Question1: Which of the following will BEST help to ensure implementation of corrective action plans?
Question2: A risk practitioner has collaborated with subject matter experts from the IT department to develop a large list of potential key risk indicators (KRIs) for all IT operations within the organization Of the following, who should review the completed list and select the appropriate KRIs for implementation?
Question3: Which of We following is the MOST effective control to address the risk associated with compromising data privacy within the cloud?
Question4: Which of the following is MOST important for an organization to have in place when developing a risk management framework?
Question5: The BEST key performance indicator (KPI) to measure the effectiveness of a vendor risk management program is the percentage of:
Question6: An organization's internal audit department is considering the implementation of robotics process automation (RPA) to automate certain continuous auditing tasks. Who would own the risk associated with ineffective design of the software bots?
Question7: Which of the following should be the GREATEST concern for an organization that uses open source software applications?
Question8: Which of the following should be included in a risk assessment report to BEST facilitate senior management's understanding of the results?
Question9: Which of the following is the MOST important consideration when sharing risk management updates with executive management?
Question10: Which of the following will BEST support management repotting on risk?
Question11: The BEST way to improve a risk register is to ensure the register:
Question12: An organization's chief information officer (CIO) has proposed investing in a new. untested technology to take advantage of being first to market Senior management has concerns about the success of the project and has set a limit for expenditures before final approval. This conditional approval indicates the organization's risk:
Question13: During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:
Question14: Which of the following IT key risk indicators (KRIs) provides management with the BEST feedback on IT capacity?
Question15: To minimize risk in a software development project, when is the BEST time to conduct a risk analysis?
Question16: During the control evaluation phase of a risk assessment, it is noted that multiple controls are ineffective. Which of the following should be the risk practitioner's FIRST course of action?
Question17: Which of the following is MOST effective in continuous risk management process improvement?
Question18: Which of the following should be a risk practitioner's PRIMARY focus when tasked with ensuring organization records are being retained for a sufficient period of time to meet legal obligations?
Question19: The risk associated with an asset after controls are applied can be expressed as:
Question20: An organization has outsourced its billing function to an external service provider. Who should own the risk of customer data leakage caused by the service provider?
Question21: Which of the following facilitates a completely independent review of test results for evaluating control effectiveness?
Question22: Which of the following is the BEST way to identify changes to the risk landscape?
Question23: A risk owner should be the person accountable for:
Question24: Which of the following methods is an example of risk mitigation?
Question25: Which of the following should be the PRIMARY goal of developing information security metrics?
Question26: An organization has recently hired a large number of part-time employees. During the annual audit, it was discovered that many user IDs and passwords were documented in procedure manuals for use by the part-time employees. Which of the following BEST describes this situation?
Question27: What is the BEST information to present to business control owners when justifying costs related to controls?
Question28: Of the following, who should be responsible for determining the inherent risk rating of an application?
Question29: An organization has used generic risk scenarios to populate its risk register. Which of the following presents the GREATEST challenge to assigning of the associated risk entries?
Question30: From a risk management perspective, which of the following is the PRIMARY benefit of using automated system configuration validation tools?
Question31: An organization has provided legal text explaining the rights and expected behavior of users accessing a system from geographic locations that have strong privacy regulations. Which of the following control types has been applied?
Question32: Which of the following is MOST important to the effective monitoring of key risk indicators (KRIs)?
Question33: The PRIMARY goal of conducting a business impact analysis (BIA) as part of an overall continuity planning process is to:
Question34: Which of the following is MOST important for maintaining the effectiveness of an IT risk register?
Question35: Which of the following is a KEY responsibility of the second line of defense?
Question36: A maturity model is MOST useful to an organization when it:
Question37: An organization has introduced risk ownership to establish clear accountability for each process. To ensure effective risk ownership, it is MOST important that:
Question38: Which of the following is a KEY consideration for a risk practitioner to communicate to senior management evaluating the introduction of artificial intelligence (Al) solutions into the organization?
Question39: Which of the following is MOST important when developing key performance indicators (KPIs)?
Question40: Which of the following should be the FIRST consideration when a business unit wants to use personal information for a purpose other than for which it was originally collected?
Question41: Which of the following should an organization perform to forecast the effects of a disaster?
Question42: Which of the following should be the PRIMARY consideration when assessing the automation of control monitoring?
Question43: Which of the following is the PRIMARY reason to update a risk register with risk assessment results?
Question44: Which of the following BEST indicates that an organization has implemented IT performance requirements?
Question45: Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?
Question46: Which of the following is MOST important for a risk practitioner to consider when evaluating plans for changes to IT services?
Question47: An organization has recently updated its disaster recovery plan (DRP). Which of the following would be the GREATEST risk if the new plan is not tested?
Question48: Which of the following provides The BEST information when determining whether to accept residual risk of a critical system to be implemented?
Question49: Which of the following is MOST influential when management makes risk response decisions?
Question50: Implementing which of the following will BEST help ensure that systems comply with an established baseline before deployment?
Question51: Which of the following should be considered when selecting a risk response?
Question52: Which of the following is the BEST way to ensure ongoing control effectiveness?
Question53: Which type of cloud computing deployment provides the consumer the GREATEST degree of control over the environment?
Question54: Which of the following BEST enforces access control for an organization that uses multiple cloud technologies?
Question55: An organization's risk register contains a large volume of risk scenarios that senior management considers overwhelming. Which of the following would BEST help to improve the risk register?
Question56: Who should be PRIMARILY responsible for establishing an organization's IT risk culture?
Question57: A risk practitioner has identified that the organization's secondary data center does not provide redundancy for a critical application. Who should have the authority to accept the associated risk?
Question58: Senior management has asked a risk practitioner to develop technical risk scenarios related to a recently developed enterprise resource planning (ERP) system. These scenarios will be owned by the system manager. Which of the following would be the BEST method to use when developing the scenarios?
Question59: Which of the following is the MOST comprehensive resource for prioritizing the implementation of information systems controls?
Question60: Whose risk tolerance matters MOST when making a risk decision?
Question61: Print jobs containing confidential information are sent to a shared network printer located in a secure room. Which of the following is the BEST control to prevent the inappropriate disclosure of confidential information?
Question62: Which of the following would BEST enable a risk practitioner to embed risk management within the organization?
Question63: An internally developed payroll application leverages Platform as a Service (PaaS) infrastructure from the cloud. Who owns the related data confidentiality risk?
Question64: Which of the following is the MOST important enabler of effective risk management?
Question65: Which of the following is MOST important for developing effective key risk indicators (KRIs)?
Question66: Which of the following would be a risk practitioner's BEST recommendation upon learning of an updated cybersecurity regulation that could impact the organization?
Question67: Which of the following is the BEST approach to use when creating a comprehensive set of IT risk scenarios?
Question68: A control owner responsible for the access management process has developed a machine learning model to automatically identify excessive access privileges. What is the risk practitioner's BEST course of action?
Question69: The acceptance of control costs that exceed risk exposure MOST likely demonstrates:
Question70: Who should have the authority to approve an exception to a control?
Question71: Which of the following is the MOST important requirement for monitoring key risk indicators (KRls) using log analysis?
Question72: What is the GREATEST concern with maintaining decentralized risk registers instead of a consolidated risk register?
Question73: Which of the following is necessary to enable an IT risk register to be consolidated with the rest of the organization's risk register?
Question74: The BEST way to demonstrate alignment of the risk profile with business objectives is through:
Question75: To help identify high-risk situations, an organization should:
Question76: Which of the following is MOST important to the integrity of a security log?
Question77: Which of the following is the PRIMARY objective for automating controls?
Question78: Which of the following controls would BEST reduce the likelihood of a successful network attack through social engineering?
Question79: IT management has asked for a consolidated view into the organization's risk profile to enable project prioritization and resource allocation. Which of the following materials would be MOST helpful?
Question80: When reviewing a report on the performance of control processes, it is MOST important to verify whether the:
Question81: A risk practitioner shares the results of a vulnerability assessment for a critical business application with the business manager. Which of the following is the NEXT step?
Question82: Which of the following is the MOST important step to ensure regulatory requirements are adequately addressed within an organization?
Question83: Which of the following is MOST important to review when determining whether a potential IT service provider s control environment is effective?
Question84: A rule-based data loss prevention {DLP) tool has recently been implemented to reduce the risk of sensitive data leakage. Which of the following is MOST likely to change as a result of this implementation?
Question85: During implementation of an intrusion detection system (IDS) to monitor network traffic, a high number of alerts is reported. The risk practitioner should recommend to:
Question86: An organization has completed a risk assessment of one of its service providers. Who should be accountable for ensuring that risk responses are implemented?
Question87: Of the following, who is accountable for ensuing the effectiveness of a control to mitigate risk?
Question88: Which of the following is the MOST important objective of an enterprise risk management (ERM) program?
Question89: Which of the following can be used to assign a monetary value to risk?
Question90: Which of the following findings of a security awareness program assessment would cause the GREATEST concern to a risk practitioner?
Question91: After mapping generic risk scenarios to organizational security policies, the NEXT course of action should be to:
Question92: Which of the following would be- MOST helpful to understand the impact of a new technology system on an organization's current risk profile?
Question93: A cote data center went offline abruptly for several hours affecting many transactions across multiple locations. Which of the to" owing would provide the MOST useful information to determine mitigating controls?
Question94: The MAIN purpose of having a documented risk profile is to:
Question95: Which of the following would be the result of a significant increase in the motivation of a malicious threat actor?
Question96: Which of the following BEST contributes to the implementation of an effective risk response action plan?
Question97: Which of the following should be a risk practitioner s MOST important consideration when developing IT risk scenarios?
Question98: Which of the following is MOST important when conducting a post-implementation review as part of the system development life cycle (SDLC)?
Question99: Mapping open risk issues to an enterprise risk heat map BEST facilitates:
Question100: Which of the following practices would be MOST effective in protecting personality identifiable information (Ptl) from unauthorized access m a cloud environment?
Question101: Which of the following techniques would be used during a risk assessment to demonstrate to stakeholders that all known alternatives were evaluated?
Question102: What are the MOST important criteria to consider when developing a data classification scheme to facilitate risk assessment and the prioritization of risk mitigation activities?
Question103: Which of the following is the MAIN benefit of involving stakeholders in the selection of key risk indicators (KRIs)?
Question104: A risk practitioner has learned that an effort to implement a risk mitigation action plan has stalled due to lack of funding. The risk practitioner should report that the associated risk has been:
Question105: Which of the following would prompt changes in key risk indicator {KRI) thresholds?
Question106: Which of the following is the MOST important information to be communicated during security awareness training?
Question107: An unauthorized individual has socially engineered entry into an organization's secured physical premises. Which of the following is the BEST way to prevent future occurrences?
Question108: An organization has implemented a system capable of comprehensive employee monitoring. Which of the following should direct how the system is used?
Question109: An organization has decided to outsource a web application, and customer data will be stored in the vendor's public cloud. To protect customer data, it is MOST important to ensure which of the following?
Question110: An IT department has provided a shared drive for personnel to store information to which all employees have access. Which of the following parties is accountable for the risk of potential loss of confidential information?
Question111: The MOST effective way to increase the likelihood that risk responses will be implemented is to:
Question112: Read" rights to application files in a controlled server environment should be approved by the:
Question113: Which of the following is the BEST indication of the effectiveness of a business continuity program?
Question114: The PRIMARY reason to have risk owners assigned to entries in the risk register is to ensure:
Question115: A key risk indicator (KRI) indicates a reduction in the percentage of appropriately patched servers. Which of the following is the risk practitioner's BEST course of action?
Question116: Which of the following provides the MOST important information to facilitate a risk response decision?
Question117: A control owner has completed a year-long project To strengthen existing controls. It is MOST important for the risk practitioner to:
Question118: Which of the following would MOST effectively reduce risk associated with an increase of online transactions on a retailer website?
Question119: A risk practitioner has received an updated enterprise risk management (ERM) report showing that residual risk is now within the organization's defined appetite and tolerance levels. Which of the following is the risk practitioner's BEST course of action?
Question120: Which of the following is the BEST course of action to reduce risk impact?
Question121: Which of the following BEST indicates the effectiveness of anti-malware software?
Question122: Which of the following will BEST support management reporting on risk?
Question123: Which of the following key risk indicators (KRIs) is MOST effective for monitoring risk related to a bring your own device (BYOD) program?
Question124: An organization moved its payroll system to a Software as a Service (SaaS) application. A new data privacy regulation stipulates that data can only be processed within the country where it is collected. Which of the following should be done FIRST when addressing this situation?
Question125: Which of The following is the MOST relevant information to include in a risk management strategy?
Question126: Which of the following statements in an organization's current risk profile report is cause for further action by senior management?
Question127: While evaluating control costs, management discovers that the annual cost exceeds the annual loss expectancy (ALE) of the risk. This indicates the:
Question128: To implement the MOST effective monitoring of key risk indicators (KRIs), which of the following needs to be in place?
Question129: The MOST important reason to aggregate results from multiple risk assessments on interdependent information systems is to:
Question130: An organization is increasingly concerned about loss of sensitive data and asks the risk practitioner to assess the current risk level. Which of the following should the risk practitioner do FIRST?
Question131: What should a risk practitioner do FIRST when vulnerability assessment results identify a weakness in an application?
Question132: Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation?
Question133: Which of the following activities is PRIMARILY the responsibility of senior management?
Question134: What can be determined from the risk scenario chart?

Question135: Which of the following is MOST important when considering risk in an enterprise risk management (ERM) process?
Question136: Which of the following is a KEY outcome of risk ownership?
Question137: Which of the following BEST mitigates the risk of sensitive personal data leakage from a software development environment?
Question138: Which of the following roles would provide the MOST important input when identifying IT risk scenarios?
Question139: Which of the following is the MOST important characteristic of an effective risk management program?
Question140: Which of the following BEST enables the identification of trends in risk levels?
Question141: Which of the following is the GREATEST benefit of analyzing logs collected from different systems?
Question142: Which of the following will BEST help to ensure key risk indicators (KRIs) provide value to risk owners?
Question143: Which of the following sources is MOST relevant to reference when updating security awareness training materials?
Question144: Which of the following is the PRIMARY factor in determining a recovery time objective (RTO)?
Question145: Vulnerabilities have been detected on an organization's systems. Applications installed on these systems will not operate if the underlying servers are updated. Which of the following is the risk practitioner's BEST course of action?
Question146: A risk practitioner has observed that there is an increasing trend of users sending sensitive information by email without using encryption. Which of the following would be the MOST effective approach to mitigate the risk associated with data loss?
Question147: Which of the following BEST supports ethical IT risk management practices?
Question148: Which of the following is the PRIMARY reason for conducting peer reviews of risk analysis?
Question149: Which of the following provides the MOST useful information when determining if a specific control should be implemented?
Question150: Which of the following is the MOST important consideration when developing risk strategies?
Question151: The PRIMARY purpose of a maturity model is to compare the:
Question152: Who is MOST likely to be responsible for the coordination between the IT risk strategy and the business risk strategy?
Question153: Which of the following would MOST likely require a risk practitioner to update the risk register?
Question154: An organization's risk practitioner learns a new third-party system on the corporate network has introduced vulnerabilities that could compromise corporate IT systems. What should the risk practitioner do FIRST?
Question155: Which of the following BEST indicates the risk appetite and tolerance level (or the risk associated with business interruption caused by IT system failures?
Question156: It is MOST important to the effectiveness of an IT risk management function that the associated processes are:
Question157: Which of these documents is MOST important to request from a cloud service provider during a vendor risk assessment?
Question158: Which of the following should be the MOST important consideration for senior management when developing a risk response strategy?
Question159: Which of the following is the MOST effective way to mitigate identified risk scenarios?
Question160: In which of the following system development life cycle (SDLC) phases should controls be incorporated into system specifications?
Question161: A management team is on an aggressive mission to launch a new product to penetrate new markets and overlooks IT risk factors, threats, and vulnerabilities. This scenario BEST demonstrates an organization's risk:
Question162: The MAIN goal of the risk analysis process is to determine the:
Question163: A risk practitioner has been notified that an employee sent an email in error containing customers' personally identifiable information (Pll). Which of the following is the risk practitioner's BEST course of action?
Question164: An organization has raised the risk appetite for technology risk. The MOST likely result would be:
Question165: A PRIMARY function of the risk register is to provide supporting information for the development of an organization's risk:
Question166: Which of the following issues should be of GREATEST concern when evaluating existing controls during a risk assessment?
Question167: Which of the following is MOST effective against external threats to an organizations confidential information?
Question168: Which of the following is MOST important when developing risk scenarios?
Question169: Key risk indicators (KRIs) are MOST useful during which of the following risk management phases?
Question170: What is MOST important for the risk practitioner to understand when creating an initial IT risk register?
Question171: Which of the following is the MOST important benefit of key risk indicators (KRIs)'
Question172: Which of the following is the BEST way to determine software license compliance?
Question173: Which of the following is the PRIMARY purpose of periodically reviewing an organization's risk profile?
Question174: An organization has identified a risk exposure due to weak technical controls in a newly implemented HR system. The risk practitioner is documenting the risk in the risk register. The risk should be owned by the:
Question175: Which of the following tools is MOST effective in identifying trends in the IT risk profile?
Question176: Which of the following should be management's PRIMARY consideration when approving risk response action plans?
Question177: Which of the following is the BEST indicator of the effectiveness of IT risk management processes?
Question178: Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?
Question179: A risk practitioner observes that the fraud detection controls in an online payment system do not perform as expected. Which of the following will MOST likely change as a result?
Question180: Effective risk communication BEST benefits an organization by:
Question181: The MOST important reason to monitor key risk indicators (KRIs) is to help management:
Question182: Which of the following is the BEST indicator of the effectiveness of a control monitoring program?
Question183: To help ensure all applicable risk scenarios are incorporated into the risk register, it is MOST important to review the:
Question184: Which of the following is the MOST important consideration when performing a risk assessment of a fire suppression system within a data center?
Question185: Which of the following would be considered a vulnerability?
Question186: Which of the following will be the GREATEST concern when assessing the risk profile of an organization?
Question187: Which of the following is MOST critical to the design of relevant risk scenarios?
Question188: Which of the following should be done FIRST when developing a data protection management plan?
Question189: Which of the following is the MOST important responsibility of a risk owner?
Question190: Which of the following is the MOST effective way to help ensure an organization's current risk scenarios are relevant?
Question191: Which of the following is the MOST effective way to integrate risk and compliance management?
Question192: An organization automatically approves exceptions to security policies on a recurring basis. This practice is MOST likely the result of:
Question193: Which of the following is the BEST control to minimize the risk associated with scope creep in software development?
Question194: During an acquisition, which of the following would provide the MOST useful input to the parent company's risk practitioner when developing risk scenarios for the post-acquisition phase?
Question195: A newly enacted information privacy law significantly increases financial penalties for breaches of personally identifiable information (Pll). Which of the following will MOST likely outcome for an organization affected by the new law?
Question196: Before assigning sensitivity levels to information it is MOST important to:
Question197: Which of the following is MOST important for a risk practitioner to ensure once a risk action plan has been completed?
Question198: A financial institution has identified high risk of fraud in several business applications. Which of the following controls will BEST help reduce the risk of fraudulent internal transactions?
Question199: Participants in a risk workshop have become focused on the financial cost to mitigate risk rather than choosing the most appropriate response. Which of the following is the BEST way to address this type of issue in the long term?
Question200: A risk manager has determined there is excessive risk with a particular technology. Who is the BEST person to own the unmitigated risk of the technology?
Question201: While reviewing an organization's monthly change management metrics, a risk practitioner notes that the number of emergency changes has increased substantially Which of the following would be the BEST approach for the risk practitioner to take?
Question202: For no apparent reason, the time required to complete daily processing for a legacy application is approaching a risk threshold. Which of the following activities should be performed FIRST?
Question203: Which of the following is the MOST important factor affecting risk management in an organization?
Question204: An organization is considering allowing users to access company data from their personal devices. Which of the following is the MOST important factor when assessing the risk?
Question205: Mitigating technology risk to acceptable levels should be based PRIMARILY upon:
Question206: A contract associated with a cloud service provider MUST include:
Question207: A software developer has administrative access to a production application. Which of the following should be of GREATEST concern to a risk practitioner?
Question208: The PRIMARY reason a risk practitioner would be interested in an internal audit report is to:
Question209: Which of the following would be MOST useful when measuring the progress of a risk response action plan?
Question210: Which of the following trends would cause the GREATEST concern regarding the effectiveness of an organization's user access control processes? An increase in the:
Question211: Which of the following should be the risk practitioner s FIRST course of action when an organization has decided to expand into new product areas?
Question212: Which of the following is the FIRST step in risk assessment?
Question213: The PRIMARY reason for prioritizing risk scenarios is to:
Question214: A large organization needs to report risk at all levels for a new centralized visualization project to reduce cost and improve performance. Which of the following would MOST effectively represent the overall risk of the project to senior management?
Question215: Which of the following is the MOST important foundational element of an effective three lines of defense model for an organization?
Question216: A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner's NEXT step?
Question217: Which of the following is MOST important to have in place to ensure the effectiveness of risk and security metrics reporting?
Question218: To reduce the risk introduced when conducting penetration tests, the BEST mitigating control would be to:
Question219: When reviewing the business continuity plan (BCP) of an online sales order system, a risk practitioner notices that the recovery time objective (RTO) has a shorter lime than what is defined in the disaster recovery plan (DRP). Which of the following is the BEST way for the risk practitioner to address this concern?
Question220: Which of the following provides the BEST evidence that risk mitigation plans have been implemented effectively?
Question221: During a risk assessment, a key external technology supplier refuses to provide control design and effectiveness information, citing confidentiality concerns. What should the risk practitioner do NEXT?
Question222: Which of the following is PRIMARILY a risk management responsibly of the first line of defense?
Question223: Which of the following is the MOST important concern when assigning multiple risk owners for an identified risk?
Question224: A recent internal risk review reveals the majority of core IT application recovery time objectives (RTOs) have exceeded the maximum time defined by the business application owners. Which of the following is MOST likely to change as a result?
Question225: Which of the following is the BEST method for assessing control effectiveness against technical vulnerabilities that could be exploited to compromise an information system?
Question226: Which of the following will BEST help in communicating strategic risk priorities?
Question227: Which of the following conditions presents the GREATEST risk to an application?
Question228: A risk practitioner observes that hardware failure incidents have been increasing over the last few months. However, due to built-in redundancy and fault-tolerant architecture, there have been no interruptions to business operations. The risk practitioner should conclude that:
Question229: After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:
Question230: A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security. Which of the following observations would be MOST relevant to escalate to senior management?
Question231: When reviewing management's IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?
Question232: Which of the following would be the GREATEST challenge when implementing a corporate risk framework for a global organization?
Question233: Which of the following is the BEST recommendation to senior management when the results of a risk and control assessment indicate a risk scenario can only be partially mitigated?
Question234: The PRIMARY benefit of using a maturity model is that it helps to evaluate the:
Question235: A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?
Question236: Which of the following should a risk practitioner do FIRST when an organization decides to use a cloud service?
Question237: During testing, a risk practitioner finds the IT department's recovery time objective (RTO) for a key system does not align with the enterprise's business continuity plan (BCP). Which of the following should be done NEXT?
Question238: IT disaster recovery point objectives (RPOs) should be based on the:
Question239: A monthly payment report is generated from the enterprise resource planning (ERP) software to validate data against the old and new payroll systems. What is the BEST way to mitigate the risk associated with data integrity loss in the new payroll system after data migration?
Question240: Which of the following is MOST helpful in providing an overview of an organization's risk management program?
Question241: A business unit is implementing a data analytics platform to enhance its customer relationship management (CRM) system primarily to process data that has been provided by its customers. Which of the following presents the GREATEST risk to the organization's reputation?
Question242: Which of the following would be a risk practitioner's GREATEST concern with the use of a vulnerability scanning tool?
Question243: An organization's control environment is MOST effective when
Question244: Which of the following provides the BEST measurement of an organization's risk management maturity level?
Question245: Prior to selecting key performance indicators (KPIs), itis MOST important to ensure:
Question246: Which of the following BEST confirms the existence and operating effectiveness of information systems controls?
Question247: Which of the following is the MOST important element of a successful risk awareness training program?
Question248: Which of the following is MOST helpful to review when identifying risk scenarios associated with the adoption of Internet of Things (loT) technology in an organization?
Question249: The MAIN purpose of a risk register is to:
Question250: Which of the following is the GREATEST concern associated with redundant data in an organization's inventory system?
Question251: A company has recently acquired a customer relationship management (CRM) application from a certified software vendor. Which of the following will BE ST help lo prevent technical vulnerabilities from being exploded?
Question252: A risk practitioner notices that a particular key risk indicator (KRI) has remained below its established trigger point for an extended period of time. Which of the following should be done FIRST?
Question253: Which of the following is MOST critical when designing controls?
Question254: An organization's risk tolerance should be defined and approved by which of the following?
Question255: Which of the following is the GREATEST risk associated with an environment that lacks documentation of the architecture?
Question256: The design of procedures to prevent fraudulent transactions within an enterprise resource planning (ERP) system should be based on:
Question257: A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:
Question258: Which of the following provides the MOST useful information when developing a risk profile for management approval?
Question259: Which of tie following is We MOST important consideration when implementing ethical remote work monitoring?
Question260: During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall. Which of the following controls has MOST likely been compromised?
Question261: Which of the following is the MOST effective way to integrate business risk management with IT operations?
Question262: A risk assessment indicates the residual risk associated with a new bring your own device (BYOD) program is within organizational risk tolerance. Which of the following should the risk practitioner recommend be done NEXT?
Question263: Which of the following will BEST help an organization select a recovery strategy for critical systems?
Question264: Which of the following would be a risk practitioner'$ BEST recommendation to help ensure cyber risk is assessed and reflected in the enterprise-level risk profile?
Question265: A change management process has recently been updated with new testing procedures. What is the NEXT course of action?
Question266: Which of the following would BEST enable mitigation of newly identified risk factors related to internet of Things (loT)?
Question267: Which of the following is the BEST evidence that risk management is driving business decisions in an organization?
Question268: A risk practitioner recently discovered that sensitive data from the production environment is required for testing purposes in non-production environments. Which of the following i the BEST recommendation to address this situation?
Question269: In order to determining a risk is under-controlled the risk practitioner will need to
Question270: An effective control environment is BEST indicated by controls that:
Question271: The PRIMARY benefit of conducting continuous monitoring of access controls is the ability to identify:
Question272: What should a risk practitioner do FIRST upon learning a risk treatment owner has implemented a different control than what was specified in the IT risk action plan?
Question273: A deficient control has been identified which could result in great harm to an organization should a low frequency threat event occur. When communicating the associated risk to senior management the risk practitioner should explain:
Question274: Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?
Question275: Which of the following is a risk practitioner's MOST important responsibility in managing risk acceptance that exceeds risk tolerance?
Question276: Which of the following would BEST facilitate the implementation of data classification requirements?
Question277: What should be the PRIMARY driver for periodically reviewing and adjusting key risk indicators (KRIs)?
Question278: Which of the following is the FIRST step when conducting a business impact analysis (BIA)?
Question279: When reviewing a business continuity plan (BCP). which of the following would be the MOST significant deficiency?
Question280: Which of the following is the MOST common concern associated with outsourcing to a service provider?
Question281: Which of the following would be MOST relevant to stakeholders regarding ineffective control implementation?
Question282: Which of the following BEST indicates that an organizations risk management program is effective?
Question283: Which of the following would BEST help an enterprise prioritize risk scenarios?
Question284: Analyzing trends in key control indicators (KCIs) BEST enables a risk practitioner to proactively identify impacts on an organization's:
Question285: The PRIMARY advantage of implementing an IT risk management framework is the:
Question286: A new regulator/ requirement imposes severe fines for data leakage involving customers' personally identifiable information (Pll). The risk practitioner has recommended avoiding the risk. Which of the following actions would BEST align with this recommendation?
Question287: Which of the following is the MOST important objective of establishing an enterprise risk management (ERM) function within an organization?
Question288: Who should be accountable for monitoring the control environment to ensure controls are effective?
Question289: An organization has outsourced its lease payment process to a service provider who lacks evidence of compliance with a necessary regulatory standard. Which risk treatment was adopted by the organization?
Question290: An organization has outsourced a critical process involving highly regulated data to a third party with servers located in a foreign country. Who is accountable for the confidentiality of this data?
Question291: Which of the following is the BEST key performance indicator (KPI) to measure the maturity of an organization's security incident handling process?
Question292: When establishing leading indicators for the information security incident response process it is MOST important to consider the percentage of reported incidents:
Question293: An organization outsources the processing of us payroll data A risk practitioner identifies a control weakness at the third party trial exposes the payroll dat a. Who should own this risk?
Question294: An IT department originally planned to outsource the hosting of its data center at an overseas location to reduce operational expenses. After a risk assessment, the department has decided to keep the data center in-house. How should the risk treatment response be reflected in the risk register?
Question295: A multinational organization is considering implementing standard background checks to' all new employees A KEY concern regarding this approach
Question296: Which of the following should be determined FIRST when a new security vulnerability is made public?
Question297: Which of the following would MOST likely result in updates to an IT risk appetite statement?
Question298: Which of the following statements BEST illustrates the relationship between key performance indicators (KPIs) and key control indicators (KCIs)?
Question299: Which of the following is the BEST course of action to help reduce the probability of an incident recurring?
Question300: Management has noticed storage costs have increased exponentially over the last 10 years because most users do not delete their emails. Which of the following can BEST alleviate this issue while not sacrificing security?
Question301: Which of the following is performed after a risk assessment is completed?
Question302: Which of the following poses the GREATEST risk to an organization's operations during a major it transformation?
Question303: Risk management strategies are PRIMARILY adopted to:
Question304: Which of the following BEST represents a critical threshold value for a key control indicator (KCI)?
Question305: After a risk has been identified, who is in the BEST position to select the appropriate risk treatment option?
Question306: When developing a risk awareness training program, which of the following training topics would BEST facilitate a thorough understanding of risk scenarios?
Question307: Which of the following is the GREATEST benefit of identifying appropriate risk owners?
Question308: An organization control environment is MOST effective when:
Question309: A risk practitioner is organizing a training session lo communicate risk assessment methodologies to ensure a consistent risk view within the organization Which of the following i< the MOST important topic to cover in this training?
Question310: Which of the following is a drawback in the use of quantitative risk analysis?
Question311: Which of the following is the MOST appropriate key risk indicator (KRI) for backup media that is recycled monthly?
Question312: A global organization is planning to collect customer behavior data through social media advertising. Which of the following is the MOST important business risk to be considered?
Question313: Which of the following BEST describes the role of the IT risk profile in strategic IT-related decisions?
Question314: When an organization's disaster recovery plan (DRP) has a reciprocal agreement, which of the following risk treatment options is being applied?
Question315: Reviewing which of the following provides the BEST indication of an organizations risk tolerance?
Question316: The MOST important objective of information security controls is to:
Question317: Who is BEST suited to determine whether a new control properly mitigates data loss risk within a system?
Question318: Which of the following is the MOST important consideration when determining whether to accept residual risk after security controls have been implemented on a critical system?
Question319: Which of the following is the BEST way to assess the effectiveness of an access management process?
Question320: Which of the following is the BEST method of creating risk awareness in an organization?
Question321: Which of the following would MOST likely cause a risk practitioner to change the likelihood rating in the risk register?
Question322: After migrating a key financial system to a new provider, it was discovered that a developer could gain access to the production environment. Which of the following is the BEST way to mitigate the risk in this situation?
Question323: An organization delegates its data processing to the internal IT team to manage information through its applications. Which of the following is the role of the internal IT team in this situation?
Question324: The MOST important characteristic of an organization s policies is to reflect the organization's:
Question325: Following an acquisition, the acquiring company's risk practitioner has been asked to update the organization's IT risk profile What is the MOST important information to review from the acquired company to facilitate this task?
Question326: Which of the following is the BEST way to help ensure risk will be managed properly after a business process has been re-engineered?
Question327: A third-party vendor has offered to perform user access provisioning and termination. Which of the following control accountabilities is BEST retained within the organization?
Question328: Which of the following approaches would BEST help to identify relevant risk scenarios?
Question329: Which of the following is the BEST evidence that a user account has been properly authorized?
Question330: The risk appetite for an organization could be derived from which of the following?
Question331: Which of the following approaches to bring your own device (BYOD) service delivery provides the BEST protection from data loss?
Question332: An organization with a large number of applications wants to establish a security risk assessment program. Which of the following would provide the MOST useful information when determining the frequency of risk assessments?
Question333: Malware has recently affected an organization, The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:
Question334: Accountability for a particular risk is BEST represented in a:
Question335: An organization is considering adopting artificial intelligence (AI). Which of the following is the risk practitioner's MOST important course of action?
Question336: A business manager wants to leverage an existing approved vendor solution from another area within the organization. Which of the following is the risk practitioner's BEST course of action?
Question337: Which of the following is the MOST important consideration when identifying stakeholders to review risk scenarios developed by a risk analyst? The reviewers are: