected in the risk register?

Question214: The PRIMARY goal of conducting a business impact analysis (BIA) as part of an overall continuity planning process is to:

Question215: The PRIMARY reason for tracking the status of risk mitigation plans is to ensure:

Question216: Which of the following is the BEST evidence that risk management is driving business decisions in an organization?

Question217: Mary is the project manager for the BLB project. She has instructed the project team to assemble, to review the risks. She has included the schedule management plan as an input for the quantitative risk analysis process. Why is the schedule management plan needed for quantitative risk analysis?

Question218: Which of the following key risk indicators (KRIs) is MOST effective for monitoring risk related to a bring your own device (BYOD) program?

Question219: Which of the following is the PRIMARY objective for automating controls?

Question220: Which of the following is the BEST reason to use qualitative measures to express residual risk levels related to emerging threats?

Question221: Which of the following provides the MOST useful information to determine risk exposure following control implementations?

Question222: Which of the following is MOST important to update when an organization's risk appetite changes?

Question223: Which of the following is NOT true for risk management capability maturity level 1?

Question224: Which of the following BEST enables the risk profile to serve as an effective resource to support business objectives?

Question225: Which of the following is NOT true for Key Risk Indicators?

Question226: What are the functions of audit and accountability control?
Each correct answer represents a complete solution. (Choose three.)

Question227: You work as a project manager for BlueWell Inc. You are preparing to plan risk responses for your project with your team. How many risk response types are available for a negative risk event in the project?