Question1: Which of the following findings of a security awareness program assessment would cause the GREATEST concern to a risk practitioner?
Question2: Which of the following would be MOST useful when measuring the progress of a risk response action plan?
Question3: When developing a business continuity plan (BCP), it is MOST important to:
Question4: Which of the following is the MOST important data source for monitoring key risk indicators (KRIs)?
Question5: The MOST important objective of information security controls is to:
Question6: You are the project manager of your enterprise. You have introduced an intrusion detection system for the control. You have identified a warning of violation of security policies of your enterprise. What type of control is an intrusion detection system (IDS)?
Question7: Which of the following is the BEST course of action to help reduce the probability of an incident recurring?
Question8: Which of the following processes is described in the statement below?
"It is the process of exchanging information and views about risks among stakeholders, such as groups, individuals, and institutions."
Question9: Which of the following control is used to ensure that users have the rights and permissions they need to perform their jobs, and no more?
Question10: The only output of qualitative risk analysis is risk register updates. When the project manager updates the risk register he will need to include several pieces of information including all of the following except for which one?
Question11: Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?
Question12: You are working in an enterprise. Assuming that your enterprise periodically compares finished goods inventory levels to the perpetual inventories in its ERP system. What kind of information is being provided by the lack of any significant differences between perpetual levels and actual levels?
Question13: Which of the following is the GREATEST benefit to an organization when updates to the risk register are made promptly after the completion of a risk assessment?
Question14: A trusted third party service provider has determined that the risk of a client's systems being hacked is low.
Which of the following would be the client's BEST course of action?
Question15: An interruption in business productivity is considered as which of the following risks?
Question16: After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment?

Question17: You are the project manager of GHT project. You and your team have developed risk responses for those risks with the highest threat to or best opportunity for the project objectives. What are the immediate steps you should follow, after planning for risk response process? Each correct answer represents a complete solution. Choose three.
Question18: Which of the following is the PRIMARY role of the board of directors in corporate risk governance?
Question19: You are an experienced Project Manager that has been entrusted with a project to develop a machine which produces auto components. You have scheduled meetings with the project team and the key stakeholders to identify the risks for your project. Which of the following is a key output of this process?
Question20: A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?
Question21: Which of the following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system?
Question22: After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment?

Question23: Harry is the project manager of HDW project. He has identified a risk that could injure project team members. He does not want to accept any risk where someone could become injured on this project so he hires a professional vendor to complete this portion of the project work. What type of risk response is Harry implementing?
Question24: A risk practitioner recently discovered that sensitive data from the production environment is required for testing purposes in non-production environments. Which of the following is the BEST recommendation to address this situation?
Question25: David is the project manager of the HRC Project. He has identified a risk in the project, which could cause the delay in the project. David does not want this risk event to happen so he takes few actions to ensure that the risk event will not happen. These extra steps, however, cost the project an additional $10,000.
What type of risk response has David adopted?
Question26: An organizations chief technology officer (CTO) has decided to accept the risk associated with the potential loss from a denial-of-service (DoS) attack. In this situation, the risk practitioner's BEST course of action is to:
Question27: Which of the following management action will MOST likely change the likelihood rating of a risk scenario related to remote network access?
Question28: The PRIMARY benefit of using a maturity model is that it helps to evaluate the:
Question29: After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment?

Question30: Which of the following will BEST help to ensure the continued effectiveness of the IT risk management function within an organization experiencing high employee turnover?
Question31: An internal audit report reveals that not all IT application databases have encryption in place. Which of the following information would be MOST important for assessing the risk impact?
Question32: Which of the following is the BEST approach when a risk practitioner has been asked by a business unit manager for special consideration during a risk assessment of a system?
Question33: What type of policy would an organization use to forbid its employees from using organizational e-mail for personal use?
Question34: Which of the following approaches to bring your own device (BYOD) service delivery provides the BEST protection from data loss?
Question35: Mary is a project manager in her organization. On her current project she is working with her project team and other key stakeholders to identify the risks within the project. She is currently aiming to create a comprehensive list of project risks so she is using a facilitator to help generate ideas about project risks. What risk identification method is Mary likely using?
Question36: Which of the following is the MOST important objective of regularly presenting the project risk register to the project steering committee?
Question37: An organization has granted a vendor access to its data in order to analyze customer behavior. Which of the following would be the MOST effective control to mitigate the risk of customer data leakage?
Question38: The compensating control that MOST effectively addresses the risk associated with piggybacking into a restricted area without a dead-man door is:
Question39: Stephen is the project manager of the GBB project. He has worked with two subject matter experts and his project team to complete the risk assessment technique. There are approximately 47 risks that have a low probability and a low impact on the project. Which of the following answers best describes what Stephen should do with these risk events?
Question40: While developing obscure risk scenarios, what are the requirements of the enterprise?
Each correct answer represents a part of the solution. Choose two.
Question41: Which of the following is MOST important to ensure when continuously monitoring the performance of a client-facing application?
Question42: Which of the following is the BEST way to determine the ongoing efficiency of control processes?
Question43: A risk practitioner has been notified that an employee sent an email in error containing customers' personally identifiable information (Pll). Which of the following is the risk practitioner's BEST course of action?
Question44: The BEST control to mitigate the risk associated with project scope creep is to:
Question45: Which of the following IT controls is MOST useful in mitigating the risk associated with inaccurate data?
Question46: A risk practitioner notices a risk scenario associated with data loss at the organization's cloud provider is assigned to the provider. Who should the risk scenario be reassigned to?
Question47: You work as a project manager for SoftTech Inc. You are working with the project stakeholders to begin the qualitative risk analysis process. Which of the following inputs will be needed for the qualitative risk analysis process in your project?
Each correct answer represents a complete solution. (Choose three.)
Question48: Which of the following is the BEST way to detect zero-day malware on an end user's workstation?
Question49: Which of the following provides an organization with the MOST insight with regard to operational readiness associated with risk?
Question50: Which of the following is the process of numerically analyzing the effects of identified risks on the overall enterprise's objectives?
Question51: Which of the following is MOST important when developing key risk indicators (KRIs)?
Question52: Which of the following is the BEST method for discovering high-impact risk types?
Question53: Which of the following would prompt changes in key risk indicator (KRI) thresholds?
Question54: When determining which control deficiencies are most significant, which of the following would provide the MOST useful information?
Question55: The MOST important reason to aggregate results from multiple risk assessments on interdependent information systems is to:
Question56: Using which of the following one can produce comprehensive result while performing qualitative risk analysis?
Question57: Ben works as a project manager for the MJH Project. In this project, Ben is preparing to identify stakeholders so he can communicate project requirements, status, and risks. Ben has elected to use a salience model as part of his stakeholder identification process. Which of the following activities best describes a salience model?
Question58: The PRIMARY reason for periodic penetration testing of Internet-facing applications is to:
Question59: You are the IT manager in Bluewell Inc. You identify a new regulation for safeguarding the information processed by a specific type of transaction. What would be the FIRST action you will take?
Question60: The PRIMARY reason, a risk practitioner would be interested in an internal audit report is to:
Question61: A part of a project deals with the hardware work. As a project manager, you have decided to hire a company to deal with all hardware work on the project. Which type of risk response is this?
Question62: Which of the following is MOST critical when designing controls?
Question63: Periodically reviewing and updating a risk register with details on identified risk factors PRIMARILY helps to:
Question64: What is the process for selecting and implementing measures to impact risk called?
Question65: Which is the MOST important parameter while selecting appropriate risk response?
Question66: Which of the following characteristics of risk controls can be defined as under?
"The separation of controls in the production environment rather than the separation in the design and implementation of the risk"
Question67: A risk practitioners PRIMARY focus when validating a risk response action plan should be that risk response:
Question68: Which of the following are the principles of risk management?
Each correct answer represents a complete solution. Choose three.
Question69: It is MOST important to the effectiveness of an IT risk management function that the associated processes are:
Question70: An organization is considering outsourcing user administration controls for a critical system. The potential vendor has offered to perform quarterly self-audits of its controls instead of having annual independent audits.
Which of the following should be of GREATEST concern to the risk practitioner?
Question71: Which of the following could BEST detect an in-house developer inserting malicious functions into a web-based application?
Question72: While considering entity-based risks, which dimension of the COSO ERM framework is being referred?
Question73: Which of the following is the PRIMARY reason for a risk practitioner to use global standards related to risk management?
Question74: The head of a business operations department asks to review the entire IT risk register. Which of the following would be the risk manager s BEST approach to this request before sharing the register?
Question75: The number of tickets to rework application code has significantly exceeded the established threshold.
Which of the following would be the risk practitioner's BEST recommendation?
Question76: You are the project manager of the NGQQ Project for your company. To help you communicate project status to your stakeholders, you are going to create a stakeholder register. All of the following information should be included in the stakeholder register except for which one?
Question77: The best way to test the operational effectiveness of a data backup procedure is to:
Question78: Your project team has completed the quantitative risk analysis for your project work. Based on their findings, they need to update the risk register with several pieces of information. Which one of the following components is likely to be updated in the risk register based on their analysis?
Question79: An organization is analyzing the risk of shadow IT usage. Which of the following is the MOST important input into the assessment?
Question80: Which of the following is an acceptable method for handling positive project risk?
Question81: The PRIMARY objective for requiring an independent review of an organizations IT risk management process should be to:
Question82: Which of the following should be done FIRST when a new risk scenario has been identified?
Question83: You work as a project manager for BlueWell Inc. Management has asked you to work with the key project stakeholder to analyze the risk events you have identified in the project. They would like you to analyze the project risks with a goal of improving the project's performance as a whole. What approach can you use to achieve this goal of improving the project's performance through risk analysis with your project stakeholders?
Question84: Which of the following BEST measures the impact of business interruptions caused by an IT service outage?
Question85: Risks to an organization's image are referred to as what kind of risk?
Question86: Which of the following is the BEST way to validate the results of a vulnerability assessment?
Question87: Which of the following should be the risk practitioner s PRIMARY focus when determining whether controls are adequate to mitigate risk?
Question88: David is the project manager of the HRC Project. He has identified a risk in the project, which could cause the delay in the project. David does not want this risk event to happen so he takes few actions to ensure that the risk event will not happen. These extra steps, however, cost the project an additional $10,000. What type of risk response has David adopted?
Question89: Which of the following is the MOST important consideration when identifying stakeholders to review risk scenarios developed by a risk analyst? The reviewers are:
Question90: Which of the following are parts of SWOT Analysis?
Each correct answer represents a complete solution. (Choose four.)
Question91: A risk owner has identified a risk with high impact and very low likelihood. The potential loss is covered by insurance. Which of the following should the risk practitioner do NEXT?
Question92: Business areas within an organization have engaged various cloud service providers directly without assistance from the IT department. What should the risk practitioner do?
Question93: Tom works as a project manager for BlueWell Inc. He is determining which risks can affect the project. Which of the following inputs of the identify risks process is useful in identifying risks, and provides a quantitative assessment of the likely cost to complete the scheduled activities?
Question94: What are the functions of the auditor while analyzing risk?
Each correct answer represents a complete solution. Choose three.
Question95: Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?
Question96: Which of the following is the MOST important component in a risk treatment plan?
Question97: During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:
Question98: Which of the following is the first MOST step in the risk assessment process?
Question99: Which negative risk response usually has a contractual agreement?
Question100: Which of the following data would be used when performing a business impact analysis (BIA)?
Question101: A large organization needs to report risk at all levels for a new centralized visualization project to reduce cost and improve performance. Which of the following would MOST effectively represent the overall risk of the project to senior management?
Question102: The MAIN reason for creating and maintaining a risk register is to:
Question103: Which of the following would BEST help to ensure that suspicious network activity is identified?
Question104: Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited.
Which of the following would be the BEST response to this scenario?
Question105: Which of the following would be considered a vulnerability?
Question106: Which of the following is the BEST metric to demonstrate the effectiveness of an organization's change management process?
Question107: A risk practitioner has become aware of production data being used in a test environment. Which of the following should be the practitioner's PRIMARY concern?
Question108: Which of the following BEST indicates effective information security incident management?
Question109: You are the risk professional of your enterprise. Your enterprise has introduced new systems in many departments. The business requirements that were to be addressed by the new system are still unfulfilled, and the process has been a waste of resources. Even if the system is implemented, it will most likely be underutilized and not maintained making it obsolete in a short period of time. What kind of risk is it?
Question110: What is MOST important for the risk practitioner to understand when creating an initial IT risk register?
Question111: Which of the following is MOST important to the integrity of a security log?
Question112: Which of the following should be the FIRST consideration when a business unit wants to use personal information for a purpose other than for which it was originally collected?
Question113: Which of these documents is MOST important to request from a cloud service provider during a vendor risk assessment?
Question114: A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:
Question115: Which of the following should be of MOST concern to a risk practitioner reviewing an organization risk register after the completion of a series of risk assessments?
Question116: The BEST way to determine the likelihood of a system availability risk scenario is by assessing the:
Question117: Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data?
Question118: Which among the following acts as a trigger for risk response process?
Question119: You are the project manager of GRT project. You discovered that by bringing on more qualified resources or by providing even better quality than originally planned, could result in reducing the amount of time required to complete the project. If your organization seizes this opportunity it would be an example of what risk response?
Question120: Which of the following is the GREATEST risk associated with the use of data analytics?
Question121: Which of the following techniques examines the degree to which organizational strengths offset threats and opportunities that may serve to overcome weaknesses?
Question122: You are a project manager for your organization and you're working with four of your key stakeholders. One of the stakeholders is confused as to why you're not discussing the current problem in the project during the risk identification meeting. Which one of the following statements best addresses when a project risk actually happens?
Question123: Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data?
Question124: Which of the following should be the PRIMARY objective of promoting a risk-aware culture within an organization?
Question125: Which of the following should be the FIRST consideration when a business unit wants to use personal information for a purpose other than for which it was originally collected?
Question126: The MAIN goal of the risk analysis process is to determine the:
Question127: One of the risk events you've identified is classified as force majeure. What risk response is likely to be used?
Question128: Which of the following is the process of numerically analyzing the effects of identified risks on the overall enterprise's objectives?
Question129: Which of the following controls do NOT come under technical class of control?
Question130: You are working in an enterprise. Your enterprise owned various risks. Which among the following is MOST likely to own the risk to an information system that supports a critical business process?
Question131: Which of the following should be the PRIMARY input when designing IT controls?
Question132: A risk practitioner has received an updated enterprise risk management (ERM) report showing that residual risk is now within the organization's defined appetite and tolerance levels. Which of the following is the risk practitioner's BEST course of action?
Question133: You are preparing to complete the quantitative risk analysis process with your project team and several subject matter experts. You gather the necessary inputs including the project's cost management plan.
Why is it necessary to include the project's cost management plan in the preparation for the quantitative risk analysis process?
Question134: An organization has recently hired a large number of part-time employees. During the annual audit, it was discovered that many user IDs and passwords were documented in procedure manuals for use by the part- time employees. This situation would be considered:
Question135: In which of the following risk management capability maturity levels does the enterprise takes major business decisions considering the probability of loss and the probability of reward? Each correct answer represents a complete solution. Choose two.
Question136: The MAIN reason for creating and maintaining a risk register is to:
Question137: Which of the following is the MOST important consideration when determining whether to accept residual risk after security controls have been implemented on a critical system?
Question138: Which of the following components ensures that risks are examined for all new proposed change requests in the change control system?
Question139: Which of the following is the PRIMARY objective for automating controls?
Question140: What are the PRIMARY requirements for developing risk scenarios?
Each correct answer represents a part of the solution. Choose two.
Question141: Which of the following role carriers is accounted for analyzing risks, maintaining risk profile, and risk-aware decisions?
Question142: What is the FIRST phase of IS monitoring and maintenance process?
Question143: An organization wants to assess the maturity of its internal control environment. The FIRST step should be to:
Question144: An organization has procured a managed hosting service and just discovered the location is likely to be flooded every 20 years. Of the following, who should be notified of this new information FIRST?
Question145: To minimize risk in a software development project, when is the BEST time to conduct a risk analysis?
Question146: Which of the following is MOST helpful to review when identifying risk scenarios associated with the adoption of Internet of Things (loT) technology in an organization?
Question147: Which of the following characteristics of risk controls can be defined as under?
"The separation of controls in the production environment rather than the separation in the design and implementation of the risk"
Question148: Who is responsible for IT security controls that are outsourced to an external service provider?
Question149: During which of the following processes, probability and impact matrix are prepared?
Question150: Which of the following is true for risk evaluation?
Question151: Which of the following is the PRIMARY requirement before choosing Key performance indicators of an enterprise?
Question152: Which of the following is the BEST method of creating risk awareness in an organization?
Question153: Which of the following is the MAIN reason for documenting the performance of controls?
Question154: Which of the following would BEST help secure online financial transactions from improper users?
Question155: Which of the following is the MOST important benefit of key risk indicators (KRIs)'
Question156: Which of the following is the MOST effective inhibitor of relevant and efficient communication?
Question157: You are the project manager of HFD project. You have identified several project risks. You have adopted alternatives to deal with these risks which do not attempt to reduce the probability of a risk event or its impacts. Which of the following response have you implemented?
Question158: Which of the following documents is described in the statement below?
"It is developed along with all processes of the risk management. It contains the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning."
Question159: Which of the following control is used to ensure that users have the rights and permissions they need to perform their jobs, and no more?
Question160: A risk practitioner has observed that there is an increasing trend of users sending sensitive information by email without using encryption. Which of the following would be the MOST effective approach to mitigate the risk associated with data loss?
Question161: Which of the following is the BEST way to ensure that outsourced service providers comply with the enterprise's information security policy?
Question162: Which of the following is the BEST key control indicator (KCI) for a vulnerability management program?
Question163: Which of the following is the MOST effective method for indicating that the risk level is approaching a high or unacceptable level of risk?
Question164: Which of the following is true for Cost Performance Index (CPI)?
Question165: Which of the following control is used to ensure that users have the rights and permissions they need to perform their jobs, and no more?
Question166: Which erf the following stakeholders are typically included as part of a line of defense within the three lines of defense model?
Question167: A risk assessment has identified that an organization may not be in compliance with industry regulations. The BEST course of action would be to:
Question168: Which of the following is the PRIMARY reason to update a risk register with risk assessment results?
Question169: Which of the following is the BEST way of managing risk inherent to wireless network?
Question170: You are working on a project in an enterprise. Some part of your project requires e-commerce, but your enterprise choose not to engage in e-commerce. This scenario is demonstrating which of the following form?
Question171: Henry is the project sponsor of the JQ Project and Nancy is the project manager. Henry has asked Nancy to start the risk identification process for the project, but Nancy insists that the project team be involved in the process. Why should the project team be involved in the risk identification?
Question172: Periodically reviewing and updating a risk register with details on identified risk factors PRIMARILY helps to:
Question173: Which of the following is the PRIMARY requirement before choosing Key performance indicators of an enterprise?
Question174: Della works as a project manager for Tech Perfect Inc. She is studying the documentation of planning of a project. The documentation states that there are twenty-eight stakeholders with the project. What will be the number of communication channels for the project?
Question175: An organization has decided to commit to a business activity with the knowledge that the risk exposure is higher than the risk appetite. Which of the following is the risk practitioner's MOST important action related to this decision?
Question176: Natural disaster is BEST associated to which of the following types of risk?
Question177: Which of the following is NOT true for risk governance?
Question178: An organization is considering acquiring a new line of business and wants to develop new IT risk scenarios to guide its decisions. Which of the following would add the MOST value to the new risk scenarios?
Question179: Which of the following criteria is MOST important when developing a response to an attack that would compromise data?
Question180: An organization automatically approves exceptions to security policies on a recurring basis. This practice is MOST likely the result of:
Question181: A business unit has decided to accept the risk of implementing an off-the-shelf, commercial software package that uses weak password controls. The BEST course of action would be to:
Question182: The BEST control to mitigate the risk associated with project scope creep is to:
Question183: Which of the following techniques examines the degree to which organizational strengths offset
threats and opportunities that may serve to overcome weaknesses?
Question184: You work as the project manager for Bluewell Inc. Your project has several risks that will affect several stakeholder requirements. Which project management plan will define who will be available to share information on the project risks?
Question185: Which of the following is the BEST way to determine whether new controls mitigate security gaps in a business system?
Question186: What are the requirements of monitoring risk?
Each correct answer represents a part of the solution. Choose three.
Question187: Which of the following is true for risk evaluation?
Question188: To which level the risk should be reduced to accomplish the objective of risk management?
Question189: Which of the following is a key component of strong internal control environment?
Question190: A large organization is replacing its enterprise resource planning (ERP) system and has decided not to deploy the payroll module of the new system. Instead, the current payroll system will continue to be used. Of the following, who should own the risk if the ERP and payroll system fail to operate as expected?
Question191: Which of the following risk scenarios would be the GREATEST concern as a result of a single sign-on implementation?
Question192: Of the following, who should be responsible for determining the inherent risk rating of an application?
Question193: You are the project manager of HGT project. You are in the first phase of the risk response process and are doing following tasks :
Communicating risk analysis results
Reporting risk management activities and the state of compliance
Interpreting independent risk assessment findings
Identifying business opportunities
Which of the following process are you performing?
Question194: A recent internal risk review reveals the majority of core IT application recovery time objectives (RTOs) have exceeded the maximum time defined by the business application owners. Which of the following is MOST likely to change as a result?
Question195: Which of the following is the PRIMARY risk management responsibility of the second line of defense?
Question196: Which of the following is the MOST effective control to maintain the integrity of system configuration files?
Question197: The MAIN purpose of conducting a control self-assessment (CSA) is to:
Question198: You are the project manager for your company and a new change request has been approved for your project. This change request, however, has introduced several new risks to the project. You have communicated these risk events and the project stakeholders understand the possible effects these risks could have on your project. You elect to create a mitigation response for the identified risk events. Where will you record the mitigation response?
Question199: Which of The following should be of GREATEST concern for an organization considering the adoption of a bring your own device (BYOD) initiative?
Question200: A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?
Question201: After a high-profile systems breach at an organization's key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:

Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment?
Question202: Which of the following should be the PRIMARY recipient of reports showing the progress of a current IT risk mitigation project?
Question203: Which of the following is MOST helpful in aligning IT risk with business objectives?
Question204: The BEST way to obtain senior management support for investment in a control implementation would be to articulate the reduction in:
Question205: Which of the following events refer to loss of integrity?
Each correct answer represents a complete solution. Choose three.
Question206: Which of the following BEST promotes commitment to controls?
Question207: Which of the following BEST helps to identify significant events that could impact an organization?
Vulnerability analysis
Question208: A risk practitioner discovers several key documents detailing the design of a product currently in development have been posted on the Internet. What should be the risk practitioner's FIRST course of action?
Question209: How residual risk can be determined?
Question210: You are the project manager for your company and a new change request has been approved for your project. This change request, however, has introduced several new risks to the project. You have communicated these risk events and the project stakeholders understand the possible effects these risks could have on your project. You elect to create a mitigation response for the identified risk events. Where will you record the mitigation response?
Question211: Reviewing historical risk events is MOST useful for which of the following processes within the risk management life cycle?
Question212: Which of the following is the BEST indication that an organization is following a mature risk management process?
Question213: When of the following is the MOST significant exposure when an application uses individual user accounts to access the underlying database?
Question214: An organization has raised the risk appetite for technology risk. The MOST likely result would be:
Question215: An organization's HR department has implemented a policy requiring staff members to take a minimum of five consecutive days leave per year to mitigate the risk of malicious insider activities. Which of the following is the BEST key performance indicator (KPI) of the effectiveness of this policy?
Question216: You are the project manager of GHT project. Your hardware vendor left you a voicemail saying that the delivery of the equipment you have ordered would not arrive on time. You identified a risk response strategy for this risk and have arranged for a local company to lease you the needed equipment until yours arrives. This is an example of which risk response strategy?
Question217: You are using Information system. You have chosen a poor password and also sometimes transmits data over unprotected communication lines. What is this poor quality of password and unsafe transmission refers to?
Question218: Which of the following is the BEST way for a risk practitioner to verify that management has addressed control issues identified during a previous external audit?
Question219: Which of the following would be the result of a significant increase in the motivation of a malicious threat actor?
Question220: You are the project manager of GHT project. Your hardware vendor left you a voicemail saying that the delivery of the equipment you have ordered would not arrive on time. She wanted to give you a heads-up and asked that you return the call. Which of the following statements is TRUE?
Question221: Which of the following is MOST critical to the design of relevant risk scenarios?
Question222: Which of the following establishes mandatory rules, specifications and metrics used to measure compliance against quality, value, etc.?
Question223: An organization's internal auditors have identified a new IT control deficiency in the organization's identity and access management (IAM) system. It is most important for the risk practitioner to:
Question224: You work as a project manager for BlueWell Inc. You are involved with the project team on the different risk issues in your project. You are using the applications of IRGC model to facilitate the understanding and managing the rising of the overall risks that have impacts on the economy and society. One of your team members wants to know that what the need to use the IRGC is. What will be your reply?
Question225: Which of the following is the FOREMOST root cause of project risk?
Each correct answer represents a complete solution. Choose two.
Question226: Participants in a risk workshop have become focused on the financial cost to mitigate risk rather than choosing the most appropriate response. Which of the following is the BEST way to address this type of issue in the long term?
Question227: What are the requirements for creating risk scenarios? Each correct answer represents a part of the solution.
Choose three.
Question228: You are the risk professional of your enterprise. You have performed cost and benefit analysis of control that you have adopted. What are all the benefits of performing cost and benefit analysis of control? Each correct answer represents a complete solution. Choose three.
Question229: Which of the following statements in an organization's current risk profile report is cause for further action by senior management?
Question230: Which of the following provides the MOST useful information to determine risk exposure following control implementations?
Question231: You are the project manager for TTP project. You are in the Identify Risks process. You have to create the risk register. Which of the following are included in the risk register?
Each correct answer represents a complete solution. (Choose two.)
Question232: Which of the following is MOST helpful in identifying new risk exposures due to changes in the business environment?
Question233: The risk associated with a high-risk vulnerability in an application is owned by the:
Question234: Which of the following is the BEST way to identify changes in the risk profile of an organization?
Question235: Implementing which of the following controls would BEST reduce the impact of a vulnerability that has been exploited?
Question236: Which of the following is the MOST critical element to maximize the potential for a successful security implementation?
Question237: When is the BEST to identify risk associated with major project to determine a mitigation plan?
Question238: Which of the following is the BEST indicator of an effective IT security awareness program?
Question239: What are the three PRIMARY steps to be taken to initialize the project?
Each correct answer represents a complete solution. (Choose three.)
Question240: Which of the following issues should be of GREATEST concern when evaluating existing controls during a risk assessment?
Question241: A review of an organization s controls has determined its data loss prevention {DLP) system is currently failing to detect outgoing emails containing credit card data. Which of the following would be MOST impacted?
Question242: Which of the following establishes mandatory rules, specifications and metrics used to measure compliance against quality, value, etc?
Question243: Which of the following are the common mistakes while implementing KRIs?
Each correct answer represents a complete solution. Choose three.
Question244: A risk owner should be the person accountable for:
Question245: Which of the following roles is BEST suited to help a risk practitioner understand the impact of IT-related events on business objectives?
Question246: Which of the following statements are true for enterprise's risk management capability maturity level 3 ?
Question247: What are the various outputs of risk response?
Question248: You are the project manager for the NHH project. You are working with your project team to examine the project from four different defined perspectives to increase the breadth of identified risks by including internally generated risks. What risk identification approach are you using in this example?
Question249: Which of the following represents a vulnerability?
Question250: A control owner responsible for the access management process has developed a machine learning model to automatically identify excessive access privileges. What is the risk practitioner's BEST course of action?
Question251: Which of the following would provide executive management with the BEST information to make risk decisions as a result of a risk assessment?
Question252: The risk associated with an asset before controls are applied can be expressed as:
Question253: Risk acceptance of an exception to a security control would MOST likely be justified when:
Question254: Walter is the project manager of a large construction project. He'll be working with several vendors on the project. Vendors will be providing materials and labor for several parts of the project. Some of the works in the project are very dangerous so Walter has implemented safety requirements for all of the vendors and his own project team. Stakeholders for the project have added new requirements, which have caused new risks in the project. A vendor has identified a new risk that could affect the project if it comes into fruition. Walter agrees with the vendor and has updated the risk register and created potential risk responses to mitigate the risk.
What should Walter also update in this scenario considering the risk event?
Question255: Which of the following controls will BEST detect unauthorized modification of data by a database administrator?
Question256: Which of the following is MOST important to communicate to senior management during the initial implementation of a risk management program?
Question257: Which of the following would be the BEST justification to invest in the development of a governance, risk, and compliance (GRC) solution?
Question258: The BEST key performance indicator (KPI) to measure the effectiveness of a vendor risk management program is the percentage of:
Question259: Which of the following steps ensure effective communication of the risk analysis results to relevant stakeholders? Each correct answer represents a complete solution. Choose three.
Question260: An unauthorized individual has socially engineered entry into an organization's secured physical premises.
Which of the following is the BEST way to prevent future occurrences?
Question261: You are the project manager of the GHY Project for your company. You need to complete a project management process that will be on the lookout for new risks, changing risks, and risks that are now outdated. Which project management process is responsible for these actions?
Question262: You are the IT manager in Bluewell Inc. You identify a new regulation for safeguarding the information processed by a specific type of transaction. What would be the FIRST action you will take?
Question263: Which of the following is the PRIMARY reason to have the risk management process reviewed by a third party?
Question264: Which of the following are the principles of risk management?
Each correct answer represents a complete solution. Choose three.
Question265: During a risk assessment, the risk practitioner finds a new risk scenario without controls has been entered into the risk register. Which of the following is the MOST appropriate action?
Question266: Which of the following is MOST useful when communicating risk to management?
Question267: The BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability remediation program is the number of:
Question268: Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?
Question269: When reviewing a business continuity plan (BCP), which of the following would be the MOST significant deficiency?
Question270: Which of the following approaches BEST identifies information systems control deficiencies?
Question271: Which of the following controls are BEST strengthened by a clear organizational code of ethics?
Question272: Which of the following matrices is used to specify risk thresholds?
Question273: You work as a project manager for BlueWell Inc. You are preparing for the risk identification process. You will need to involve several of the project's key stakeholders to help you identify and communicate the identified risk events. You will also need several documents to help you and the stakeholders identify the risk events. Which one of the following is NOT a document that will help you identify and communicate risks within the project?
Question274: Which of the following is the MOST effective way to mitigate identified risk scenarios?
Question275: NIST SP 800-53 identifies controls in three primary classes. What are they?
Question276: What are the various outputs of risk response?
Question277: A risk practitioner observes that the fraud detection controls in an online payment system do not perform as expected. Which of the following will MOST likely change as a result?
Question278: Which of the following is MOST helpful in identifying gaps between the current and desired state of the IT risk environment?
Question279: You are the project manager of the QPS project. You and your project team have identified a pure risk.
You along with the key stakeholders, decided to remove the pure risk from the project by changing the project plan altogether. What is a pure risk?
Question280: Wendy has identified a risk event in her project that has an impact of $75,000 and a 60 percent chance of happening. Through research, her project team learns that the risk impact can actually be reduced to just $15,000 with only a ten percent chance of occurring. The proposed solution will cost $25,000. Wendy agrees to the $25,000 solution. What type of risk response is this?
Question281: You are the risk professional in Bluewell Inc. You have identified a risk and want to implement a specific risk mitigation activity. What you should PRIMARILY utilize?
Question282: During an IT department reorganization, the manager of a risk mitigation action plan was replaced. The new manager has begun implementing a new control after identifying a more effective option. Which of the following is the risk practitioner's BEST course of action?
Question283: Which of the following risk register updates is MOST important for senior management to review?
Question284: Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?
Question285: Which of the following will BEST help an organization select a recovery strategy for critical systems?
Question286: Who should be responsible for implementing and maintaining security controls?
Question287: You are the project manager for GHT project. You need to perform the Qualitative risk analysis process. When you have completed this process, you will produce all of the following as part of the risk register update output except which one?
Question288: Which of the following is the MOST important reason to maintain key risk indicators (KRIs)?
Question289: Which of The following would offer the MOST insight with regard to an organization's risk culture?
Question290: You are the project manager of the GHY project for your organization. You are working with your project team to begin identifying risks for the project. As part of your preparation for identifying the risks within the project you will need eleven inputs for the process. Which one of the following is NOT an input to the risk identification process?
Question291: An IT risk practitioner is evaluating an organization's change management controls over the last six months.
The GREATEST concern would be an increase in:
Question292: You are the project manager for BlueWell Inc. Your current project is a high priority and high profile project within your organization. You want to identify the project stakeholders that will have the most power in relation to their interest on your project. This will help you plan for project risks, stakeholder management, and ongoing communication with the key stakeholders in your project. In this process of stakeholder analysis, what type of a grid or model should you create based on these conditions?
Question293: Which of the following approaches to bring you own device (BYOD) service delivery provides the BEST protection from data loss?
Question294: An organization has outsourced a critical process involving highly regulated data to a third party with servers located in a foreign country. Who is accountable for the confidentiality of this data?
Question295: Which of the following BEST enables an organization to determine whether external emerging risk factors will impact the organization's risk profile?
Question296: Which of The following is the PRIMARY consideration when establishing an organization's risk management methodology?
Question297: Which of the following characteristics of risk controls answers the aspect about the control given below: "Will it continue to function as expressed over the time and adopts as changes or new elements are introduced to the environment"
Question298: Which of the following are the security plans adopted by the organization?
Each correct answer represents a complete solution. (Choose three.)
Question299: You are the project manager of a project in Bluewell Inc. You and your project team have identified several project risks, completed risk analysis, and are planning to apply most appropriate risk responses. Which of the following tools would you use to choose the appropriate risk response?
Question300: Mapping open risk issues to an enterprise risk heat map BEST facilitates:
Question301: Which of the following is the BEST way to manage the risk associated with malicious activities performed by database administrators (DBAs)?
Question302: When preparing a risk status report for periodic review by senior management, it is MOST important to ensure the report includes
Question303: Which of the following is a technique that provides a systematic description of the combination of unwanted occurrences in a system?
Question304: You are working in an enterprise. You project deals with important files that are stored on the computer.
You have identified the risk of the failure of operations. To address this risk of failure, you have guided the system administrator sign off on the daily backup. This scenario is an example of which of the following?
Question305: Mapping open risk issues to an enterprise risk heat map BEST facilitates:
Question306: Which of the following techniques would be used during a risk assessment to demonstrate to stakeholders that all known alternatives were evaluated?
Question307: Which of the following is the MOST cost-effective way to test a business continuity plan?
Question308: John works as a project manager for BlueWell Inc. He is determining which risks can affect the project.
Which of the following inputs of the identify risks process is useful in identifying risks associated to the time allowances for the activities or projects as a whole, with a width of the range indicating the degrees of risk?
Question309: Which of the following is the MOST appropriate key risk indicator (KRI) for backup media that is recycled monthly?
Question310: You are completing the qualitative risk analysis process with your project team and are relying on the risk management plan to help you determine the budget, schedule for risk management, and risk categories. You discover that the risk categories have not been created. When the risk categories should have been created?
Question311: Which of the following risk responses include feedback and guidance from well-qualified risk officials and those internal to the project?
Question312: Management has noticed storage costs have increased exponentially over the last 10 years because most users do not delete their emails. Which of the following can BEST alleviate this issue while not sacrificing security?
Question313: You work as a project manager for BlueWell Inc. You are preparing for the risk identification process. You will need to involve several of the project's key stakeholders to help you identify and communicate the identified risk events. You will also need several documents to help you and the stakeholders identify the risk events.
Which one of the following is NOT a document that will help you identify and communicate risks within the project?
Question314: You are the risk professional of your enterprise. You have performed cost and benefit analysis of control that you have adopted. What are all the benefits of performing cost and benefit analysis of control? Each correct answer represents a complete solution. Choose three.
Question315: Which of the following methods would BEST contribute to identifying obscure risk scenarios?
Question316: Which of the following should be the PRIMARY consideration when assessing the automation of control monitoring?
Question317: Where are all risks and risk responses documented as the project progresses?
Question318: Which of the following would present the GREATEST challenge when assigning accountability for control ownership?
Question319: What is the IMMEDIATE step after defining set of risk scenarios?
Question320: Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an anti-virus program?
Question321: Which of the following is MOST effective in continuous risk management process improvement?
Question322: If one says that the particular control or monitoring tool is sustainable, then it refers to what ability?
Question323: While reviewing an organization's monthly change management metrics, a risk practitioner notes that the number of emergency changes has increased substantially Which of the following would be the BEST approach for the risk practitioner to take?
Question324: Which of the following will help ensure the elective decision-making of an IT risk management committee?
Question325: Your project has several risks that may cause serious financial impact if they occur. You have studied the risk events and made some potential risk responses for the risk events but management wants you to do more. They'd like you to create some type of a chart that identified the risk probability and impact with a financial amount for each risk event. What is the likely outcome of creating this type of chart?
Question326: Which of the following is the GREATEST benefit of incorporating IT risk scenarios into the corporate risk developer?
Question327: What is the most important benefit of classifying information assets?
Question328: Which of the following is the PRIMARY reason to use key control indicators (KCIs) to evaluate control operating effectiveness?
Question329: An organization is planning to acquire a new financial system. Which of the following stakeholders would provide the MOST relevant information for analyzing the risk associated with the new IT solution?
Question330: Which of the following is MOST important to the effectiveness of key performance indicators (KPIs)?
Question331: Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?
Question332: Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities?
Question333: You are the project manager of GHT project. You have implemented an automated tool to analyze and report on access control logs based on severity. This tool generates excessively large amounts of results.
You perform a risk assessment and decide to configure the monitoring tool to report only when the alerts are marked "critical". What you should do in order to fulfill that?
Question334: Which of the following role carriers has to account for collecting data on risk and articulating risk?
Question335: Which of the following would be the GREATEST challenge when implementing a corporate risk framework for a global organization?
Question336: Risk mitigation procedures should include:
Question337: The PRIMARY purpose of IT control status reporting is to:
Question338: Which of the following would MOST likely drive the need to review and update key performance indicators (KPIs) for critical IT assets?
Question339: A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable?
Question340: A global organization is planning to collect customer behavior data through social media advertising. Which of the following is the MOST important business risk to be considered?
Question341: Which of the following is MOST important to understand when developing key risk indicators (KRIs)?
Question342: NIST SP 800-53 identifies controls in three primary classes. What are they?
Question343: NIST SP 800-53 identifies controls in three primary classes. What are they?
Question344: Which one of the following is the only output for the qualitative risk analysis process?
Question345: Of the following, who is BEST suited to assist a risk practitioner in developing a relevant set of risk scenarios?
Question346: When prioritizing risk response, management should FIRST:
Question347: Which of the following decision tree nodes have probability attached to their branches?
Question348: An organization has recently hired a large number of part-time employees. During the annual audit, it was discovered that many user IDs and passwords were documented in procedure manuals for use by the part-time employees. Which of the following BEST describes this situation?
Question349: A risk practitioner is summarizing the results of a high-profile risk assessment sponsored by senior management. The BEST way to support risk-based decisions by senior management would be to:
Question350: When establishing leading indicators for the information security incident response process it is MOST important to consider the percentage of reported incidents:
Question351: Which of the following is the HIGHEST risk of a policy that inadequately defines data and system ownership?
Question352: Which of the following is the greatest risk to reporting?
Question353: Which of the following is the MOST important consideration when developing an organization's risk taxonomy?
Question354: Which of the following would MOST effectively enable a business operations manager to identify events exceeding risk thresholds?
Question355: The MAIN purpose of conducting a control self-assessment (CSA) is to:
Question356: You are the project manager of GHT project. You have identified a risk event on your project that could save $100,000 in project costs if it occurs. Which of the following statements BEST describes this risk event?
Question357: Which of the following should an organization perform to forecast the effects of a disaster?
Question358: Which of the following processes is described in the statement below?
"It is the process of exchanging information and views about risks among stakeholders, such as groups, individuals, and institutions."
Question359: You are the project manager of a HGT project that has recently finished the final compilation process. The project customer has signed off on the project completion and you have to do few administrative closure activities. In the project, there were several large risks that could have wrecked the project but you and your project team found some new methods to resolve the risks without affecting the project costs or project completion date. What should you do with the risk responses that you have identified during the project's monitoring and controlling process?
Question360: You are the project manager of HGT project. You are in the first phase of the risk response process and are doing following tasks :
Communicating risk analysis results
Reporting risk management activities and the state of compliance
Interpreting independent risk assessment findings
Identifying business opportunities
Which of the following process are you performing?
Question361: Which of the following is the BEST indication that an organization's risk management program has not reached the desired maturity level?
Question362: Which of the following is MOST appropriate method to evaluate the potential impact of legal, regulatory, and contractual requirements on business objectives?
Question363: How are the potential choices of risk based decisions are represented in decision tree analysis?
Question364: What should be considered while developing obscure risk scenarios?
Each correct answer represents a part of the solution. Choose two.
Question365: Which of the following BEST ensures that a firewall is configured in compliance with an enterprise's security policy?
Question366: Which of the following is the BEST evidence that a user account has been properly authorized?
Question367: Thomas is a key stakeholder in your project. Thomas has requested several changes to the project scope for the project you are managing.
Upon review of the proposed changes, you have discovered that these new requirements are laden with risks and you recommend to the change control board that the changes be excluded from the project scope. The change control board agrees with you. What component of the change control system communicates the approval or denial of a proposed change request?
Question368: You are the project manager for Bluewell Inc. You are studying the documentation of project plan. The documentation states that there are twenty-five stakeholders with the project. What will be the number of communication channel s for the project?
Question369: Risks to an organization's image are referred to as what kind of risk?
Question370: Which of the following is MOST important to communicate to senior management during the initial implementation of a risk management program?
Question371: Which of the following would be MOST useful to senior management when determining an appropriate risk response?
Question372: Which of the following approaches will BEST help to ensure the effectiveness of risk awareness training?
Question373: Which of the following is a risk practitioner's BEST course of action upon learning that a control under internal review may no longer be necessary?
Question374: The purpose of requiring source code escrow in a contractual agreement is to:
Question375: From a risk management perspective, the PRIMARY objective of using maturity models is to enable:
Question376: Which of the following is the BEST key performance indicator (KPI) for determining how well an IT policy is aligned to business requirements?
Question377: What activity should be done for effective post-implementation reviews during the project?
Question378: Which of the following BEST supports the communication of risk assessment results to stakeholders?
Question379: The PRIMARY purpose of a maturity model is to compare the:
Question380: Performing a background check on a new employee candidate before hiring is an example of what type of control?
Question381: You are the Risk Official in Bluewell Inc. You have detected much vulnerability during risk assessment process. What you should do next?
Question382: A risk practitioner is preparing a report to communicate changes in the risk and control environment. The BEST way to engage stakeholder attention is to:
Question383: The BEST way to improve a risk register is to ensure the register:
Question384: Which of the following would MOST likely cause a risk practitioner to reassess risk scenarios?
Question385: The risk associated with an asset before controls are applied can be expressed as:
Question386: You are the product manager in your enterprise. You have identified that new technologies, products and services are introduced in your enterprise time-to-time. What should be done to prevent the efficiency and effectiveness of controls due to these changes?
Question387: You are the project manager of the KJH Project and are working with your project team to plan the risk responses. Consider that your project has a budget of $500,000 and is expected to last six months. Within the KJH Project you have identified a risk event that has a probability of .70 and has a cost impact of $350,000.
When it comes to creating a risk response for this event what is the risk exposure of the event that must be considered for the cost of the risk response?
Question388: Which of the following is MOST important to the integrity of a security log?
Question389: Which of the following is the PRIMARY role of a data custodian in the risk management process?
Question390: You are the project manager for TTP project. You are in the Identify Risks process. You have to create the risk register. Which of the following are included in the risk register?
Each correct answer represents a complete solution. Choose two.
Question391: You are the project manager of a HGT project that has recently finished the final compilation process. The project customer has signed off on the project completion and you have to do few administrative closure activities. In the project, there were several large risks that could have wrecked the project but you and your project team found some new methods to resolve the risks without affecting the project costs or project completion date. What should you do with the risk responses that you have identified during the project's monitoring and controlling process?
Question392: Which of the following come under the management class of controls?
Each correct answer represents a complete solution. (Choose two.)
Question393: Which of the following is the STRONGEST indication an organization has ethics management issues?
Question394: A risk practitioner has identified that the organization's secondary data center does not provide redundancy for a critical application. Who should have the authority to accept the associated risk?
Question395: An organization operates in a jurisdiction where heavy fines are imposed for leakage of customer data. Which of the following provides the BEST input to assess the inherent risk impact?
Question396: Which of the following is the final step in the policy development process?
Question397: In response to the threat of ransomware, an organization has implemented cybersecurity awareness activities.
The risk practitioner's BEST recommendation to further reduce the impact of ransomware attacks would be to implement:
Question398: Which of the following would provide the BEST evidence of an effective internal control environment/?
Question399: The BEST key performance indicator (KPI) to measure the effectiveness of a backup process would be the number of:
Question400: You work as a project manager for SoftTech Inc. You are working with the project stakeholders to begin the qualitative risk analysis process. Which of the following inputs will be needed for the qualitative risk analysis process in your project?
Each correct answer represents a complete solution. Choose all that apply.
Question401: It is MOST appropriate for changes to be promoted to production after they are;
Question402: The BEST way to justify the risk mitigation actions recommended in a risk assessment would be to:
Question403: Marie has identified a risk event in her project that needs a mitigation response. Her response actually creates a new risk event that must now be analyzed and planned for. What term is given to this newly created risk event?
Question404: Which of the following is MOST effective against external threats to an organization's confidential information?
Question405: Which of the following is the MOST important responsibility of a risk owner?
Question406: A risk assessment indicates the residual risk associated with a new bring your own device (BYOD) program is within organizational risk tolerance. Which of the following should the risk practitioner recommend be done NEXT?
Question407: Which of the following activities would BEST facilitate effective risk management throughout the organization?
Question408: What can be determined from the risk scenario chart?

Question409: To help ensure all applicable risk scenarios are incorporated into the risk register, it is MOST important to review the:
Question410: Which section of the Sarbanes-Oxley Act specifies "Periodic financial reports must be certified by CEO and CFO"?
Question411: An organization has initiated a project to launch an IT-based service to customers and take advantage of being the first to market. Which of the following should be of GREATEST concern to senior management?
Question412: Mary is a project manager in her organization. On her current project she is working with her project team and other key stakeholders to identify the risks within the project. She is currently aiming to create a comprehensive list of project risks so she is using a facilitator to help generate ideas about project risks. What risk identification method is Mary likely using?
Question413: An organization wants to assess the maturity of its internal control environment. The FIRST step should be to:
Question414: Which of the following is MOST important for a risk practitioner to ensure once a risk action plan has been completed?
Question415: Which of the following is MOST essential for an effective change control environment?
Question416: Which of the following will provide the BEST measure of compliance with IT policies?
Question417: A payroll manager discovers that fields in certain payroll reports have been modified without authorization.
Which of the following control weaknesses could have contributed MOST to this problem?
Question418: Which of the following is MOST helpful in identifying new risk exposures due to changes in the business environment?
Question419: An organization is considering modifying its system to enable acceptance of credit card payments. To reduce the risk of data exposure, which of the following should the organization do FIRST?
Question420: Which of the following should be included in a risk assessment report to BEST facilitate senior management's understanding of the results?
Question421: Which of the following nodes of the decision tree analysis represents the start point of decision tree?
Question422: Which of the following is NOT true for Key Risk Indicators?
Question423: Which of the following controls is an example of non-technical controls?
Question424: You are the project manager for BlueWell Inc. You have noticed that the risk level in your project increases above the risk tolerance level of your enterprise. You have applied several risk response. Now you have to update the risk register in accordance to risk response process. All of the following are included in the risk register except for which item?
Question425: You work as the project manager for Bluewell Inc. Your project has several risks that will affect several stakeholder requirements. Which project management plan will define who will be available to share information on the project risks?
Question426: You are the risk official in Bluewell Inc. You are supposed to prioritize several risks. A risk has a rating for occurrence, severity, and detection as 4, 5, and 6, respectively. What Risk Priority Number (RPN) you would give to it?
Question427: Which of the following is an acceptable method for handling positive project risk?
Question428: Which of the following is the BEST way to ensure ongoing control effectiveness?
Question429: A risk practitioner's PRIMARY focus when validating a risk response action plan should be that risk response:
Question430: Which of the following assets are the examples of intangible assets of an enterprise?
Each correct answer represents a complete solution. Choose two.
Question431: Which of the following BEST mitigates the risk of violating privacy laws when transferring personal information lo a supplier?
Question432: Which of the following is MOST helpful in defining an early-warning threshold associated with insufficient network bandwidth''
Question433: From a risk management perspective, the PRIMARY objective of using maturity models is to enable:
Question434: When a high-risk security breach occurs, which of the following would be MOST important to the person responsible for managing the incident?
Question435: An organization is implementing encryption for data at rest to reduce the risk associated with unauthorized access. Which of the following MUST be considered to assess the residual risk?
Question436: The BEST control to mitigate the risk associated with project scope creep is to:
Question437: Shelly is the project manager of the BUF project for her company. In this project Shelly needs to establish some rules to reduce the influence of risk bias during the qualitative risk analysis process. What method can Shelly take to best reduce the influence of risk bias?
Question438: What can be determined from the risk scenario chart?

Question439: An organization has outsourced its IT security operations to a third party. Who is ULTIMATELY accountable for the risk associated with the outsourced operations?
Question440: Which of the following BEST assists in justifying an investment in automated controls?
Question441: Which of the following is the MAIN benefit of involving stakeholders in the selection of key risk indicators (KRIs)?
Question442: Which of the following aspects are included in the Internal Environment Framework of COSO ERM?
Each correct answer represents a complete solution. Choose three.
Question443: Which of the following is a crucial component of a key risk indicator (KRI) to ensure appropriate action is taken to mitigate risk?
Question444: Which of the following BEST indicates the efficiency of a process for granting access privileges?
Question445: Judy has identified a risk event in her project that will have a high probability and a high impact. Based on the requirements of the project, Judy has asked to change the project scope to remove the associated requirement and the associated risk. What type of risk response is this?
Question446: An organization has four different projects competing for funding to reduce overall IT risk. Which project should management defer?

Question447: In the project initiation phase of System Development Life Cycle, there is information on project initiated by which of the following role carriers?
Question448: An organization maintains independent departmental risk registers that are not automatically aggregated.
Which of the following is the GREATEST concern?
Question449: Which of the following statements is NOT true regarding the risk management plan?
Question450: The PRIMARY reason to have risk owners assigned to entries in the risk register is to ensure:
Question451: You are the project manager of GHT project. Your hardware vendor left you a voicemail saying that the delivery of the equipment you have ordered would not arrive on time. She wanted to give you a heads-up and asked that you return the call. Which of the following statements is TRUE?
Question452: Capability maturity models are the models that are used by the enterprise to rate itself in terms of the least mature level to the most mature level. Which of the following capability maturity levels shows that the enterprise does not recognize the need to consider the risk management or the business impact from IT risk?
Question453: An identified high probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy. Which of the following is the BEST risk response?
Question454: What are the requirements of effectively communicating risk analysis results to the relevant stakeholders?
Each correct answer represents a part of the solution. Choose three.
Question455: What is the PRIMARY need for effectively assessing controls?
Question456: An organization is implementing encryption for data at rest to reduce the risk associated with unauthorized access. Which of the following MUST be considered to assess the residual risk?
Question457: Which of the following will be MOST effective in uniquely identifying the originator of electronic transactions?
Question458: You are the project manager of a SGT project. You have been actively communicating and working with the project stakeholders. One of the outputs of the "manage stakeholder expectations" process can actually create new risk events for your project. Which output of the manage stakeholder expectations process can create risks?
Question459: Which of the following is MOST helpful to ensure effective security controls for a cloud service provider?
Question460: Which of the following statements are true for risk communication? Each correct answer represents a complete solution. Choose three.
Question461: A risk owner has accepted a high-impact risk because the control was adversely affecting process efficiency. Before updating the risk register, it is MOST important for the risk practitioner to:
Question462: A risk practitioner is reviewing a vendor contract and finds there is no clause to control privileged access to the organization's systems by vendor employees. Which of the following is the risk practitioner's BEST course of action?
Question463: The BEST control to mitigate the risk associated with project scope creep is to:
Question464: When presenting risk, the BEST method to ensure that the risk is measurable against the organization's risk appetite is through the use of a:
Question465: An IT department originally planned to outsource the hosting of its data center at an overseas location to reduce operational expenses. After a risk assessment, the department has decided to keep the data center in-house. How should the risk treatment response be reflected in the risk register?
Question466: Which of the following observations would be GREATEST concern to a risk practitioner reviewing the implementation status of management action plans?
Question467: Which of the following attributes of a key risk indicator (KRI) is MOST important?
Question468: Which of the following would provide the MOST objective assessment of the effectiveness of an organization's security controls?
Question469: Which of the following is the MAIN reason for analyzing risk scenarios?
Question470: You are the project manager of your enterprise. You have identified several risks. Which of the following responses to risk is considered the MOST appropriate?
Question471: Jane is the project manager of the NHJ Project for his company. He has identified several positive risk events within his project and he thinks these events can save the project time and money. Positive risk events, such as these within the NHJ Project are referred to as?
Question472: Which of the following is the MOST effective inhibitor of relevant and efficient communication?
Question473: Which of the following BEST contributes to the implementation of an effective risk response action plan?
Question474: Which of the following would be MOST helpful to understand the impact of a new technology system on an organization's current risk profile?
Question475: An organization automatically approves exceptions to security policies on a recurring basis. This practice is MOST likely the result of:
Question476: Which of the following would be a weakness in procedures for controlling the migration of changes to production libraries?
Question477: Which of the following is a KEY outcome of risk ownership?
Question478: Which of the following parameters are considered for the selection of risk indicators?
Each correct answer represents a part of the solution. Choose three.
Question479: An organization has opened a subsidiary in a foreign country. Which of the following would be the BEST way to measure the effectiveness of the subsidiary's IT systems controls?
Question480: You are the project manager for your organization. You are preparing for the quantitative risk analysis.
Mark, a project team member, wants to know why you need to do quantitative risk analysis when you just completed qualitative risk analysis. Which one of the following statements best defines what quantitative risk analysis is?
Question481: The risk appetite for an organization could be derived from which of the following?
Question482: You are the project manager of GHT project. Your project utilizes a machine for production of goods. This machine has the specification that if its temperature would rise above 450 degree Fahrenheit then it may result in burning of windings. So, there is an alarm which blows when machine's temperature reaches 430 degree Fahrenheit and the machine is shut off for 1 hour.
What role does alarm contribute here?
Question483: Which of the following BEST indicates the effectiveness of anti-malware software?
Question484: Which of the following BEST mitigates the risk of sensitive personal data leakage from a software development environment?
Question485: Which of the following should be the PRIMARY input when designing IT controls?
Question486: Which of the following will BEST help ensure that risk factors identified during an information systems review are addressed?
Question487: Which of the following is the MOST critical security consideration when an enterprise outsource its major part of IT department to a third party whose servers are in foreign company?
Question488: An application owner was specified the acceptable downtime in the event of an incident to be much lower the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?
Question489: A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security. Which of the following observations would be MOST relevant to escalate to senior management?
Question490: Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery test of critical business processes?
Question491: Which of the following is the MOST effective key performance indicator (KPI) for change management?
Question492: Which of the following would be- MOST helpful to understand the impact of a new technology system on an organization's current risk profile?
Question493: Which of the following should be PRIMARILY considered while designing information systems controls?
Question494: You are the risk professional of your enterprise. Your enterprise has introduced new systems in many departments. The business requirements that were to be addressed by the new system are still unfulfilled, and the process has been a waste of resources. Even if the system is implemented, it will most likely be underutilized and not maintained making it obsolete in a short period of time. What kind of risk is it?
Question495: You are using Information system. You have chosen a poor password and also sometimes transmits data over unprotected communication lines. What is this poor quality of password and unsafe transmission referring to?
Question496: Your company is covered under a liability insurance policy, which provides various liability coverage for information security risks, including any physical damage of assets, hacking attacks, etc. Which of the following risk management techniques is your company using?
Question497: Jane, the Director of Sales, contacts you and demands that you add a new feature to the software your project team is creating for the organization. In the meeting she tells you how important the scope change would be.
You explain to her that the software is almost finished and adding a change now could cause the deliverable to be late, cost additional funds, and would probably introduce new risks to the project. Jane stands up and says to you, "I am the Director of Sales and this change will happen in the project." And then she leaves the room.
What should you do with this verbal demand for a change in the project?
Question498: Which of the following are parts of SWOT Analysis?
Each correct answer represents a complete solution. Choose all that apply.
Question499: The objective of aligning mitigating controls to risk appetite is to ensure that:
Question500: Which of the following is the process of numerically analyzing the effects of identified risks on the overall enterprise's objectives?
Question501: There are five inputs to the quantitative risk analysis process. Which one of the following is NOT an input to quantitative risk analysis process?
Question502: Which of the following will be the GREATEST concern when assessing the risk profile of an organization?
Question503: Tom works as a project manager for BlueWell Inc. He is determining which risks can affect the project. Which of the following inputs of the identify risks process is useful in identifying risks, and provides a quantitative assessment of the likely cost to complete the scheduled activities?
Question504: Mike is the project manager of the NNP Project for his organization. He is working with his project team to plan the risk responses for the NNP Project. Mike would like the project team to work together on establishing risk thresholds in the project. What is the purpose of establishing risk threshold?
Question505: Which of the following is NOT true for Key Risk Indicators?
Question506: Which of the following is MOST important to promoting a risk-aware culture?
Question507: Which of the following would be a risk practitioner's BEST course of action when a project team has accepted a risk outside the established risk appetite?
Question508: Which of The following should be the FIRST step when a company is made aware of new regulatory requirements impacting IT?
Question509: A global company s business continuity plan (BCP) requires the transfer of its customer information....
event of a disaster. Which of the following should be the MOST important risk consideration?
Question510: Which of the following would be MOST helpful to an information security management team when allocating resources to mitigate exposures?
Question511: Which of the following is MOST useful when communicating risk to management?
Question512: Which of the following items is considered as an objective of the three dimensional model within the framework described in COSO ERM?
Question513: Which of the following is MOST important for a risk practitioner to verify when evaluating the effectiveness of an organization's existing controls?
Question514: During a risk treatment plan review, a risk practitioner finds the approved risk action plan has not been completed However, there were other risk mitigation actions implemented. Which of the fallowing is the BEST course of action?
Question515: Which of the following is the BEST way to determine the ongoing efficiency of control processes?
Question516: While conducting an organization-wide risk assessment, it is noted that many of the information security policies have not changed in the past three years. The BEST course of action is to:
Question517: Which of the following phases is involved in the Data Extraction, Validation, Aggregation and Analysis?
Question518: The acceptance of control costs that exceed risk exposure MOST likely demonstrates:
Question519: You are the project manager of your enterprise. You have identified new threats, and then evaluated the ability of existing controls to mitigate risk associated with new threats. You noticed that the existing control is not efficient in mitigating these new risks. What are the various steps you could take in this case?
Each correct answer represents a complete solution. (Choose three.)
Question520: You work as the project manager for Bluewell Inc. Your project has several risks that will affect several stakeholder requirements. Which project management plan will define who will be available to share information on the project risks?
Question521: An organization is considering outsourcing user administration controls tor a critical system. The potential vendor has offered to perform quarterly sett-audits of its controls instead of having annual independent audits. Which of the following should be of GREATEST concern to me risk practitioner?
Question522: Which of the following role carriers is accounted for analyzing risks, maintaining risk profile, and risk-aware decisions?
Question523: You are the administrator of your enterprise. Which of the following controls would you use that BEST protects an enterprise from unauthorized individuals gaining access to sensitive information?
Question524: Which of the following is described by the definition given below?
"It is the expected guaranteed value of taking a risk."
Question525: When using a third party to perform penetration testing, which of the following is the MOST important control to minimize operational impact?
Question526: Which of the following is the BEST course of action when risk is found to be above the acceptable risk appetite?
Question527: Effective risk communication BEST benefits an organization by:
Question528: Which of the following is the PRIMARY reason for an organization to ensure the risk register is updated regularly?
Question529: You work as a project manager for TechSoft Inc. You are working with the project stakeholders on the qualitative risk analysis process in your project. You have used all the tools to the qualitative risk analysis process in your project. Which of the following techniques is NOT used as a tool in qualitative risk analysis process?
Question530: Which of the following processes addresses the risks by their priorities, schedules the project management plan as required, and inserts resources and activities into the budget?
Question531: Which of the following are the security plans adopted by the organization?
Each correct answer represents a complete solution. Choose all that apply.
Question532: An organization has decided to postpone the assessment and treatment of several risk scenarios because stakeholders are unavailable. As a result of this decision, the risk associated with these new entries has been;
Question533: Which of the following statements BEST describes risk appetite?
Question534: A risk practitioner has been asked to advise management on developing a log collection and correlation strategy. Which of the following should be the MOST important consideration when developing this strategy?
Question535: Which of the following is the MOST important reason to revisit a previously accepted risk?
Question536: Which of the following presents the GREATEST risk to change control in business application development over the complete life cycle?
Question537: Business areas within an organization have engaged various cloud service providers directly without assistance from the IT department. What should the risk practitioner do?
Question538: What are the key control activities to be done to ensure business alignment?
Each correct answer represents a part of the solution. Choose two.
Question539: Which of the following activities would BEST contribute to promoting an organization-wide risk-aware culture?
Question540: A risk practitioner shares the results of a vulnerability assessment for a critical business application with the business manager. Which of the following is the NEXT step?
Question541: Which of the following statements is NOT true regarding the risk management plan?
Question542: Senior management wants to increase investment in the organization's cybersecurity program in response to changes in the external threat landscape. Which of the following would BEST help to prioritize investment efforts?
Question543: Which of The following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system?
Question544: Which of the following conditions presents the GREATEST risk to an application?
Question545: Which of the following is the priority of data owners when establishing risk mitigation method?
Question546: You are the project manager of GHT project. You have applied certain control to prevent the unauthorized changes in your project. Which of the following control you would have applied for this purpose?
Question547: Which of the following is the MOST important objective of the information system control?
Question548: The PRIMARY objective of collecting information and reviewing documentation when performing periodic risk analysis should be to:
Question549: Which of the following would BEST help to ensure that identified risk is efficiently managed?
Question550: An organization has four different projects competing for funding to reduce overall IT risk. Which project should management defer?

Question551: Who is accountable for risk treatment?
Question552: An organization is considering outsourcing user administration controls for a critical system. The potential vendor has offered to perform quarterly self-audits of its controls instead of having annual independent audits. Which of the following should be of GREATEST concern to the risk practitioner?
Question553: You are the project manager of GFT project. Your project involves the use of electrical motor. It was stated in its specification that if its temperature would increase to 500 degree Fahrenheit the machine will overheat and have to be shut down for 48 hours. If the machine overheats even once it will delay the project's arrival date.
So to prevent this you have decided while creating response that if the temperature of the machine reach 450, the machine will be paused for at least an hour so as to normalize its temperature. This temperature of 450 degrees is referred to as?
Question554: Which of the following is MOST important when developing risk scenarios?
Question555: Once a risk owner has decided to implement a control to mitigate risk, it is MOST important to develop:
Question556: Which of the following is MOST important to ensure when continuously monitoring the performance of a client- facing application?
Question557: Capability maturity models are the models that are used by the enterprise to rate itself in terms of the least mature level to the most mature level. Which of the following capability maturity levels shows that the enterprise does not recognize the need to consider the risk management or the business impact from IT risk?
Question558: Which of the following is the MOST important concern when assigning multiple risk owners for an identified risk?
Question559: Which of the following is the BEST evidence that a user account has been properly authorized?
Question560: Which of the following is the MOST useful indicator to measure the efficiency of an identity and access management process?
Question561: Which of the following operational risks ensures that the provision of a quality product is not overshadowed by the production costs of that product?
Question562: What is the process for selecting and implementing measures to impact risk called?
Question563: Which of the following events refer to loss of integrity?
Each correct answer represents a complete solution. Choose three.
Question564: Which of the following would be MOST relevant to stakeholders regarding ineffective control implementation?
Question565: Fred is the project manager of a large project in his organization. Fred needs to begin planning the risk management plan with the project team and key stakeholders. Which plan risk management process tool and technique should Fred use to plan risk management?
Question566: Which of the following is the MOST important aspect to ensure that an accurate risk register is maintained?
Question567: Which of the following provides the BEST measurement of an organization's risk management maturity level?
Question568: Prior to selecting key performance indicators (KPIs), itis MOST important to ensure:
Question569: Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:
Question570: What is the value of exposure factor if the asset is lost completely?
Question571: Which of the following methods involves the use of predictive or diagnostic analytical tool for exposing risk factors?
Question572: Your project is an agricultural-based project that deals with plant irrigation systems. You have discovered a byproduct in your project that your organization could use to make a profit. If your organization seizes this opportunity it would be an example of what risk response?
Question573: What are the three PRIMARY steps to be taken to initialize the project?
Each correct answer represents a complete solution. Choose all that apply.
Question574: Which of the following controls is an example of non-technical controls?
Question575: Which among the following acts as a trigger for risk response process?
Question576: You are the project manager of HJT project. You want to measure the operational effectiveness of risk management capabilities. Which of the following is the BEST option to measure the operational effectiveness?
Question577: Which of the following is the PRIMARY objective for automating controls?
Question578: In response to the threat of ransomware, an organization has implemented cybersecurity awareness activities. The risk practitioner's BEST recommendation to further reduce the impact of ransomware attacks would be to implement:
Question579: You are the project manager of a large construction project. This project will last for 18 months and will cost $750,000 to complete. You are working with your project team, experts, and stakeholders to identify risks within the project before the project work begins. Management wants to know why you have scheduled so many risk identification meetings throughout the project rather than just initially during the project planning. What is the best reason for the duplicate risk identification sessions?
Question580: Which of the following BEST enforces access control for an organization that uses multiple cloud technologies?
Question581: Which of the following baselines identifies the specifications required by the resource that meet the approved requirements?
Question582: Which is the MOST important parameter while selecting appropriate risk response?
Question583: Which of the following controls would BEST decrease exposure if a password is compromised?
Question584: Which of the following is the MOST important consideration when performing a risk assessment of a fire suppression system within a data center?
Question585: You are the project manager of GHT project. You identified a risk of noncompliance with regulations due to missing of a number of relatively simple procedures.
The response requires creating the missing procedures and implementing them. In which of the following risk response prioritization should this case be categorized?
Question586: An organization delegates its data processing to the internal IT team to manage information through its applications. Which of the following is the role of the internal IT team in this situation?
Question587: You work as a project manager for BlueWell Inc. You have declined a proposed change request because of the risk associated with the proposed change request. Where should the declined change request be documented and stored?
Question588: While considering entity-based risks, which dimension of the COSO ERM framework is being referred?
Question589: You are the project manager of GHT project. Your project team is in the process of identifying project risks on your current project. The team has the option to use all of the following tools and techniques to diagram some of these potential risks EXCEPT for which one?
Question590: You and your project team have identified a few risk events in the project and recorded the events in the risk register. Part of the recording of the events includes the identification of a risk owner. Who is a risk owner?
Question591: Which of the following process ensures that extracted data are ready for analysis?
Question592: Which of the following matrices is used to specify risk thresholds?
Question593: Which of the following would MOST likely result in updates to an IT risk appetite statement?
Question594: Mitigating technology risk to acceptable levels should be based PRIMARILY upon:
Question595: Who should be accountable for ensuring effective cybersecurity controls are established?
Question596: Which of the following is of GREATEST concern when uncontrolled changes are made to the control environment?
Question597: Which of the following would be the GREATEST concern for an IT risk practitioner when an employees.....
Question598: For a large software development project, risk assessments are MOST effective when performed:
Question599: Which of the following is the BEST method for discovering high-impact risk types?
Question600: In which of the following conditions business units tend to point the finger at IT when projects are not delivered on time?
Question601: What is the FIRST phase of IS monitoring and maintenance process?
Question602: A company has located its computer center on a moderate earthquake fault. Which of the following is the MOST important consideration when establishing a contingency plan and an alternate processing site?
Question603: Which of the following provides the BEST evidence that a selected risk treatment plan is effective?
Question604: Which of the following is an acceptable method for handling positive project risk?
Question605: You are the risk official of your enterprise. Your enterprise takes important decisions without considering risk credential information and is also unaware of external requirements for risk management and integration with enterprise risk management. In which of the following risk management capability maturity levels does your enterprise exists?
Question606: Which of the following is MOST helpful in providing an overview of an organization's risk management program?
Question607: Which of the following provides an organization with the MOST insight with regard to operational readiness associated with risk?
Question608: Implementing which of the following will BEST help ensure that systems comply with an established baseline before deployment?
Question609: Which of the following is MOST important for maintaining the effectiveness of an IT risk register?
Question610: Qualitative risk assessment uses which of the following terms for evaluating risk level?
Each correct answer represents a part of the solution. Choose two.
Question611: Which of the following would be MOST beneficial as a key risk indicator (KRI)?
Question612: After migrating a key financial system to a new provider, it was discovered that a developer could gain access to the production environment. Which of the following is the BEST way to mitigate the risk in this situation?
Question613: Which of the following process ensures that the risk response strategy remains active and that proposed controls are implemented according to schedule?
Question614: While developing obscure risk scenarios, what are the requirements of the enterprise?
Each correct answer represents a part of the solution. Choose two.
Question615: You work as a project manager for BlueWell Inc. You are preparing to plan risk responses for your project with your team. How many risk response types are available for a negative risk event in the project?
Question616: You are the risk official of your enterprise. You have just completed risk analysis process. You noticed that the risk level associated with your project is less than risk tolerance level of your enterprise. Which of following is the MOST likely action you should take?
Question617: An IT department has organized training sessions to improve user awareness of organizational information security policies. Which of the following is the BEST key performance indicator (KPI) to reflect effectiveness of the training?
Question618: Which of the following guidelines should be followed for effective risk management?
Each correct answer represents a complete solution. Choose three.
Question619: You are the risk professional in Bluewell Inc. A risk is identified and enterprise wants to quickly implement control by applying technical solution that deviates from the company's policies. What you should do?
Question620: The BEST metric to monitor the risk associated with changes deployed to production is the percentage of:
Question621: A risk owner should be the person accountable for:
Question622: Thomas is a key stakeholder in your project. Thomas has requested several changes to the project scope for the project you are managing.
Upon review of the proposed changes, you have discovered that these new requirements are laden with risks and you recommend to the change control board that the changes be excluded from the project scope. The change control board agrees with you. What component of the change control system communicates the approval or denial of a proposed change request?
Question623: Which of the following is the PRIMARY reason to establish the root cause of an IT security incident?
Question624: Which of the following are the responsibilities of Enterprise risk committee?
Each correct answer represents a complete solution. Choose three.
Question625: An IT operations team implements disaster recovery controls based on decisions from application owners regarding the level of resiliency needed. Who is the risk owner in this scenario?
Question626: The PRIMARY benefit associated with key risk indicators (KRls) is that they
Question627: A risk practitioner is organizing risk awareness training for senior management. Which of the following is the MOST important topic to cover in the training session?
Question628: Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?
Question629: To communicate the risk associated with IT in business terms, which of the following MUST be defined?
Question630: The risk associated with data loss from a website which contains sensitive customer information is BEST owned by:
Question631: You are the project manager of RFT project. You have identified a risk that the enterprise's IT system and application landscape is so complex that, within a few years, extending capacity will become difficult and maintaining software will become very expensive. To overcome this risk the response adopted is re-architecture of the existing system and purchase of new integrated system. In which of the following risk prioritization options would this case be categorized?
Question632: You are the project manager of GHT project. A risk event has occurred in your project and you have identified it. Which of the following tasks you would do in reaction to risk event occurrence? Each correct answer represents a part of the solution. Choose three.
Question633: Risk aggregation in a complex organization will be MOST successful when:
Question634: Which of the following is the PRIMARY purpose of periodically reviewing an organization's risk profile?
Question635: Which of the following is the BEST key performance indicator (KPI) to measure the ability to deliver uninterrupted IT services?
Question636: Which of the following provides the MOST important information to facilitate a risk response decision?
Question637: Which of the following is the PRIMARY reason to perform ongoing risk assessments?
Question638: Which of the following is MOST important to include in a risk assessment of an emerging technology?
Question639: Which of the following is the MOST important objective of establishing an enterprise risk management (ERM) function within an organization?
Question640: Which of the following is the FOREMOST root cause of project risk?
Each correct answer represents a complete solution. Choose two.
Question641: Which of the following is the MOST effective way to help ensure an organization's current risk scenarios are relevant?
Question642: The only output of qualitative risk analysis is risk register updates. When the project manager updates the risk register he will need to include several pieces of information including all of the following except for which one?
Question643: Which of the following is the final step in the policy development process?
Question644: John is the project manager of the HGH Project for her company. He and his project team have agreed that if the vendor is late by more than ten days they will cancel the order and hire the NBG Company to fulfill the order. The NBG Company can guarantee orders within three days, but the costs of their products are significantly more expensive than the current vendor. What type of response does John adopt here?
Question645: In which of the following conditions business units tend to point the finger at IT when projects are not delivered on time?
Question646: A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:
Question647: A business unit has decided to accept the risk of implementing an off-the-shelf, commercial software package that uses weak password controls. The BEST course of action would be to:
Question648: Which of the following control detects problem before it can occur?
Question649: Which of the following is MOST important to ensure when continuously monitoring the performance of a client-facing application?
Question650: During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall. Which of the following controls has MOST likely been compromised?
Question651: The only output of qualitative risk analysis is risk register updates. When the project manager updates the risk register he will need to include several pieces of information including all of the following except for which one?
Question652: From a business perspective, which of the following is the MOST important objective of a disaster recovery test?
Question653: Which of the following BEST indicates the effectiveness of anti-malware software?
Question654: Which of the following are sub-categories of threat?
Each correct answer represents a complete solution. Choose three.
Question655: A risk practitioner has observed that risk owners have approved a high number of exceptions to the information security policy. Which of the following should be the risk practitioner's GREATEST concern?
Question656: Judy has identified a risk event in her project that will have a high probability and a high impact. Based on the requirements of the project, Judy has asked to change the project scope to remove the associated requirement and the associated risk. What type of risk response is this?
Question657: Which of the following is the BEST way to identify changes to the risk landscape?
Question658: Which of the following is NOT the method of Qualitative risk analysis?
Question659: You are the project manager of HFD project. You have identified several project risks. You have adopted alternatives to deal with these risks which do not attempt to reduce the probability of a risk event or its impacts.
Which of the following response have you implemented?
Question660: An organization has completed a project to implement encryption on all databases that host customer data.
Which of the following elements of the risk register should be updated to reflect this change?
Question661: Who is at the BEST authority to develop the priorities and identify what risks and impacts would occur if there were loss of the organization's private information?
Question662: Calculation of the recovery time objective (RTO) is necessary to determine the:
Question663: The compensating control that MOST effectively addresses the risk associated with piggybacking into a restricted area without a dead-man door is:
Question664: You work as a project manager for BlueWell Inc. You have declined a proposed change request because of the risk associated with the proposed change request. Where should the declined change request be documented and stored?
Question665: You are working on a project in an enterprise. Some part of your project requires e-commerce, but your enterprise choose not to engage in e-commerce. This scenario is demonstrating which of the following form?
Question666: Which of the following is the MOST important foundational element of an effective three lines of defense model for an organization?
Question667: The acceptance of control costs that exceed risk exposure is MOST likely an example of:
Question668: You are the project manager of your project. You have to analyze various project risks. You have opted for quantitative analysis instead of qualitative risk analysis. What is the MOST significant drawback of using quantitative analysis over qualitative risk analysis?
Question669: Your project change control board has approved several scope changes that will drastically alter your project plan. You and the project team set about updating the project scope, the WBS, the WBS dictionary, the activity list, and the project network diagram. There are also some changes caused to the project risks, communication, and vendors. What also should the project manager update based on these scope changes?
Question670: A chief information officer (CIO) has identified risk associated with shadow systems being maintained by business units to address specific functionality gaps in the organization's enterprise resource planning (ERP) system. What is the BEST way to reduce this risk going forward?
Question671: The MOST effective way to increase the likelihood that risk responses will be implemented is to:
Question672: Before implementing instant messaging within an organization using a public solution, which of the following should be in place to mitigate data leakage risk?
Question673: To communicate the risk associated with IT in business terms, which of the following MUST be defined?
Question674: The BEST indication that risk management is effective is when risk has been reduced to meet:
Question675: Which of the following would require updates to an organization's IT risk register?
Question676: Which of the following is the BEST way to validate whether controls have been implemented according to the risk mitigation action plan?
Question677: You are the risk official in Bluewell Inc. You are supposed to prioritize several risks. A risk has a rating for occurrence, severity, and detection as 4, 5, and 6, respectively. What Risk Priority Number (RPN) you would give to it?
Question678: When reviewing a business continuity plan (BCP), which of the following would be the MOST significant deficiency?
Question679: Which of the following is the GREATEST benefit of analyzing logs collected from different systems?
Question680: Which of the following should be considered to ensure that risk responses that are adopted are cost- effective and are aligned with business objectives?
Each correct answer represents a part of the solution. Choose three.
Question681: Malicious code protection is which type control?
Question682: An organization has outsourced its IT security management function to an external service provider. The BEST party to own the IT security controls under this arrangement is the:
Question683: Whose risk tolerance matters MOST when making a risk decision?
Question684: An identified high probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy. Which of the following is the BEST risk response?
Question685: You are the project manager for BlueWell Inc. You have noticed that the risk level in your project increases above the risk tolerance level of your enterprise. You have applied several risk responses. Now you have to update the risk register in accordance to risk response process. All of the following are included in the risk register except for which item?
Question686: A risk practitioner observes that hardware failure incidents have been increasing over the last few months. However, due to built-in redundancy and fault-tolerant architecture, there have been no interruptions to business operations. The risk practitioner should conclude that:
Question687: You are working with a vendor on your project. A stakeholder has requested a change for the project, which will add value to the project deliverables. The vendor that you're working with on the project will be affected by the change. What system can help you introduce and execute the stakeholder change request with the vendor?
Question688: When reviewing the business continuity plan (BCP) of an online sales order system, a risk practitioner notices that the recovery time objective (RTO) has a shorter lime than what is defined in the disaster recovery plan (DRP). Which of the following is the BEST way for the risk practitioner to address this concern?
Question689: Risk mitigation procedures should include:
Question690: Which of the following guidelines should be followed for effective risk management?
Each correct answer represents a complete solution. Choose three.
Question691: Which of the following is the HIGHEST risk of a policy that inadequately defines data and system ownership?
Question692: Which of the following components of risk scenarios has the potential to generate internal or external threat on an enterprise?
Question693: An organization has identified a risk exposure due to weak technical controls in a newly implemented HR system. The risk practitioner is documenting the risk in the risk register. The risk should be owned by the:
Question694: Which of the following will BEST ensure that information security risk factors are mitigated when developing in-house applications?
Question695: Which of the following is the BEST way to validate whether controls to reduce user device vulnerabilities have been implemented according to management's action plan?
Question696: Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability management process?
Question697: Which of the following is MOST important when conducting a post-implementation review as part of the system development life cycle (SDLC)?
Question698: An enterprise has identified risk events in a project. While responding to these identified risk events, which among the following stakeholders is MOST important for reviewing risk response options to an IT risk.
Question699: You are the project manager of GHT project. A stakeholder of this project requested a change request in this project. What are your responsibilities as the project manager that you should do in order to approve this change request?
Each correct answer represents a complete solution. Choose two.
Question700: You are the project manager of the NHQ project in Bluewell Inc. The project has an asset valued at $200,000 and is subjected to an exposure factor of 45 percent. If the annual rate of occurrence of loss in this project is once a month, then what will be the Annual Loss Expectancy (ALE) of the project?
Question701: A control for mitigating risk in a key business area cannot be implemented immediately. Which of the following is the risk practitioner's BEST course of action when a compensating control needs to be applied?
Question702: Which of the following is a risk practitioner's MOST important responsibility in managing risk acceptance that exceeds risk tolerance?
Question703: Which of the following is the MOST effective inhibitor of relevant and efficient communication?
Question704: Which of the following techniques examines the degree to which organizational strengths offset threats and opportunities that may serve to overcome weaknesses?
Question705: Establishing ao organizational code of conduct is an example of which type of control?
Question706: Which of the following is the BEST recommendation to senior management when the results of a risk and control assessment indicate a risk scenario can only be partially mitigated?
Question707: Which of the following parameters would affect the prioritization of the risk responses and development of the risk response plan? Each correct answer represents a complete solution. Choose three.
Question708: Which of the following is MOST helpful in verifying that the implementation of a risk mitigation control has been completed as intended?
Question709: Which of the following is the MOST important foundational element of an effective three lines of defense model for an organization?
Question710: Which of the following should be a risk practitioner's NEXT step upon learning the organization is not in compliance with a specific legal regulation?
Question711: You have identified several risks in your project. You have opted for risk mitigation in order to respond to identified risk. Which of the following ensures that risk mitigation method that you have chosen is effective?
Question712: After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:
Question713: Which of the following should be the risk practitioner s FIRST course of action when an organization has decided to expand into new product areas?
Question714: Which of me following is MOST helpful to mitigate the risk associated with an application under development not meeting business objectives?
Question715: Which of the following BEST provides an early warning that network access of terminated employees is not being revoked in accordance with the service level agreement (SLA)?
Question716: Which of the following is NOT true for effective risk communication?
Question717: You are the program manager for your organization and you are working with Alice, a project manager in her program. Alice calls you and insists you to add a change to program scope. You agree for that the change.
What must Alice do to move forward with her change request?
Question718: Which of the following is MOST important when developing risk scenarios?
Question719: You are the administrator of your enterprise. Which of the following controls would you use that BEST protects an enterprise from unauthorized individuals gaining access to sensitive information?
Question720: Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?
Question721: An organization has implemented a preventive control to lock user accounts after three unsuccessful login attempts. This practice has been proven to be unproductive, and a change in the control threshold value has been recommended. Who should authorize changing this threshold?
Question722: Which of the following is the MOST cost-effective way to test a business continuity plan?
Question723: Who should be responsible for strategic decisions on risk management?
Question724: Employees are repeatedly seen holding the door open for others, so that trailing employees do not have to stop and swipe their own ID badges. This behavior BEST represents:
Question725: Which among the following is the MOST crucial part of risk management process?
Question726: Which of the following is the BEST method for discovering high-impact risk types?
Question727: The MOST important characteristic of an organization s policies is to reflect the organization's:
Question728: A bank wants to send a critical payment order via email to one of its offshore branches. Which of the following is the BEST way to ensure the message reaches the intended recipient without alteration?
Question729: Which of the following is the MOST important element of a successful risk awareness training program?
Question730: If one says that the particular control or monitoring tool is sustainable, then it refers to what ability?
Question731: Which of the following will BEST help to ensure key risk indicators (KRIs) provide value to risk owners?
Question732: Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?
Question733: A risk practitioner has become aware of production data being used in a test environment. Which of the following should be the practitioner's PRIMARY concern?
Question734: Employees are repeatedly seen holding the door open for others, so that trailing employees do not have to stop and swipe their own ID badges. This behavior BEST represents:
Question735: Which of the following vulnerability assessment software can check for weak passwords on the network?
Question736: Jane, the Director of Sales, contacts you and demands that you add a new feature to the software your project team is creating for the organization. In the meeting she tells you how important the scope change would be. You explain to her that the software is almost finished and adding a change now could cause the deliverable to be late, cost additional funds, and would probably introduce new risks to the project. Jane stands up and says to you, "I am the Director of Sales and this change will happen in the project." And then she leaves the room. What should you do with this verbal demand for a change in the project?
Question737: Which of the following represents lack of adequate controls?
Question738: Following a significant change to a business process, a risk practitioner believes the associated risk has been reduced. The risk practitioner should advise the risk owner to FIRST
Question739: What is the BEST information to present to business control owners when justifying costs related to controls?
Question740: Which of the following activities should be performed FIRST when establishing IT risk management processes?
Question741: Which of The following is the MOST relevant information to include in a risk management strategy?
Question742: Which of the following is MOST important for an organization to update following a change in legislation requiring notification to individuals impacted by data breaches?
Question743: Which of the following is the MOST important factor when deciding on a control to mitigate risk exposure?
Question744: Which of the following MOST effectively limits the impact of a ransomware attack?
Question745: Accountability for a particular risk is BEST represented in a:
Question746: Which of the following is the BEST way to detect zero-day malware on an end user's workstation?
Question747: What should be the PRIMARY driver for periodically reviewing and adjusting key risk indicators (KRIs)?
Question748: An organization has been notified that a dis grunted, terminated IT administrator has tried to break into the corporate network. Which of the following discoveries should be of GREATEST concern to the organization?
Question749: Which of the following is the BEST method for assessing control effectiveness?
Question750: Whose risk tolerance matters MOST when making a risk decision?
Question751: An application runs a scheduled job that compiles financial data from multiple business systems and updates the financial reporting system. If this job runs too long, it can delay financial reporting. Which of the following is the risk practitioner's BEST recommendation?
Question752: What is the MOST important consideration when aligning IT risk management with the enterprise risk management (ERM) framework?
Question753: Which of the following would BEST enable mitigation of newly identified risk factors related to internet of Things (loT)?
Question754: Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery plan (DRP)?
Question755: Shelly is the project manager of the BUF project for her company. In this project Shelly needs to establish some rules to reduce the influence of risk bias during the qualitative risk analysis process. What method can Shelly take to best reduce the influence of risk bias?
Question756: Which of the following BEST indicates the condition of a risk management program?
Question757: Which of the following are the principles of access controls?
Each correct answer represents a complete solution. Choose three.
Question758: You are the project manager of the GHT project. This project will last for 18 months and has a project budget of $567,000. Robert, one of your stakeholders, has introduced a scope change request that will likely have an impact on the project costs and schedule. Robert assures you that he will pay for the extra time and costs associated with the risk event. You have identified that change request may also affect other areas of the project other than just time and cost. What project management component is responsible for evaluating a change request and its impact on all of the project management knowledge areas?
Question759: Which of the following is MOST effective against external threats to an organizations confidential information?
Question760: Who should be responsible for implementing and maintaining security controls?
Question761: Sensitive data has been lost after an employee inadvertently removed a file from the premises, in violation of organizational policy. Which of the following controls MOST likely failed?
Question762: A control owner has completed a year-long project To strengthen existing controls. It is MOST important for the risk practitioner to:
Question763: An organization is measuring the effectiveness of its change management program to reduce the number of unplanned production changes. Which of the following would be the BEST metric to determine if the program is performing as expected?
Question764: Which of the following assets are the examples of intangible assets of an enterprise?
Each correct answer represents a complete solution. Choose two.
Question765: A PRIMARY advantage of involving business management in evaluating and managing risk is that management:
Question766: Following an acquisition, the acquiring company's risk practitioner has been asked to update the organization's IT risk profile What is the MOST important information to review from the acquired company to facilitate this task?
Question767: You are the risk control professional of your enterprise. You have implemented a tool that correlates information from multiple sources. To which of the following do this monitoring tool focuses?
Question768: Which of the following is the MAIN reason to continuously monitor IT-related risk?
Question769: An audit reveals that several terminated employee accounts maintain access. Which of the following should be the FIRST step to address the risk?
Question770: Who is PRIMARILY accountable for risk treatment decisions?
Question771: Which of the following is the BEST method to ensure a terminated employee's access to IT systems is revoked upon departure from the organization?
Question772: The PRIMARY objective for requiring an independent review of an organization's IT risk management process should be to:
Question773: Which of the following provides the BEST evidence of the effectiveness of an organization's account provisioning process?
Question774: An organization maintains independent departmental risk registers that are not automatically aggregated. Which of the following is the GREATEST concern?
Question775: The acceptance of control costs that exceed risk exposure is MOST likely an example of:
Question776: Assessing the probability and consequences of identified risks to the project objectives, assigning a risk score to each risk, and creating a list of prioritized risks describes which of the following processes?
Question777: The number of tickets to rework application code has significantly exceeded the established threshold. Which of the following would be the risk practitioner's BEST recommendation?
Question778: According to the Section-302 of the Sarbanes-Oxley Act of 2002, what does certification of reports implies? Each correct answer represents a complete solution. Choose three.
Question779: Which of the following should be the HIGHEST priority when developing a risk response?
Question780: Which of the following controls will BEST detect unauthorized modification of data by a database administrator?
Question781: Which of the following is the MOST important objective of embedding risk management practices into the initiation phase of the project management life cycle?
Question782: Which of the following BEST indicates the efficiency of a process for granting access privileges?
Question783: Which of the following processes is described in the statement below?
"It is the process of exchanging information and views about risks among stakeholders, such as groups, individuals, and institutions."
Question784: Which of the following is prepared by the business and serves as a starting point for producing the IT Service Continuity Strategy?
Question785: Which of following is NOT used for measurement of Critical Success Factors of the project?
Question786: A new policy has been published to forbid copying of data onto removable medi a. Which type of control has been implemented?
Question787: An organization has recently updated its disaster recovery plan (DRP). Which of the following would be the GREATEST risk if the new plan is not tested?
Question788: FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization?
Question789: Which of the following contributes MOST to the effective implementation of risk responses?
Question790: You are the project manager of the GHY Project for your company. You need to complete a project management process that will be on the lookout for new risks, changing risks, and risks that are now outdated.
Which project management process is responsible for these actions?
Question791: Which of the following tools is MOST effective in identifying trends in the IT risk profile?
Question792: Which of the following is the MAIN purpose of monitoring risk?
Question793: Mary is a project manager in her organization. On her current project she is working with her project team and other key stakeholders to identify the risks within the project. She is currently aiming to create a comprehensive list of project risks so she is using a facilitator to help generate ideas about project risks.
What risk identification method is Mary likely using?
Question794: Which of the following approaches BEST identifies information systems control deficiencies?
Question795: Which of the following is the STRONGEST indication an organization has ethics management issues?
Question796: Which of the following is the MOST effective method for indicating that the risk level is approaching a high or unacceptable level of risk?
Question797: Which of the following risks refer to probability that an actual return on an investment will be lower than the investor's expectations?
Question798: The compensating control that MOST effectively addresses the risk associated with piggybacking into a restricted area without a dead-man door is:
Question799: Which of the following is the BEST indication of the effectiveness of a business continuity program?
Question800: You are the project manager of GHT project. Your hardware vendor left you a voicemail saying that the delivery of the equipment you have ordered would not arrive on time. You identified a risk response strategy for this risk and have arranged for a local company to lease you the needed equipment until yours arrives. This is an example of which risk response strategy?
Question801: Which of the following provides the BEST evidence that risk responses have been executed according to their risk action plans?
Question802: Which of the following will BEST support management reporting on risk?
Question803: Kelly is the project manager of the NNQ Project for her company. This project will last for one year and has a budget of $350,000. Kelly is working with her project team and subject matter experts to begin the risk response planning process. What are the two inputs that Kelly would need to begin the plan risk response process?
Question804: An organization is considering modifying its system to enable acceptance of credit card payments. To reduce the risk of data exposure, which of the following should the organization do FIRST?
Question805: Which of the following is the MOST important consideration when identifying stakeholders to review risk scenarios developed by a risk analyst? The reviewers are:
Question806: A risk practitioner is reviewing the status of an action plan to mitigate an emerging IT risk and finds the risk level has increased. The BEST course of action would be to:
Question807: An identified high probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy. Which of the following is the BEST risk response?
Question808: Which of the following would be MOST beneficial as a key risk indicator (KRI)?
Question809: Which of the following statements BEST illustrates the relationship between key performance indicators (KPIs) and key control indicators (KCIs)?
Question810: Which of the following should be the PRIMARY consideration when implementing controls for monitoring user activity logs?
Question811: A vulnerability assessment of a vendor-supplied solution has revealed that the software is susceptible to cross-site scripting and SQL injection attacks. Which of the following will BEST mitigate this issue?
Question812: Which of the following is a KEY responsibility of the second line of defense?
Question813: You are the risk official in Techmart Inc. You are asked to perform risk assessment on the impact of losing a server. For this assessment you need to calculate monetary value of the server. On which of the following bases do you calculate monetary value?
Question814: A multinational organization is considering implementing standard background checks to' all new employees A KEY concern regarding this approach
Question815: Which of the following is the GREATEST risk associated with the transition of a sensitive data backup solution from on-premise to a cloud service provider?
Question816: It is MOST appropriate for changes to be promoted to production after they are;
Question817: A risk owner has accepted a high-impact risk because the control was adversely affecting process efficiency.
Before updating the risk register, it is MOST important for the risk practitioner to:
Question818: What should be PRIMARILY responsible for establishing an organization's IT risk culture?
Question819: When an organization's disaster recovery plan has a reciprocal agreement, which of the following risk treatment options is being applied?
Question820: Which of the following is the MOST important reason to create risk scenarios?
Question821: You are the project manager for your company and a new change request has been approved for your project.
This change request, however, has introduced several new risks to the project. You have communicated these risk events and the project stakeholders understand the possible effects these risks could have on your project.
You elect to create a mitigation response for the identified risk events. Where will you record the mitigation response?
Question822: Which of the following terms is described in the statement below?
"They are the prime monitoring indicators of the enterprise, and are highly relevant and possess a high probability of predicting or indicating important risk."
Question823: Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation?
Question824: Which of the following is true for risk evaluation?
Question825: Which of the following is the HIGHEST risk of a policy that inadequately defines data and system ownership?
Question826: If one says that the particular control or monitoring tool is sustainable, then it refers to what ability?
Question827: Which of the following individuals is responsible for identifying process requirements, approving process design and managing process performance?
Question828: What should be considered while developing obscure risk scenarios?
Each correct answer represents a part of the solution. Choose two.
Question829: Which of the following techniques would be used during a risk assessment to demonstrate to stakeholders that all known alternatives were evaluated?
Question830: Which of the following is the FIRST step in risk assessment?
Question831: An organization has granted a vendor access to its data in order to analyze customer behavior. Which of the following would be the MOST effective control to mitigate the risk of customer data leakage?
Question832: Management has required information security awareness training to reduce the risk associated with credential compromise. What is the BEST way to assess the effectiveness of the training?
Question833: You are the risk professional in Bluewell Inc. A risk is identified and enterprise wants to quickly implement control by applying technical solution that deviates from the company's policies. What you should do?
Question834: In which of the following risk management capability maturity levels risk appetite and tolerance are applied only during episodic risk assessments?